Google Consent Mode v2 became mandatory for advertisers serving the EU, EEA, and UK in March 2024 for measurement that relies on Google’s advertising and analytics stack. Without a compliant Consent Mode setup, conversion modeling degrades, Smart Bidding loses signal, and remarketing audiences shrink — outcomes that show up directly in paid media efficiency and in GA4. Most eCommerce brands running Google Ads have implemented something labeled Consent Mode by now.
Paid media teams feel this first: ROAS looks noisier, audience match rates drift, and conversion lag reports stop lining up with finance’s numbers. Those symptoms often trace back to consent defaults that never fire on every page template, mobile web views, or checkout subdomains — not to “the algorithm.”
A second problem is more common than teams admit: implementation is often wrong — wrong defaults, missing parameters, or CMPs that never send a consent update to Google. A third problem is quieter and more dangerous: a Consent Mode configuration that passes Google’s checklist can still create California Invasion of Privacy Act (CIPA) exposure if tags fire before the user has meaningfully consented in a way that satisfies CIPA’s prior-consent standard.
This guide walks through what Consent Mode v2 is, how it should integrate with your consent management platform (CMP), how to implement it through Google Tag Manager (GTM), and the advanced-mode versus basic-mode choice that most documentation glosses over — and why that choice matters for California visitors.
What Is Google Consent Mode v2?
Consent Mode is a Google-specific API that tells Google tags how to behave based on a user’s consent choices. Instead of treating every visitor the same, the browser sends gtag('consent', 'default', …) and gtag('consent', 'update', …) signals that GA4, Google Ads, Floodlight, and related tags can read. Those tags then either run full measurement, run in a limited “cookieless” mode, or stay restricted — depending on what was granted.
Version 2 added two new consent parameters on top of the original pair:
ad_user_data— whether the user allows Google to use their data for advertising purposes in line with policy.ad_personalization— whether personalized advertising (e.g. remarketing personalization) is allowed.
The original parameters remain:
analytics_storage— GA4 and similar analytics behavior.ad_storage— cookies and identifiers used for advertising measurement.
When a user declines relevant categories, Consent Mode does not always mean “no request leaves the browser.” In advanced implementations, Google tags may still send cookieless pings — network requests that do not set advertising cookies and, per Google’s framing, do not collect personal data in the same way as full tagging. Google uses those signals, plus machine learning, to model conversions and traffic for users who did not consent to full tracking — partially recovering measurement visibility.
For EU/EEA/UK advertisers, Google requires Consent Mode v2 (and the full parameter set where applicable) to use Google Ads conversion tracking, Smart Bidding signals, remarketing, and certain GA4 audience and advertising features in line with consent requirements. If your CMP or GTM setup does not send the right defaults and updates, you are not just out of compliance on paper — you are flying blind in the products Google expects you to use for performance.
Teams sometimes ask whether Consent Mode “replaces” a CMP. It does not. Consent Mode is the language Google tags speak. The CMP is still the system that captures the user’s choice, blocks what must be blocked, and translates that choice into default and update calls. One without the other is incomplete: a CMP with no Consent Mode wiring leaves Google tags uninformed; Consent Mode with no enforcement leaves non-Google vendors and misordered tags running wild.
| Parameter | What it controls | Where it matters |
|---|---|---|
analytics_storage | Analytics cookies / storage for measurement | GA4, Google Analytics features tied to storage |
ad_storage | Advertising cookies / storage | Google Ads, conversion tags, many remarketing flows |
ad_user_data | Use of user data for ads (policy-aligned) | Google Ads — required for v2 completeness |
ad_personalization | Personalized ads | Remarketing personalization, display personalization |
How Consent Mode v2 Works With a CMP
The integration architecture is the same whether you use PieEye, Cookiebot, OneTrust, or another certified CMP — the sequence is what matters:
- User lands on the storefront or landing page.
- CMP initializes and, in a well-configured stack, blocks or gates Google tags until consent defaults are set (this is where many “Google-compliant” setups still fail for CIPA — more below).
