The 30-Minute GTM PECR Audit Every UK WooCommerce Store Needs

May 6, 2026
by Cherry Rose

The Data (Use and Access) Act has been live in the UK since February 5, 2026. It aligned PECR fines with UK GDPR — up to £17.5M or 4% of global turnover (Bird & Bird, 2026). And it added an instigator clause: if your agency installed a tracking tag on your site, the liability still lands on you, the operator.

Most UK WooCommerce stores have not audited their GTM container against this. They don’t need to hire a consultant. They need DevTools, a private window, and five filter strings. The audit takes 30 minutes and surfaces roughly 80% of the exposure.

Why This 30 Minutes Matters Now

DUAA closed three things at once. First, the fine cap: PECR violations now sit alongside UK GDPR at £17.5M or 4% of global turnover, whichever is greater. Second, the instigator clause: the person who instigates the placing of cookies on user devices is responsible — agency-installed tags now create direct liability for the store (DAC Beachcroft, 2025). Third, the enforcement powers: the ICO can compel interviews, demand audits, and issue stop orders under expanded DUAA powers — without needing to take you to court first.

Translation: the agency that wired up your GTM container in 2022 is no longer a shield. The tags that fire before your consent banner appears are your problem now.

The audit answers exactly one question: does anything in my GTM container fire before the user clicks accept? WordPress powers 43.5% of all websites (W3Techs, 2024), and the GTM-on-WooCommerce stack is the most common surface where this audit produces findings.

The Setup (2 Minutes)

Open a private/incognito browser window. No extensions. No logged-in session. This matters: extensions can block tags from firing and mask findings; logged-in sessions can hit a stale consent record that suppresses the banner entirely.

Open DevTools (F12 or Cmd-Option-I). Click the Network tab. Tick Preserve log so navigation doesn’t wipe the history. Make sure the recording light is red.

Now load your store homepage. Do not interact with the consent banner. Do not click anything. Just let the page settle for ten seconds.

The Five Filters

This is the audit. In the Network tab filter box, type each of the five strings below in turn. For each one, look at the URLs that appear. If you see requests before you click accept, that finding is your exposure.

1. googleadservices

Captures Google Ads conversion tracking, remarketing tags, and Floodlight container calls. If googleadservices.com requests fire pre-consent, your Google Ads remarketing audiences and conversion tags are running without consent. Common cause: a Conversion Linker tag set to fire on All Pages without a consent state check.

2. doubleclick

Captures DoubleClick Floodlight, Display & Video 360 pixels, and YouTube remarketing. doubleclick.net pre-consent firing typically means you have a Display campaign tag inheriting the All Pages trigger from a legacy GTM template.

3. facebook

Captures Meta Pixel calls (connect.facebook.net for the loader, facebook.com/tr for the events). If either fires pre-consent, your Meta Pixel is running. Common cause: the Meta Pixel base tag set to All Pages with no consent gating, often installed via a Facebook for WooCommerce plugin auto-injection rather than GTM itself.

4. linkedin

Captures LinkedIn Insight Tag (snap.licdn.com) and Conversion Tracking. Pre-consent firing here is more common than people expect because LinkedIn campaigns are often set up by sales teams without involving the marketing tag manager.

5. hotjar

Captures Hotjar’s session recording and heatmap loader (static.hotjar.com, script.hotjar.com). Hotjar pre-consent is the highest-risk finding because session recording captures form input — meaning email addresses, postal codes, and sometimes typed payment details get recorded into a third-party tool before the user has consented to anything.

Each finding is documentable on its own. Take a screenshot. Note the exact request URL. Note that the consent banner had not been interacted with. That’s your audit log entry for that platform.

What To Do With Each Finding

The first reflex is to add a consent-state check to the trigger. That works for tags inside your GTM container. It does not work for tags that are not in GTM — and a surprising number of the findings will be tags that are not in GTM. The Meta Pixel injected by the Facebook for WooCommerce plugin lives in the WordPress page template, not in GTM. The Hotjar snippet pasted into the theme’s header.php in 2021 is not in GTM either.

The audit checklist looks like this:

  1. Locate — for each finding, find where the tag actually lives. GTM container, plugin auto-injection, theme template snippet, or another tag manager you forgot about.
  2. Gate — wrap each tag with a consent-state condition. In GTM that’s the built-in Consent State variable; in a plugin that’s whatever consent integration the plugin offers; in a hard-coded snippet that’s removing it and re-implementing it through GTM with a consent check.
  3. Verify — re-run the same DevTools audit. The pre-consent requests should be gone.
  4. Document — keep the audit log. Under DUAA, the ICO can compel an audit at short notice. Showing them a dated DevTools audit from before they asked is materially better than not having one.
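The five-filter check above and the Verify/Document steps of this checklist can be run against a saved DevTools HAR export instead of reading the Network panel by eye. This is an added example, not code from the original post or from Seresa; the request entries and the `auditPreConsent` helper are constructed here for illustration.

```javascript
// Added example (not from the post): classifies captured requests against the
// five audit filter strings and emits an audit-log entry for each one that
// fired before the consent banner was interacted with. The input shape mirrors
// a DevTools HAR export (log.entries[].request.url, startedDateTime).

const AUDIT_FILTERS = {
  googleadservices: "Google Ads conversion / remarketing",
  doubleclick: "DoubleClick Floodlight / DV360 / YouTube remarketing",
  facebook: "Meta Pixel",
  linkedin: "LinkedIn Insight Tag / Conversion Tracking",
  hotjar: "Hotjar session recording / heatmaps",
};

// Same case-insensitive substring match the DevTools filter box applies.
// Returns the matching filter key or null for first-party / unrelated URLs.
function matchFilter(url) {
  const lower = url.toLowerCase();
  for (const key of Object.keys(AUDIT_FILTERS)) {
    if (lower.includes(key)) return key;
  }
  return null;
}

// har: object with log.entries. consentAt: ISO timestamp of the accept click,
// or null when the banner was never touched (the state the audit requires).
function auditPreConsent(har, consentAt = null) {
  const consentTime = consentAt ? Date.parse(consentAt) : Infinity;
  const findings = [];
  for (const entry of har.log.entries) {
    const key = matchFilter(entry.request.url);
    if (!key) continue;
    if (Date.parse(entry.startedDateTime) < consentTime) {
      findings.push({
        platform: AUDIT_FILTERS[key],
        filter: key,
        url: entry.request.url,           // exact request URL for the log
        firedAt: entry.startedDateTime,
        consentInteracted: consentAt !== null,
      });
    }
  }
  return findings;
}

// Constructed sample: one first-party WooCommerce Store API call plus three
// third-party loaders. Hostnames are real; the Hotjar site id is a placeholder.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2026-05-06T09:00:01.000Z", request: { url: "https://www.example-store.co.uk/wp-json/wc/store/v1/cart" } },
  { startedDateTime: "2026-05-06T09:00:01.200Z", request: { url: "https://connect.facebook.net/en_US/fbevents.js" } },
  { startedDateTime: "2026-05-06T09:00:01.400Z", request: { url: "https://static.hotjar.com/c/hotjar-000000.js" } },
  { startedDateTime: "2026-05-06T09:00:01.600Z", request: { url: "https://www.googleadservices.com/pagead/conversion_async.js" } },
] } };

console.log(auditPreConsent(SAMPLE_HAR)); // three pre-consent findings, first-party call ignored
```

Export the HAR from the Network panel after the ten-second settle, with the banner untouched, and pass `null` as `consentAt`; re-run after gating and the array should come back empty.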

One more practical detail: EU cookie consent rejection runs between 40% and 70% on most stores. Even with a perfectly compliant banner, between 4 and 7 of every 10 EU/UK visitors will deny consent — meaning the tags you successfully gate will not fire for those users. That is the data-loss reality the audit reveals once you have closed the compliance gap.

The Pattern Behind the Findings

Every audit finding has the same structural cause. Tags fire client-side, in the browser, controlled by a dependency chain that includes the consent banner, the tag manager, the platform’s own loader, and any plugin that injects its own pixels alongside. Every link in that chain can fail independently — and every link is also a maintenance liability for whoever is left holding the GTM container.

This is the pattern that turns a 30-minute audit into a quarterly maintenance task forever. The eight hops a WooCommerce conversion has to survive before Smart Bidding sees it run on the same fragile chain, and so does the double-counting that Google’s own WooCommerce plugin produces with Tag Gateway. The browser is the breakage layer.

The question isn’t whether you should audit your GTM container. It’s whether you should be running tags in the browser at all.

How Seresa Removes the Audit Surface

Transmute Engine™ is a first-party Node.js server that runs on your own subdomain (for example, data.yourstore.com). The inPIPE WordPress plugin captures WooCommerce events at the PHP hook layer and sends them via API to Transmute Engine, which routes them server-to-server to Meta CAPI, Google Ads Enhanced Conversions, GA4, Microsoft UET CAPI, LinkedIn Conversions API, and BigQuery. There is no browser-side third-party loader to audit because the events never travel through one. The DevTools audit still finds your remaining first-party requests — and that’s all there is to find.

Key Takeaways

  • DUAA active since February 5, 2026. PECR fines aligned with UK GDPR — up to £17.5M or 4% global turnover. The ICO can compel audits, interviews, and stop orders directly.
  • The instigator clause. Agency-installed tags create direct liability for the store. The agency that wired up your GTM container in 2022 is no longer a shield.
  • The 30-minute audit. Private window, no extensions, DevTools Network tab, consent banner not yet interacted with. Filter on five strings: googleadservices, doubleclick, facebook, linkedin, hotjar.
  • Findings outside GTM. Many pre-consent tags will be plugin-injected or theme-template hardcoded — not in your GTM container at all. Locate before gating.
  • The architectural answer. Server-side capture removes the browser-side loader entirely. There is nothing to audit because no third-party tag fires at all.

FAQ

What is the DUAA and when did it become active?

The Data (Use and Access) Act 2024 (DUAA) is the UK’s first major data protection reform since UK GDPR. The relevant cookie and marketing provisions became active on February 5, 2026. It aligned PECR fines with UK GDPR at up to £17.5M or 4% global turnover, added the instigator clause that places direct liability on whoever caused the cookie placement, and expanded ICO enforcement powers to include compelled interviews, audits, and stop orders.

Does the instigator clause mean my agency is liable instead of me?

No, the opposite. The instigator clause clarifies that the person who caused the cookie placement is liable. In practice, the ICO treats the store operator as the instigator because the operator chose to engage the agency and operates the site where the cookies are placed. Agency contracts that purport to transfer this liability are not generally effective against the regulator. The audit findings are your audit findings, regardless of who built the GTM container.

Will my consent banner stop the audit findings?

Only if the banner blocks tags pre-consent at the technical level — not just at the visual level. A banner that displays a “We use cookies” message but does not actually gate tag firing has no effect on the audit. The DevTools test is the truth: if requests fire before you click accept, your banner is not blocking them. This is one of the most common findings — banners that ask for consent without enforcing it.

What if I don’t have a UK presence?

DUAA applies to any organisation processing personal data of UK residents in the course of offering goods or services to them. A WooCommerce store that ships to UK addresses, accepts UK customer accounts, or runs Google or Meta ads targeted at UK users is in scope regardless of where the company is registered. EU stores already in the GDPR/ePrivacy framework face similar (and in some areas stricter) requirements through their own consent regimes.

Open the private window. Pull up DevTools. Five filters, thirty minutes — by the time the kettle boils twice, you’ll know exactly where you stand. See how Transmute Engine eliminates the browser-side audit surface entirely.
