Introducing our free plan: Now you can take control of your compliance at no cost →
Limited offer until November 30th:Start a free trial and get 30% off your subscription for the first year when you upgrade! Sign up here →
Start a free trial and get 30% off your subscription for the first year when you upgrade →

Consent Mode v2 for dummies

Blog
Lars Krarup Olesen
There's a ton of available information on Google Consent Mode v2, but often it's complex (and slightly vague). So, in this article, we break it down and answer the fundamental questions, including what it actually is, how it works, and what might happen if you don't implement it. Let's get to it!
Table of Contents

Editor’s note: Google released its first version of Consent Mode back in 2020, and now we have the latest second version from late 2023. Throughout this article, I will refer to the first version as “Consent Mode v1”.

When Google developed Consent Mode, they wanted to make it possible for website owners to respect their visitors’ consent choices while minimizing data loss in Google Analytics and Ads (Floodlight, etc.). Simply put, Consent Mode ensured that marketers could still get useful data, even when visitors reject cookies and tracking for analytics and/or advertising purposes.

But is that kosher?
We’ll get to that.

Let’s begin by looking at the forces that initially influenced Google to develop Consent Mode v1 and now Consent Mode v2.

Google logo

Background: Privacy regulations and consumer pressure

Before you collect and process any personal information about other human beings, you must have legal grounds to do so. You are not allowed to keep registers of people – whether in folders in a cabinet, on your computer or on servers. You must be able to explain, for example, why you have the information and what you are doing with it.

Why?

  1. Because it’s the law.
  2. Because consumers and citizens have low regard for websites and companies that track them, profile them, and sell their data without asking for permission.
  3. Because Google requires you to do so.

With “the law”, I’m (mainly) referring to 2 legal frameworks:

  • The GDPR
  • The ePrivacy Directive

And with people having “low regard”, I’m referring to studies like this one from BCG, which states that a majority (71%) of consumers prefer to buy from brands that are honest about what data they collect and why. Or this Google study, which upholds that when people trust a brand, they are twice as likely to share their personal information.

While the GDPR came into force in 2018, the ePrivacy Directive has been with us since 2002. These two pieces of legislation clarify that you, as a website owner, must collect informed opt-in consent for cookies and similar technologies if you target people in the European Union or the European Economic Area.

Want to read more about these laws? Check out this article about the GDPR and this one about the ePrivacy Directive.

But most importantly, Google has its own EU user consent policy. The first version is from 2015 and reflects the requirements of the ePrivacy Directive and the GDPR. On January 18, 2024, Google declared that as of March 2024, they will enhance enforcement of this policy for the audience and measurement solutions aka Google Ads and Google Analytics:

If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.

- Google

Did Google Consent Mode v1 not meet those requirements?

Not to the same extent. Consent Mode v2 enables you to be uncompromisingly compliant (assuming you use its “Basic” mode). And if you want to continue optimizing your Ads campaigns, having Consent Mode is a must.

But then there’s the fine print.

Google Consent Mode v2 comes in 2 flavors

One of the ways Consent Mode v2 stands out compared to its predecessor, is that it has 2 “modes” which means that you can choose to implement it in either its “Basic” version or its “Advanced” version.

The Basic mode would (probably) get compliance clearance from your lawyer/DPO without much fuzz. The Advanced mode, though, would require more “paperwork” before a lawyer signs off on it.

And why is that?

In the Basic version, Consent Mode v2 is calibrated like this:

  1. Website visitors come to your website.
  2. Some visitors say no to tracking, and others say yes.
  3. Only data from those visitors who say yes to tracking will be processed in GA4 and Google Ads.

In the Advanced version, Consent Mode v2 is calibrated like this:

  1. Website visitors come to your website.
  2. Some visitors say no to tracking, and others say yes.
  3. Data from visitors who say yes to tracking will be processed in GA4 and Google Ads.
  4. Data from visitors that say no to tracking will be transferred to GA4 and Google Ads via “cookieless pings.”

