Cookie Consent for
Any HTML Site That
Actually Blocks Scripts.
A hand-coded or static site does exactly what you wrote into it — including every analytics tag, pixel, and embed you hardcoded into the <head>. There is nothing in plain HTML to hold those scripts for consent; they fire on load. ConsentPixel — Privacy · Verified blocks every registered script with one <script> tag, on any host: Netlify, Vercel, GitHub Pages, S3, cPanel, or your own server.
The Gap: Plain HTML Has No Consent Layer
A static or hand-coded site is the simplest case and, for consent, one of the riskiest. Whatever scripts you placed in the <head> — a Google Analytics tag, a Meta Pixel, a Hotjar snippet, an embedded map or video — execute exactly as written, in order, the moment the browser parses the page. There is no platform, no plugin, and no setting between them and the visitor.
That means there is nothing native to defer a tracker until consent. Plain HTML has no concept of consent at all. Every tag you hardcoded fires on load, on every page, for every visitor — regardless of where they are or what they would have chosen.
Static hosting — Netlify, Vercel, GitHub Pages, S3, cPanel, or a plain server — serves your HTML as-is. The host does not add or gate scripts; it just delivers the files. Any tracking is whatever you hardcoded.
Because there is no layer between your markup and the browser, a visitor in the EU loads your page and every hardcoded GA, pixel, and embed transmits data immediately — there is nothing to show a banner or hold a script.
✗ Hardcoded GA / pixels fire on load
Any analytics or pixel tag in your <head> runs the instant the page is parsed — there is nothing to defer it.
✗ Embeds track on render
Hardcoded YouTube, Maps, and social embeds set third-party cookies and load tracking when the page renders.
✗ Session-replay runs pre-consent
A hardcoded Hotjar or Clarity snippet records from page load — $5,000/visitor CIPA exposure for California visitors.
✗ No GCM v2 / GPC handling
Plain HTML has no mechanism to set Google Consent Mode v2 parameters or detect the Global Privacy Control signal.
The simplicity that makes static sites fast and cheap also means there is zero built-in compliance. If your hand-coded site has any third-party tag at all and receives EU or California traffic, it is loading regulated scripts before consent with nothing to stop them.
Trackers Commonly Hardcoded into HTML Sites
Static and hand-coded sites carry whatever you pasted into the <head> — usually analytics, a pixel or two, and a few embeds. These are the integrations most commonly found, and the privacy exposure each creates.
Plain HTML vs. ConsentPixel
Plain HTML executes your tags exactly as written, with no gate. ConsentPixel is a single tag that becomes the consent layer your static site never had.
| Capability | Plain HTML (native) | ConsentPixel |
|---|---|---|
| Blocks external JS before consent | ✗ Not supported | ✓ All registered scripts |
| Blocks GA4 / GTM tags | ✗ No | ✓ Yes |
| Google Consent Mode v2 (all 4 params) | ✗ No | ✓ All plans |
| Global Privacy Control (GPC) detection | ✗ No | ✓ Auto-detected |
| CIPA session-replay blocking | ✗ No | ✓ Yes |
| US state law opt-out (19 states) | ✗ No | ✓ All plans |
| Timestamped consent audit log | ⚠ Basic / none | ✓ Full log, exportable |
| Page-scoped consent enforcement | ✗ No | ✓ Yes |
| Works without platform plan upgrade | ⚠ Often gated | ✓ Any plan |
See what your static site fires before any consent
ConsentPixel scans your live site in a fresh session — no cache, no prior consent — and shows every hardcoded script transmitting data on load, on any host.
How to Install ConsentPixel on Any HTML Site
ConsentPixel installs on any HTML site as a single <script> tag — no framework, no build step, no host-specific setup. It must be the first element in your <head> so pre-consent blocking works correctly, and it runs identically on Netlify, Vercel, GitHub Pages, S3, cPanel, or your own server.
Create your ConsentPixel account and scan your site
Sign up at consentpixel.com, add your domain, and run the auto-scanner. ConsentPixel maps every tracker across your pages — including the tags and embeds you hardcoded. Copy your unique pixel snippet from the dashboard.
Paste the snippet as the first element in <head>
Open each HTML file and paste the ConsentPixel snippet as the very first element inside <head>, before any GA, Meta Pixel, GTM, or embed code.
<head>
<!-- ConsentPixel — must be first -->
<script
src="https://pixel.consentpixel.com/YOUR-SITE-ID.js"
async></script>
<!-- Your GA / Meta / GTM / embeds below -->
</head>If you use a shared header include, an SSI directive, or a build-step partial, add it there once so it appears on every page automatically.
Deploy or upload your files
Push to Netlify or Vercel, commit to GitHub Pages, sync to S3, or upload via FTP/cPanel — whatever your workflow is. ConsentPixel begins blocking registered scripts as soon as the updated files are live.
Register your scripts and configure GCM v2
In the ConsentPixel dashboard, register each tool by consent category: Analytics (GA4), Marketing (Meta, LinkedIn), Functional (live chat), Session Recording (Hotjar, Clarity). ConsentPixel holds each category until the visitor consents.
Enable Google Consent Mode v2 — ConsentPixel injects all four GCM v2 parameters as the first head script, before your GTM container or GA4 loads.
Cover every page
Make sure the snippet is in the <head> of every HTML file, not just the homepage. A shared include or build partial is the reliable way to guarantee full coverage across a multi-page static site.
What ConsentPixel Does for Your HTML Site
Blocks your hardcoded scripts
Intercepts GA4, Meta Pixel, GTM, and Hotjar tags you placed in your <head> — the scripts plain HTML has no way to gate — and holds them until consent.
Google Consent Mode v2 — correct order
Injects all four GCM v2 parameters as the first head script, before your GTM or GA4 runs. Protects Google Ads measurement for EU and UK visitors.
GPC browser signal detection
Automatically honours the Global Privacy Control signal for California, Colorado, Virginia, and Connecticut visitors — impossible to do in plain HTML alone.
CIPA session-replay protection
Blocks Hotjar, Clarity, and Lucky Orange before consent — eliminating the $5,000/visitor CIPA exposure California traffic creates.
Any host, no build step
Runs identically on Netlify, Vercel, GitHub Pages, S3, cPanel, or your own server. No framework, no bundler, no server-side code required — just one tag.
One tag, fully managed
Categories, banner text, GCM v2, and the audit log are all configured in the ConsentPixel dashboard — you never touch the static files again after the one-time install.
Static Site Privacy Compliance Checklist (2026)
Frequently Asked Questions
One script tag in your <head>.
Every hardcoded tracker covered.
ConsentPixel — Privacy · Verified blocks the GA4, pixels, and embeds your hand-coded site loads with no native consent layer — while passing all four GCM v2 parameters and honouring GPC signals. No framework, no build step. Works on any host.