Features

Every capability, no asterisks

consentline is engineered around one promise — nothing reaches a tracker before consent — and the operational tooling to prove it. Here's exactly how each piece works.

01 · THE LEAD

True hard-block

Most CMPs lean on Google Consent Mode — tags still load and send "cookieless" pings before the visitor agrees. consentline doesn't gate; it blocks. gtm.js never enters the document until consent is granted.

  • No cookieless pings, no g/collect beacons pre-consent
  • Built for a defensible CIPA / CCPA litigation posture
  • Cookieless analytics you choose to leave ungated still run

network · before consent

www.googletagmanager.com/gtm.js       blocked
www.google-analytics.com/g/collect    blocked
googleads.g.doubleclick.net           blocked
cdn.usefathom.com/script.js           allowed*

*cookieless analytics, ungated by your config

02

Jurisdiction-aware

consentline geo-detects each visitor at the edge and applies the correct ruleset across eight US state privacy laws — with a conservative baseline and a fail-closed fallback when detection is uncertain.

CPRA · VCDPA · CPA · CTDPA · DPDPA · TDPSA · OCPA · NJDPA

Detected location: California, US
Applied ruleset: CPRA
Opt-out of sale/share: required
Default state: all tags blocked
Detection failed? fail closed

03

GPC honored

When a browser sends a Global Privacy Control signal, consentline treats it as a valid opt-out — automatically, and on every return visit. No banner nagging for visitors who've already expressed a preference at the browser level.

Sec-GPC signal detected

Opt-out applied automatically. Targeting & analytics tags stay blocked — no click required.

04

Append-only consent log

Every consent choice is recorded to an append-only audit trail at the edge (Cloudflare D1) — visitor IPs are salted-and-hashed, never stored raw, and duplicate writes are ignored. Export the whole log as CSV evidence for audits and DSARs — the proof regulators and plaintiffs' attorneys ask for.

Consent log

timestamp    choice            region
14:02:41Z    accept-all        US-CA
14:02:55Z    reject-all        US-VA
14:03:10Z    analytics-only    US-CO
14:03:22Z    gpc-auto          US-CT

Cloudflare D1 · append-only · salted IP hash · CSV export

05

GTM-native & declarative

Drop it into Google Tag Manager and gate tags with plain markup — type="text/plain" data-consent on scripts and data-consent-src on iframes. No DOM monkey-patching, no proxy shims, nothing to break on your next deploy.

index.html

<!-- gated until consent -->
<script type="text/plain"
        data-consent="analytics"
        src="/gtm.js"></script>

<iframe data-consent-src="//maps…"
        data-consent="functional"></iframe>
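
A static check for pages that adopt this markup convention, as an added example (not consentline's code): it lists every script or iframe that the browser would fetch before any consent logic runs, plus gated tags that carry no category. The function names, the `shop.example`, `maps.example` and `video.example` hosts, the `/pixel.js` path and the GTM container id are constructed placeholders, and the "missing-category" rule is an assumption about how gated tags are released.

```javascript
// Added example: static audit of pages that use the gating markup shown above.
// Not consentline code. Regex tag scanning is a simplification for a short example.
const TAG_RE = /<(script|iframe)\b([^>]*)>/gi;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Script types a browser executes; any other type (e.g. text/plain) stays inert.
const JS_TYPES = new Set(["", "module", "text/javascript", "application/javascript"]);

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

function auditGating(html, baseUrl, allowedHosts) {
  const findings = [];
  for (const [, name, raw] of html.matchAll(TAG_RE)) {
    const tag = name.toLowerCase();
    const a = parseAttrs(raw);
    const type = (a.type ?? "").toLowerCase();
    // URL the browser fetches immediately, with no consent logic involved.
    const liveUrl = tag === "iframe" ? a.src : JS_TYPES.has(type) ? a.src : undefined;
    if (liveUrl) {
      const host = new URL(liveUrl, baseUrl).hostname;
      if (!allowedHosts.includes(host)) {
        findings.push({ tag, url: liveUrl, issue: "loads-before-consent" });
      }
    }
    // Assumption: a gated tag with no data-consent category can never be released.
    const gatedUrl =
      tag === "iframe" ? a["data-consent-src"] : type === "text/plain" ? a.src : undefined;
    if (gatedUrl && !a["data-consent"]) {
      findings.push({ tag, url: gatedUrl, issue: "missing-category" });
    }
  }
  return findings;
}

// Constructed sample page; hosts not named on this page are placeholders.
const SAMPLE = `
<script src="https://cdn.usefathom.com/script.js" defer></script>
<script type="text/plain" data-consent="analytics" src="/gtm.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<iframe data-consent-src="//maps.example/embed" data-consent="functional"></iframe>
<iframe src="https://video.example/embed/1"></iframe>
<script type="text/plain" src="/pixel.js"></script>`;
const ALLOWED = ["shop.example", "cdn.usefathom.com"]; // first party + ungated cookieless analytics
console.log(auditGating(SAMPLE, "https://shop.example/", ALLOWED));
```

Run it against rendered templates in CI; the allowlist is where the cookieless analytics left ungated by configuration are declared.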

06

Fast & supply-chain-safe

A tiny vanilla-JS banner — no framework, no runtime dependency. Every release is an immutable, SRI-pinned artifact (sha384) served from the CDN, so the exact bytes you reviewed are the exact bytes that run.

4.3 KB

gzipped · zero dependencies

integrity

sha384-2wlN3D9…immutable…6hSfx7le

Head to head

consentline vs. a typical CMP

Capability                        consentline     Typical CMP
Blocks gtm.js before consent      Yes             Consent-mode only
Cookieless pings pre-consent      None            Sent
Global Privacy Control (GPC)      Auto-applied    Varies
Multi-state rule engine           8 laws          Add-on
Append-only audit-log export      CSV             Limited
SRI-pinned immutable releases     sha384          No
GTM-native, declarative gating    Yes             Wrapper SDK
Banner weight                     4.3 KB          40–120 KB

See it block tags on your own site

A 20-minute demo with a live before/after network capture — on a page you pick.