But the data is limited to:

  • Device type
  • Conversion type
  • Time of day
  • Country

The tags or SDKs are loaded before the visitors consents.

As you probably understand, that 4th step in the advanced version complicates things. Google underlines that the information collected via these “cookieless pings” is non-identifying and aggregated.

But does that make the Advanced version of Consent Mode v2 compliant?

I recommend you talk to a lawyer or DPO to get clearance.

So why collect that data at all, then?

Because it enables Google to make their “conversion modeling” better.

The upside of Consent Mode v2: Conversion modeling

When you ask your app and website visitors for consent, a fair amount will say no. This leaves you in the blind on the actions and conversions of those “nay-sayers”. Where did they come from? Was it an ad campaign? Which one? How many of them converted?

To make you less blind, Consent Mode v2 offers you conversion modeling.

Conversion modeling uses uses machine learning algorithms to estimate or predict the actions of users who said no to analytics and/or marketing cookies. It is a way for Google to say: “well, based on the actions of similar users who accept cookies, x amount of the nay-sayers have probably moved around like this.”

Conversion modeling is neat.

With the Basic mode, conversion modeling is truly straightforward: You get an estimate for the visitors who rejected cookies based on the visitors who said accepted cookies. But with the Advanced mode, on the other hand, you feed Google’s machine learning algorithm with more data to make the modeling more accurate.

What kind of "more data"?

Those mentioned in the previous section:
  1. Device type
  2. Conversion type
  3. Country
  4. Time of day
  5. Browser type
As stated, this data is picked up and sent in with “cookieless pings.” Cookieless in this context means that no cookies are being set in the visitor’s browser to collect the information. Because that’s how cookies usually roll, and thus how they can collect so-called “online identifiers,” which (without consent) is a big no-no from a data protection perspective.
So the point, according to Google, is that the data collected and sent to Google’s services with these pings becomes minimal and can not be used to identify a person.

Again, if you have questions regarding whether the advanced mode is GDPR compliant, please talk to your DPO (Data Protection Officer).

Which version of Consent Mode v2 should you choose?

What’s worth underlining here is that the unconsented data isn’t displayed in Google’s reports. So you will not be able to see it or identify the users in GA4 or Ads. But can Google? The notion is that they can’t because the data is sent directly into the modeling machine and processed without “anyone” looking.

If you are a hardcore digital marketer set to get as much data as possible from your Ads campaigns, you would probably want to go for the advanced implementation of Consent Mode v2.

Consent Mode’s value for a digital marketer lies in its modeling power.

If you are deciding between the Basic mode or the Advanced mode, you need to ask yourself two questions:

  1. How much do you value the modeled data?
  2. Is it worth getting additional data from users who did not consent to sharing it?
With this clarified, let’s consider what you need to get Consent Mode v2 in place.

Consent Mode v2 is not a cookie banner

Since Consent Mode is about, well, “consent,” how you collect consent from your website visitors and app users is very central.

To collect consent in a legally compliant way, you must have a consent mechanism – i.e. a cookie banner – that allows your visitors to register their consent preferences and enables you to store and document consents.

This means several things. For example;

  1. Having a no/reject option on the first layer of the cookie banner, with the same weight as the yes/accept option
  2. Giving granular transparency where all trackers are displayed and accounted for
  3. Storing all consents so you can document that you have processes for collecting consents and adhering to them when asked by the enforcement authorities

Read more about cookie compliance here.

And double down on the subject here, where the European Data Protection Board (EDPB) clarifies what cookie compliance is. And to repeat myself, Google has its own EU user consent policy, which mirrors the GDPR and the ePrivacy Directive.

The bottom line is that Consent Mode v2 is not a cookie banner. But it needs one to compute.

And for the record:

A cookie banner is not “just” a cookie banner; it’s the user interface for your website visitors. The engine running it is a Consent Management Platform.

So, if you need to implement Consent Mode v2, you need to either build your own CMP or choose one of the Google Certified CMPs, like Cookie Information, for example.