- Banner or modal appears; the user accepts, rejects, or sets granular choices.
- CMP sends
gtag('consent', 'update', { … })with the four parameters set tograntedordeniedper choice. - Google tags read the updated state and switch from default → updated behavior.
Basic mode means Google tags do not run until consent is granted for the relevant categories. Nothing is sent to Google for those tags until the user allows it. Measurement for non-consenting users is minimal by design.
Advanced mode (often the default in guides and templates) is different: Google tags can fire immediately on page load in a denied default state, sending cookieless pings before the user has interacted with the banner. If the user later grants consent, tags upgrade to full measurement.
That distinction is the hinge of this article. For GDPR, advanced mode is framed as acceptable because cookieless pings are not supposed to constitute the same processing as full tracking. For CIPA, the analysis is not identical — the next section explains why.
Step-by-Step: Implementing Consent Mode v2 via GTM
Most eCommerce brands implement Consent Mode through GTM plus a CMP. The following is a practical sequence for that pattern.
Step 1 — Verify your CMP is Consent Mode v2 certified
Google publishes a list of certified CMP partners. Your CMP must support all four parameters: analytics_storage, ad_storage, ad_user_data, and ad_personalization. If it only maps the older two, you are not in a complete v2 posture for Google’s requirements.
Step 2 — Set consent defaults in GTM
In GTM, configure the Google tag (or a Consent Initialization tag) so that defaults are denied before the CMP resolves. That establishes a known baseline: Google tags start in a denied state until the CMP sends an update.
Example:
gtag('consent', 'default', {
'analytics_storage': 'denied',
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'wait_for_update': 500
});
wait_for_update gives the CMP a short window (in milliseconds) to push an update after load.
Step 3 — Configure the CMP to send update signals
When the user saves a choice, the CMP must call gtag('consent', 'update', { … }) with the correct granted/denied values. Map each banner toggle to the right parameters: a user who allows “analytics” but not “ads” should not blindly grant ad_storage. Verify in DevTools Network and Console that updates fire on accept, reject, and when the user changes preferences later — including returning visitors who already stored a choice, because re-entry flows are where stale states hide.
Pay attention to tag order in GTM: Consent Initialization should run before tags that require consent. Duplicate Google tags (one hardcoded in the theme, one in GTM) are a frequent source of “it works in staging” bugs.
Step 4 — Verify in Google Tag Assistant
Use Tag Assistant (or the Chrome extension workflow Google documents) to confirm defaults before interaction and updates after consent. Each tag should show the consent state you expect; mismatches here usually point to tag order or duplicate Google tags.
Step 5 — Confirm in GA4 and Google Ads
In GA4, review Admin → Data collection settings related to consent and signals. In Google Ads, review conversion actions and consent-related diagnostics. You are looking for coverage: Consent Mode signals present across sessions, not a one-off test on a developer laptop.
Implementation mistakes are common. For a deeper pass on what breaks in the real world, see the five most common GTM consent misconfiguration failures.
The CIPA Risk That Most Consent Mode Guides Miss
Advanced mode fires tags before the user has consented in the sense CIPA cares about.
In advanced mode, Google tags execute early — even when defaults are denied. They send cookieless pings to Google. That behavior is positioned as compatible with GDPR expectations around personal data in many setups. Google’s documentation is written primarily through that lens.
California’s CIPA § 631(a) is a different statute. It restricts reading, intercepting, or learning the contents of a communication without the consent of all parties in defined circumstances. California litigation has treated session behavior, navigation, and signals sent from the browser to third parties as within the scope of “communication” in ways that surprise teams who only read EU guidance.
The operative issue for your stack: prior consent. If a tag transmits behavioral or session-level signals to Google before the user has had a chance to accept or decline in a way that satisfies CIPA’s prior-consent standard, even a “cookieless” ping may still be argued as an interception or collection of communication content without consent. That is not a GDPR analysis — it is a California wiretapping-style analysis.
So: Yes, you can have a Consent Mode v2 setup that Google validates and that still creates a CIPA fact pattern for California traffic — because advanced mode intentionally sends traffic to Google before banner interaction.
