Google Consent Mode

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 11 April 2024.

Google Consent Mode

Website owners that use Google services in order to track online behavior and activities of EU/EEA users must implement Google's Consent Mode v2 by March of 2024. This is in order to better protect consumers, and is part of Google's steps to align with privacy and consumer protection laws in the EU.

If you don't implement Consent Mode v2 and are required to, you risk losing access to Google features including ad remarketing and personalization.

Here's what you need to know about Google Consent Mode and the v2 integration.



Google consent mode is a new pair of settings for websites that use Google's advertising or analytics services. Switching the settings will affect what data Google collects from customers.

In simple terms, the effect of the setting depends on the way customers accept or reject cookie settings on your site.

With both advertising and analytics, if the user has accepted the relevant Google cookies, Google will collect the data as normal. If the user has rejected the relevant cookies, Google will collect non-identifying information only.

The Rationale Behind Google Consent Mode

Consent mode is Google's way of offering the most useful data and services while still complying with the law on customer consent. It avoids having to choose between breaking consent rules or completely losing out on services.

For example, if a customer has rejected analytics cookies, Google Consent mode means Google can still give you some basic, anonymized details. You won't know anything about the individual user, but they will contribute towards overall data such as how many visitors you had, where in the world they came from, or how long they spend on a site.

Similarly, if a customer rejects advertising cookies, Google will still be able to display advertising. This won't be based on the customer's profile or activity, but can include some targeting by taking into account the nature and topic of your website. You'll still earn revenue from ad clicks, even if (in theory at least) users may be less likely to click on ads that aren't personally targeted.

As noted, one benefit of consent mode is that you can still get some use from Google's analytics and advertising.

Another benefit is that you can be more confident about complying with laws. Technically most of Google's cookie and script use involves Google collecting the data from your site visitor. However, you receive data in analytics reports or in reports on the performance of ads on your site.

Many privacy laws, most notably the General Data Protection Regulation (GDPR), have a broad definition of processing that effectively covers any receipt or possession of personal data.

You therefore need to be certain that either the site visitor has indeed consented to data collection and use or the data has been collected in an anonymized manner that doesn't require the consent.

Google consent mode only applies to Google's advertising and analytics services.

It won't affect any other third-party services such as rival analytics or advertising. This means it's an important consent management tool (given Google's huge market share) but not necessarily sufficient to cover all your consent requirements.

Google Consent mode uses tags to keep track of user consent and control the data that websites can collect. The aim is to make Google’s data collection as useful as possible for sites while still respecting the user’s choices on consent.

Two of the tags enable storage of data, for example cookies:

  • ad_storage (for advertising)
  • analytics_storage (for analytics such as visit duration)

The other two tags set consent (or the absence of consent):

  • ad_user_data (for sending ad-related data to Google)
  • ad_personalization (for showing personalized ads)

Google will check these tags and provide personalized data or anonymous signals as appropriate.

For example, if a user has consented to personalized ads, Google will provide the data necessary for a site to produce and show the ads. If the user has not consented, Google will simply send a signal (a ping) to give the site anonymized information. This will help produce data such as the percentage of visitors to a page who follow a link to a purchase screen.

Consent Mode V2 added the tags for ad_user data and ad_personalization, which weren’t part of V1. This was a big change, put in place to better comply with data protection laws such as the GDPR while still giving you the most useful and detailed data that is still legally compliant.

Somewhat confusingly, “Advanced Consent Mode” is actually the default setting for Consent Mode V2. It means that Google collects data from users even when they’ve refused consent. That’s because Google can collect (and in some cases pass on) data about users that doesn’t breach the rules on consent.

You can opt to instead use a “Basic Consent Mode” option that won’t collect any data unless the user has consented. Note there isn’t a simple switch to enable Basic Consent Mode. Instead you’ll need to manually get it by editing the settings for each tag in Google Tag Manager.

Additional Consent Mode is separate to Google Consent Mode. It’s designed to help comply with the Transparency & Consent Framework. This is a voluntary program operated by IAB Europe.

IAB already makes it possible to send transparency and consent signals to anyone on its “Global Vendor List”. Additional Consent Mode is Google’s way to send similar signals to companies that are part of its Ad Tech Providers list but are not on the IAB Global Vendor List.

Consent mode will only work if you have an existing consent management system, for example for handling and remembering cookie preferences of users.

To use consent mode, you need to choose options in your consent management system for two new Google tag settings: ad_storage and analytics_storage. These affect how Google interacts with the user's chosen cookie settings for the respective types of data.

Your IT department will need to consult your Google account team on how to incorporate consent mode settings into your chosen consent management platform. As a general principle you will want to choose settings where the default is to act as if the user has denied the relevant cookies, not collecting any identifiable data until they have actively accepted the cookies.

If you use Google Ads, you’ll likely want to get the most useful data possible while still respecting user consent (particularly when that’s a legal requirement.) To do this, you’ll need to take two steps:

  • Use a cookie consent notice that lets users give or withhold consent for different types of cookies. This means you can still collect and use a range of data through cookies even when the user has withheld consent for advertising cookies.
  • Use Google Consent Mode to make sure Google gives you some data (such as aggregated data) while still respecting the user’s choice on consent for personal data. This works through Google Consent Mode’s ad_storage tag.

