
Consent Compliance: GDPR, CCPA, DPDP


Why Consent Monitoring Matters

Consent management platforms (CMPs) are supposed to block tags until the user grants consent. In practice, they fail silently. The CMP loads, the banner displays, the user makes a choice — but behind the scenes, tags fire anyway. The CMP vendor says it is configured correctly. GTM says the tag fired. Nobody checks whether the CMP actually blocked the tag before consent.

The penalties for getting this wrong are specific. GDPR fines reach 4% of annual global revenue or 20 million euros, whichever is higher. CCPA penalties are $7,500 per intentional violation. India’s DPDP Act (2023) imposes penalties up to 250 crore rupees. These are not theoretical — enforcement actions are increasing every quarter. A single pre-consent tag fire on a high-traffic site can generate thousands of violations per day.

Reading the Consent Dashboard

The TagDrishti Consent panel shows real-time consent compliance data for your site. Open it from the left sidebar under Consent.

The dashboard has three sections:

Consent State Overview: A summary of the current consent rates across your site. Shows: total sessions, sessions with consent granted, sessions with consent denied, sessions where consent was not requested (CMP did not load).

Pre-Consent Tag Fires: The critical section. Lists every tag that fired before the user made a consent decision. These are potential violations. Each entry shows: tag name, page URL, number of pre-consent fires in the last 24 hours, and the consent category the tag belongs to (analytics, advertising, functional). A tag appearing here means your CMP is not blocking it correctly.

Per-Region Consent Rates: A table showing consent grant rates by region. Columns: region, sessions, consent rate, opt-out rate. This data helps you understand regional patterns and verify that your CMP respects regional requirements (GDPR for EU, CCPA for California, DPDP for India).

Understanding the 5 Consent Signals

TagDrishti monitors five consent signals for each session. Together, they give a complete picture of whether consent is working correctly:

1. CMP Load

Did the CMP script load on the page? If the CMP fails to load (network error, script blocked, deployment error), no consent is collected and all tags fire without restriction. TagDrishti flags sessions where the CMP did not load.

2. Banner Display

Did the consent banner actually appear to the user? The CMP script can load but the banner can fail to render (CSS conflict, z-index issue, JavaScript error in the banner component). If the banner does not display, the user cannot make a choice, and the CMP defaults to a preconfigured state (usually “deny all” in GDPR regions, “accept all” elsewhere). TagDrishti detects whether the banner element was visible in the viewport.

3. User Choice

What did the user choose? Accept all, reject all, or customize. TagDrishti logs the choice and the timestamp. This is not about auditing the user — it is about verifying that tags respect the choice made.

4. Tag Gating

After the user chose, did the CMP actually block the tags it was supposed to block? This is where most failures happen. The user clicks “Reject All,” the CMP records the choice, but an analytics tag fires anyway because it is miscategorized in the CMP or because its GTM trigger does not check consent state. TagDrishti compares the user’s consent choice against which tags actually fired and flags mismatches.

5. GPC Signal (Global Privacy Control)

For CCPA compliance, browsers can send a GPC signal (Sec-GPC: 1 header or navigator.globalPrivacyControl === true). California law requires sites to treat GPC as a valid opt-out of sale/sharing of personal information. TagDrishti detects the GPC signal and checks whether advertising and data-sale tags are blocked when GPC is active.

Per-Region Consent Rate Table

The consent rate varies dramatically by region. Typical rates observed across TagDrishti-monitored sites:

  • EU (GDPR): 45–65% consent grant rate. Users are conditioned to see consent banners and many decline. Your analytics data for EU traffic will always be partial.
  • United States (non-California): 85–95% consent rate. Many sites do not show a banner to non-California US users, or use notice-only banners with implied consent.
  • California (CCPA): 70–80% consent rate. CCPA requires an opt-out mechanism, not opt-in. Higher rates than GDPR because the default is consent granted unless the user opts out.
  • India (DPDP): 75–85% consent rate. The DPDP Act is new (2023) and enforcement is still developing. Consent fatigue has not set in the way it has in the EU.
  • Rest of world: 90%+ consent rate. Many regions do not have specific consent requirements, and banners are informational only.

Use this data to set expectations for analytics data completeness. If 40% of your EU traffic declines consent, your GA4 data for EU visitors covers 60% of sessions. Adjust reporting accordingly.

Pre-Consent Tag Fire Detection

This is the highest-priority compliance feature. A pre-consent tag fire means a tag executed before the user made a consent decision. In GDPR regions, this is a violation regardless of whether the user later grants consent.

Common causes of pre-consent tag fires:

  1. Tag not gated by consent in GTM: The tag trigger does not include a consent check. It fires on “All Pages” regardless of consent state. Fix: Add a consent condition to the trigger or use Google Consent Mode.
  2. CMP loads after tags: The CMP script is placed after GTM in the page source. GTM fires tags before the CMP has a chance to block them. Fix: Move the CMP script above GTM in the <head>.
  3. Tag miscategorized in CMP: An advertising tag (Facebook Pixel) is categorized as “functional” in the CMP. Functional tags are not blocked. The tag fires immediately. Fix: Recategorize the tag in the CMP settings.
  4. Hard-coded tag on page: A developer placed a tag directly in the HTML instead of through GTM or the CMP. The CMP has no control over it. Fix: Move the tag into GTM and gate it with consent.
  5. Consent Mode not configured: Google Consent Mode v2 requires specific gtag('consent', 'default', {...}) calls before any Google tags fire. If this is missing, GA4 and Google Ads tags fire with full consent by default. Fix: Add the Consent Mode default configuration before the GTM snippet.
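Causes 2 and 5 both come down to ordering in the dataLayer, which can be checked mechanically. The following is an added example, not TagDrishti's or Google's code: `checkConsentDefault` and `buildLayer` are hypothetical helpers, the dataLayer snapshots are constructed, and the check assumes an opt-in region where all four Consent Mode v2 keys should default to "denied".

```javascript
// Added example. The dataLayer snapshots built below are constructed.
const REQUIRED_V2_KEYS = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];

// Standard gtag shim: gtag() queues its arguments object on the dataLayer.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// Verify a consent default with all four v2 keys denied is queued before GTM starts.
function checkConsentDefault(dataLayer) {
  const isDefault = (e) => e && e[0] === "consent" && e[1] === "default";
  const defaultIdx = dataLayer.findIndex(isDefault);
  const gtmIdx = dataLayer.findIndex((e) => e && e.event === "gtm.js");
  if (defaultIdx === -1) return { ok: false, reason: "no consent default" };
  if (gtmIdx !== -1 && gtmIdx < defaultIdx) {
    return { ok: false, reason: "GTM started before consent default" };
  }
  const settings = dataLayer[defaultIdx][2] || {};
  const notDenied = REQUIRED_V2_KEYS.filter((k) => settings[k] !== "denied");
  if (notDenied.length) return { ok: false, reason: "not denied by default: " + notDenied.join(", ") };
  return { ok: true, reason: "consent default precedes GTM" };
}

// Build a constructed dataLayer in either the correct or the broken order.
function buildLayer(consentFirst) {
  const dl = [];
  const gtag = makeGtag(dl);
  const setDefault = () => gtag("consent", "default", {
    ad_storage: "denied", ad_user_data: "denied",
    ad_personalization: "denied", analytics_storage: "denied",
    wait_for_update: 500, // ms to wait for the CMP to report the user's choice
  });
  // Same object the GTM container snippet pushes when it starts.
  const startGtm = () => dl.push({ "gtm.start": Date.now(), event: "gtm.js" });
  if (consentFirst) { setDefault(); startGtm(); } else { startGtm(); setDefault(); }
  return dl;
}

console.log(checkConsentDefault(buildLayer(true)));
console.log(checkConsentDefault(buildLayer(false)));
```

On a live page the same check can be run against a copy of `window.dataLayer` taken in the browser console.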

GPC Signal for CCPA

Global Privacy Control (GPC) is a browser-level signal that tells websites the user does not want their personal information sold or shared. California law (CCPA/CPRA) requires sites to honor this signal.

TagDrishti detects GPC in two ways:

  • The Sec-GPC: 1 HTTP header on page requests.
  • The navigator.globalPrivacyControl JavaScript property.

When GPC is detected, TagDrishti checks: Are advertising tags still firing? Is the Facebook Pixel still active? Are retargeting cookies being set? If any data-sale or advertising tag fires while GPC is active, the dashboard flags it as a GPC violation.

To fix GPC violations: Configure your CMP to read the GPC signal and apply the “do not sell/share” consent category automatically. Most CMPs support this (OneTrust, Cookiebot, and Osano all have GPC settings). After configuration, test in Firefox (which sends GPC by default in private browsing) or install the GPC browser extension in Chrome.
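The checks described under Tag Gating, Pre-Consent Tag Fire Detection and GPC can be expressed as one pass over a session's event timeline. This is an added example, not TagDrishti's implementation: the event shape, the `auditSession` function, the tag names and the category map are all constructed for illustration.

```javascript
// Added example. Event shape, tag names and categories are constructed for illustration.
const TAG_CATEGORY = {
  "GA4 Pageview": "analytics",
  "Facebook Pixel": "advertising",
  "Chat Widget": "functional",
};

// Walk one session's events in time order and return every consent violation.
function auditSession(events) {
  const findings = [];
  let cmpLoaded = false;
  let gpc = false;
  let choice = null; // null until the user decides, then e.g. { analytics: false, advertising: false }
  for (const ev of events) {
    if (ev.type === "gpc") { gpc = ev.value === true; continue; }
    if (ev.type === "cmp_load") { cmpLoaded = true; continue; }
    if (ev.type === "choice") { choice = ev.granted; continue; }
    if (ev.type !== "tag_fire") continue;
    // Unknown tags get a category nobody granted, so they are flagged (fail closed).
    const category = TAG_CATEGORY[ev.tag] || "uncategorized";
    if (category === "functional") continue;
    const flag = (kind) => findings.push({ kind, tag: ev.tag, category, t: ev.t });
    // Page rule: any advertising tag firing while GPC is active is a GPC violation.
    if (gpc && category === "advertising") flag("gpc_violation");
    if (choice === null) flag(cmpLoaded ? "pre_consent_fire" : "cmp_missing_fire");
    else if (choice[category] !== true) flag("gating_mismatch");
  }
  return findings;
}

// Constructed session 1: GA4 fires before the choice; the Pixel fires after "Reject All".
const rejectSession = [
  { type: "cmp_load", t: 80 },
  { type: "tag_fire", tag: "GA4 Pageview", t: 120 },
  { type: "choice", granted: { analytics: false, advertising: false }, t: 4000 },
  { type: "tag_fire", tag: "Facebook Pixel", t: 4100 },
  { type: "tag_fire", tag: "Chat Widget", t: 4200 },
];
// Constructed session 2: browser sends GPC, user accepts all, the Pixel still fires.
const gpcSession = [
  { type: "gpc", value: true, t: 0 },
  { type: "cmp_load", t: 80 },
  { type: "choice", granted: { analytics: true, advertising: true }, t: 3000 },
  { type: "tag_fire", tag: "Facebook Pixel", t: 3100 },
  { type: "tag_fire", tag: "GA4 Pageview", t: 3150 },
];

console.log(auditSession(rejectSession).map((f) => `${f.kind}: ${f.tag}`));
console.log(auditSession(gpcSession).map((f) => `${f.kind}: ${f.tag}`));
```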

What to Do When a Violation Is Detected

  1. Immediate: Check the Pre-Consent Tag Fires panel. Identify which tags are firing before consent. Note the page URLs and session counts.
  2. Classify severity: An analytics tag (GA4) firing pre-consent is a violation but lower risk than an advertising tag (Facebook Pixel) firing pre-consent. Advertising tags that transmit personal data to third parties are highest severity.
  3. Fix the tag gating: Use the root cause list above. Most fixes involve reconfiguring the CMP or adding consent conditions to GTM triggers. Deploy the fix.
  4. Verify: Open the site in a private window. Use the CMP to deny consent. Check the TagDrishti Live Feed: no tag in a denied category should fire. Grant consent. Confirm tags now fire correctly.
  5. Document: Record the violation window (start time to fix time), the number of affected sessions, the tag involved, and the fix applied. This documentation is critical if a regulator asks about your compliance practices.
  6. Prevent recurrence: Set a TagDrishti alert rule for pre-consent fires. Threshold: alert if any tag fires pre-consent more than 10 times in one hour. This catches future regressions immediately.

Consent compliance is not a one-time setup. Every CMP update, GTM publish, and site deployment can break consent gating. Continuous monitoring is the only way to stay compliant.
