Consent Mode v2—For Dummies

Blog
Google has released Google Consent Mode v2. Consent what? Let us break down the concept in human speak. And answer questions like: Is it a cookie banner? What happens if I refuse to implement it? Is this only valid in the EU or EES? And how does it correlate with that whole third-party-cookie death? OK, let's get to it.
Table of Contents
Google first released Consent Mode back in 2020. I will refer to this as Consent Mode v1 where needed. Google did this because it wanted to make it possible for website owners to respect their visitors’ consent choices while minimizing the effect of data loss in Google Analytics and Ads (Floodlight, etc.).
So, you, as a marketer, could get some useful data from visitors that answer no to cookies and tracking for analytics and/or advertising purposes.
But is that kosher?
We’ll get to that.
Let’s begin by looking at the forces that have influenced Google to develop Consent Mode v1 and Consent Mode v2.

Background: Privacy Regulations and Consumer Pressure

Before you collect and process any personal information about other human beings, you must have grounds for it. You are not allowed to keep registers of people – like folders in a cabinet or on your computer or servers. You must be able to explain, for example, why you have the information and what you are doing with it.

Why?

  1. Because it’s the law.
  2. Because consumers and citizens have low regard for websites and companies that track them, sell their data, and build profiles on them—without asking.
  3. Because Google requires you to do it.

With “the law,” I’m (mainly) referring to 2 legal frameworks:

  • The GDPR
  • The ePrivacy Directive

And with people having “low regard,” I’m referring to studies like this one from BCG, which states that a majority (71%) prefer to buy from brands that are honest about what data they collect and why. Or this one, from Google, which upholds that when people trust a brand, they are twice as likely to share their personal information.

While the GDPR came into force in 2018, the ePrivacy Directive has been with us since 2002. These two legislations clarify that you, as a website owner, must collect informed opt-in consent for cookies and similar technologies – if you target people in the European Union or the European Economic Area.
But most importantly, Google has its own EU User Consent Policy. The first version is from 2015 and reflects the requirements of the ePrivacy Directive and the GDPR. On January 18, 2024, Google declared that as of March 2024,they will enhance enforcementof this policy for the audience and measurement solutions, aka, Google Ads and Google Analytics.
Here, Google explicitly says:

If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.

So, did Google Consent Mode v1 not meet those requirements?

Not like this. Consent Mode v2 enables you to be uncompromisingly compliant (if you use its basic mode). And if you want to continue optimizing your ads-campaigns, having consent mode is a must.
But then there’s the fine print.

Google Consent Mode v2 Comes In 2 Flavors

One of the ways Consent Mode v2 stands out, compared to its predecessor, is that it has 2 “modes,” which means that you can choose to implement it in either its “basic” version or its “advanced” version.
The basic mode is the one your lawyer (probably) would give compliance clearance to without further ado. The advanced version, though, would demand more “paperwork” before a lawyer signs off on it.
So, what does that mean?
In the basic version, Consent Mode v2 is calibrated like this:
  1. Website visitors come to your website.
  2. Some visitors say no to tracking, and others say yes.
  3. Only data from those visitors who say yes to tracking will be processed in GA4 and Google Ads.
In the advanced version, Consent Mode v2 is calibrated like this:
  1. Website visitors come to your website.
  2. Some visitors say no to tracking, and others say yes.
  3. Data from visitors who say yes to tracking will be processed in GA4 and Google Ads.
  4. Data from visitors that say no to tracking will be transferred to GA4 and Google Ads via “cookieless pings.”
But “only” data about:
  • device type,
  • conversion type,
  • time of day,
  • and country.
It will do this—load the tags or the SDKs—before the visitors consents.
As you probably understand, that 4th step in the advanced version complicates things. Google underlines that the information via these “cookieless pings” is non-identifying and aggregated.
But does that make the advanced version of Consent Mode v2 compliant?
I recommend you talk to a lawyer or your DPO to get clearance.
So why collect that data at all, then?
Because it enables Google to make the “modeling” so much better.

The upside of Consent Mode v2—Modeling

When you ask your app- and website visitors for consent—a fair amount will say no, making you “blind” on how those “nay-sayers” are performing. Where did they come from, an ad campaign? How many of them converted?
To make you less blind, Consent Mode v2 offers you modeling.
And that’s a “thing” where Google uses machine learning to estimate the behavior of users who said no to analytics and/or marketing cookies. It is a way for Google to say: well, based on how similar users who accept cookies have been and are acting, x amount of the nay-sayers has probably moved around like this.
Modeling is neat.
With the basic mode, modeling is truly this straightforward: You get an estimate for the no-to-cookies visitors based on those visitors that said yes-to-cookies. But with the advanced mode, on the other hand, you feed Google’s machine learning algorithm with more data—to make the modeling more accurate.

What kind of "more data"?

