Loading tutorials…
Loading tutorials…
If your business serves EEA, UK, or Swiss visitors, Consent Mode v2 isn't optional anymore — Google requires it for personalized advertising. Done well, it also recovers 30-70% of the data ad blockers and consent rejections would otherwise lose.
Who this is forOwners whose site has any EEA, UK, or Swiss visitors and who use Google Ads, Google Analytics, or any Google personalization signals. If you've been getting 'Consent Mode v2 not detected' warnings in Google Ads or Search Console, this fixes it.
What you'll need
Step 1
Consent Mode v2 has two modes. Basic blocks all Google tags until consent is given. Advanced fires limited "consent signals" that recover most data while staying compliant.
Consent Mode is Google's framework for adjusting tag behavior based on user consent choices. v2 (launched March 2024) adds two new consent parameters: ad_user_data and ad_personalization. These are required for Google Ads personalization in the EEA.
Basic mode: if consent is not granted, Google tags don't fire at all. No data is sent. Simple to implement but loses 100% of non-consenting users.
Advanced mode: if consent is not granted, Google tags fire in a limited "cookieless ping" mode that sends behavioral signals without identifiers. GA4 uses these signals to model the missing conversions, recovering 30-70% of the data that would otherwise be lost.
For most businesses, Advanced is the right choice — but it requires more configuration in GTM and a CMP that supports it.
Compliance note: Both modes are GDPR/ePrivacy-compliant when configured correctly. The difference is data recovery, not legality.
Step 2
You need a CMP to actually show consent banners. Google has a list of certified CMPs that support Consent Mode v2 natively: Cookiebot, OneTrust, Iubenda, CookieYes, Termly, Usercentrics.
Pick a CMP based on your jurisdiction and budget: Cookiebot ($20-100/mo, easy setup, GDPR + CCPA), OneTrust (enterprise-grade, $$$), Iubenda (multi-region, $20-50/mo), CookieYes (free tier, $10-30/mo paid), Termly (free tier, $10/mo paid).
Sign up for the CMP. Most have a wizard that scans your site for tracking technologies and generates the right banner copy.
Install the CMP's script on your site. For GTM-based setups, install the script directly in the <head> of your site (NOT in GTM) so it loads before GTM and can set default consent states.
Configure the banner: language, position (banner vs popup), region detection (show in EEA only or globally), and the categories you'll ask consent for (Necessary, Analytics, Marketing, Preferences).
Save and publish the CMP configuration. You should see the banner on your site within 5 minutes.
Step 3
In GTM, install the official Consent Mode template. Configure default consent states (usually all denied except security_storage).
In GTM → Templates → Search Gallery → search "Consent Mode" or your specific CMP name. Install the Google-authored or CMP-authored Consent Mode template.
In GTM → Tags → New → choose the Consent Mode template you installed.
Configure default consent states. For EEA visitors, default everything to denied except security_storage (which must stay granted for security functions): ad_storage = denied, ad_user_data = denied, ad_personalization = denied, analytics_storage = denied, functionality_storage = denied, personalization_storage = denied.
For non-EEA visitors (region-based defaults), you can set defaults to granted if your jurisdiction allows implied consent. Use the Region field to scope defaults by country.
Set the tag to fire on Consent Initialization - All Pages (a built-in GTM trigger). This must fire BEFORE the Google Tag.
Step 4
When the user accepts/rejects on the CMP banner, the CMP should push consent updates to dataLayer. GTM listens for these and updates Consent Mode state.
Most certified CMPs auto-push consent updates via dataLayer. Verify by visiting your site, accepting the banner, and inspecting the dataLayer in DevTools Console: window.dataLayer.
You should see an entry like: {event: 'cookie_consent_update', consent: {ad_storage: 'granted', ad_user_data: 'granted', ...}}.
In GTM, the Consent Mode template you installed (step 3) should auto-listen for these updates. Verify in GTM Preview mode: after accepting consent, the Consent panel in the Preview UI should show the updated states.
