Google Consent Mode v2 – What it is, Why it Matters in 2026, and Which CMP to Use


You set up Google Analytics. You added a cookie banner. You thought you were done.

Then someone mentioned “Consent Mode v2” and suddenly you’re not sure whether your setup is actually legal, whether your conversion data is accurate, or whether Google is quietly throttling your EU traffic. That sinking feeling is familiar, and it’s also fixable.

Here’s what Google Consent Mode actually is: it’s the communication layer between your cookie consent banner and Google’s tracking tags.

Version 2 of that system – Google Consent Mode v2 – updated the protocol, added two new consent parameters, and became a hard requirement for EU advertisers in early 2024. By July 2025, Google began restricting data collection for EU/EEA sites without proper consent signaling in place.

This guide covers what changed, what happens if you ignore it, and exactly how to get it set up – including which consent management platform will do the heavy lifting for you.

What Is Google Consent Mode v2?

Google Consent Mode v2 is the updated version of Google’s consent signaling framework. It lets your Google tags – GA4, Google Ads, Floodlight – respond correctly to a user’s consent choices instead of running blind.

When someone lands on your site, consent mode fires a default state before any tags load. When the user interacts with your cookie banner, the CMP updates those states in real time. Google’s tags read those signals and adjust what they collect: full data if consent is granted, cookieless pings if it’s denied.

The short version: Google Consent Mode v2 requires two new consent parameters (ad_user_data and ad_personalization) on top of the original four, and integrating a Google-certified CMP is now expected for EU/EEA advertisers running Google Ads. Without it, your conversion data develops gaps and your EU remarketing reach shrinks – often significantly.

The Two New Parameters: ad_user_data and ad_personalization

Consent Mode v1 had four parameters: ad_storage, analytics_storage, personalization_storage, and functionality_storage. Version 2 added two more:

  • ad_user_data – controls whether user data from your site can be sent to Google for advertising purposes
  • ad_personalization – controls whether that data can be used for personalised ads, including remarketing

Both default to “denied” unless explicitly granted. If you’re running remarketing campaigns or cross-device targeting, you need the user to grant ad_personalization – and your cookie banner needs to collect that consent correctly. If it doesn’t surface this as a separate consent option, your remarketing audience is shrinking without you knowing.

How Consent Mode Communicates With Google Tags

The sequence matters. When a user arrives on your site, consent mode fires gtag('consent', 'default', {...}) before Google Tag Manager or any other tags run. This tells Google’s tags what state to assume before user input. When the user accepts or rejects cookies on the banner, the CMP fires gtag('consent', 'update', {...}) with the actual choices.

Google’s tags read those signals and behave accordingly. If ad_storage is granted, GA4 sets cookies and tracks sessions normally. If it’s denied, the tag sends a cookieless ping – a minimal signal with no personal data – which feeds Google’s conversion modeling algorithms instead.

Is Google Consent Mode v2 Mandatory?

Yes, for most sites using Google Ads or GA4 with EU or EEA traffic.

Google made consent mode v2 a requirement for EU/EEA advertisers in March 2024. From July 2025, enforcement tightened further: EU/EEA sites without proper consent signaling started losing GA4 data collection capabilities and saw restrictions on Google Ads remarketing features. This is ongoing in 2026 – it’s not a deadline that has passed, it’s the current baseline.

If you have no EU/EEA visitors and you’re not running Google Ads, you can skip this. But if you’re using GA4 and you have any European traffic, you need it. Most sites have some EU traffic even when they’re not targeting it.

One context worth noting: the Digital Markets Act has reinforced GDPR consent requirements for Google’s services specifically. For Google to serve personalised ads within the EEA, it needs to demonstrate that consent was properly collected upstream. Consent mode is how that gets signaled.

Basic vs Advanced Consent Mode – Which Should You Choose?

Most guides treat this as a footnote. It’s actually the most consequential decision in your consent mode setup, because it directly affects your data quality.

| | Basic Consent Mode | Advanced Consent Mode |
|---|---|---|
| Tags fire before consent? | No | Yes (cookieless pings only) |
| Conversion modeling? | Limited | Full |
| Data before user chooses? | None | Cookieless signal |
| Best for? | Strict privacy stance | Most GA4 + Google Ads setups |

Basic Consent Mode: Tags Blocked Until Consent

In basic mode, no Google tags fire until the user makes a choice. Users who close the tab or scroll past the banner without interacting leave no trace. You lose all visibility on them.

This is the more conservative approach from a privacy standpoint, and in theory it’s simpler to configure. The trade-off is real: on sites where a meaningful percentage of visitors bounce before choosing, basic mode produces significant blind spots in your analytics and conversion data.

Advanced Consent Mode: Tags Fire with Cookieless Pings

In advanced mode, tags fire immediately but send cookieless pings when consent is denied. These pings carry no personal data and set no cookies – they’re stateless signals that tell Google a visit happened without identifying the visitor.

That signal feeds Google’s conversion modeling, which uses statistical methods to estimate conversions for the non-consenting portion of your traffic. If you’re running paid campaigns, this modeling can be the difference between seeing 60% of your actual conversions and seeing 90% of them.

Advanced mode is legal under GDPR because the cookieless pings contain no personal data. Most DPAs and privacy regulators have not raised concerns about cookieless pings specifically.

Which Is Right for Your Business?

For most advertisers running Google Ads: advanced mode. The conversion modeling is meaningfully better, and you’re not creating a legal risk by using it.

If you’re in a sensitive sector (healthcare, legal, financial services) where any pre-consent data collection feels risky, or if your legal counsel has advised maximum caution, go with basic. You’re accepting data gaps in exchange for a cleaner audit trail.

What Changed From Consent Mode v1 to v2?

The headline changes:

Two new consent parameters were added (ad_user_data and ad_personalization) alongside the original four, bringing the total to six. These aren’t optional extras – if your CMP only passes four parameters, Google won’t receive the advertising-specific signals it needs for Ads features to work correctly in the EEA.

Google-certified CMP integration is now the expected standard for EU/EEA advertisers. Under v1, any CMP could claim support. Under v2, Google maintains a certified partner list with Silver and Gold tiers. Some Google Ads features explicitly require a certified CMP for EU/EEA traffic.

Conversion modeling became more dependent on signal quality. Gaps or delays in your consent update calls affect the accuracy of the modeled data Google uses to fill attribution gaps. A sloppy implementation doesn’t just fail compliance – it actively degrades your measurement.

There’s also a “Google Consent Mode v3” appearing in related searches at the time of writing. Nothing has been confirmed yet. If and when it arrives, Google-certified CMPs update automatically – another reason to use one rather than a manual implementation.

What Happens If You Don’t Implement It?

The consequences are operational first, legal second.

Your GA4 data develops gaps. Without proper consent signals, Google can’t apply its conversion modeling to non-consenting users. Attribution reports undercount conversions. If your media buying decisions are based on those numbers, you’re optimising against wrong data.

Your EU remarketing audience shrinks. Without ad_personalization being properly granted and signaled, you can’t run personalised ads to EU/EEA users through Google Ads. The audience just isn’t there.

Your legal position gets harder to defend. Consent mode doesn’t make you GDPR compliant on its own – but running tracking tags without any consent signaling while claiming GDPR compliance is a difficult position to hold up in a supervisory authority investigation. Our GDPR implementation guide covers the broader compliance picture.

The ongoing enforcement context matters here. In 2026, this is not a future risk you can defer. Non-compliant sites are operating with degraded measurement today.

How to Implement Google Consent Mode v2

Three paths. The right one depends on your setup and technical confidence.

Option A: Use a Google-Certified CMP (Recommended)

This is the right route for most businesses. A certified CMP handles the entire consent signaling layer – the default states, the update calls, and any future parameter changes Google rolls out.

  1. Choose a Google-certified CMP from the comparison table in the next section
  2. Install it on your site using the JavaScript snippet or the CMS plugin for your platform (WordPress, Shopify, Wix, Squarespace)
  3. Inside the CMP dashboard, configure your consent categories, jurisdictions, and default states – set all six parameters to denied for EU/EEA visitors by default
  4. The CMP fires gtag('consent', 'default', {...}) before Google tags load and gtag('consent', 'update', {...}) when users choose
  5. Verify using Google Tag Assistant (see the verification section below)

The advantage of this route: when Google releases new requirements, the CMP updates its implementation. You don’t have to touch your codebase.

Option B: Implement via Google Tag Manager

If you’re already running GTM, you can configure consent mode through the GTM interface using Google’s Consent Initialization trigger and consent overview variables.

Most certified CMPs publish GTM templates in the Community Template Gallery. If you’re using a CMP, their GTM template is almost always cleaner and more reliable than building the consent logic yourself. The main risk with manual GTM setups is tag firing order: consent defaults must fire before all other tags, and GTM’s trigger priority settings need to reflect that.

Option C: Manual Implementation via gtag.js

For developers who want direct control, implement consent mode in your codebase. Add the default call before your Google tag script loads:

// Define dataLayer and the gtag() helper first: the Google tag has not loaded yet
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

// Set defaults before the Google tag loads: all six parameters denied
// for the listed regions (EEA countries plus GB and CH)
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'personalization_storage': 'denied',
  'functionality_storage': 'denied',
  'region': ['GB', 'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE',
             'FI', 'FR', 'DE', 'GR', 'HU', 'IS', 'IE', 'IT', 'LV',
             'LI', 'LT', 'LU', 'MT', 'NL', 'NO', 'PL', 'PT', 'RO',
             'SK', 'SI', 'ES', 'SE', 'CH']
});

Then call gtag('consent', 'update', {...}) with the user’s actual choices when they interact with your banner. This gives you precise control but puts the maintenance burden on you – including adding new parameters when Google requires them.
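The update call described above, as an added example that is not part of the original guide. The banner category names (marketing, statistics, preferences) and the function names are hypothetical; the mapping fails closed, so anything other than an explicit `true` stays denied.

```javascript
// Added example. Standard dataLayer shim so gtag() works before the Google tag loads.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); }

const CONSENT_PARAMS = [
  'ad_storage', 'analytics_storage', 'ad_user_data',
  'ad_personalization', 'personalization_storage', 'functionality_storage',
];

// Hypothetical banner categories mapped to consent mode parameters.
const CATEGORY_MAP = {
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  statistics: ['analytics_storage'],
  preferences: ['personalization_storage', 'functionality_storage'],
};

// Build the full six-parameter update. Every parameter starts as denied and
// is granted only when its category was explicitly set to boolean true.
function buildConsentUpdate(choices) {
  const update = {};
  for (const param of CONSENT_PARAMS) update[param] = 'denied';
  for (const [category, params] of Object.entries(CATEGORY_MAP)) {
    if (choices && choices[category] === true) {
      for (const param of params) update[param] = 'granted';
    }
  }
  return update;
}

// Call this from the banner's accept/reject/save handlers.
function onBannerChoice(choices) {
  const update = buildConsentUpdate(choices);
  gtag('consent', 'update', update);
  return update;
}
```

Sending all six parameters on every update keeps ad_user_data and ad_personalization from silently staying at their default when a banner only exposes a single "marketing" toggle.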

Which CMPs Support Google Consent Mode Best?

Every CMP claims full consent mode v2 support. The practical differences show up in platform coverage, update speed when Google releases requirements, and whether the certification tier matches your needs.

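| CMP | Google Certified | Tier | WordPress | Shopify | GTM | Free Plan |
|---|---|---|---|---|---|---|
| Cookiebot | Yes | Silver | Yes | Yes | Yes | No (trial) |
| CookieYes | Yes | Silver | Yes | Yes | Yes | Yes (limited) |
| OneTrust | Yes | Gold | Yes | Enterprise | Yes | No |
| CookieScript | Yes | Silver | Yes | Yes | Yes | Yes (limited) |
| Usercentrics | Yes | Gold | Yes | Yes | Yes | No |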

Google’s certification tiers aren’t just marketing labels. Gold-tier CMPs meet stricter integration standards and typically offer more control over consent granularity and regional rule sets. For most small to mid-sized businesses, a Silver-tier CMP is sufficient – especially if you’re on a single domain with standard Google tag setups.

For EU-focused businesses running WordPress and Google Ads, Cookiebot is a strong Silver-tier option – the Cookiebot review covers pricing, setup, and GDPR compliance in detail. If budget is a factor, CookieScript offers a free tier with consent mode v2 support and a solid WordPress plugin – see the CookieScript review for the full breakdown. Enterprise setups with complex multi-region consent rules are better served by OneTrust or Usercentrics – the OneTrust review has the specifics.

For a side-by-side ranking of every CMP we’ve tested against consent mode compliance, the full CMP comparison is the right next step.

How to Verify Consent Mode v2 Is Working

Setup isn’t done until you’ve confirmed the signals are actually firing. Here’s how:

  1. Install the Google Tag Assistant Chrome extension and open it on your site
  2. Start a recording session and navigate to your homepage
  3. Interact with your cookie banner – accept all cookies first, then reload and reject all in a separate session
  4. In Tag Assistant, click the Consent tab – you’ll see the consent state log for that session
  5. Confirm that all six parameters are listed and that their states change correctly (denied on reject, granted on accept)
  6. Specifically check that ad_user_data and ad_personalization appear – if they’re missing, your CMP is running a v1 implementation

A second check in Google Ads: go to Tools → Conversions → Settings and look for the consent mode status for EU/EEA traffic. It should read “Active.” If it shows a warning or “Not detected,” your implementation has a gap.

One more check for advanced mode users: in your browser’s developer tools, open the Network tab and filter for requests to google-analytics.com after rejecting cookies. You should see requests with gcs=G100 in the URL – these are the cookieless pings confirming advanced mode is working.
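To run that Network-tab check over a batch of copied request URLs, here is an added example (not from the original guide) that decodes the gcs value and flags pings that disagree with the banner choice. It goes beyond the G100 case in the text by assuming the general form G1 followed by one digit for ad_storage and one for analytics_storage (1 = granted, 0 = denied); the sample URLs and the G-EXAMPLE ID are constructed.

```javascript
// Added example. Decode gcs: "G1" + ad_storage digit + analytics_storage digit.
function decodeGcs(value) {
  const m = /^G1([01])([01])$/.exec(value || '');
  if (!m) return null; // absent, or a form this decoder does not recognise
  const state = digit => (digit === '1' ? 'granted' : 'denied');
  return { ad_storage: state(m[1]), analytics_storage: state(m[2]) };
}

// urls: request URLs copied from the Network tab for one session.
// expected: 'denied' after "reject all", 'granted' after "accept all".
function checkPings(urls, expected) {
  const findings = [];
  for (const raw of urls) {
    const decoded = decodeGcs(new URL(raw).searchParams.get('gcs'));
    if (!decoded) {
      findings.push({ url: raw, problem: 'missing or unrecognised gcs' });
      continue;
    }
    for (const [param, state] of Object.entries(decoded)) {
      if (state !== expected) {
        findings.push({ url: raw, problem: `${param} is ${state}, expected ${expected}` });
      }
    }
  }
  return findings;
}

// Constructed sample: three requests captured after rejecting all cookies.
const SAMPLE_AFTER_REJECT = [
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&gcs=G100&en=page_view',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&gcs=G101&en=scroll',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&en=click',
];

for (const f of checkPings(SAMPLE_AFTER_REJECT, 'denied')) {
  console.log(f.problem, '->', f.url);
}
```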

FAQ

Do I need Google Consent Mode if I’m not in the EU?

Not strictly. Google’s enforcement targets EU/EEA advertisers. But if you have any EU/EEA traffic and you’re running Google Ads or GA4, you need consent mode for those users. Use the region parameter in your default call to restrict consent mode logic to EU/EEA visitors – global traffic continues as normal.

Is Google Consent Mode v2 GDPR compliant?

It’s a necessary part of a GDPR-compliant setup, not the whole thing. Consent mode handles the technical communication between your banner and Google’s tags – but it doesn’t replace a lawful basis, proper consent records, a compliant cookie notice, or a data processing agreement with Google. Think of it as the plumbing: consent mode is what carries the signal; GDPR compliance is the building code the plumbing has to meet. The cookie compliance guide covers the full requirements.

What is the default consent state in Google?

Denied – across all six parameters – for regions where consent mode is active. That’s the safe default, and it’s what Google expects you to set. The most common implementation mistake is not setting the default state before other tags load, which means Google’s tags fire in an uncontrolled state before the user has made any choice. Set the defaults, then update them on consent.
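One way to catch that ordering mistake, as an added example that is not part of the original guide: an audit over the gtag() commands in the order they reached dataLayer. The function name and the sample command lists are constructed; in a browser the entries would come from `Array.from(window.dataLayer)`.

```javascript
// Added example. The six parameters the page expects in the default call.
const REQUIRED = ['ad_storage', 'analytics_storage', 'ad_user_data',
  'ad_personalization', 'personalization_storage', 'functionality_storage'];

// entries: gtag() argument lists in push order. Only the first default call
// is inspected; additional region-specific defaults are not evaluated.
function auditConsentOrder(entries) {
  const issues = [];
  const isConsent = (e, kind) => e && e[0] === 'consent' && e[1] === kind;
  const defaultIdx = entries.findIndex(e => isConsent(e, 'default'));
  const firstTagIdx = entries.findIndex(
    e => e && (e[0] === 'config' || e[0] === 'event'));

  if (defaultIdx === -1) {
    issues.push('no consent default was set');
  } else {
    if (firstTagIdx !== -1 && firstTagIdx < defaultIdx) {
      issues.push(`"${entries[firstTagIdx][0]}" ran before the consent default`);
    }
    const state = entries[defaultIdx][2] || {};
    for (const p of REQUIRED) {
      if (!(p in state)) issues.push(`default is missing ${p}`);
      else if (state[p] !== 'denied') issues.push(`default for ${p} is ${state[p]}, not denied`);
    }
  }
  entries.forEach((e, i) => {
    if (isConsent(e, 'update') && (defaultIdx === -1 || i < defaultIdx)) {
      issues.push('consent update ran before any default');
    }
  });
  return issues;
}

// Constructed samples: a correct sequence, and a v1-style default set too late.
const allDenied = Object.fromEntries(REQUIRED.map(p => [p, 'denied']));
const GOOD_ORDER = [
  ['consent', 'default', allDenied],
  ['js', 'constructed-timestamp'],
  ['config', 'G-EXAMPLE'],
  ['consent', 'update', { ...allDenied, analytics_storage: 'granted' }],
];
const V1_AND_LATE = [
  ['js', 'constructed-timestamp'],
  ['config', 'G-EXAMPLE'],
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied',
    personalization_storage: 'denied', functionality_storage: 'denied' }],
];

console.log(auditConsentOrder(GOOD_ORDER), auditConsentOrder(V1_AND_LATE));
```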

How do I check if Consent Mode is active on my site?

Tag Assistant is the most reliable method. Install it, start a session on your site, and check the Consent tab after interacting with your banner. You should see all six consent parameters updating in response to user choices. The Network tab approach (looking for gcs= in GA4 request URLs) works too but requires more interpretation. If you’re using a CMP, check its dashboard – most certified CMPs include a consent mode status indicator that confirms the integration is active.


Ready to get this set up? The full CMP comparison ranks every tool we’ve reviewed by consent mode support, platform compatibility, and price. If you already have a platform in mind, the individual reviews go deep on setup and compliance specifics.

One thing to keep on your radar: “Google Consent Mode v3” is already appearing in search suggestions. Nothing is confirmed. But if you’re building a compliance setup that needs to last, choose a Google-certified CMP that updates automatically – so the next version change doesn’t mean another configuration project.
