ConsentPixel – Privacy · Verified

Google Requirement
⚠ Mandatory Since March 2024

Google Consent
Mode v2

Google Consent Mode v2 is not optional. Since March 2024, any website using Google Ads, Google Analytics, or Floodlight in the EEA or UK must implement all four GCM v2 parameters — or lose access to remarketing, conversion modelling, and smart bidding signals for their most valuable markets.

Mandatory March 2024
EEA & UK scope
4 required parameters
4
Required consent signal parameters
40–60%
Of EU traffic invisible without GCM v2 in high opt-out markets
Mar 2024
Mandatory deadline — EEA and UK ad features restricted without it
0
Remarketing audiences without GCM v2 for non-consenting visitors

What Is Google Consent Mode v2?

Google Consent Mode is a technical framework that tells Google's tags how to behave when a visitor has not consented to analytics or advertising cookies. Rather than simply blocking Google tags when consent is declined — which causes complete data loss — Consent Mode allows Google tags to run in a restricted, cookieless mode, collecting minimal non-identifying signals that feed Google's modelling algorithms.

Version 2 (v2), rolled out in late 2023 and made mandatory in March 2024, introduced two new parameters — ad_user_data and ad_personalization — in addition to the original analytics_storage and ad_storage. These four parameters together form the complete GCM v2 signal set that Google now requires for any website using Google advertising or analytics products in the EEA or UK.

🚫
Implementing only the v1 parameters is not sufficient. Many websites and CMPs implement only analytics_storage and ad_storage — the original Consent Mode v1 parameters. This is no longer compliant under GCM v2. Without the two new parameters (ad_user_data and ad_personalization), Google restricts access to enhanced conversions, audience features, and certain smart bidding signals. Check your implementation passes all four.

The Four Required Parameters — Explained

Each of the four GCM v2 parameters controls a distinct aspect of how Google tags collect and use visitor data. All four must be set to denied by default on page load, and updated to granted only when the visitor actively consents to the corresponding category.

Original — v1
analytics_storage

Controls whether Google Analytics (GA4) can set cookies and read/write cookie data for analytics purposes.

Denied → GA4 runs cookieless, sends minimal pings for modelling.
Granted → Full GA4 measurement including user ID, session data, and cross-device tracking.
Original — v1
ad_storage

Controls whether Google Ads tags can set cookies for advertising measurement including conversion tracking and frequency capping.

Denied → Ads tags run cookieless, conversion modelling active.
Granted → Full conversion measurement, click ID attribution, and remarketing cookies.
New in v2 ✦
ad_user_data

Controls whether user data can be sent to Google for advertising purposes — including enhanced conversions that use hashed email, phone, or address data for matching.

Denied → No user data transmitted to Google Ads for matching.
Granted → Enhanced conversions active — hashed first-party data sent for improved attribution.
New in v2 ✦
ad_personalization

Controls whether data can be used for personalised advertising — specifically remarketing audiences and personalised ad serving via Google Display Network.

Denied → Visitor excluded from all remarketing audiences and personalised ad targeting.
Granted → Remarketing lists populated, personalised ads served.
💡
Mapping parameters to consent categories. In practice, your consent banner categories map to GCM v2 parameters as follows: Analytics consent → grants analytics_storage. Marketing/Advertising consent → grants ad_storage, ad_user_data, and ad_personalization. All four are denied by default. The update fires immediately after the visitor's choice is recorded — not on the next page load.

How Google Consent Mode v2 Works — The Data Flow

Understanding the sequence in which GCM v2 fires is critical to implementing it correctly. The parameters must be set before any Google tag loads — not after, not on the next page view.

GCM v2 — Correct Page Load Sequence
1. ConsentPixel loads first
Fires GCM v2 default — all 4 parameters set to 'denied' in <head>
📦
2. GTM / GA4 / Ads load
Google tags read consent state — begin in restricted cookieless mode
🍪
3. Consent banner shown
Visitor sees banner, makes a choice — within wait_for_update window (500ms)
✓ Visitor Consents
ConsentPixel fires gtag consent 'update' with granted parameters. Google tags activate full measurement mode immediately.
✗ Visitor Declines
Parameters remain denied. Google tags continue in cookieless mode — sending minimal pings that feed conversion modelling without identifying the visitor.

The wait_for_update parameter (typically set to 500ms) tells Google tags to pause briefly for a consent update before firing in their default denied state. This prevents a race condition where the banner loads slower than the tag and the tag fires in denied mode before the visitor has had a chance to consent on their current visit.

The Complete Implementation Code

The following code must be placed in the <head> of every page, before your GTM snippet, before GA4, and before any other Google tag. If it fires after these tags, GCM v2 has no effect.

