ConsentPixel – Privacy · Verified

Drupal 7 · 10 · CMS ⚡ No Module Required

Cookie Consent for
Drupal That Closes
the Module Gap.

Drupal CMS 1.0 ships with Klaro built in. The EU Cookie Compliance module has been installed millions of times. But both carry the same critical limitation: they cannot block external JavaScript — so GA4, Meta Pixel, Hotjar, and every other third-party tracking script fires regardless of what your visitor chose. ConsentPixel — Privacy · Verified closes this gap with one script tag. No module. No Composer dependency. No code review cycle.

Start Free 14-Day Trial → Scan My Drupal Site
Drupal 7, 10 & Drupal CMS
GDPR · CCPA · CIPA · 19 US state laws
Google Consent Mode v2 built in
Works alongside or replaces Klaro
1M+
EU Cookie Compliance module active installs on Drupal sites
$5,000
Per-visitor CIPA exposure from session-replay on California traffic
€20M
Max GDPR fine — or 4% of global annual revenue
5 min
To add ConsentPixel to any Drupal theme — no module required

The Critical Gap in Drupal's Built-In Privacy Modules

Drupal has a strong open-source privacy culture and a rich module ecosystem for consent management. Drupal CMS 1.0, released in January 2025, made Klaro Cookie & Consent Manager a built-in component — the most significant native privacy feature in Drupal's history. The EU Cookie Compliance module has been installed on over a million Drupal sites. For a CMS built on community trust and enterprise reliability, these tools represent a genuine commitment to privacy.

But both carry a limitation that Drupal's own documentation acknowledges explicitly — and that most site owners do not notice until they run a compliance audit or receive a regulatory inquiry.

⚠ Official Drupal Documentation Warning EU Cookie Compliance module — stated limitation

The EU Cookie Compliance module's own documentation states: "Important: This module can only prevent cookies from being set on the current site. External JavaScripts will still be able to set their own cookies."

This is not a bug — it is an architectural limitation of how Drupal-native cookie management works. The module can control cookies your Drupal theme and modules set directly. It cannot intercept and block JavaScript loaded from external domains — like ga4, fbq (Meta Pixel), Hotjar's script, or any GTM tag — before those scripts fire and transmit data to third-party servers.

✗ GA4 still fires

Google Analytics 4 loaded via Google Tag Manager or a Drupal GA module fires on page load regardless of the visitor's consent choice in the EU Cookie Compliance banner.

✗ Meta Pixel still fires

The Meta Pixel and any other social advertising tag loaded externally executes before and after consent — sharing browse behaviour with Meta's ad network unconditionally.

✗ Hotjar / Clarity still fire

Session-replay scripts added via the theme or a Drupal module run regardless of consent state — creating $5,000/visitor CIPA exposure for every California visitor.

✗ GTM tags still fire

Every tag inside a Google Tag Manager container — conversion pixels, remarketing, analytics — fires in full regardless of what the visitor chose on the consent banner.

Klaro in Drupal CMS 1.0 addresses this better for Drupal-managed content — embedded maps, YouTube iframes, and features Drupal CMS controls natively. But external JavaScript loaded via GTM or directly injected into the theme still falls outside Klaro's blocking scope. For any Drupal site with a real marketing and analytics stack, neither module provides the technical script blocking that GDPR actually requires.

Trackers Commonly Running on Drupal Sites

Drupal's enterprise, government, media, and higher education user base means its sites tend to carry sophisticated analytics configurations — often including multiple measurement tools, accessibility tools, marketing pixels, and third-party content embeds. These are the most common tracking integrations found on Drupal sites and the specific privacy law exposure each creates.

