Consent Mode V2: The Complete Technical Implementation Guide

Google Consent Mode V2 has been mandatory for EEA traffic since March 2024. If you’re advertising to European audiences, you need it. If you’re in South Africa under POPIA, you should have it. And if you’re an agency managing clients across multiple jurisdictions, you can’t avoid it.

But the implementation is more nuanced than Google’s documentation suggests. Most guides cover the basic setup — add a CMP, configure Consent Mode, done. They skip the parts that actually matter: how Consent Mode affects your conversion data, how to test it properly, what “advanced” vs “basic” actually means for your reporting, and what happens when you get it wrong.

This is the complete technical guide. If you manage GTM containers for clients, this is the implementation playbook.

What Consent Mode Actually Does

Consent Mode is a protocol between your Consent Management Platform (CMP) and Google tags. It tells Google tags whether the user has consented to specific types of data collection. Based on that signal, Google tags adjust their behaviour — either firing normally (consent granted), firing in a limited “cookieless” mode (consent denied), or not firing at all.

The key consent types are:

Consent Type	What It Controls
analytics_storage	GA4 cookies (measurement, analytics)
ad_storage	Google Ads cookies (conversion tracking, remarketing)
ad_user_data	Sending user data to Google for advertising
ad_personalization	Remarketing and personalised advertising
functionality_storage	Functional cookies (language preferences, etc.)
personalization_storage	Personalisation cookies (video recommendations, etc.)
security_storage	Security cookies (authentication, fraud prevention)

The two new parameters added in V2 are ad_user_data and ad_personalization. These were added to comply with the EU Digital Markets Act and give users more granular control over how their data is used for advertising purposes. Without these two signals, Google Ads conversion tracking stops working for EEA users. That’s what makes V2 mandatory — not a nice-to-have.

Basic vs Advanced Consent Mode

This is where most implementations go wrong, because the terminology is confusing.

Basic Consent Mode: Google tags do NOT load until the user makes a consent choice. If the user grants consent, tags fire normally. If the user denies consent, tags don’t fire at all. Zero data is collected from users who deny consent. This is the conservative, privacy-first approach.

Advanced Consent Mode: Google tags load immediately (before the user makes a consent choice) with all consent types set to “denied” by default. The tags fire in a limited, cookieless mode — they send “consent pings” to Google that contain no personal data but allow Google to do conversion modelling. When the user grants consent, the tags switch to full mode. When they deny, the tags continue in cookieless mode.

The difference matters enormously for your data:

Scenario	Basic Mode	Advanced Mode
User grants consent	Full tracking	Full tracking
User denies consent	Zero data	Cookieless pings → Google models conversions
User ignores banner	Zero data	Cookieless pings → Google models conversions
Impact on reported conversions	Underreported (only consented users)	More complete (consented + modelled)

My recommendation: Use Advanced Consent Mode if your privacy framework allows it. The modelled conversions from denied/ignored users can recover 30-60% of the conversion data you’d otherwise lose. For advertisers spending significant budgets, this directly impacts bidding algorithm performance — more conversion signals means better optimisation.

However, some interpretations of GDPR (and potentially POPIA) consider the cookieless pings in Advanced mode to constitute data processing that requires consent. Consult your legal team. If you’re unsure, Basic mode is the safe choice.

Implementation: Step by Step

Prerequisites

Before starting, you need:

1. A Consent Management Platform. Cookiebot, OneTrust, Usercentrics, or any CMP that integrates with Google Consent Mode. The CMP must be able to fire the gtag('consent', 'update', {...}) command when the user makes a choice.

2. GTM access. You’ll configure Consent Mode through GTM’s built-in consent settings. Direct gtag.js implementations are also possible but harder to manage.

3. A consent banner design. The banner needs to offer genuine choice — “Accept all” and “Reject all” must be equally prominent. Dark patterns (hiding the reject button, using confusing language) will get you in trouble with regulators and undermine the entire point.

Step 1: Set Default Consent State

In GTM, create a tag that fires on “Consent Initialization - All Pages” (this trigger fires before any other trigger, even Page View):

Create a Custom HTML tag or use the Google tag (gtag.js) with consent defaults:

<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}

  gtag('consent', 'default', {
    'analytics_storage': 'denied',
    'ad_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied',
    'functionality_storage': 'denied',
    'personalization_storage': 'denied',
    'security_storage': 'granted',
    'wait_for_update': 500
  });
</script>

Key details:

• All storage types default to “denied.” This is the correct starting state. Tags will load in cookieless mode (Advanced) or not load at all (Basic).
• security_storage is granted by default. Security cookies (like those preventing CSRF attacks) are generally considered essential and don’t require consent.
• wait_for_update: 500 tells Google tags to wait 500ms for a consent update from the CMP before proceeding. This gives the CMP time to check for a returning user who already made a consent choice in a previous session.