Those mentioned in the previous section:
  1. Device Type
  2. Conversion Type
  3. Country
  4. Time of Day
  5. Browser Type
As stated, this data is picked up and sent in with “cookieless pings.” Cookieless in this context means that no cookies are being set in the visitor’s browser to collect the information. Because that’s how cookies usually roll, and thus how they can collect so-called “online identifiers,” which (without consent) is a big no-no from a data protection perspective.
So the point, according to Google, is that the data collected and sent to Google’s services with these pings becomes minimal and can not be used to identify a person.
Again, if you have questions regarding whether the advanced mode is GDPR-compliant, please talk to your DPO (Data Protection Officer).

Which version of Consent Mode v2, should you choose?

What’s worth underlining here is that the unconsented data isn’t displayed in Google’s reports—you will not be able to see it or identify the users in GA4 or Ads. But can Google? The notion is no because it is sent directly into the modeling machine and processed without “anyone” looking.
If you are a hard-core digital marketer set to get as much as possible from your ads campaigns, you would probably want to go for the advanced implementation of Consent Mode v2.
Consent Mode’s value for a digital marketer lies in its modeling power.
If you are deciding between the basic mode or the advanced mode, the question you need to ask yourself is:
  1. How much do you value the modeled data?
  2. Is it worth getting additional data from users who did not say yes to this?
With this clarified, let’s consider what you need to get Consent Mode v2 in place.

Consent Mode v2 is not a Cookie Banner

Since Consent Mode is about, well, “consent,” how you collect consent from your website visitors and app users is very central.
To collect consent in a legally compliant way means you must have a consent mechanism that does that by the book—with a compliant banner and a mechanism that can collect and store consent.
This means several things, for example;
  1. Having a no-option with the same weight as the yes-option on the first layer,
  2. Giving granular transparency where all trackers are displayed and accounted for,
  3. Storing all consents so you can document that you have processes for collecting consents and adhering to them when asked by the enforcement authorities.
  4. And more.

And double down on the subject here, where the European Data Protection Board (EDPB) clarifies what cookie compliance is. And to repeat myself, Google has its own EU User Consent Policy, which mirrors the GDPR and the ePrivacy.

Hence, Consent Mode v2 is not a cookie banner from Google. But it needs one to compute.
And for the record:
A cookie-banner is not “just” a cookie-banner; that’s “just” the interface facing the website visitors. The engine running it is a Consent Management Platform.
So, if you need to get Consent Mode v2 in place, you need to either build your own CMP solution or choose one of the Google CMP-certified platforms, for example, Cookie Information’s CMP.
With that said, how does the communication from the visitor’s consent choice on the cookie banner on a website or mobile application to Google work?
With tags and flags.

And why is this knowledge worth having?

Because it illustrates how Consent Mode v2 is part of the bigger Google puzzle, where Chrome has phased out the third-party cookie and replaced that logic with new privacy-friendly APIs.
Let’s break it down.
implement consent mode v2

How does Consent Mode v2 Work?

In Consent Mode v1, there were/are two flags. In Consent Mode v2, there are 4. So, two more.
And what’s that about?
Well, the first version of consent mode could send two signals from the website (via the cookie-banner/CMP), telling Google:
  1. Does the user consent to their personal data being used for analytics purposes?
  2. Does the user consent to their data being used for marketing purposes?
*Technically called analytics_storage
**Technically called ad_storage
Hence, this version of consent mode could (still can if you got it installed) signal to Google if a user was OK with cookies being set for analytic purposes and/or marketing purposes – or if the user was not.
And, as previously mentioned, in Consent Mode v1, there was no basic implementation – only the advanced one.
With Consent Mode v2, two more signals have been added + the ability to choose a setup that blocks tags before consent – aka basic mode. But the flags are not one more per category – like one for the analytics storage and one for ads purposes—they are both additions to the ads-/marketing-category.
The two new flags signal: 
  1. Does the user consent to their personal data being used for advertising purposes?*
  2. Does the user consent to their personal data being used for remarketing?**
*Technically called ad_user_data
**Technically called ad_personalization
Confused? Totally understandable.
What is the difference between these new parameters?
From a website user’s perspective?
“Nothing”, because the cookie-banner stays as good as the same, with no extra toggle for remarketing, at least for now.
But from Google’s perspective, they signal that the user grants or denies consent for personal ads and remarketing, highlighting that there is a distinction that Google considers.
Like this. 
If the user says yes to marketing cookies:
  1. The first new flag (ad_user_data) allows Google to collect personal data for online advertising.
  2. The second new flag (ad_personalization) allows Google to use personal data for remarketing.

So why does Google need two new flags for that? Isn't it enough with the ad_storage flag in the Consent Mode v2 part?

Here’s where we get smack in the middle of what version 2 of Consent Mode is about.
These two new flags give Google the information it needs to enable remarketing and personalized advertising.
So you see, this is why, without Consent Mode v2, this happens:
  1. Personal data collection for online advertising is disabled.
  2. No user_id
  3. No enhanced conversions
  4. Google Ads, Display & Video 360, and Search Ads 360 will not receive data.
  5. No personalized advertising with Google’s advertising products
So, when you take a closer look at these new flags, it becomes clear that Google is—actually—stepping up its enforcement of Consent Mode through these two additions. If you stay with Consent Mode v1 (or don’t implement Consent Mode at all), Google will know.
Thus, Google has made Consent Mode v2 a requirement, which means that you, as a digital marketer and website owner, must collect consent for your visitors and users AND send those signals to Google. And this can ONLY be done via Consent Mode v2—after Mars 6th, 2024.

