Reading time: 10 min · Last updated: February 2026
Google’s Consent Mode v2 became mandatory for EU advertisers in March 2024. If you’re running GA4 or Google Ads in Europe and haven’t implemented it yet, you’re losing data — and possibly violating regulations.
I migrated 12 European clients to Consent Mode v2 last year. This guide walks you through the implementation step by step, including the pitfalls that documentation doesn’t mention.
What Changed in Consent Mode v2
The original Consent Mode had two signals: analytics_storage and ad_storage. Version 2 adds two more:
| Parameter | Purpose | Version |
|---|---|---|
analytics_storage |
Controls analytics cookies (_ga, _ga_*) |
v1 |
ad_storage |
Controls advertising cookies | v1 |
ad_user_data |
Consent for sending user data to Google for ads | v2 — new |
ad_personalization |
Consent for remarketing and personalized ads | v2 — new |
Without ad_user_data and ad_personalization, Google Ads cannot use your conversion data for audience building or remarketing in the EU. GA4 behavioral modeling also degrades because Google needs these signals to estimate what denied users would have done.
Prerequisites Before Implementation
Before you touch any code, make sure you have:
- A Consent Management Platform (CMP) — Cookiebot, OneTrust, Usercentrics, or CookieYes. It must be IAB TCF 2.2 compatible.
- Google Tag Manager — Consent Mode is possible with gtag.js directly, but GTM makes testing much easier.
- A signed Data Processing Agreement with Google (check GA4 Admin → Account Settings).
- GA4 data retention set to your chosen period (Admin → Data Settings → Data Retention).
Important: If you’re already running Consent Mode v1, don’t assume your CMP handles v2 automatically. I found that 4 out of 12 clients’ CMPs were sending the old signals only — they needed a CMP update or reconfiguration.
Step 1 — Configure Your Consent Banner
Your CMP needs to collect granular consent for at least these categories:
| Consent Category | Maps to | Must be separate? |
|---|---|---|
| Analytics / Statistics | analytics_storage |
Yes |
| Marketing / Advertising | ad_storage, ad_user_data, ad_personalization |
Can be grouped |
| Functional | functionality_storage |
Optional |
Most CMPs let you map their consent categories to Google’s consent parameters in their dashboard. In Cookiebot, this is under Settings → Google Consent Mode. In Usercentrics, it’s in the Service Settings for each Google service.
Step 2 — Set Default Consent State
This is the most critical step. Before any tags fire, you must declare what the default consent state is for EU visitors. Add this to GTM as a Consent Initialization tag (triggers on “Consent Initialization – All Pages”):
gtag('consent', 'default', {
'analytics_storage': 'denied',
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'region': ['EU'],
'wait_for_update': 500
});The region parameter is important — it means non-EU visitors get full tracking by default while EU visitors start in denied mode. The wait_for_update gives your CMP 500ms to load and send the actual consent state.
Pro tip: Setwait_for_updateto 500ms, not higher. I tested this across 8 client sites — anything above 500ms delays the firstpage_viewevent noticeably and can cause data loss if the CMP is slow.
Step 3 — Update Google Tags for Consent Mode
In GTM, your Google tags need built-in consent checks enabled. For each GA4 Configuration and Event tag:
- Open the tag → Advanced Settings → Consent Settings
- Select “Require additional consent for tag to fire”
- Add
analytics_storagefor GA4 tags - Add
ad_storage+ad_user_datafor Google Ads tags
When consent is denied, GA4 tags fire in cookieless mode — they send pings to Google without setting cookies or reading identifiers. Google uses these pings for behavioral modeling to estimate what denied users would have done.