Complete GCM v2 implementation — paste in <head> before all Google tags
<!-- Step 1: Load gtag.js --> <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXX"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){ dataLayer.push(arguments); } gtag('js', new Date()); // Step 2: Set ALL FOUR default consent states to denied gtag('consent', 'default', { 'analytics_storage': 'denied', // GA4 cookies 'ad_storage': 'denied', // Google Ads cookies 'ad_user_data': 'denied', // NEW in v2 — enhanced conversions 'ad_personalization': 'denied', // NEW in v2 — remarketing 'wait_for_update': 500 // ms to wait for consent banner }); // Step 3: Configure GA4 (replace G-XXXXXXXX with your Measurement ID) gtag('config', 'G-XXXXXXXX'); </script> <!-- Step 4: Fire consent update when visitor makes a choice --> <!-- (Your CMP handles this automatically — shown here for reference) --> <script> function onConsentAccepted() { gtag('consent', 'update', { 'analytics_storage': 'granted', 'ad_storage': 'granted', 'ad_user_data': 'granted', 'ad_personalization': 'granted' }); } function onConsentDeclined() { // Parameters remain 'denied' — no update needed // Google tags continue in restricted cookieless mode } function onAnalyticsOnlyConsent() { gtag('consent', 'update', { 'analytics_storage': 'granted', 'ad_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied' }); } </script>
⚠️
If you use Google Tag Manager, your CMP must still fire GCM v2 before GTM loads. A common mistake is implementing GCM v2 inside a GTM tag. This does not work — GTM itself is a Google tag that reads the consent state. The default consent block must fire from your page source (or your CMP) before the GTM container snippet loads. ConsentPixel handles this automatically — it fires the default block in your page <head> before GTM and then passes the update via the GTM data layer.

Platform-Specific Implementation

Where exactly you paste the GCM v2 default block depends on your platform. Select yours below for the specific location.

WordPress
Shopify
WooCommerce
BigCommerce
Webflow
Any HTML
WordPress — child-theme/functions.php
// Add to child theme functions.php — priority 1 fires before all other wp_head hooks add_action( 'wp_head', function() { ?> <script> window.dataLayer = window.dataLayer || []; function gtag(){ dataLayer.push(arguments); } gtag('consent', 'default', { 'analytics_storage': 'denied', 'ad_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'wait_for_update': 500 }); </script> <?php }, 1 ); // Priority 1 = loads before Site Kit, GTM, all other plugins

ConsentPixel handles this automatically when installed with priority 1. If you use WPCode (Insert Headers and Footers), paste the script block in the Header section set as the first script.

Shopify — Online Store → Themes → Edit Code → Layout → theme.liquid
<!-- Paste inside <head> before {{ content_for_header }} --> <script> window.dataLayer = window.dataLayer || []; function gtag(){ dataLayer.push(arguments); } gtag('consent', 'default', { 'analytics_storage': 'denied', 'ad_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'wait_for_update': 500 }); </script> <!-- ConsentPixel pixel snippet goes here next -->

This block must appear before {{ content_for_header }}, which is where Shopify's Customer Privacy API and app scripts inject themselves. ConsentPixel's Shopify install handles this automatically.

WooCommerce — Same as WordPress (functions.php priority 1)
// WooCommerce runs on WordPress — same functions.php approach // Critical: must fire before WooCommerce's own tracking hooks add_action( 'wp_head', function() { ?> <script> window.dataLayer = window.dataLayer || []; function gtag(){ dataLayer.push(arguments); } gtag('consent', 'default', { 'analytics_storage': 'denied', 'ad_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'wait_for_update': 500 }); </script> <?php }, 1 );

Ensure WooCommerce's Google Listings & Ads plugin and any standalone GA4 plugins are configured to respect GCM v2 — or remove their snippet output and let ConsentPixel control Google tag firing.

BigCommerce — Script Manager: Essential, Head, All Pages
<!-- Script Manager → Create Script → Category: Essential → Location: Head --> <script> window.dataLayer = window.dataLayer || []; function gtag(){ dataLayer.push(arguments); } gtag('consent', 'default', { 'analytics_storage': 'denied', 'ad_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'wait_for_update': 500 }); </script>

Set script category to Essential — not Analytics or Consent — so it loads before BigCommerce's own scripts. For multi-storefront, add this as an Essential script on each storefront channel.

Webflow — Project Settings → Custom Code → Head Code
<!-- Project Settings → Custom Code → paste in Head Code section --> <script> window.dataLayer = window.dataLayer || []; function gtag(){ dataLayer.push(arguments); } gtag('consent', 'default', { 'analytics_storage': 'denied', 'ad_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'wait_for_update': 500 }); </script>

In Webflow, Project Settings → Custom Code → Head Code applies to all pages sitewide. If you use Webflow's built-in Google Analytics integration, disable it and let ConsentPixel manage GA4 loading conditionally.

