ConsentPixel – Privacy · Verified

Any HTML · Static · Any Host ⚡ One Script Tag, Any Host

Cookie Consent for
Any HTML Site That
Actually Blocks Scripts.

A hand-coded or static site does exactly what you wrote into it — including every analytics tag, pixel, and embed you hardcoded into the <head>. There is nothing in plain HTML to hold those scripts for consent; they fire on load. ConsentPixel — Privacy · Verified blocks every registered script with one <script> tag, on any host: Netlify, Vercel, GitHub Pages, S3, cPanel, or your own server.

Works on any host — Netlify, Vercel, S3, cPanel
GDPR · CCPA · CIPA · 19 US state laws
Google Consent Mode v2 built in
No framework or build step required
1
Script tag to install — nothing else
$5,000
Per-visitor CIPA exposure from session-replay on California traffic
€20M
Max GDPR fine — or 4% of global annual revenue
2 min
To paste ConsentPixel into your <head>

The Gap: Plain HTML Has No Consent Layer

A static or hand-coded site is the simplest case and, for consent, one of the riskiest. Whatever scripts you placed in the <head> — a Google Analytics tag, a Meta Pixel, a Hotjar snippet, an embedded map or video — execute exactly as written, in order, the moment the browser parses the page. There is no platform, no plugin, and no setting between them and the visitor.

That means there is nothing native to defer a tracker until consent. Plain HTML has no concept of consent at all. Every tag you hardcoded fires on load, on every page, for every visitor — regardless of where they are or what they would have chosen.

⚠ No Consent Concept What a static site does — exactly what you wrote

Static hosting — Netlify, Vercel, GitHub Pages, S3, cPanel, or a plain server — serves your HTML as-is. The host does not add or gate scripts; it just delivers the files. Any tracking is whatever you hardcoded.

Because there is no layer between your markup and the browser, a visitor in the EU loads your page and every hardcoded GA, pixel, and embed transmits data immediately — there is nothing to show a banner or hold a script.

✗ Hardcoded GA / pixels fire on load

Any analytics or pixel tag in your <head> runs the instant the page is parsed — there is nothing to defer it.

✗ Embeds track on render

Hardcoded YouTube, Maps, and social embeds set third-party cookies and load tracking when the page renders.

✗ Session-replay runs pre-consent

A hardcoded Hotjar or Clarity snippet records from page load — $5,000/visitor CIPA exposure for California visitors.

✗ No GCM v2 / GPC handling

Plain HTML has no mechanism to set Google Consent Mode v2 parameters or detect the Global Privacy Control signal.

The simplicity that makes static sites fast and cheap also means there is zero built-in compliance. If your hand-coded site has any third-party tag at all and receives EU or California traffic, it is loading regulated scripts before consent with nothing to stop them.

Trackers Commonly Hardcoded into HTML Sites

Static and hand-coded sites carry whatever you pasted into the <head> — usually analytics, a pixel or two, and a few embeds. These are the integrations most commonly found, and the privacy exposure each creates.

📊
Google Analytics 4
GDPR · CCPA · GCM v2
The most common tracker on static HTML sites. Sets _ga cookies and transmits to Google on page load. Needs Google Consent Mode v2 default-deny set before GA4 initialises.
🔖
Google Tag Manager
GDPR · GCM v2 Required
Every tag inside a GTM container fires on load — conversion pixels, remarketing, analytics. The GCM v2 default state must be set before GTM loads, not after.
📘
Meta Pixel
GDPR · CCPA · CIPA
Loads from Facebook's CDN and fires on load, sharing browsing behaviour and conversions with Meta's ad network regardless of any banner shown.
🔥
Hotjar / Microsoft Clarity
GDPR · CIPA
A hardcoded session-replay snippet runs from page load regardless of consent — $5,000/visitor CIPA exposure for California visitors with no consent gate.
🎯
LinkedIn / TikTok Pixels
GDPR · CCPA
External pixels that set identifiers and fire on load. Common on B2B, agency, and creator sites and frequently missed in consent configurations.
📹
YouTube / Vimeo Embeds
GDPR
Embedded players set third-party cookies and load tracking when the page renders — not when the visitor presses play. Must be consent-gated for GDPR.
💬
Live Chat (Intercom, Drift, Crisp)
GDPR · CCPA
Chat widgets set persistent identifiers and load before consent. Common on SaaS, service, and agency sites.
📧
Email / Marketing Automation
GDPR · CCPA
HubSpot, Mailchimp, Klaviyo, and ConvertKit tracking scripts install cookies and track page views independently of any consent layer.