Google recommends the latter approach.

With that said, how does the cookie banner communicate the visitor’s consent preference to Google?

With tags and flags.

And why is this knowledge worth having?

Because it illustrates how Consent Mode v2 is part of the bigger Google puzzle, where Chrome has phased out the third-party cookie and replaced that logic with new privacy-friendly APIs.

Let’s break it down.
implement consent mode v2

How does Consent Mode v2 Work?

Consent Mode v1 used two flags. Consent Mode v2 uses 4.

And what’s that about?

Well, Consent Mode v1 could send two signals – analytics_storage and ad_storage – from the website to Google via the cookie banner/CMP to communicate the following:

  1. Does the user consent to their personal data being used for analytics purposes (analytics_storage)?
  2. Does the user consent to their data being used for marketing purposes (ad_storage)?

Hence, Consent Mode v1 could signal to Google if a user was or wasn’t OK with cookies being set for analytic purposes and/or marketing purposes.

And as I mentioned above, Consent Mode v1 only had the Advanced mode and no Basic mode.

With Consent Mode v2, two more flags have been added, as well as the ability to choose a setup that blocks tags prior to consent, aka Basic mode. The two additional flags – ad_user_data and ad_personalization – are not new categories but rather additions to the “ad_”/marketing category.

The two new flags signal: 
  1. Does the user consent to their personal data being used for advertising purposes (ad_user_data)?
  2. Does the user consent to their personal data being used for remarketing (ad_personalization)?
Confused? Totally understandable.

What is the difference between these new parameters?

From a website user’s perspective?

Nothing. Because the cookie banner stays as good as the same, with no extra toggle for remarketing, at least for now.

But from Google’s perspective, they signal that the user grants or denies consent for personal ads and remarketing, highlighting that there is a distinction that Google considers.
Like this. 
If the user says yes to marketing cookies:
  1. The first new flag (ad_user_data) allows Google to collect personal data for online advertising.
  2. The second new flag (ad_personalization) allows Google to use personal data for remarketing.

So why does Google need two new flags for that?

Shouldn’t it be enough with the ad_storage flag?

Here’s where we get smack in the middle of what Consent Mode v2  is about.

Without these two new flags, you will not be able to do remarketing.

The new flags give Google the information it needs to enable remarketing and personalized advertising.

You see, without Consent Mode v2, this happens:

  1. Personal data collection for online advertising is disabled.
  2. No user_id
  3. No enhanced conversions
  4. Google Ads, Display & Video 360, and Search Ads 360 will not receive data.
  5. No personalized advertising with Google’s advertising products

So, when you take a closer look at the new flags, it becomes clear that Google is—actually—stepping up its enforcement of Consent Mode through these two additions. If you choose to keep using Consent Mode v1 (or don’t implement Consent Mode at all), Google will know.

Thus, Google has made Consent Mode v2 a requirement, which means that you, as a digital marketer and website owner, must collect consent for your visitors and users and send those signals to Google. And post-March 2024, this can only be done via Consent Mode v2.

The two new flags are not what they seem

Interestingly, the two new flags do not impact how/if the consent tags fire on the website. This is still “only” controlled by the two first/original flags (analytics_storage and ad_storage). Because those are the only consent states that actually alter how the tag code works. The two new flags (ad_user_data and ad_personalization) are URL flags, which automatically get added to the Google request.

One way to look at the new tags is like “specifications”; they get added to the two original flags like stickers in the form of URL parameters.

So when a user accepts or rejects consent for certain types of data usage, this information is sent to Google’s servers.

