Google Consent Mode v2: Complete Implementation, Audit & Troubleshooting Guide
Google Consent Mode v2 is now mandatory for EEA and UK traffic that uses Google Ads, Google Analytics 4 or Floodlight. It adds two new signals—ad_user_data and ad_personalization—and forces a clear choice between Basic and Advanced implementation. Get it wrong and your tags either fire before consent, creating GDPR liability, or stop feeding conversion data. This guide gives you a complete implementation, audit and troubleshooting workflow.
What Google Consent Mode v2 actually does
Consent Mode is a signaling layer between your consent banner and Google tags. Tags read four explicit signals and decide what they are allowed to do.
- ad_storage — Can Google tags read and write advertising cookies?
- analytics_storage — Can Google Analytics use cookies and local storage?
- ad_user_data — Can user data be sent to Google for advertising purposes?
- ad_personalization — Can Google use data for personalized advertising and remarketing?
In Basic mode, Google tags stay blocked until consent is granted. In Advanced mode, they send cookieless pings for modeling without setting advertising cookies.
Consent Mode v1 vs v2: what changed
| Capability | Consent Mode v1 | Consent Mode v2 |
|---|---|---|
| Consent signals | ad_storage, analytics_storage | Four signals including ad_user_data and ad_personalization |
| EEA/UK remarketing | Worked with limited signals | Requires ad_user_data and ad_personalization for full functionality |
| Conversion modeling | Available in Advanced mode | Improved modeling with all four signals |
| Google Ads compliance | Partial | Mandatory for continued audience building in EEA/UK |
| CMP integration | Two default signals | Must forward four signals to dataLayer or gtag |
| Tag behavior when denied | No storage / cookieless pings | Same, but personalization is now independently controlled |
Step-by-step implementation
1. Set default consent before any Google script loads
The most common mistake is script order. If GTM or gtag.js loads before the default consent command, tags run without consent state. Place this snippet as the first script in your <head>, before GTM, gtag or any CMP loader.
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
'ad_storage': 'denied',
'analytics_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'wait_for_update': 500,
'region': ['EEA', 'UK']
});
</script>Use wait_for_update to give your CMP time to resolve the user choice before tags fire. The region parameter applies strict defaults only where required.
2. Update consent when the user makes a choice
When the visitor accepts, rejects or customizes categories, push the matching state. If only analytics is accepted, keep advertising signals denied.
gtag('consent', 'update', {
'ad_storage': 'granted',
'analytics_storage': 'granted',
'ad_user_data': 'granted',
'ad_personalization': 'granted'
});Most major CMPs now support v2 natively. Verify they map all four signals, not just the two old ones.
3. Configure GTM to respect consent signals
Open GTM and confirm each Google tag uses the built-in consent checks. For non-Google tags—Meta Pixel, TikTok, LinkedIn, Hotjar—use a custom trigger that fires only after your CMP pushes a consent-granted event. Avoid generic triggers like All Pages or DOM Ready.
After publishing, use GTM Preview mode and the Tag Assistant to confirm each signal updates correctly when you accept, reject and customize consent.
Common audit and troubleshooting issues
After debugging hundreds of Consent Mode setups, we see the same failure patterns repeatedly. Here is what to look for and how to fix each one.
- Default consent loads too late. If the GTM container appears above the gtag default command, tags initialize without consent state. Move the default snippet to the very top of the head.
- Only v1 signals are configured. Legacy CMP templates often push only ad_storage and analytics_storage. Missing ad_user_data or ad_personalization disables remarketing and personalization in Google Ads.
- wait_for_update is missing. Without it, GTM may fire tags before the CMP resolves consent, causing inconsistent behavior across page loads.
- Hardcoded scripts bypass the CMP. A Google Ads conversion snippet embedded directly in the HTML ignores GTM consent checks. Move every Google tag into GTM or add explicit gtag consent wrappers.
- Analytics cookies appear while analytics_storage is denied. This is a direct GDPR violation. It usually means a second gtag instance or a plugin initializes GA independently of Consent Mode.
How to audit your implementation
Open Chrome in Guest mode, clear all storage, load the page and inspect DevTools before touching the banner. If you see _ga, _gid, _gcl_aw, IDE, NID or any advertising identifier before the consent timestamp, something is leaking.
In Basic mode, requests to Google domains should not fire before consent. In Advanced mode, you may see cookieless pings, but no cookies should be written and no user identifiers should be transmitted.
Verify GCM v2 with ConsentScope
Stop switching between DevTools tabs. ConsentScope detects cookies, localStorage, sessionStorage and third-party scripts before consent so you can see in seconds whether your Consent Mode setup is working.
Get ConsentScope FreeFAQ
Is Google Consent Mode v2 mandatory?
For websites serving EEA and UK users with Google Ads, Google Analytics 4 or Floodlight, v2 is effectively mandatory. Without the ad_user_data and ad_personalization signals, Google limits or disables remarketing, audience building and some conversion features.
Should I use Basic or Advanced mode?
Use Basic mode for the simplest compliance posture: no Google tags run until consent is granted. Use Advanced mode if your legal team accepts cookieless pings for conversion modeling and you want to recover measurement signals from users who decline.
Does Consent Mode v2 make my site GDPR compliant?
Consent Mode helps you communicate consent state to Google tags, but it does not automatically block every non-essential cookie or third-party script. You still need a consent banner, correct default consent, consent-aware triggers and continuous monitoring.
Need a professional audit trail?
ConsentScope Pro generates client-ready PDF reports with cookie timelines, violation scores and before/after consent evidence. Perfect for agencies, DPOs and compliance reviews.
Upgrade to ConsentScope ProConsentScope Team
Verified authorPrivacy Engineers & Chrome Extension Developers
We build tools that help developers, agencies and privacy advocates detect GDPR cookie violations automatically. Our team analyzes consent banners, cookie behavior and third-party scripts across thousands of websites every month.
Related articles
How to Check If Cookies Are Set Before Consent (Complete GDPR Audit Guide)
Learn how to check if cookies are set before user consent. Step-by-step GDPR audit guide for developers, agencies and privacy professionals.
Cookiebot Not Blocking Cookies? Here's How to Debug and Fix It
Cookiebot still firing cookies before consent? Learn the most common causes, step-by-step debugging and fixes that actually work.
How to Audit Website Cookies for GDPR Compliance (Step-by-Step)
Step-by-step guide to auditing website cookies for GDPR compliance. Built for developers, agencies and privacy professionals who need a repeatable process.