Plain HTML vs. ConsentPixel

Plain HTML executes your tags exactly as written, with no gate. ConsentPixel is a single tag that becomes the consent layer your static site never had.

CapabilityPlain HTML (native)ConsentPixel
Blocks external JS before consent✗ Not supported✓ All registered scripts
Blocks GA4 / GTM tags✗ No✓ Yes
Google Consent Mode v2 (all 4 params)✗ No✓ All plans
Global Privacy Control (GPC) detection✗ No✓ Auto-detected
CIPA session-replay blocking✗ No✓ Yes
US state law opt-out (19 states)✗ No✓ All plans
Timestamped consent audit log⚠ Basic / none✓ Full log, exportable
Page-scoped consent enforcement✗ No✓ Yes
Works without platform plan upgrade⚠ Often gated✓ Any plan
🚫
A static site with hardcoded tags is firing every tracker pre-consent by definition. GDPR requires non-essential processing to wait for consent. Plain HTML has no consent concept, so your hardcoded GA, pixels, and embeds run on every page load with no choice recorded — the exact pattern 2025–2026 enforcement has targeted.

See what your static site fires before any consent

ConsentPixel scans your live site in a fresh session — no cache, no prior consent — and shows every hardcoded script transmitting data on load, on any host.

Scan My HTML Site →

How to Install ConsentPixel on Any HTML Site

ConsentPixel installs on any HTML site as a single <script> tag — no framework, no build step, no host-specific setup. It must be the first element in your <head> so pre-consent blocking works correctly, and it runs identically on Netlify, Vercel, GitHub Pages, S3, cPanel, or your own server.

1

Create your ConsentPixel account and scan your site

Sign up at consentpixel.com, add your domain, and run the auto-scanner. ConsentPixel maps every tracker across your pages — including the tags and embeds you hardcoded. Copy your unique pixel snippet from the dashboard.

2

Paste the snippet as the first element in <head>

Open each HTML file and paste the ConsentPixel snippet as the very first element inside <head>, before any GA, Meta Pixel, GTM, or embed code.

Top of <head> on every page
<head>
  <!-- ConsentPixel — must be first -->
  <script
    src="https://pixel.consentpixel.com/YOUR-SITE-ID.js"
    async></script>

  <!-- Your GA / Meta / GTM / embeds below -->
</head>

If you use a shared header include, an SSI directive, or a build-step partial, add it there once so it appears on every page automatically.

3

Deploy or upload your files

Push to Netlify or Vercel, commit to GitHub Pages, sync to S3, or upload via FTP/cPanel — whatever your workflow is. ConsentPixel begins blocking registered scripts as soon as the updated files are live.

4

Register your scripts and configure GCM v2

In the ConsentPixel dashboard, register each tool by consent category: Analytics (GA4), Marketing (Meta, LinkedIn), Functional (live chat), Session Recording (Hotjar, Clarity). ConsentPixel holds each category until the visitor consents.

Enable Google Consent Mode v2 — ConsentPixel injects all four GCM v2 parameters as the first head script, before your GTM container or GA4 loads.

5

Cover every page

Make sure the snippet is in the <head> of every HTML file, not just the homepage. A shared include or build partial is the reliable way to guarantee full coverage across a multi-page static site.

💡
Using a static-site generator? If you build with Eleventy, Hugo, Jekyll, or similar, add the ConsentPixel snippet to your base layout / head partial once — it will render into every page on build. After deploying, open your live site in an incognito window and confirm in DevTools that ConsentPixel's domain loads before google-analytics.com on every page.

What ConsentPixel Does for Your HTML Site

🛡️

Blocks your hardcoded scripts

Intercepts GA4, Meta Pixel, GTM, and Hotjar tags you placed in your <head> — the scripts plain HTML has no way to gate — and holds them until consent.