If the CMP doesn't auto-push, you may need a custom Tag to call gtag('consent', 'update', {ad_storage: 'granted', ...}) on banner accept. Most certified CMPs handle this; only custom-built consent flows need manual wiring.
Test all paths: accept all, accept selective categories, reject all, change preferences mid-session. Each should update Consent Mode correctly.
Step 5
In GA4 → Admin → Data Streams → your Web stream → Configure tag settings, enable 'Allow ads_data redaction' and configure 'URL passthrough' for advanced mode.
In GA4 → Admin → Data Streams → click your Web stream.
Click Configure tag settings (gear icon).
Toggle Allow ad_user_data and ad_personalization parameters → ON.
Click Configure your URL parameters → enable Allow URL pass-through. This allows ad click IDs (gclid) to be passed via URL when cookies are blocked.
Under Configure your domains, verify your domains are still listed (cross-domain tracking from tutorial 6).
Save. Advanced Consent Mode is now enabled at the data stream level.
Wait 24-48 hours, then check Google Ads → Goals → Conversions → click your imported conversion → look for the new "Modeled conversions" metric. This shows the conversions Google is recovering via Consent Mode behavioral modeling.
Step 6
Use Google's Tag Assistant + the Consent Status check in Google Ads to confirm consent signals are flowing.
In Google Ads → Admin → Account settings → look for the Consent Mode v2 status. It should show "Consent Mode detected" with a green checkmark.
In Google Ads → Tools → Diagnostics, run the Consent Mode v2 check. It scans your site and reports whether Consent Mode is properly configured.
Use the Tag Assistant Chrome extension: visit your site, open the extension, look for the consent signals in the events panel. Each Google tag firing should show its consent context.
Use Google Search Console: under Settings → Crawl stats → check for Consent Mode warnings. Resolved warnings disappear within 48 hours.
If any of these show errors, the most common cause is the Consent Initialization tag firing too late (after the Google Tag). Re-check the trigger order in GTM.
Step 7
Keep a written record: which CMP you use, what consent states default to, how you handle EEA/UK/Swiss vs other regions, and when consent was last reviewed.
Create a wiki page documenting: CMP vendor, version installed, region scoping (EEA-only vs global), default consent states, list of tags governed by Consent Mode.
Include screenshots of the GTM Consent Mode tag configuration and the CMP banner UI.
Set a calendar reminder for annual review. EU consent rules evolve (especially around "legitimate interest" interpretation), and your CMP may release updates that need adoption.
If you ever face a GDPR inquiry or audit, this document is your starting point. It also helps when bringing in new team members or specialists.
Common mistakes
Not implementing Consent Mode v2 at all in the EEA
What goes wrong: Google Ads disables personalization for all EEA traffic. Conversion modeling stops. Smart Bidding loses signal. ROAS in those markets drops 20-40%. You also get "Consent Mode v2 not detected" warnings in Google Ads and Search Console.
How to avoid: Implement Advanced Consent Mode v2 via a certified CMP. Even Basic mode is better than nothing — but Advanced recovers significantly more data.
Defaulting to "granted" everywhere
What goes wrong: You set Consent Mode defaults to granted, thinking it'll save data. But this is non-compliant in the EEA without explicit user opt-in. Google can revoke your Ads account access or fine you under GDPR.
How to avoid: For EEA traffic (and UK/Swiss), default everything except security_storage to denied. Use Region scoping in GTM to set different defaults for non-EEA regions where implied consent is allowed.
Firing Google Tag before Consent Initialization
What goes wrong: Google Tag fires with no consent context, defaulting to ad_storage=undefined. Behavior is unpredictable: data might flow, might not, modeling might work, might not. The link between GA4 and Google Ads degrades silently.
How to avoid: In GTM, set Google Tag and any conversion-related tags to fire on the Initialization - All Pages trigger (not just All Pages). And ensure the Consent Mode tag fires on Consent Initialization - All Pages, which runs first.
Using a non-certified CMP
What goes wrong: You install a homegrown or unsupported consent banner. It works visually but doesn't push consent updates to dataLayer in the format Consent Mode v2 expects. Google never sees the consent signals.