This is not an argument against using Google’s products. It is an argument against assuming EU documentation answers California litigation risk. Your general counsel and your performance team may both be “right” from their frameworks — the job of the stack is to satisfy both Google’s measurement requirements and the stricter pre-fire bar that CIPA-focused review looks for.
The more conservative configuration for California-heavy eCommerce is basic mode: Google tags do not fire until consent is granted for the relevant categories. You lose some modeled conversion recovery for users who never consent — that is the trade. You also reduce the pre-consent network activity that plaintiffs’ theories focus on.
Document the decision. If you stay on advanced mode for EU modeling reasons, record why, who signed off, and what supplemental blocking you use for California — auditable discipline matters when exposure is uneven across markets.
If your brand is already in the beauty, health, or fashion verticals where demand letters cluster, or you have already received correspondence, basic mode plus container-level blocking is a rational default. For more on how letters and exposure work in practice, read how CIPA demand letters work and what exposure looks like.
Choosing the Right Consent Mode Configuration for Your Store
| Situation | Recommended mode | Why |
|---|---|---|
| EU/EEA/UK only, negligible California traffic | Advanced | Maximizes modeling; Google’s EU framing fits the primary risk |
| Material California traffic, no CIPA letters yet | Basic | Removes pre-consent Google tag activity |
| California traffic in beauty / health / high-litigation verticals | Basic | Aligns with plaintiff targeting patterns |
| Already received CIPA demand letters | Basic + full stack audit | Reduce immediate technical facts under dispute |
| Multi-brand enterprise (many properties) | Basic + unified CMP | Consistent enforcement beats mixed modes |
Regardless of mode, Consent Mode signals alone are not a CIPA program. They tell Google how to behave. They do not automatically stop other vendors’ scripts, misconfigured GTM triggers, or pixels that load outside the CMP. Your CMP must enforce that the GTM container and non-Google tags are blocked until consent is granted where required — not merely pass gtag updates after the fact.
For a practical audit of whether the banner matches tag reality, use how to audit whether your cookie banner is actually blocking tags.
What Changes With Consent Mode v2 for Your Reporting
After a correct rollout, marketers should expect:
- GA4 will show modeled conversions alongside observed conversions where Google can model. That is expected.
- Google Ads conversion columns may include modeled components — not a bug if Consent Mode is enabled and documented.
- Smart Bidding can temporarily look softer while Google’s systems recalibrate after consent states stabilize. Treat that as a planning window, not a reason to rip out Consent Mode.
- Remarketing list sizes will drop for users who decline personalization — that is compliance doing its job, not a broken pixel.
- Consent signal coverage in GA4 should trend toward 100% of sessions with a default state at minimum; gaps mean defaults are not firing everywhere (e.g. certain subdomains or apps).
Align finance and marketing on definitions: “observed” versus “modeled” conversions serve different questions. If leadership still wants a single number that matches the bank deposit, Consent Mode will force a more honest conversation about what is knowable under user choice.
Reporting literacy matters: your team should not panic when modeled data appears — they should panic when consent signals are missing or when tags fire before the banner in jurisdictions that treat that as a problem.
Conclusion
Consent Mode v2 is not optional for eCommerce brands that depend on Google Ads in the EU, EEA, and UK. Implementation is not a single checkbox: basic vs advanced mode is a risk decision about pre-consent tag activity, especially for California.
The safest default for US eCommerce with California traffic is basic mode with a CMP that blocks the container and third-party tags until consent is granted — not just sends gtag updates to Google. That pairing aligns Google’s v2 requirements with CIPA’s prior-consent reality more closely than advanced mode alone.
If you are unsure whether your banner is cosmetic or enforceable, audit your CMP and GTM together — then book a walkthrough to see how PieEye ties consent defaults, blocking, and Google tags into one defensible path. Use the cookie banner audit resources linked above and request a demo when you are ready to close the gap between “Consent Mode installed” and “Consent Mode enforced.”