📡

Google Consent Mode v2 — correct order

Injects all four GCM v2 parameters as the first head script, before your GTM or GA4 runs. Protects Google Ads measurement for EU and UK visitors.

🌐

GPC browser signal detection

Automatically honours the Global Privacy Control signal for California, Colorado, Virginia, and Connecticut visitors — impossible to do in plain HTML alone.

🔥

CIPA session-replay protection

Blocks Hotjar, Clarity, and Lucky Orange before consent — eliminating the $5,000/visitor CIPA exposure California traffic creates.

Any host, no build step

Runs identically on Netlify, Vercel, GitHub Pages, S3, cPanel, or your own server. No framework, no bundler, no server-side code required — just one tag.

⚙️

One tag, fully managed

Categories, banner text, GCM v2, and the audit log are all configured in the ConsentPixel dashboard — you never touch the static files again after the one-time install.

Static Site Privacy Compliance Checklist (2026)

📋 HTML / Static Site Compliance Checklist — 2026 11 items
Audit every external script loading on your static siteCheck GTM tags, embedded code, app/plugin scripts, and any integration that calls a third-party domain
Verify external JavaScript is blocked before consent — not just first-party cookiesTest in your browser's DevTools Network tab in a private/incognito window before accepting anything
Add ConsentPixel as the first element in <head> on every page (or in your shared include)A shared header include or build partial guarantees the tag appears first on every page of a multi-page static site
Configure Google Consent Mode v2 with all four parametersRequired for EEA/UK Google Ads — the default-deny state must fire before GTM or GA4 loads
Block session-replay tools before consent$5,000/visitor CIPA exposure — Hotjar, Clarity, Lucky Orange must never run before explicit consent
Implement GPC browser signal recognitionMandatory in California, Colorado, Virginia, and Connecticut — most native banners do not provide this
Add a "Do Not Sell or Share" opt-out for US visitorsRequired across California and all 19 active US state privacy laws in 2026
Consent-gate all embedded third-party content — maps, video, social widgetsYouTube, Google Maps, and X/Twitter embeds set third-party cookies and must be gated for GDPR
Update your privacy policy to disclose all external integrationsName GA4, GTM, Meta, LinkedIn, Hotjar, and any automation platform as third-party data recipients
Maintain a full timestamped consent audit logRequired under GDPR Article 5(2) accountability — keep an exportable record of every consent choice
Re-test after any static template, theme, or app changeUpdates can change script load order — confirm ConsentPixel still loads first after any change

Frequently Asked Questions

Yes — ConsentPixel installs on any HTML site as a single <script> tag placed first in your <head>. Plain HTML has no native consent layer, so the scripts you hardcode fire on load with nothing to gate them. ConsentPixel becomes that consent layer with no framework or build step required.
Any of them. ConsentPixel is just a script tag, so it works identically on Netlify, Vercel, GitHub Pages, Amazon S3, Cloudflare Pages, cPanel shared hosting, or your own server. The host only serves your files — ConsentPixel runs in the browser.
Yes — the snippet must be in the <head> of every HTML page. The reliable way to do this on a multi-page site is a shared header include, an SSI directive, or a static-site-generator head partial, so the tag renders into every page automatically.
If your site runs session-replay or heatmap tools and receives California visitors, CIPA applies regardless of how the site is built. California's wiretapping statute carries statutory damages of up to $5,000 per affected visitor with no proof of harm required. ConsentPixel blocks all session-replay scripts before consent.
No — and static sites are speed-sensitive, so this matters. ConsentPixel loads asynchronously from Cloudflare's edge and adds only a few kilobytes. Because it holds tracking scripts until consent, first-time visitors often load fewer scripts on first paint.
No. ConsentPixel requires no framework, bundler, or server-side code — it is a plain <script> tag. If you do use a static-site generator, you can add it to your base layout's head partial once so it renders into every page on build.
Static Site Compliance — One Tag, Any Host

One script tag in your <head>.
Every hardcoded tracker covered.

ConsentPixel — Privacy · Verified blocks the GA4, pixels, and embeds your hand-coded site loads with no native consent layer — while passing all four GCM v2 parameters and honouring GPC signals. No framework, no build step. Works on any host.

Scroll to Top