// Configuring Google Consent Mode v2 for privacy-compliant measurement and advertising. Covers default and update commands, consent state mapping to GA4 and Google Ads, conversion modeling with cookieless pings, and EEA requirements effective March 2024.
| name | google-consent-mode-v2 |
| description | Configuring Google Consent Mode v2 for privacy-compliant measurement and advertising. Covers default and update commands, consent state mapping to GA4 and Google Ads, conversion modeling with cookieless pings, and EEA requirements effective March 2024. |
| license | Apache-2.0 |
| metadata | {"author":"mukul975","version":"1.0","domain":"privacy","subdomain":"cookie-consent-compliance","tags":"google-consent-mode, ga4, google-ads, conversion-modeling, eea-compliance"} |
Google Consent Mode v2 is a framework that adjusts the behavior of Google tags (Analytics, Ads, Floodlight) based on user consent status. Announced in November 2023 with enforcement beginning March 2024, Consent Mode v2 introduces two new parameters — ad_user_data and ad_personalization — alongside the existing analytics_storage and ad_storage parameters. For advertisers serving users in the European Economic Area (EEA), implementing Consent Mode v2 is required to maintain measurement and audience capabilities in Google Ads and GA4. Without it, Google will not process EEA user data for remarketing lists or conversion measurement.
| Parameter | Controls | Default | Description |
|---|---|---|---|
ad_storage | Advertising cookies | denied | Controls whether advertising-related cookies (gcl*, IDE) can be read/written |
ad_user_data | User data for advertising | denied | Controls whether user data can be sent to Google for advertising purposes |
ad_personalization | Ad personalization | denied | Controls whether data can be used for remarketing and personalized ads |
analytics_storage | Analytics cookies | denied | Controls whether analytics cookies (_ga, _gid) can be read/written |
functionality_storage | Functionality cookies | granted | Controls functionality cookies (language preferences) |
personalization_storage | Personalization cookies | denied | Controls personalization cookies (recommendations) |
security_storage | Security cookies | granted | Controls security-related cookies (authentication, fraud prevention) |
Map CMP consent categories to Consent Mode parameters:
| CMP Category | ad_storage | ad_user_data | ad_personalization | analytics_storage |
|---|---|---|---|---|
| All rejected (default) | denied | denied | denied | denied |
| Analytics only | denied | denied | denied | granted |
| Analytics + Advertising | granted | granted | granted | granted |
| Analytics + Advertising (no personalization) | granted | granted | denied | granted |
| All accepted | granted | granted | granted | granted |
Step 1: Set defaults before any Google tags load
Place this script in the <head> before the Google tag:
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
// Set default consent state — deny all non-essential before user interaction
gtag('consent', 'default', {
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'analytics_storage': 'denied',
'functionality_storage': 'granted',
'personalization_storage': 'denied',
'security_storage': 'granted',
'wait_for_update': 500 // Wait 500ms for CMP to load
});
// Enable URL passthrough for conversion measurement without cookies
gtag('set', 'url_passthrough', true);
// Enable ads data redaction when ad_storage is denied
gtag('set', 'ads_data_redaction', true);
</script>
Step 2: Load the Google tag
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PINNACLE123"></script>
<script>
gtag('js', new Date());
gtag('config', 'G-PINNACLE123');
</script>
Step 3: Update consent state when user interacts with CMP
// Called by the CMP when user makes a consent choice
function updateGoogleConsent(consentState) {
gtag('consent', 'update', {
'ad_storage': consentState.advertising ? 'granted' : 'denied',
'ad_user_data': consentState.advertising ? 'granted' : 'denied',
'ad_personalization': consentState.personalization ? 'granted' : 'denied',
'analytics_storage': consentState.analytics ? 'granted' : 'denied'
});
}
Step 1: Configure Consent Initialization trigger
In GTM, use the "Consent Initialization — All Pages" trigger type for the default consent tag. This fires before all other triggers.