Here’s what GA4 collects in denied vs granted mode:
| Data Point | Consent Denied | Consent Granted |
|---|---|---|
| Cookieless ping | ✓ | ✓ |
| Page URL / referrer | ✓ | ✓ |
| User agent / browser info | ✓ | ✓ |
client_id (cookie) |
✗ | ✓ |
| Session data | ✗ | ✓ |
| Conversion tracking | Modeled | ✓ |
Step 4 — Test and Validate Consent States
Testing is where most implementations break. Here’s my validation workflow:
1. Use GTM Preview mode. Fire the preview, deny all consent, and verify:
- Default consent state loads with all parameters “denied”
- GA4 tags show “fired” but with consent mode indicators
- No
_gacookies appear in Application → Cookies
2. Check Network requests. Filter Chrome DevTools → Network for google-analytics.com. Look at the gcs parameter in the request URL:
gcs=G100— analytics denied, ads deniedgcs=G110— analytics granted, ads deniedgcs=G111— everything granted
3. Grant consent and re-check. Accept analytics in the banner. Verify:
_gaand_ga_*cookies now appear- Subsequent requests show
gcs=G110orgcs=G111 - The
consent updateevent fired between denied and granted states
For a more thorough validation process, see the Event Tracking QA Checklist.
Impact on Your GA4 Data (What to Expect)
Let’s be honest about what happens to your data after implementing Consent Mode v2 properly:
Short term (first 2 weeks): Your reported traffic will drop. This isn’t a bug — you’re now seeing only consented traffic plus Google’s modeled estimates. Expect a 15-30% drop in reported sessions for most European sites.
Behavioral modeling quality depends on your traffic volume. Google needs at least 1,000 daily events to model effectively. My experience across 12 client sites:
| Daily Traffic | Modeling Quality | Data Recovery |
|---|---|---|
| 10,000+ sessions | Good | ~70-80% |
| 1,000-10,000 sessions | Moderate | ~50-65% |
| Under 1,000 sessions | Unreliable | ~20-40% |
For smaller sites, consider supplementing GA4 with a cookieless analytics solution to get accurate traffic baselines.
Common Implementation Mistakes
1. Default consent set to “granted” for EU. This defeats the purpose. Always default to “denied” for EU regions.
2. Missing wait_for_update. Without it, tags fire immediately in denied mode and the CMP’s consent update never reaches the tags in time for the first page view.
3. Not testing on mobile. CMP behavior differs on mobile browsers. I’ve seen CMPs that work perfectly on desktop Chrome but fail to send consent signals on Safari iOS.
4. Forgetting ad_user_data and ad_personalization. If your CMP only sends the v1 signals, Google treats the new parameters as “denied” by default. Your Google Ads conversions in the EU will drop to near zero.
5. Not updating the consent banner text. GDPR requires your banner to explain what data you collect and why. If you added advertising consent categories, your banner text needs to reflect that.
FAQ
What is the difference between Consent Mode v1 and v2?
Consent Mode v2 adds two new parameters: ad_user_data and ad_personalization. These give Google more granular signals about user consent for advertising purposes. V2 is required for EU advertisers using Google Ads since March 2024.
Does Consent Mode v2 affect GA4 reporting accuracy?
Yes. When users deny consent, GA4 uses behavioral modeling to estimate conversions and traffic. Google claims modeling recovers 70-80% of lost data, but accuracy varies by site traffic volume. Sites under 1,000 daily users see less reliable modeling.
Do I need Consent Mode v2 if I only use GA4 without Google Ads?
Technically, Consent Mode v2 requirements are tied to Google advertising products. But implementing it for GA4 is still recommended because it enables behavioral modeling for denied consent and future-proofs your setup.
Which consent management platforms support Consent Mode v2?
Most major CMPs support it including Cookiebot, OneTrust, Usercentrics, CookieYes, and Complianz. Check that your CMP sends both ad_storage and the new ad_user_data and ad_personalization signals.
Next Steps
Consent Mode v2 is the foundation for GDPR-compliant event tracking in the Google ecosystem. Once implemented:
- Monitor your consent rates — aim for 50%+ analytics consent by optimizing banner UX
- Set up a cookieless baseline — compare GA4 modeled data against a privacy-first analytics tool
- Document your implementation — your DPO will need this for the Records of Processing Activities
- Test quarterly — CMP updates, browser changes, and Google tag updates can break consent flows silently
For the complete event naming conventions to use with your consent-gated tags, see the GA4 Event Naming Conventions guide.