If you notice scripts firing on your website before a user has given consent — for example Google Tag Manager, Klaviyo, or Meta/Facebook pixels — CookieFirst gives you three ways to control this. Each method suits different setups, and you may use more than one depending on how your site is built.
Method 1: Automatic Blocking
The simplest way to block known third-party scripts is to enable automatic blocking directly from your CookieFirst dashboard. When turned on, CookieFirst automatically detects and blocks recognized third-party scripts until the user has given the appropriate consent.
You can enable this globally in your domain settings. You can also apply automatic blocking on a per-service basis by setting the integration method to Autoblock in the script section of your domain.
This is a good starting point if you are new to the platform and want a quick, low-effort way to bring your site into compliance for the most common scripts.
Method 2: Manual Tagging
If you manage scripts directly in your website's HTML, you can tag each script individually to control when it loads based on the user's consent category.
To do this, change the script's type attribute to text/plain and add a data-cookiefirst-category attribute with the relevant consent category. CookieFirst will then hold the script until the user consents to that category.
Example:
<script type="text/plain" data-cookiefirst-category="advertising">
/* Your advertising script here */
</script>Common consent categories include advertising, analytics, functional, and necessary. Use the category that best matches the purpose of the script.
This method gives you precise control over individual scripts and works well for tracking pixels such as the Meta/Facebook Pixel.
For a full walkthrough, see the manual tagging guide: https://support.cookiefirst.com/hc/en-us/articles/360011566698-Block-external-scripts-from-loading-or-setting-cookies
Method 3: Containers
Rather than blocking individual scripts, you can use a container — a tool that manages all script firing in one place. CookieFirst supports two container approaches:
Google Tag Manager as a container
If you manage your scripts through GTM, you can configure GTM to respect user consent before firing tags. CookieFirst integrates with GTM and supports Google Consent Mode, meaning GTM tags will only fire once the user has given the appropriate consent type (such as ad_storage or analytics_storage).
For detailed setup instructions, see the GTM integration guide: https://support.cookiefirst.com/hc/en-us/articles/4410412855441-Google-Tag-Manager-and-Google-Consent-Mode-v2
CookieFirst banner as a container
Alternatively, you can use the CookieFirst banner itself as the container, adding third-party scripts directly in the CookieFirst backend under your domain's Third Party Scripts tab. Scripts added here are managed and released by CookieFirst based on user consent, without needing GTM.
For detailed setup instructions, see the CookieFirst container guide: https://support.cookiefirst.com/hc/en-us/articles/360011566358-Load-external-scripts-over-CookieFirst-GDPR-compliance
Shopify-specific setup
If your website runs on Shopify, there is an additional layer to be aware of. CookieFirst communicates consent to Shopify via the Shopify Customer Privacy API, and Shopify then controls when scripts are released on its end.
You can configure how Shopify handles this in the Customer Events section of your Shopify admin, where you can choose between Optimized mode (scripts load based on consent) and Always On mode (scripts always load). Make sure this is set to Optimized to ensure scripts are properly gated behind consent.
Which method should you use?
| Situation | Recommended method |
|---|---|
| You want a quick setup with minimal manual work | Automatic blocking |
| You manage scripts directly in your HTML | Manual tagging |
| You use Google Tag Manager | GTM as a container |
| You prefer to manage everything inside CookieFirst | CookieFirst as a container |
| You are on Shopify | Shopify Customer Privacy API + Customer Events settings |
These methods can also be combined. For example, you might enable automatic blocking as a baseline and use manual tagging for scripts that are not automatically detected.
Further reading
For further information about CookieFirst feel free to browse through our FAQs: https://support.cookiefirst.com/hc/en-us
If you have questions about a specific script or setup, our support team is happy to help.