Here's an example of a cookie consent notice that lets users give or withhold consent for different types of cookie including one for consent-based personalized ad targeting:

Cookie Consent Notice example

Some of your site users may be happy to have their data used for website analytics but not for personalized advertising (or vice versa). That’s where the different tags in Google Consent Mode come in.

You can use cookie settings to decide tag settings with Google Analytics. It’s a similar process to the one we described above for Google Ads:

  • Use a cookie consent notice that lets users give or withhold consent for different types of cookies, including one for “analytics.”
  • Use Google Consent Mode to make sure Google gives you some data (such as aggregated data) while still respecting the user’s choice on consent regarding personal data. This time it works through Google Consent Mode’s analytics_storage tag.

Here's an example of a specific cookie consent setting for analytics cookies

ICO cookie consent notice with analytics cookies button highlighted

Privacy laws around the world tend to take three approaches to data collection and processing:

  • Some laws say you can use personal data as long as you tell people about it
  • Other laws say you can use personal data as long as you tell people about it, but you must stop if they opt out
  • Other laws say you cannot use personal data unless you have advance consent

Sometimes the rules will depend on the type of data or the age of the user.

Let's run through some of the laws where Google consent mode can help you gather data while still complying with the rules.

General Data Protection Regulation (GDPR)

This European Union law applies if you or the data subject (the person the data is about) are in a European Union member country or the data processing itself takes place in the EU.

Under the GDPR, a cookie counts as personal data if it identifies an individual or can combine with other information to identify an individual.

The GDPR says you can only process data when a lawful basis applies. A commonly used lawful basis is consent. This must be meaningful consent gathered in advance of the data collection or use.

Data regulator rulings have clarified that this consent must be active and unambiguous. You cannot use a pre-filled checkbox or treat somebody scrolling through a Privacy Policy as meaningful consent.

Children's Online Privacy Protection Act (COPPA)

COPPA is a U.S. federal law that says that you must get parental or guardian consent before collecting or using personal data about somebody you know to be aged under 13. It also applies where you aim your site at people aged under 13.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian federal law that applies to most businesses in Canada. The main exemptions are if your data use already comes under a provincial or territorial privacy law.

Under PIPEDA you must get meaningful consent before collecting, using or sharing personal data.

Lei Geral de Proteção de Dados Pessoais (LGPD)

The LGPD is a Brazilian law that's heavily influenced by the GDPR. It applies if you or the data subject is in Brazil. It also applies if you process data while offering goods or services to people in Brazil or if you collect the data in Brazil.

If the LGPD applies, you can only process data if a legal basis applies. Again, one of the most common legal bases is advanced, meaningful consent to use data for a specific purpose.

California Privacy Rights Act (CPRA)

The CPRA is a California state law that takes effect in 2023 and applies if your annual revenue is more than $25 million; if you buy, sell or share data about 100,000 Californian consumers or households or devices in a year; or if at least half your revenue in a year is from selling or sharing data about California consumers.

The CPRA's predecessor, the CCPA, only requires consent for selling personal data and even then, advance consent is only needed for data subjects aged under 16.

However, the CPRA will introduce an advance consent requirement for using personal data classed as sensitive. This includes data such as ethnic origin, health status, sex life and genetic data. Generally this shouldn't be an issue with cookies for advertising and analytics, though the CPRA does class precise geolocation as sensitive personal information.

Addressing Google Cookies in Your Privacy Policy

Addressing Google Cookies in Your Privacy Policy

It's possible to argue that you don't need to address Google cookies in your Privacy Policy and related documents because it's not you collecting the data. This stretches the letter of many privacy rules and certainly doesn't comply with their spirit.

The way Google advertising and analytics works means in many cases you will access or use data that Google has collected through its cookies as a result of people using your site.

This means that at a minimum it's good practice to mention the cookies in your policies, as well as in your consent management tool.

Try to strike a reasonable balance between being informative and giving excessive detail. You simply need to address the fact that Google collects the data and explain why and how it's used.

Criteo covers Google cookies clearly and concisely:

Criteo Privacy Policy: Data Collection and Use clause - Search Engine Marketing section with Google cookies highlighted

Age UK lists Google Analytics among its third-party cookies:

Age UK Cookie Policy: What Third Party cookies does the Age UK Website use chart with Google Analytics highlighted

Summary

Let's recap what you need to know about Google's consent mode:

  • Consent mode is a pair of settings that tell Google what to do in response to cookie choices by your site visitors. It affects site analytics and advertising.
  • The idea of the consent mode is that Google can collect anonymized, non-identifying data where site users have rejected the relevant cookies. This means you can still get some benefit from analytics and advertising while respecting the user's choices.
  • Consent mode will help you comply with data privacy laws that require advance consent to collect or process personal data. These laws may apply in cases where Google collects the data from your site visitors but then passes it on to you as part of its services.
  • To use consent mode you must already be using a consent management system. You then need to set options for two new tag settings, ad_storage and analytics_storage.
  • Laws that require consent for data processing include the following:

    • GDPR (European Union, all users)
    • COPPA (U.S., under-13s)
    • PIPEDA (Canada, all users)
    • LGPD (Brazil, all users)
    • CPRA (U.S., starts 2023, sensitive personal data including precise location)
  • Mentioning the fact Google uses cookies on your site will meet the spirit and sometimes the letter of privacy laws.