CJakCiasteczko
Get started
← All articles
·12 min read·E-commerce · GCM v2 · ROAS

Consent Mode v2 for e-commerce in 2026: how to keep ROAS high without breaking the law

EEA conversion modeling, server-side tagging, and the four cookies you can ALWAYS set without consent — for Shopify, WooCommerce, and Magento operators.

E-commerce sites have it harder than content sites. You don't just need analytics — you need conversion tracking that survives a 30–50% reject-all rate, otherwise your Google Ads bidding goes blind and ROAS craters. Here's how the best operators are configuring Consent Mode v2 in 2026 to stay legal and keep their ad spend efficient.

The economics, briefly

On a typical European DTC store, ~40% of visitors reject marketing cookies. Without Consent Mode v2, all 40% become invisible to Google Ads. With Basic Consent Mode you recover approximately 50–60% of those conversions through modeling. With Advanced Consent Mode plus server-side enhanced conversions, you recover 75–85%. The difference between “no Consent Mode” and “Advanced + server-side” is roughly 25% effective ROAS.

1. Set the right defaults

Storefronts have one consent default that catches most teams off guard:functionality_storage and security_storage can — and should — be granted by default. They cover cart, checkout, fraud detection, and CSRF tokens. Without them, your storefront breaks for visitors who haven't consented.

gtag('consent', 'default', {
  // marketing & analytics off until user decides
  ad_storage:           'denied',
  ad_user_data:         'denied',
  ad_personalization:   'denied',
  analytics_storage:    'denied',
  // legitimate interest, always on
  functionality_storage:'granted',
  security_storage:     'granted',
  personalization_storage:'denied',
  wait_for_update: 500
});

2. The four cookies you can always set

Under GDPR's “strictly necessary” exemption, you don't need consent for:

  • Cart cookie — to remember items between page loads.
  • Session cookie — to keep the user logged in.
  • CSRF token — to prevent cross-site request forgery.
  • Load-balancing cookie — to keep affinity to a server.

Everything else needs consent — including marketing, analytics, and even “recently viewed products”.

3. Use Advanced Consent Mode if you can

Advanced mode loads Google's tags before consent (in cookieless mode), which gives Google more denied-consent data to model conversions from. It typically lifts modeled conversions by 15–25% versus Basic mode.

The catch: your DPO needs to be okay with a Google script loading on every page (even if it sets no cookies and sends no PII). Most DPOs are fine with this. The strictest German and French ones aren't.

4. Server-side tagging for the conversion tail

Server-side GTM (sGTM) lets you proxy Google's endpoints through your own subdomain. Combined with Consent Mode v2 and Enhanced Conversions, this is the maximum recovery configuration:

  1. Visitor consents → client-side gtag fires GA4/Ads as normal.
  2. Visitor rejects → client sends cookieless ping to your sGTM at tracking.yourstore.com.
  3. sGTM forwards a server-side conversion event with hashed customer email and order value to Google.
  4. Google models the rest using its own attribution.

Setting up sGTM on Cloud Run or AWS App Runner costs ~$30/month. For a store doing $500k/month in revenue, the recovered conversions almost always pay it back 30x.

5. Optimize the banner for conversion

Even small changes in copy and layout can move opt-in rates by 10–15 percentage points. A few patterns that work:

  • Modal in the center beats banner at the bottom by 8–12 pp on desktop, but loses on mobile — split-test by device.
  • Custom copy (“See products tailored to you”) beats generic legalese (“We use cookies”) by 5–10 pp.
  • Showing a category preview (“Analytics, marketing, preferences”) on the first layer slightly hurts opt-in but improves trust and reduces revocations.

CookieGuard's built-in A/B testing shows you the lift in real money: we display the modeled revenue impact based on your average order value.

6. Consent for marketplaces (Shopify, Etsy, eBay)

Shopify's storefront cookies are mostly necessary or analytics — categorize accordingly. Watch out for the _shopify_sa_p and _shopify_sa_t cookies, which are marketing despite the name. Some Shopify apps set their own cookies that won't be in any CMP's default library — run a scan before going live.

7. The 2026 deadline

Google has signaled that EEA traffic without Consent Mode v2 will be down-weighted in modeled conversions starting Q3 2026. By Q1 2027 we expect a full denial of remarketing audience targeting for non-compliant sites. If you haven't migrated yet, this is the last calendar quarter to do it cheaply.

The shortcut

CookieGuard ships every recommendation in this article on by default: Advanced Consent Mode toggle, default-granted necessary cookies, server-side compatible event payloads, and built-in A/B testing on the banner. Try it free for 30 days on a single store and run it side by side with your current setup.