Google Consent Mode

Data privacy laws usually cover data that you gather through a third party. This can make it trickier to be certain you have (and can show you have) consent for data processing, something that's often required by data privacy laws.

Google's new "consent mode" feature will make it much easier to comply, and even though it only covers some of your data use, it is well worth considering.

Let's take a deeper look at consent mode from Google.


Google consent mode is a new pair of settings for websites that use Google's advertising or analytics services. Switching the settings will affect what data Google collects from customers.

In simple terms, the effect of the setting depends on the way customers accept or reject cookie settings on your site.

With both advertising and analytics, if the user has accepted the relevant Google cookies, Google will collect the data as normal. If the user has rejected the relevant cookies, Google will collect non-identifying information only.

The Rationale Behind Google Consent Mode

Consent mode is Google's way of offering the most useful data and services while still complying with the law on customer consent. It avoids having to choose between breaking consent rules or completely losing out on services.

For example, if a customer has rejected analytics cookies, Google consent mode means Google can still give you some basic, anonymized details. You won't know anything about the individual user, but they will contribute towards overall data such as how many visitors you had, where in the world they came from, or how long they spent on the site.

Similarly, if a customer rejects advertising cookies, Google will still be able to display advertising. This won't be based on the customer's profile or activity, but can include some targeting by taking into account the nature and topic of your website. You'll still earn revenue from ad clicks, even if (in theory at least) users may be less likely to click on ads that aren't personally targeted.

As noted, one benefit of consent mode is that you can still get some use from Google's analytics and advertising.

Another benefit is that you can be more confident about complying with laws. Technically most of Google's cookie and script use involves Google collecting the data from your site visitor. However, you receive data in analytics reports or in reports on the performance of ads on your site.

Many privacy laws, most notably the General Data Protection Regulation (GDPR), have a broad definition of processing that effectively covers any receipt or possession of personal data.

You therefore need to be certain that either the site visitor has indeed consented to data collection and use or the data has been collected in an anonymized manner that doesn't require the consent.

Google consent mode only applies to Google's advertising and analytics services.

It won't affect any other third-party services such as rival analytics or advertising. This means it's an important consent management tool (given Google's huge market share) but not necessarily sufficient to cover all your consent requirements.

Consent mode will only work if you have an existing consent management system, for example for handling and remembering cookie preferences of users.

To use consent mode, you need to choose options in your consent management system for two new Google tag settings: ad_storage and analytics_storage. These affect how Google interacts with the user's chosen cookie settings for the respective types of data.

Your IT department will need to consult your Google account team on how to incorporate consent mode settings into your chosen consent management platform. As a general principle you will want to choose settings where the default is to act as if the user has denied the relevant cookies, not collecting any identifiable data until they have actively accepted the cookies.
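The default-denied principle described above can be wired up as follows. This is an added example, not code from the original page or from any particular consent management platform: gtag('consent', ...) with ad_storage and analytics_storage is Google's documented interface, while the shape of the choices object and the function names are assumptions for illustration.

```javascript
// In a browser this is window; in Node, globalThis stands in so the file runs offline.
const root = typeof window !== 'undefined' ? window : globalThis;
root.dataLayer = root.dataLayer || [];

// Same shape as Google's standard stub: queue the raw arguments object.
function gtag() { root.dataLayer.push(arguments); }

const CONSENT_TYPES = ['ad_storage', 'analytics_storage'];

// Must run before any Google tag loads, so nothing identifiable is
// stored or read until the visitor has actively accepted.
function setDefaultConsent() {
  const state = {};
  for (const type of CONSENT_TYPES) state[type] = 'denied';
  gtag('consent', 'default', state);
  return state;
}

// Called from the consent banner's save handler.
// `choices` is a hypothetical shape: { advertising: boolean, analytics: boolean }.
// Only a strict boolean true grants consent; a missing key, a string or
// any other value is treated as a rejection.
function applyUserChoice(choices) {
  const picked = choices || {};
  const state = {
    ad_storage: picked.advertising === true ? 'granted' : 'denied',
    analytics_storage: picked.analytics === true ? 'granted' : 'denied',
  };
  gtag('consent', 'update', state);
  return state;
}

// The default is queued first, ahead of every other command.
setDefaultConsent();
```

On a returning visit, read the stored preference and call applyUserChoice with it straight after the default, so the visitor's earlier answer is honored without showing the banner again.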

Laws That Require Consent

Privacy laws around the world tend to take three approaches to data collection and processing:

  • Some laws say you can use personal data as long as you tell people about it
  • Other laws say you can use personal data as long as you tell people about it, but you must stop if they opt out
  • Other laws say you cannot use personal data unless you have advance consent

Sometimes the rules will depend on the type of data or the age of the user.

Let's run through some of the laws where Google consent mode can help you gather data while still complying with the rules.

General Data Protection Regulation (GDPR)

This European Union law applies if you or the data subject (the person the data is about) are in a European Union member country or the data processing itself takes place in the EU.

Under the GDPR, a cookie counts as personal data if it identifies an individual or can combine with other information to identify an individual.

The GDPR says you can only process data when a lawful basis applies. A commonly used lawful basis is consent. This must be meaningful consent gathered in advance of the data collection or use.

Data regulator rulings have clarified that this consent must be active and unambiguous. You cannot use a pre-filled checkbox or treat somebody scrolling through a Privacy Policy as meaningful consent.

Children's Online Privacy Protection Act (COPPA)

COPPA is a U.S. federal law that says that you must get parental or guardian consent before collecting or using personal data about somebody you know to be aged under 13. It also applies where you aim your site at people aged under 13.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian federal law that applies to most businesses in Canada. The main exemptions are if your data use already comes under a provincial or territorial privacy law.

Under PIPEDA you must get meaningful consent before collecting, using or sharing personal data.

Lei Geral de Proteção de Dados Pessoais (LGPD)

The LGPD is a Brazilian law that's heavily influenced by the GDPR. It applies if you or the data subject is in Brazil. It also applies if you process data while offering goods or services to people in Brazil or if you collect the data in Brazil.

If the LGPD applies, you can only process data if a legal basis applies. Again, one of the most common legal bases is advance, meaningful consent to use data for a specific purpose.

California Privacy Rights Act (CPRA)

The CPRA is a California state law that takes effect in 2023 and applies if your annual revenue is more than $25 million; if you buy, sell or share data about 100,000 Californian consumers or households or devices in a year; or if at least half your revenue in a year is from selling or sharing data about California consumers.

The CPRA's predecessor, the CCPA, only requires consent for selling personal data and even then, advance consent is only needed for data subjects aged under 16.

However, the CPRA will introduce an advance consent requirement for using personal data classed as sensitive. This includes data such as ethnic origin, health status, sex life and genetic data. Generally this shouldn't be an issue with cookies for advertising and analytics, though the CPRA does class precise geolocation as sensitive personal information.

Addressing Google Cookies in Your Privacy Policy

It's possible to argue that you don't need to address Google cookies in your Privacy Policy and related documents because it's not you collecting the data. This stretches the letter of many privacy rules and certainly doesn't comply with their spirit.

The way Google advertising and analytics works means in many cases you will access or use data that Google has collected through its cookies as a result of people using your site.

This means that at a minimum it's good practice to mention the cookies in your policies, as well as in your consent management tool.

Try to strike a reasonable balance between being informative and giving excessive detail. You simply need to address the fact that Google collects the data and explain why and how it's used.

Criteo covers Google cookies clearly and concisely:

Criteo Privacy Policy: Data Collection and Use clause - Search Engine Marketing section with Google cookies highlighted

Age UK lists Google Analytics among its third-party cookies:

Age UK Cookie Policy: What Third Party cookies does the Age UK Website use chart with Google Analytics highlighted

Summary

Let's recap what you need to know about Google's consent mode:

  • Consent mode is a pair of settings that tell Google what to do in response to cookie choices by your site visitors. It affects site analytics and advertising.
  • The idea of the consent mode is that Google can collect anonymized, non-identifying data where site users have rejected the relevant cookies. This means you can still get some benefit from analytics and advertising while respecting the user's choices.
  • Consent mode will help you comply with data privacy laws that require advance consent to collect or process personal data. These laws may apply in cases where Google collects the data from your site visitors but then passes it on to you as part of its services.
  • To use consent mode you must already be using a consent management system. You then need to set options for two new tag settings, ad_storage and analytics_storage.
  • Laws that require consent for data processing include the following:

    • GDPR (European Union, all users)
    • COPPA (U.S., under-13s)
    • PIPEDA (Canada, all users)
    • LGPD (Brazil, all users)
    • CPRA (U.S., starts 2023, sensitive personal data including precise location)
  • Mentioning the fact that Google uses cookies on your site will meet the spirit and sometimes the letter of privacy laws.