📊
Google Analytics 4
GDPR · CCPA · GCM v2
Installed via the Google Analytics module or GTM. Fires on every page load. Drupal's EU Cookie Compliance module cannot block it — GA4 loads from Google's CDN regardless of banner state.
🔖
Google Tag Manager
GDPR · GCM v2 Required
Often added via the GTM module or theme. All GTM tags fire regardless of Drupal consent modules. GCM v2 default block must fire before GTM loads — not inside any Drupal module output.
📘
Meta Pixel
GDPR · CCPA · CIPA
External JavaScript that Drupal's consent modules cannot intercept. Fires on all pages, sharing browsing behaviour and content engagement data with Meta's ad network.
🔥
Hotjar / Clarity
GDPR · CIPA
Session-replay scripts loaded via the theme or a module. Neither Klaro nor EU Cookie Compliance blocks these — $5,000/visitor CIPA exposure for California visitors with no consent gate.
🗺️
Embedded Maps (Google/Leaflet)
GDPR
Drupal CMS's Klaro handles maps enabled through Drupal CMS features. But Google Maps iframes added via custom modules or themes load independently and require separate consent gating.
🎯
LinkedIn Insight Tag
GDPR · CCPA
Common on Drupal sites serving professional and B2B audiences. External pixel that fires regardless of Drupal consent modules. Often overlooked in compliance configurations.
📹
YouTube / Vimeo Embeds
GDPR
Klaro in Drupal CMS can handle Drupal-managed video embeds. Custom-coded video embeds via the theme or other modules may load YouTube tracking independently.
💬
Live Chat (Intercom, Drift)
GDPR · CCPA
B2B and enterprise Drupal sites frequently run live chat tools. External JavaScript that sets persistent identifiers regardless of Drupal's built-in consent modules.
📧
Marketing Automation (Marketo, HubSpot)
GDPR · CCPA
Enterprise and higher education Drupal sites often integrate marketing automation platforms that install tracking scripts independent of Drupal's module-based consent layer.

Drupal Modules vs. ConsentPixel — What Each Actually Does

Capability EU Cookie Compliance Module Klaro (Drupal CMS 1.0) ConsentPixel
Blocks external JS before consent✗ Documented limitation⚠ Drupal-managed only✓ All registered scripts
Blocks GA4 / GTM tags✗ No✗ No✓ Yes
Google Consent Mode v2 (all 4 params)✗ No✗ No✓ All plans
Global Privacy Control (GPC) detection✗ No✗ No✓ Auto-detected
CIPA session-replay blocking✗ No✗ No✓ Yes
US state law opt-out (19 states)✗ No✗ No✓ All plans
Consent audit log (timestamped)⚠ Basic⚠ Basic✓ Full log, exportable
Blocks Drupal-managed embeds (maps, video)⚠ Partial✓ Yes (Drupal CMS features)✓ When registered
No module install / Composer required✗ Module required✗ Built into Drupal CMS✓ Script tag only
No Drupal core update dependency✗ Must maintain with Drupal✗ Tied to Drupal CMS✓ Independent deployment
🚫
A consent banner that cannot block external JavaScript is not GDPR compliant. GDPR requires that non-essential processing does not occur before consent is obtained. A banner that displays while GA4, Meta Pixel, and Hotjar continue firing in the background satisfies the notice requirement but not the consent requirement. Every enforcement action against websites in 2025–2026 has been specifically about scripts firing before or regardless of consent — not about missing banners.

See what fires on your Drupal site despite your consent module

ConsentPixel scans your Drupal site in a fresh session — no cache, no prior consent — and shows every external script transmitting data before any consent is recorded.

Scan My Drupal Site →

How to Install ConsentPixel on Drupal

ConsentPixel installs on Drupal as a single script tag in the document head — no Drupal module installation, no Composer package, no code review process. It must load before all other scripts in the head to ensure pre-consent blocking works correctly. There are three approaches depending on your Drupal version and access level.

1

Create your ConsentPixel account and scan your site

Sign up at consentpixel.com, add your Drupal site domain, and run the auto-scanner. ConsentPixel maps every tracker and external script across your site — including those loaded via GTM, Drupal modules, and custom theme code. Copy your unique pixel snippet from the dashboard.

2

Method A — Theme template (recommended for Drupal 8/9/10)

Add the ConsentPixel snippet to your theme's html.html.twig file as the very first element inside the <head> tag — before your GTM snippet, before the Drupal {{ head }} variable, before all other script output.

themes/custom/yourtheme/templates/html.html.twig 
<head>
  {# ConsentPixel — must be first script in head #}
  <script
    src="https://pixel.consentpixel.com/YOUR-SITE-ID.js"
    async></script>

  {# Drupal head output below — includes GTM, GA4 modules etc. #}
  {{ head }}
  ...

Placing the snippet before {% raw %}{{ head }}{% endraw %} ensures ConsentPixel fires before any module-injected head scripts including the Google Analytics module and GTM module outputs.

