Block third-party scripts (no GTM needed)
The consent loader blocks tagged third-party trackers until the visitor consents to the matching category, and releases them automatically afterwards — a real script blocker, not just a Google Consent Mode signal.
1. Tag the scripts you want to block
Add type="text/plain" and a data-ach-category attribute to each tracker. A text/plain script is parsed but never executed by the browser, so it stays blocked by default. For external scripts, move the URL from src to data-src.
<!-- External tracker (e.g. Meta Pixel loader) -->
<script type="text/plain" data-ach-category="marketing"
data-src="https://connect.facebook.net/en_US/fbevents.js"></script>
<!-- Inline tracking snippet -->
<script type="text/plain" data-ach-category="analytics">
// your analytics init code here
</script>
Valid categories: necessary, functional, analytics, marketing, preferences. Scripts in the necessary category run immediately.
2. That's it — the loader does the rest
When a visitor accepts a category (or had previously accepted it), the loader swaps each matching text/plain script for an executable one so it runs. Scripts injected later are picked up automatically via a MutationObserver. Categories the visitor declined stay blocked.
3. Verifying
1. Open the site in incognito. Before deciding, confirm the tagged scripts have not run (e.g. no Meta Pixel network calls in the Network tab).
2. Click Accept all (or just the relevant category). Confirm the tracker now loads.
3. Re-open preferences and reject a category. The change takes effect on the next page load — a script that already executed cannot be un-run (standard CMP behaviour).
<head> still fires. Run the cookie scanner to discover third-party scripts on your site, then tag each one. See compliance notes.
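A static pre-check to run alongside the verification steps above: it audits a page's script tags against the tagging rules from step 1 and reports which ones would run before consent or are mis-tagged. This is an added example, not the consent loader's own code; the function names and the sample HTML are constructed for illustration, and the parsing is a regex simplification rather than a full HTML parser.

```javascript
// Added example: static audit of <script> tags against the tagging rules on this page.
const VALID = new Set(["necessary", "functional", "analytics", "marketing", "preferences"]);
// Common type values the browser executes (empty string = no type attribute).
const EXECUTABLE = new Set(["", "module", "text/javascript", "application/javascript"]);

// Parse the attribute text of one opening tag into a map with lower-cased names.
function parseAttrs(text) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of text.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return attrs;
}

// Classify one script: "blocked", "runs" (by design), "unblocked", "fix" or "inert".
function classify(attrs) {
  const type = (attrs.type ?? "").trim().toLowerCase();
  const cat = attrs["data-ach-category"];
  if (type === "text/plain") {
    if (cat === undefined) return ["fix", "no data-ach-category to release it under"];
    if (!VALID.has(cat)) return ["fix", `unknown category "${cat}"`];
    if ("src" in attrs) return ["fix", "move the URL from src to data-src"];
    if (cat === "necessary") return ["runs", "necessary scripts run immediately"];
    return ["blocked", `held until "${cat}" is accepted`];
  }
  if (EXECUTABLE.has(type)) return ["unblocked", cat ? "tagged, but type is not text/plain" : "untagged"];
  return ["inert", `data block of type "${type}"`];
}

// Audit every <script> in an HTML string. Simplification: regex-based, so an
// attribute value containing ">" is not handled; HTML comments are skipped.
function auditScripts(html) {
  const visible = html.replace(/<!--[\s\S]*?-->/g, "");
  return [...visible.matchAll(/<script\b([^>]*)>/gi)].map((m) => {
    const attrs = parseAttrs(m[1]);
    const [verdict, reason] = classify(attrs);
    return { script: attrs.src ?? attrs["data-src"] ?? "(inline)", verdict, reason };
  });
}

// Constructed sample page (URLs under example.com are placeholders).
const SAMPLE = `<head>
<script src="https://tracker.example.com/t.js"></script>
<script type="text/plain" data-ach-category="marketing" data-src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script type="text/plain" data-ach-category="analytics">/* init */</script>
<script type="text/plain" data-ach-category="marketing" src="https://ads.example.com/a.js"></script>
<script data-ach-category="analytics">/* runs: type missing */</script>
<script type="text/plain" data-ach-category="stats">/* typo */</script>
</head>`;
console.table(auditScripts(SAMPLE));
```

Rows marked "unblocked" execute regardless of the visitor's choice, and rows marked "fix" are inert but do not follow the tagging rules, so check both before relying on the Network-tab test.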