Google Consent Mode v2 — what it is and how to deploy it correctly
Since March 2024 Google requires Consent Mode v2 for every site using Google Ads or Google Analytics 4 in the EEA. Without it — data loss in reports, no personalised remarketing, regulator-fine risk. Here's what you actually need to do.
What Google Consent Mode v2 is
Google Consent Mode is a mechanism that lets Google's tags (gtag.js, GTM) behave differently depending on the user's cookie consent decision. Version 2, announced in November 2023 and required for the EEA from March 2024, introduced two new signals:
ad_user_data— whether Google may collect user data for advertising purposes (e.g. enhanced conversions)ad_personalization— whether Google may personalise ads based on this user's data (remarketing audiences, similar audiences)
Without these two signals Google stopped supporting full personalised remarketing for the EEA. Audience lists don't fill, conversion modeling degrades.
The four signals you need to know
| Signal | Default | What it controls |
|---|---|---|
ad_storage | denied | Whether Google may store an advertising identifier on the device |
ad_user_data | denied | Whether Google may send user data for advertising purposes (NEW in v2) |
ad_personalization | denied | Whether Google may use this user for remarketing (NEW in v2) |
analytics_storage | denied | Whether GA4 may store _ga and _ga_* cookies |
By default all four must be denied in the EEA. After the user clicks “Accept all” in the consent banner, the CMP sends gtag('consent', 'update', { all granted }) and the tags unblock.
When exactly you must deploy
Per Google's policy for the EEA & UK from 6 March 2024:
- No Consent Mode v2 → no access to new audiences (Google Ads custom audiences, Floodlight, remarketing lists)
- No Consent Mode v2 → degraded conversion measurement quality in GA4 and Google Ads
- Plus political risk — the EU Commission and local DPAs are watching CMPs. Improper implementation = potential GDPR art. 6 fine
Practically: if you use gtag.js or Google Tag Manager and run ads in the EEA, Consent Mode v2 is mandatory.
How to deploy — order matters
The most common mistake: people paste the GA/GTM tag in head, then the CMP a bit lower. Result — tags fire before the CMP sets consent default. Tens of milliseconds of tracking-without-consent before the banner appears. That's a data leak.
Correct order in <head>:
- Inline script:
gtag('consent', 'default', { ...denied }) - Async load CMP (consent banner)
- Async load
gtag.js/ GTM
Or simpler — a good CMP does step 1 for you. CJakCiasteczko sets consent default first, BEFORE any Google tag loads. Just paste our two lines before any other scripts in head.
How to verify it works
Three free tools, each checks something slightly different:
- CookieHub Consent Mode Checker — checks for consent default + update
- UniConsent Consent Mode V2 Audit — Google CMP standard + IAB TCF + GPP
- Our free audit — /sprawdz — 6 concrete checks: default present, defaults denied, v2 signals (ad_user_data + ad_personalization), wait_for_update, update mechanism. First test of the day with no email.
For comparison: a recent audit of sprzętly.pl (a customer using our script) — all 6 green, score 100/100.
What's beyond Consent Mode v2
Consent Mode v2 alone is just one layer. Full GDPR compliance also requires:
- Consent banner — with reject option (rejecting cookies must be as easy as accepting)
- Floating reopen button — after the first decision, the visitor must be able to come back to preferences (GDPR art. 7(3))
- Hash-chained audit trail — provable during a DPA inspection that a specific visitor actually consented
- Privacy policy linked from the banner
- url_passthrough + ads_data_redaction in gtag — preserves Google Ads attribution for rejecting visitors
CJakCiasteczko has all of the above out of the box in 8 KB gzip. Configuration via panel, the head snippet is 2 lines.
Audit whether your site is compliant
Free 30-second audit. 6 checks, readable report.