Any HTML site — paste immediately after <head> opening tag
<head> <!-- GCM v2 default — must be FIRST script in head --> <script> window.dataLayer = window.dataLayer || []; function gtag(){ dataLayer.push(arguments); } gtag('consent', 'default', { 'analytics_storage': 'denied', 'ad_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'wait_for_update': 500 }); </script> <!-- Your CMP pixel goes here next --> <!-- Then GTM / GA4 snippet --> </head>

Basic vs. Advanced Consent Mode — Which Should You Use?

Google offers two implementation approaches for Consent Mode. The choice significantly impacts how much data you recover for non-consenting visitors.

🔒 Basic Consent Mode

Google tags are completely blocked until the visitor consents. No data — including cookieless pings — is sent for non-consenting visitors.

+
Simpler to implement — just block tags until consent
+
No data sent to Google at all without consent
Complete data gap for all non-consenting visitors
No conversion modelling — declined visitors invisible to campaigns
Smart bidding loses signal quality for every opt-out visitor
📊 Advanced Consent Mode ✦ Recommended

Google tags load on all visits but operate in restricted cookieless mode for non-consenting visitors, sending minimal modelling signals.

+
Conversion modelling fills gaps from non-consenting visitors
+
Smart bidding retains signal quality even with high opt-out rates
+
Remarketing audiences partially preserved through modelling
+
GA4 reports include modelled data for declined sessions
Requires more careful implementation — tags must fire in denied state

ConsentPixel implements Advanced Consent Mode. Google tags load in a cookieless denied state, and the update fires immediately on visitor consent. This preserves modelling signals for declined visitors — critical for stores in Germany, France, and other high opt-out markets where 40–60% of visitors may decline tracking.

What You Lose Without Google Consent Mode v2

The practical impact of missing or partial GCM v2 implementation is direct and measurable. This is not a theoretical regulatory risk — it is live revenue impact on your Google Ads campaigns and analytics reporting today.

FeatureWithout GCM v2With GCM v2 (Advanced)
Conversion measurement (EEA/UK) Lost for all non-consenting visitors Modelled — estimated across declined population
Remarketing audiences Not built for declined visitors Partially preserved via modelling
Enhanced conversions Blocked — requires ad_user_data granted Active when marketing consent granted
Smart bidding signal quality Degraded — missing conversion data for opt-outs Maintained via cookieless pings and modelling
GA4 session reporting Blank for all declined sessions Modelled data fills gaps in reports
Google Ads access (EEA/UK) Audience features restricted by Google Full feature access maintained
Performance Max campaigns Reduced signal quality — lower performance Full signal set available for optimisation

Is your GCM v2 actually passing all four parameters?

ConsentPixel — Privacy · Verified includes a built-in GCM v2 compliance checker. Verify all four parameters, confirm correct firing order, and see exactly what Google receives per visitor consent state.

Verify My Implementation →

How to Verify Your GCM v2 Implementation

After implementing GCM v2, verification is essential. A misconfigured implementation — one that fires the default block after GTM loads, or that only passes two of the four parameters — looks correct from the surface but provides no benefit. There are three ways to verify.

Method 1 — Google Tag Assistant

Open tagassistant.google.com, enter your site URL, and navigate to the Consent tab after the page loads. You should see all four parameters present in the Default block, firing before any Google tag. Change your consent choice on the banner and confirm the Update block fires with the correct granted/denied values.

Method 2 — Browser DevTools Network tab

Open DevTools → Network → filter for gtm.js or gtag/js. The consent default block must appear in the waterfall before these requests. If GTM loads before your consent default fires, the implementation is incorrect regardless of what the code looks like.

Method 3 — ConsentPixel Compliance Checker

The ConsentPixel dashboard includes a dedicated GCM v2 checker that tests all four parameters, validates firing order, confirms the Update fires correctly on consent choice, and checks that your implementation matches the Advanced Consent Mode specification. It produces a pass/fail result with specific remediation steps for any gaps found.

How ConsentPixel — Privacy · Verified Handles GCM v2

Fires before every Google tag

ConsentPixel's pixel is designed to load as the first script in your page head — before GTM, before GA4, before any other Google tag. The GCM v2 default block fires as part of the pixel's initial execution.

🎯

All four v2 parameters — always

ConsentPixel always passes all four GCM v2 parameters — including the two new v2 parameters ad_user_data and ad_personalization. Never just two. Never just three.

📡

GTM data layer integration

For stores using Google Tag Manager, ConsentPixel passes consent updates via GTM's data layer using the consent command. GTM holds each tag until its required signal is received — no manual trigger modifications needed.

🔄

Advanced mode — modelling preserved

ConsentPixel implements Advanced Consent Mode. Tags load in cookieless denied state, cookieless pings fire for modelling, and the Update fires immediately on visitor consent choice — preserving conversion modelling for every opt-out visitor.

