CMP configuration functionality_storage

Borlabs Cookie (CMP) — consent fix

Borlabs Cookie is detected as CMP, but GTM tags fire before the Borlabs consent status is established. Common causes: (1) GTM loads synchronously in <head> before Borlabs has initialised, (2) tags are not tied to the Borlabs consent check, (3) Borlabs 3.x uses a new API that differs from 2.x — sites that upgrade break their existing GTM triggers.

Domains

  • borlabs-cookie.s3.amazonaws.com
  • cdn.borlabs.io

Cookies

  • borlabs-cookie

Borlabs Cookie is a widely used Consent Management Platform (CMP) for WordPress. If the scanner indicates that your website loads trackers before consent, it is not an issue with Borlabs itself. It means that your configuration — or more commonly, the connection between Borlabs and Google Tag Manager (GTM) — is incorrect. As a result, the consent you collect is not legally valid under the GDPR.

Why Borlabs triggers a warning

Most problems with Borlabs arise from flawed implementations and, in particular, the major update from Borlabs version 2 to version 3.

  1. GTM loads too early: GTM is loaded hardcoded (synchronously) in the <head> of the site, before Borlabs even gets the chance to initialise the consent state.
  2. Tags ignore Borlabs: The marketing and analytics tags in GTM are set to fire on 'All Pages' and do not check whether Borlabs has actually given the green light.
  3. The Upgrade Trap: Websites that upgraded from version 2.x to 3.x often still run on outdated GTM triggers. (Version 2.x operated via window.Borlabs.Cookie, whereas version 3.x requires the new borlabs_cookie_consent_saved event).

The Fix: Properly connect Borlabs and GTM

To make the connection between Borlabs and your scripts watertight, you must specifically check the Google Consent Mode settings.

1. Activate Google Consent Mode v2 (For version 3.x)

Borlabs 3.x features native support for Consent Mode v2. This is by far the safest way to manage GTM.

  1. In your WordPress dashboard, go to Borlabs Cookie > Settings.
  2. Navigate to the Google Consent Mode settings.
  3. Enable the integration.
  4. Ensure that the defaults for GDPR regions are set strictly (all storage types set to denied).

2. Check GTM for Consent Checks

Now that Consent Mode is enabled, GTM must listen to it.

  1. Open your GTM workspace.
  2. Go to your tags for marketing (e.g., Meta Pixel) and analytics (e.g., Google Analytics).
  3. Check the Consent Settings (under Advanced Settings). Ensure it specifically states that ad_storage or analytics_storage is required.

3. The alternative route (Custom Events in GTM)

If you do not or cannot use Consent Mode, you must fire the tags in GTM based on Borlabs' events.

  • For Borlabs 3.x: Use the event name borlabs_cookie_consent_saved in your GTM Custom Event triggers.
  • Ensure that you either load the GTM container code via Borlabs itself (as a Script Blocker component), or use the data layer event as a trigger. Never just use "All Pages".

How to Verify the Fix

Use Google Tag Assistant in combination with your browser's Network tab.

  1. Open your website in an incognito window with Tag Assistant activated.
  2. Check the Tag Assistant interface before you click the cookie banner. Your tracking tags must absolutely not be listed as 'Fired'. The Consent Mode tab should show everything as denied.
  3. Click 'Deny all' in the Borlabs banner.
  4. Review the subsequent events in Tag Assistant. Still, no marketing tags should fire.
  5. In the Network tab (F12), there must be no calls to Facebook, Google Ads, or other trackers visible.

Not sure if the fix worked, or want to verify that no other scripts are leaking data? Run a free scan with ConsentChecker.eu for instant confirmation.

Sources

Go directly to Borlabs Cookie

View the official documentation and configuration options for Borlabs Cookie.

View Borlabs Cookie →

Check your own site

Scan your website for free to see if Borlabs Cookie (CMP) (or other trackers) loads before consent.

Start free scan →