Step 2: Configure Your CMP

Your CMP needs to do two things:

1. Show the consent banner to first-time visitors.
2. Fire a consent update when the user makes a choice:

gtag('consent', 'update', {
  'analytics_storage': 'granted',  // or 'denied'
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted'
});

Most CMPs handle this automatically when properly configured with Google Consent Mode integration enabled. Cookiebot, OneTrust, and Usercentrics all have native integrations — you configure the mapping between CMP consent categories and Google consent types, and the CMP fires the update command automatically.

Step 3: Configure GTM Tags for Consent

In GTM, every tag that uses personal data needs a consent configuration:

1. Open the tag settings.
2. Under “Consent Settings,” click “Require additional consent for tag to fire.”
3. Add the relevant consent types:
   • GA4 Configuration tag: Requires analytics_storage
   • Google Ads Conversion Tracking: Requires ad_storage + ad_user_data
   • Google Ads Remarketing: Requires ad_storage + ad_personalization
   • Meta Pixel: Requires ad_storage + ad_user_data + ad_personalization
   • TikTok Pixel: Same as Meta
   • LinkedIn Insight Tag: Same as Meta

For non-Google tags (Meta, TikTok, LinkedIn), Consent Mode’s built-in behaviour only applies to Google tags. You need to use GTM’s consent settings (the “Require additional consent” checkbox) to gate these tags. When the required consent types are denied, GTM simply won’t fire the tag.

Step 4: Configure Consent Mode in the Google Tag

If you’re using the GA4 Configuration tag in GTM:

1. Open your Google tag (GA4 Configuration).
2. In tag configuration, ensure “Send a page_view event when this configuration loads” is enabled.
3. Under the consent settings, add analytics_storage as required.

For Google Ads tags, add both ad_storage and ad_user_data as required consent.

Step 5: Region-Specific Defaults

If you serve both EEA and non-EEA audiences, you can set different defaults by region:

gtag('consent', 'default', {
  'analytics_storage': 'denied',
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'region': ['AT', 'BE', 'BG', 'CY', 'CZ', 'DE', 'DK', 'EE',
             'ES', 'FI', 'FR', 'GR', 'HR', 'HU', 'IE', 'IT',
             'LT', 'LU', 'LV', 'MT', 'NL', 'PL', 'PT', 'RO',
             'SE', 'SI', 'SK', 'IS', 'LI', 'NO']
});

gtag('consent', 'default', {
  'analytics_storage': 'granted',
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted',
  'region': ['ZA']  // South Africa — adjust based on your POPIA interpretation
});

This sets consent to denied by default for EEA countries (requiring explicit opt-in) and granted by default for South Africa (opt-out model, if your POPIA interpretation supports this). The CMP still shows the banner in both regions, but the starting state differs.

Important: This region-based approach is a business decision with legal implications. Some privacy professionals argue that POPIA requires explicit opt-in (like GDPR). Others argue that POPIA’s “legitimate interest” basis allows opt-out for analytics and advertising. Get legal advice for your specific situation.

Testing Your Implementation

This is the step most people skip, and it’s why most Consent Mode implementations are silently broken.

Test 1: Default State

1. Open the site in an incognito window.
2. Open Google Tag Assistant (or GTM Preview mode).
3. Before interacting with the consent banner, verify:
   • Google tags have loaded (Advanced mode) or haven’t loaded (Basic mode)
   • All consent types show as “denied” in Tag Assistant’s consent tab
   • No cookies have been set (check Application → Cookies in DevTools)

Test 2: Consent Granted

1. Click “Accept All” on the consent banner.
2. Verify:
   • Consent types update to “granted” in Tag Assistant
   • Google Analytics cookies (_ga, _ga_<container-id>) are now set
   • Google Ads cookies (_gcl_au, _gac_*) are now set
   • GA4 begins sending events normally

Test 3: Consent Denied

1. Clear cookies and reload in incognito.
2. Click “Reject All” on the consent banner.
3. Verify:
   • Consent types show as “denied”
   • No analytics or advertising cookies are set
   • In Advanced mode: consent pings are sent (visible in Network tab as requests to google-analytics.com or googleads.g.doubleclick.net with gcs= parameter)
   • In Basic mode: no requests to Google analytics/ads endpoints at all

Test 4: Returning Visitor

1. Accept consent, close the tab.
2. Reopen the site.
3. Verify:
   • The CMP remembers the previous choice (no banner shown, or banner shows current state)
   • Consent state is restored within the wait_for_update window
   • Tags fire normally from the first page view

Test 5: Non-Google Tags

1. Deny consent.
2. Verify that Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, and any other third-party tags do NOT fire.
3. Grant consent.
4. Verify they fire correctly.