🌍

Geo-scoped to EEA and UK

GCM v2 in denied state only needs to apply to EEA and UK visitors. For all other regions, ConsentPixel can grant parameters by default — preserving full measurement for non-regulated markets while protecting EU/UK compliance.

Built-in verification checker

The ConsentPixel dashboard compliance checker validates your entire GCM v2 implementation — all four parameters, firing order, update timing, and Advanced vs Basic mode — with a clear pass/fail result.

GCM v2 Implementation Checklist

✅ Google Consent Mode v2 — Implementation Checklist 10 items
All four parameters present in the default blockanalytics_storage, ad_storage, ad_user_data, ad_personalization — all four, all denied by default
Default block fires before GTM, GA4, and all Google tagsVerify in Tag Assistant or DevTools Network tab — consent default must appear first in waterfall
wait_for_update set to 500ms or higherPrevents race condition where Google tag fires in denied state before banner has loaded
Update block fires immediately on visitor consent choiceNot on next page load — the update must fire in the same session after banner interaction
Update passes correct granted/denied values per category choiceAnalytics-only consent: grant analytics_storage only. Marketing consent: grant all four.
Advanced Consent Mode implemented (not Basic)Google tags must load in cookieless denied mode — not be blocked entirely — to enable conversion modelling
GCM v2 is not implemented inside a GTM tagThe default block must be in page source or CMP pixel — not inside the GTM container
Geo-scoped to EEA and UK visitors where appropriateGCM v2 denied defaults only need to apply to regulated markets — other regions can default granted
Verified in Google Tag Assistant — Consent tab shows all four parameterstagassistant.google.com → Consent tab → confirm default block and update block both visible
Consent banner presents genuine GDPR-compliant choice before GCM update firesGCM v2 is not a substitute for a GDPR-compliant consent banner — both are required

Frequently Asked Questions

Google Consent Mode v2 is Google's framework for adjusting how Google tags behave based on visitor consent choices. When a visitor declines cookies, GCM v2 allows Google tags to run in a restricted cookieless mode — collecting minimal signals that feed Google's modelling to estimate conversions and behaviour across the non-consenting population. Version 2 introduced two new parameters (ad_user_data and ad_personalization) on top of the original analytics_storage and ad_storage, making four required signals in total.
Yes — Google made GCM v2 mandatory in March 2024 for all websites using Google Ads, Google Analytics, or Floodlight in the EEA or UK. Without it, sites lose access to remarketing audiences, conversion modelling, enhanced conversions, and certain smart bidding features for non-consenting EEA and UK visitors. The requirement applies regardless of which CMP vendor you use — your consent banner must pass all four parameters to Google's tags before they fire.
The four required parameters are: (1) analytics_storage — controls GA4 cookies and analytics data collection; (2) ad_storage — controls Google Ads cookies for conversion tracking; (3) ad_user_data (new in v2) — controls whether user data can be sent to Google for advertising including enhanced conversions; (4) ad_personalization (new in v2) — controls whether data can be used for personalised advertising and remarketing. All four must default to denied and update to granted only when the visitor consents to the relevant category.
Without GCM v2, any EEA or UK visitor who declines consent disappears from your Google data entirely — no modelling, no conversion estimation, no smart bidding signals. In high opt-out markets like Germany and France, this means 40–60% of your traffic is invisible to your campaigns. Your remarketing audiences shrink, smart bidding loses signal quality, apparent conversion rates drop (they haven't — you just can't see the full picture), and ROAS calculations become unreliable. Google also restricts certain ad features for non-compliant accounts.
No. GCM v2 is Google's commercial measurement framework — it does not replace your GDPR obligations. You still need a fully compliant consent banner that blocks non-essential scripts before consent, presents granular category choices, provides a genuine Reject All option, logs consent events, and honours the GPC browser signal. GCM v2 is what you implement in addition to GDPR compliance so your Google campaigns continue to function when visitors decline consent.
Basic Consent Mode blocks Google tags entirely until consent is given — simple to implement but creates a complete data gap for non-consenting visitors with no modelling. Advanced Consent Mode allows Google tags to run in a restricted cookieless mode for non-consenting visitors, sending minimal signals that feed conversion modelling and smart bidding. Advanced mode preserves measurement quality even in high opt-out markets. Google recommends Advanced mode — ConsentPixel implements Advanced by default.
Google Consent Mode v2 — Handled Automatically

Stop losing EU conversions.
Implement GCM v2 correctly.

ConsentPixel — Privacy · Verified automatically fires all four GCM v2 parameters before any Google tag loads, implements Advanced Consent Mode for maximum measurement preservation, and verifies correct implementation in your dashboard.

Start Free 14-Day Trial Verify My GCM v2 →
Scroll to Top