How to avoid: Switch to a Google-certified CMP: Cookiebot, OneTrust, Iubenda, CookieYes, Termly, Usercentrics. Migration takes 1-2 hours and is worth the data recovery.
Not testing the reject path
What goes wrong: You test 'accept all' and it works. You assume 'reject all' also works. But the reject flow has a bug — consent is never actually set to denied for some categories. Your reject button is non-compliant and you're collecting data on users who explicitly rejected.
How to avoid: Test all consent paths: accept all, accept categories, reject all, change preferences. For each, verify in GTM Preview that consent states match the user choice.
Forgetting non-Google tags also need Consent Mode
What goes wrong: You set Google tags to respect Consent Mode. But Meta Pixel, TikTok Pixel, and LinkedIn Insight Tag still fire on user reject. You're compliant with Google but in violation of GDPR for the other platforms.
How to avoid: In GTM, use the built-in Consent settings (Additional consent checks) on every tag — not just Google ones. Block Meta/TikTok/LinkedIn tags until ad_storage = granted.
Recap
Done — what's next
How to install GA4 via Google Tag Manager
Read the next tutorial
Hand it off
Consent Mode v2 sits at the intersection of GDPR compliance, Google's product requirements, and ad-platform optimization. Setting it up wrong has both legal and revenue consequences. A vetted GA4 + privacy-aware specialist on EverestX can scope, install, and validate the full setup in 1-2 weeks for $500-1,200 total at $14-16/hr — and recover the modeled-conversion data on day one.
See specialist rates
Technically no — US visitors are not subject to GDPR/ePrivacy. But if you have any EEA, UK, or Swiss visitors at all (even 1-2% of traffic), Google requires Consent Mode v2 to enable personalized advertising features. CCPA and state-level US laws (Virginia, Colorado, California) have similar requirements with their own nuances.
v2 added two consent parameters specifically for Google Ads: ad_user_data (controls whether user data is sent to Google for advertising) and ad_personalization (controls whether the data is used for personalized advertising). v1 only had ad_storage and analytics_storage. v2 is required for Google Ads personalization in the EEA as of March 2024.
Technically yes — you can implement Consent Mode manually via gtag() calls. But you still need a consent banner to legally collect user consent under GDPR. A CMP gives you the banner + the consent-storage logic + the dataLayer pushes for Consent Mode all in one package. Not worth DIYing the banner part.
Depends on your audience. EEA users reject consent on 60-80% of banners (varies by industry). With Basic mode, you lose 100% of that rejected traffic from analytics and ads. With Advanced mode, modeled conversions recover 30-70% of the lost data. Net: Advanced typically loses 10-30% vs no Consent Mode at all.
No — Consent Mode is designed to integrate seamlessly with GA4. With Advanced mode, you'll see a small "modeled" indicator on some metrics in reports, which is GA4 telling you part of the data comes from behavioral modeling rather than direct tracking. Standard reports continue to function.
Yes — GDPR applies to all tracking, not just Google. Block Meta, TikTok, LinkedIn, and other ad pixels until consent is granted, using GTM's Additional consent checks setting on each tag. Consent Mode v2 specifically governs Google's behavior; you need parallel consent gating for other vendors.
Google Analytics 4
GTM is the right install path for any site that runs more than one tracking pixel. It's also where most DIY installs go sideways — wrong trigger, wrong variable, wrong fire order. Here's the path that actually works.
Google Analytics 4
Linking these two correctly is what makes Google's stack actually function as a stack. Done wrong, you'll have two systems that disagree about reality for years. Here's the right setup, in order.
Google Analytics 4
If your funnel crosses domains — marketing site to app, storefront to external checkout, landing page to booking platform — every cross-domain hop loses attribution unless you configure this. Most sites haven't.
Google Analytics 4
DIY GA4 is a great idea — until it isn't. This is the honest framework: when the cost of unreliable data exceeds the cost of hiring help, and how to tell which side you're on.