3

Method B — Drupal admin JavaScript injection (no theme edit needed)

In the Drupal admin, navigate to Admin → Appearance → Settings → your active theme. Scroll to the JavaScript Code / Additional JavaScript field (if your theme supports this setting) and paste the ConsentPixel snippet. Save the configuration and clear Drupal's cache.

Alternatively, use the Administration menu → Configuration → Development → JavaScript aggregation settings to add a custom head script. The exact path varies by Drupal version and installed modules — your site's admin or developer will know the correct location.

4

Method C — Drupal 7: page.tpl.php

For Drupal 7 sites, add the snippet to your theme's page.tpl.php file as the first element inside the <head> tag:

sites/all/themes/yourtheme/page.tpl.php 
<head>
  <!-- ConsentPixel — first script in head -->
  <script
    src="https://pixel.consentpixel.com/YOUR-SITE-ID.js"
    async></script>

  <?php print $head; ?>
  ...
5

Register your external scripts and configure GCM v2

In the ConsentPixel dashboard, register each external tracking tool by consent category: Analytics (GA4, Adobe Analytics), Marketing (Meta Pixel, LinkedIn, TikTok), Functional (live chat, marketing automation), Session Recording (Hotjar, Clarity). ConsentPixel will block each category until the visitor consents.

Enable Google Consent Mode v2. ConsentPixel injects all four GCM v2 parameters before any Google tag loads — including before your GTM module output fires. This is the correct firing sequence that Drupal's GTM module cannot guarantee on its own.

6

Decide how to handle Drupal's existing consent modules

You have two options. Option A — Layered approach: Keep Klaro (for Drupal CMS embedded content) or EU Cookie Compliance (for Drupal-native cookies) running alongside ConsentPixel, which handles all external scripts. This maintains Drupal CMS's native privacy features while adding true external script blocking. Option B — ConsentPixel only: Disable EU Cookie Compliance or Klaro, and let ConsentPixel handle all consent including Drupal-native features. This provides a single unified consent experience and a single consent log. Either approach eliminates the external JavaScript gap.

💡
Using Drupal's Google Analytics module or GTM module? Both inject their script output via Drupal's standard head hooks — which means they fire after the {{ head }} Twig variable renders. Placing ConsentPixel before {{ head }} in your template ensures it loads first. Verify load order with DevTools Network tab: ConsentPixel's domain must appear before googletagmanager.com or google-analytics.com in the waterfall — if not, check the template position and clear Drupal's render cache.

What ConsentPixel Does for Your Drupal Site

🛡️

Closes the external JS gap

Intercepts and blocks external tracking scripts — GA4, Meta Pixel, GTM tags, Hotjar, LinkedIn — before consent is established. Addresses the documented limitation of EU Cookie Compliance and Klaro that cannot block externally hosted JavaScript.

📡

Google Consent Mode v2 — correct head order

Injects all four GCM v2 parameters as the first head script, before Drupal's GTM module or GA4 module output fires. Protects Google Ads conversion measurement for EU and UK visitors — the gap Drupal's module-injected GCM v2 implementations frequently miss.

🌐

GPC browser signal detection

Automatically detects the Global Privacy Control signal and suppresses targeted advertising scripts for California, Colorado, Virginia, and Connecticut visitors — a requirement Drupal's built-in modules do not address at all.

🔥

CIPA session-replay protection

Blocks Hotjar, Clarity, and session-replay tools before consent — critical for enterprise and media Drupal sites that use these tools for UX research and receive California traffic. Eliminates $5,000/visitor CIPA exposure.

🏛️

Government and institution data compliance

Drupal powers thousands of government, university, and healthcare websites. These organisations face elevated GDPR accountability obligations and often handle special category data. ConsentPixel's consent log provides the GDPR Article 5(2) accountability documentation these organisations require.

🔍

No Drupal update dependency

ConsentPixel deploys independently of your Drupal update cycle. Module updates, security patches, and Drupal version upgrades do not affect your consent configuration or consent logs. Compliance continues without coordination with your development team.

