GDPR // Google Analytics script tags included and executed without consent

Hi there,

as the current GDPR (“Cookie consent”) solution is a very important and valuable first step, it seems to not fully work as expected.
We are using the “Must Opt-In” mode to be GDPR compliant at all.

We have several external services that we pasted into the “Google Services” -> “Google Analytics” textbox. As this is the only place to allow custom JS code to be inserted into the theme.
As the GDPR is also about consenting to data submission to external services, the only GDPR compliant behaviour in Opt-In mode would be to NOT render the content of the Google Analytics field, unless the user has opted-in to “External Services” or “Google Analytics”.

Is this a bug, or at least something on your road map? Because currently the cookie handling is … okish. Because deleting them does not really fulfill GDPR at all which is quite clear about consent before storing information or sending data anywhere. But the current behaviour is arguably better than nothing.

So in general the GDPR management currently lacks a way to consent to custom 3rd party tags and defer rendering of the <script> tags until consent given.

An example: Inserting custom script Tags for Google Tag Manager and Facebook Analytics to the Google Analytics field will make the <script> tags always being rendered. This leads to HTTP calls to Google as well as Facebook. This must not happen without consent. Without consent the Google Analytics cookies will be deleted. All other (unknown) cookies will remain although no consent given.
Yes, I do know about the possibility to delete custom cookies. But as I said, to be GDPR compliant, the include of external scripts must not happen in the first place until consented.

Would love to get some feedback on this fundamental part of GDPR compliance.

Best,
Jan