The Two New Flags Are Not What They Seem

Interestingly, the two new flags do not impact how/if the consent tags fire on the website. This is still “only” controlled by the two first/original flags (analytics_storage and ad_storage). Because those are the only consent states that actually alter how the tag code works. The two new flags (ad_user_data and ad_personalization) are URL flags, which automatically get added to the Google request.
One way to look at the new tags is like “specifications”; they get added to the two original/actual “flags” like stickers in the form of URL parameters.
So when a user consents or denies consent for certain types of data usage, this information is sent to Google’s servers.
Google’s servers then read these parameters and process the user’s data according to their consent preferences, i.e., if the user has said yes or no to cookies.
So, these URL parameters are specified instructions sent along with the user data to Google’s servers, indicating how the data can be used based on the user’s consent.
To summarize:
  1. A user comes to your website.
  2. The user clicks on the cookie banner to grant consent or not.
  3. The two genuine/original flags react and signal either, “OK, we’re good to go,” or “Stop, no consent here, fellas.”
  4. If it’s OK, we’re good to go”. The two specifications-flags get added to these signals to instruct Google on processing and using the consented data sent to them.
Now, let’s examine how Consent Mode v2 fits into the bigger picture.
The Digital Services Act is setting global precedence

Consent Mode v2 & The "Death" of The Third-Party Cookie

2024 is a big year for digital marketers. In part because Google’s web browser Chrome is phasing out third-party cookies. Other browsers, like Safari and Firefox, already did this a couple of years ago. But the stakes are higher with Chrome because Chrome owns about 60% of the global web browser market. Chrome is also NOT going cold turkey, as other browsers have. Instead, it has deployed a couple of new “privacy-friendly” APIs to take the third-party cookies’ place.
As you probably know, the third-party cookie is essential for granular remarketing, where advertisers build user profiles to target visitors with “relevant ads.” The back side to this kind of tracking and profiling consists of dire privacy concerns. The new APIs in Chrome enable a more privacy-friendly remarketing and advertising ecosystem—and the different APIs are helping with this in different ways, according to Google.
But one way to summarize the new logic in Chrome is contextual marketing—where users are not targeted as individuals but as groups of people interested in specific topics.
Much is to be said about the depreciation of the third-party cookie and what this means for digital marketers and companies that now need to adapt to the changes. But from a Consent-Mode-v2-perspective, the point is:
Consent Mode v2 is crucial for website owners who want to optimize their ad campaigns and for building audiences in the Google ecosystem. It is also an update adapted to (long-term) work and service website owners in the third-party cookie-less reality of Chrome.
How? This is not 100% clear yet. Chrome is, as we speak, (2024) successively removing the third-party cookie and deploying the new API:s. And testing and adjusting as they move along.
But what we can see thus far is the following:
  1. One of the new APIs—Protected Audience API—is connected to features in Google Ads and also rolled out in GA4.
  2. This API “knows” if a user belongs to a specific “context.” For example, if the user is interested in cars or other themes or topics. This API also enables conversions.
  3. Both these aspects are predominantly Google Ads features. But since you usually work with Google Ads and GA4—in tandem—these aspects are also deployed in GA4. So you, for example, can see conversions in GA4 without logging back into Google Ads.
And then we have Consent Mode v2, which complements what Google is enabling in Chrome and directly sends signals into GA4 and Ads:
  1. Consent Mode v2 ensures that data collection for processing comes in with instructions explaining whether the user has said yes or no to statistical and/or marketing purposes.
  2. The two new add-related flags in Consent Mode v2 instruct Google what the visitor is OK with and, thus, what Google can do with it in the third-party-cookie-less Chrome-ecosystem, and within the reporting in GA4 and Ads.

So you see, it’s all connected. Consent Mode v2 is part of Google’s new, more privacy-focused ecosystem.

Do you need to get Consent Mode v2?

If you are an active user of Google Ads and GA4 and want to keep it that way—then you do. If you don’t, you will not be able to do remarketing, optimize your campaigns, and get modeled data to fill in the gaps from all those visitors who say no to cookies.
Consent Mode v2 is also extra relevant for companies that target consumers in the EU/EEA.

How do you get Consent Mode v2?

This is pretty straightforward if you run with what Google recommends—using certified CMP solutions, such as Cookie Information.
  1. You can do it by inserting the Consent Mode v2 script directly onto your website.
  2. You could implement it through Google Tag Manager by choosing the Cookie Informations template.
You can also choose to do it via our WordPress plugin. If you already have Consent Mode v1, updating it to CMV2 like this is just one click.

Are you keen on getting Consent Mode v2 in place before the March deadline?

Then, try out our free platform with a limited offer.
DID YOU HEAR?
We’re offering an exclusive, limited time only discount for new customers just like you.