Default Consent Tag (Consent Initialization trigger):
| Setting | Value |
|---|---|
| Tag type | Google tag: Consent configuration |
| Action | Default |
| ad_storage | Denied |
| ad_user_data | Denied |
| ad_personalization | Denied |
| analytics_storage | Denied |
| Wait for update | 500 ms |
| URL passthrough | Enabled |
| Ads data redaction | Enabled |
Step 2: Configure Consent Update tag
Create a custom HTML tag or use a CMP-specific template that fires on consent change:
Update Consent Tag (Custom Event trigger: consent_update):
| Setting | Value |
|---|---|
| Tag type | Google tag: Consent configuration |
| Action | Update |
| ad_storage | {{CMP - Ad Storage Consent}} |
| ad_user_data | {{CMP - Ad User Data Consent}} |
| ad_personalization | {{CMP - Ad Personalization Consent}} |
| analytics_storage | {{CMP - Analytics Storage Consent}} |
Step 3: Configure tag consent settings
For each Google tag in GTM, configure the built-in consent checks:
| Tag | Required Consent | Additional Consent |
|---|---|---|
| GA4 Configuration | analytics_storage | — |
| GA4 Event | analytics_storage | — |
| Google Ads Conversion | ad_storage | ad_user_data |
| Google Ads Remarketing | ad_storage | ad_user_data, ad_personalization |
| Floodlight Counter | ad_storage | ad_user_data |
| Floodlight Sales | ad_storage | ad_user_data |
Apply different defaults based on user geography:
// Strict defaults for EEA users
gtag('consent', 'default', {
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'analytics_storage': 'denied',
'region': ['AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR',
'DE', 'GR', 'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL',
'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE', 'IS', 'LI', 'NO']
});
// Less restrictive defaults for US users (adjust per state law)
gtag('consent', 'default', {
'ad_storage': 'granted',
'ad_user_data': 'granted',
'ad_personalization': 'granted',
'analytics_storage': 'granted',
'region': ['US']
});
When consent is denied, Google tags still send cookieless pings that include:
Google uses these pings, combined with data from consenting users, to build machine learning models that estimate:
For Google to generate modeled conversions, Pinnacle E-Commerce Ltd must meet:
| Requirement | Threshold |
|---|---|
| Minimum consented conversions per day | 70+ per conversion action |
| Minimum total conversions per day | 100+ per conversion action |
| Consent Mode implemented for | At least 7 consecutive days |
| Tag coverage | All conversion-relevant pages |
GA4 behavioral modeling fills gaps in analytics data:
| Requirement | Threshold |
|---|---|
| Minimum daily consented users | 1,000+ per property |
| Minimum days of data | 7+ consecutive days |
| Consent Mode coverage | All GA4 pageview and event tags |
Use Google Tag Assistant (browser extension) to verify:
In GA4 DebugView, consent-impacted events display with:
Monitor network requests to https://www.google-analytics.com/g/collect:
| Parameter | Consent Granted | Consent Denied |
|---|---|---|
_p (Page ID) | Present | Present |
cid (Client ID) | From _ga cookie | Randomly generated per-hit |
gcs (Consent State) | G111 (all granted) | G100 (all denied) |
gcd (Consent Default) | Present | Present |
| Cookie set | _ga, _gid | None |
Google's Digital Markets Act (DMA) compliance requirements:
Nigeria Data Protection Regulation (NDPR) and Nigeria Data Protection Act (NDPA) 2023 compliance. Covers lawful basis for processing, data subject rights, cross-border transfer mechanisms, Data Protection Compliance Organisation (DPCO) registration, mandatory DPIA filing, and breach notification. Keywords: NDPR, NDPA, Nigeria, NITDA, DPCO, Africa data protection, cross-border transfer.
Implements compliance with South Africa's Protection of Personal Information Act (POPIA), Act No. 4 of 2013. Covers conditions for lawful processing, data subject rights, cross-border transfer restrictions, Information Regulator enforcement, and responsible party obligations. Keywords: POPIA, South Africa, Information Regulator, responsible party, operator, prior authorisation.
Tracks and monitors US state privacy legislation across all 50 states, DC, and territories. Covers enacted comprehensive privacy laws (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and subsequent enactments), pending bills, effective dates, and key requirement differences. Keywords: state privacy law, CCPA, CPRA, VCDPA, CPA, CTDPA, UCPA, multi-state.
Implements compliance with Turkey's Personal Data Protection Law (Kisisel Verilerin Korunmasi Kanunu, KVKK, Law No. 6698). Covers data controller obligations, data subject rights, VERBIS registration, cross-border transfer restrictions, Board decisions, and administrative fines. Keywords: KVKK, Turkey, VERBIS, data controller registry, Board decision, cross-border.
Implements compliance with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDP Law) and its Executive Regulations. Covers data controller and processor obligations, data subject rights, cross-border transfer requirements, sensitive data processing, and UAE Data Office enforcement. Keywords: UAE PDP, Federal Decree-Law 45, UAE Data Office, DIFC, ADGM, cross-border transfer.
Maps the US federal privacy landscape including sectoral laws (HIPAA, GLBA, FERPA, COPPA, FCRA, ECPA, VPPA), FTC Section 5 enforcement, proposed federal comprehensive legislation, and the interaction between federal and state privacy regimes. Keywords: federal privacy, HIPAA, GLBA, FERPA, COPPA, FCRA, FTC, sectoral, preemption.