DE EN

Usercentrics: Reject Path Leaks Trackers

Usercentrics is a Munich-based CMP widely used in DACH. If the dsgvochecker.de reject-path test reports trackers despite the banner being present, the cause is almost always one of these four. Every recommendation sourced from the official Usercentrics docs.

TL;DR: The four most common reject-path leaks on Usercentrics: (1) tracker classified as "Essential", (2) GTM implementation without auto-blocking, (3) Google Consent Mode v2 not enabled, (4) custom service without manual init block.

Cause 1: Is a tracker service wrongly classified as "Essential"?

Essential services run always — without consent. Marketing pixels must never be Essential.

In Usercentrics, trackers are configured as "service templates" assigned to a category: Essential, Functional, Marketing, Statistics. Essential services run always — no consent prompt, before and after reject. If a marketing pixel (e.g. Meta Pixel, Google Analytics) is accidentally classified as Essential, the reject path leaks.

Fix: In the Usercentrics admin under Configuration → Privacy Settings → Services, audit every entry. Tracker services must be in Marketing or Statistics — never in Essential. When in doubt, prefer Functional over Essential.

Source: Usercentrics Knowledge Hub — Cookie Categories Explained

Cause 2: Was Usercentrics deployed via GTM instead of directly in the head?

Via GTM, auto-blocking is not available — the script is there but blocks nothing.

Usercentrics documents this clearly: when the Usercentrics CMP is deployed via Google Tag Manager as a tag, the auto-blocking feature is not available — because GTM loads tags asynchronously and auto-blocking cannot work reliably. Result: the Usercentrics script is there but blocks nothing automatically.

Fix: Embed the Usercentrics init script directly in <head> — before all tracker scripts, before GTM. GTM tags additionally need to be gated by Consent Mode triggers (see Cause 3).

Source: Usercentrics Support — Implementing Usercentrics CMP v3 using GTM

Cause 3: Is Google Consent Mode v2 enabled in Usercentrics?

Without v2, GTM has no consent information — marketing tags fire immediately.

Even with correct Usercentrics setup, GTM tags fire if their trigger does not check a consent condition. Google has required Consent Mode v2 across the board since 2024, and Usercentrics as a certified Google CMP partner is prepared for it — but enabling it is explicit.

Fix: In the Usercentrics admin under Configuration → Google Consent Mode, enable the v2 implementation. In GTM under Admin → Container Settings → Consent Settings, set the default to denied for analytics_storage, ad_storage, ad_user_data, ad_personalization. Usercentrics will then push updates to GTM.

Source: Usercentrics Support — Implementing Google Consent Mode with Usercentrics

Cause 4: Does your custom tool have a manual init block?

Tools outside the service library need a wrapper that listens for the consent event.

If you use a tool not in Usercentrics' service-template library (custom pixels, marketing tools, in-house analytics), you must create a custom service template and wrap the actual tracker init code so it listens for the Usercentrics consent event. If the init code sits in the DOM and runs immediately, it runs both before and after reject.

Fix: Wrap tracker init code as <script type="text/plain" data-usercentrics="Service-Name">, or in JS wait for the UC_UI_INITIALIZED event and then check UC_UI.getServicesBaseInfo() for the service's consent. Example:

window.addEventListener('UC_UI_INITIALIZED', () => {
  const svc = UC_UI.getServicesBaseInfo()
    .find(s => s.name === 'My-Tracker');
  if (svc?.consent?.status === true) {
    // run tracker init code here
  }
});

Source: Usercentrics CMP v3 API Documentation

How do I verify the fix worked?

Clear all caches, then re-scan. If the test reports "Reject path clean", you are GDPR-compliant.

After every change: redeploy the site, clear caches (CDN + browser), and start another reject-path scan at dsgvochecker.de. If the test reports "Reject path clean", your Usercentrics is now GDPR-compliant.

Related guides

Cookiebot Auto-blocking order, GTM Consent Mode, SST Borlabs Cookie (WordPress) Content Blocker, plugin conflicts, cache reset All CMPs at a glance Which CMP dominates the DACH market, comparison

As of: 2026-04-29 · Sources from support.usercentrics.com are linked at each point.