Google’s servers then read these parameters and process the user’s data according to their consent preferences, i.e., if the user has said yes or no to cookies.
So, these URL parameters are specified instructions sent along with the user data to Google’s servers, indicating how the data can be used based on the user’s consent.
To summarize:
  1. A user comes to your website.
  2. The user clicks on the cookie banner to grant or deny consent.
  3. The two genuine/original flags react and signal either, “OK, we’re good to go,” or “Stop, no consent here, fellas.”
  4. If it’s “OK, we’re good to go”, the two specifications-flags get added to these signals to instruct Google on processing and using the consented data sent to them.
Now, let’s examine how Consent Mode v2 fits into the bigger picture.
The Digital Services Act is setting global precedence

Consent Mode v2 and the "death" of the third-party cookie

2024 is a big year for digital marketers. In part because Google’s web browser Chrome is phasing out third-party cookies. Other browsers, like Safari and Firefox, already did this a couple of years ago. But the stakes are higher with Chrome because it sits on about 60% of the global web browser market. Chrome is also not going cold turkey, as other browsers have. Instead, it has deployed a couple of new “privacy-friendly” APIs to take the third-party cookies’ place.

As you probably know, the third-party cookie is essential for granular remarketing, where advertisers build user profiles to target visitors with “relevant ads.” The back side to this kind of tracking and profiling consists of dire privacy concerns. The new APIs in Chrome enable a more privacy-friendly remarketing and advertising ecosystem—and the different APIs are helping with this in different ways, according to Google.
But one way to summarize the new logic in Chrome is contextual marketing—where users are not targeted as individuals but as groups of people interested in specific topics.

Much is to be said about the depreciation of the third-party cookie and what this means for digital marketers and companies that now need to adapt to the changes. But from a Consent Mode v2 perspective, the point is:

Consent Mode v2 is crucial for website owners who want to optimize their ad campaigns and for building audiences in the Google ecosystem. It is also an update adapted to (long-term) work and service website owners in the third-party cookie-less reality of Chrome.

How? This is not 100% clear yet.
Chrome is, as we speak, (2024) successively removing the third-party cookie and deploying the new APIs. And testing and adjusting as they move along.

But what we can see thus far is the following:
  1. One of the new APIs—Protected Audience API—is connected to features in Google Ads and also rolled out in GA4.
  2. This API “knows” if a user belongs to a specific “context.” For example, if the user is interested in cars or other themes or topics. This API also enables conversions.
  3. Both these aspects are predominantly Google Ads features. But since you usually work with Google Ads and GA4—in tandem—these aspects are also deployed in GA4. So you, for example, can see conversions in GA4 without logging back into Google Ads.
And then we have Consent Mode v2, which complements what Google is enabling in Chrome and directly sends signals into GA4 and Ads:
  1. Consent Mode v2 ensures that data collection for processing comes in with instructions explaining whether the user has said yes or no to statistical and/or marketing purposes.
  2. The two new add-related flags in Consent Mode v2 instruct Google what the visitor is OK with and, thus, what Google can do with it in the third-party-cookie-less Chrome-ecosystem, and within the reporting in GA4 and Ads.

So you see, it’s all connected. Consent Mode v2 is part of Google’s new, more privacy-focused ecosystem.

Do you need to get Consent Mode v2?

If you are an active user of Google Ads and GA4 and want to keep it that way—then you do. If you don’t, you will not be able to do remarketing, optimize your campaigns, and get modeled data to fill in the gaps from all those visitors who say no to cookies.
Consent Mode v2 is also extra relevant for companies that target consumers in the EU/EEA.

How do you get Consent Mode v2?

This is pretty straightforward if you run with what Google recommends—using certified CMP solutions, such as Cookie Information.
  1. You can do it by inserting the Consent Mode v2 script directly onto your website.
  2. You could implement it through Google Tag Manager by choosing the Cookie Informations template.
You can also choose to do it via our WordPress plugin. If you already have Consent Mode v1, updating it to CMV2 like this is just one click.

Are you keen on getting Consent Mode v2 in place?

Then try out our platform for free and easily get Consent Mode v2 in place.

Try Consent Mode For Free

Købmagergade 19
1150 Copenhagen K, Denmark
VAT: DK-38758292 

Contact
Facebook Cookie Information Linkedin Cookie Information Youtube Cookie Information

PRODUCTS

RESOURCES

COMPANY

COMPARE

LEGAL