Drupal Privacy Compliance Checklist (2026)

📋 Drupal Site Compliance Checklist — 2026 12 items
Audit every external script loading on your Drupal siteCheck GTM tags, Drupal analytics modules, theme-injected scripts, and any custom module that calls external APIs
Verify external JavaScripts are blocked before consent — not just Drupal-native cookiesEU Cookie Compliance module explicitly cannot block external JS — test in DevTools Network tab in incognito
Add ConsentPixel before {{ head }} in your Twig templateMust precede all module-injected head scripts — incorrect order breaks pre-consent blocking
Configure Google Consent Mode v2 with all four parametersRequired for EEA/UK Google Ads — must fire before GTM module output, not inside a Drupal module
Block session-replay tools before consent — especially on authenticated pages$5,000/visitor CIPA exposure — Hotjar, Clarity, Lucky Orange must never run before explicit consent
Implement GPC browser signal recognitionMandatory in California, Colorado, Virginia, and Connecticut — no Drupal module currently provides this
Decide: ConsentPixel alongside or replacing Klaro / EU Cookie ComplianceLayered approach retains Drupal CMS native features; ConsentPixel-only provides unified consent experience
Add "Do Not Sell or Share" opt-out for US visitorsRequired for California and all 19 active US state privacy laws in 2026
Review all embedded third-party content — maps, video, social widgetsYouTube, Google Maps, Twitter/X embeds set third-party cookies — must be consent-gated for GDPR
Update privacy policy to disclose all external script integrationsName GA4, GTM, Meta, LinkedIn, Hotjar, marketing automation platforms as third-party data recipients
Maintain a full consent audit log for GDPR accountabilityRequired under GDPR Article 5(2) — Drupal's built-in modules provide only basic logging
Test after every Drupal update and module updateCore updates can affect template rendering order — verify ConsentPixel still loads first after any update

Frequently Asked Questions

Drupal CMS 1.0 ships with the Klaro Cookie & Consent Manager built in, and the EU Cookie Compliance module has over a million active installs on older Drupal sites. However, both have a critical documented limitation: they can only block cookies set directly by the Drupal site — external JavaScript loaded from third-party domains (GA4, Meta Pixel, Hotjar, GTM tags) fires regardless of visitor consent choice. This means any Drupal site with a real analytics and marketing stack is technically non-compliant under GDPR even with these modules active.
Add the ConsentPixel script tag to your theme's html.html.twig (Drupal 8/9/10) as the first element inside <head>, before the {{ head }} Twig variable. For Drupal 7, add it to page.tpl.php before the <?php print $head; ?> output. No Drupal module installation, no Composer package, no code review cycle required. Clear Drupal's render cache after adding, and verify load order in DevTools Network tab.
Drupal's own EU Cookie Compliance module documentation states: "Important: This module can only prevent cookies from being set on the current site. External JavaScripts will still be able to set their own cookies." This is an architectural limitation — the module controls Drupal-generated cookies but cannot intercept externally hosted JavaScript. Any GA4, Meta Pixel, Hotjar, or GTM-loaded script fires unconditionally regardless of what a visitor chooses on the consent banner.
Yes. The recommended layered approach: keep Klaro handling Drupal CMS's native embedded content (maps, videos, features), and let ConsentPixel handle all external tracking scripts (GA4, GTM, Meta Pixel, Hotjar). Both can coexist — Klaro manages Drupal-managed features, ConsentPixel closes the external JavaScript gap Klaro cannot address. Alternatively, disable Klaro and use ConsentPixel for all consent including Drupal-native features, providing a single unified consent experience and consent log.
Yes — if your Drupal site uses session-replay tools (Hotjar, Clarity, Lucky Orange) and receives visitors from California, CIPA applies. Enterprise and media Drupal sites frequently run these tools for UX research. Neither Klaro nor EU Cookie Compliance has CIPA-specific session-replay blocking. $5,000 per affected California visitor, no proof of harm required. ConsentPixel blocks all session-replay tools before consent.
No — ConsentPixel deploys entirely independently of your Drupal update cycle. It is a single script tag in your theme template that references a file served from Cloudflare's edge network. Drupal core updates, module security patches, and Drupal version upgrades do not affect ConsentPixel's operation or your consent configuration. The only thing to verify after a major Drupal update is that the template change was preserved and the script still loads first in the head — which takes 30 seconds in DevTools.
Drupal Compliance — Close the External JavaScript Gap

One script tag in your Twig template.
Every external script covered.

ConsentPixel — Privacy · Verified blocks the external JavaScript that Drupal's EU Cookie Compliance module and Klaro cannot touch — GA4, GTM tags, Meta Pixel, session-replay — while passing all four GCM v2 parameters and detecting GPC signals. No module. No Composer. No update dependencies.

Start Free 14-Day Trial Scan My Drupal Site →
Scroll to Top