Impact on Your Data

Consent Mode changes your numbers. You need to understand how so you can set appropriate expectations with clients.

Conversion Reporting

With Advanced Consent Mode, Google uses modelled conversions to fill the gap from users who deny or ignore consent. In practice, for a South African audience where consent rates tend to be high (80-90% grant rate), you might see:

• 90% of conversions tracked directly (consented users)
• 10% modelled by Google (denied/ignored users)
• Total reported conversions: close to pre-Consent-Mode levels

For EEA audiences where consent rates are lower (50-70% grant rate), the modelling fills a larger gap:

• 60% tracked directly
• 30-35% modelled
• Total: 90-95% of pre-Consent-Mode levels

With Basic Consent Mode, there’s no modelling. You only see conversions from consented users. If your consent rate is 70%, you lose 30% of your conversion data. This directly impacts smart bidding performance — fewer conversions means the algorithm has less data to optimise.

GA4 Reporting

GA4 applies “behavioural modelling” for users who deny analytics consent (Advanced mode only). This fills gaps in user counts, session counts, and event data. The modelled data appears alongside observed data in standard reports — Google doesn’t separately label it in most views.

In Basic mode, users who deny consent simply don’t appear in GA4. Your user counts will be lower than actual traffic. For SA sites with 85% consent rates, this is a 15% undercount. For EU sites with 60% consent rates, it’s a 40% undercount.

Common Mistakes

1. Forgetting ad_user_data and ad_personalization. These are the V2 additions. Without them, Google Ads conversion tracking won’t work for EEA traffic. I’ve seen accounts where someone implemented Consent Mode V1 in 2023 and never updated — they’ve been losing EEA conversion data for over a year without realising it.

2. Not setting wait_for_update. Without this, Google tags fire immediately with the default (denied) state and never receive the consent update from the CMP. The CMP loads asynchronously, and if it takes longer than expected, the tag has already fired in denied mode for that page view.

3. Only configuring Google tags. Consent Mode’s automatic behaviour only applies to Google tags. Meta Pixel, TikTok, LinkedIn, and any other third-party tags need manual consent gating through GTM’s consent settings. If you only set up Consent Mode for Google tags, your Meta Pixel is happily firing without consent — a compliance violation.

4. Testing only the happy path. Most people test “accept all” and call it done. Test the deny path, the ignore path (user closes the banner without choosing), and the returning visitor path. These are where the bugs hide.

5. Not communicating the data impact to clients. When you implement Consent Mode, reported conversions will change. If you don’t warn the client, they’ll see a drop and blame you. Explain the change proactively, set expectations about modelled conversions, and frame it correctly: the old numbers were artificially high because they included non-consented tracking.

6. Dark pattern consent banners. Making “Reject” tiny, grey, and hidden behind “Manage preferences” while “Accept All” is a giant green button. Regulators are actively fining for this. The French CNIL has issued multiple fines specifically for consent banners where rejecting is harder than accepting. Design your banner fairly — it’s the right thing to do, and it protects your clients from regulatory action.

Auditing Existing Implementations

If you’re inheriting a site that already has Consent Mode configured, here’s the audit checklist (pair this with a full Google Ads audit to catch conversion tracking issues beyond consent):

1. Check the default consent state. Is it set before any tags fire? Use GTM Preview to verify firing order.
2. Verify all six consent types are present in the default command (V2 requires ad_user_data and ad_personalization).
3. Confirm the CMP fires consent updates correctly for both accept and deny scenarios.
4. Check non-Google tags are properly gated with consent requirements.
5. Review the consent banner for compliance (equal prominence for accept/reject).
6. Check GA4 and Google Ads for modelled conversion data (indicates Advanced mode is working).
7. Verify no cookies are set before consent is granted.

This audit can be done manually in 30-60 minutes per site. With an AI-powered GTM auditing tool, you can check the tag firing order, consent state, and cookie behaviour programmatically — useful if you’re managing dozens of client containers and can’t manually test each one.