Google Consent Mode v2: The Complete Setup Guide for Developers (2026)

What Is Google Consent Mode v2?

Google Consent Mode v2 is a protocol for communicating user consent state to Google services. It sits between your CMP and Google's tags (Analytics, Ads, Tag Manager). GCM v2 is not a CMP. It doesn't show banners or store consent records. It's a signaling layer.

The protocol operates in two modes:

• Basic mode blocks Google tags entirely until the user grants consent. No data collection for non-consenting users.
• Advanced mode allows Google tags to send cookieless pings even when consent is denied. No cookies are set, no user identifiers attached, but Google uses these anonymous signals for conversion modeling, recovering a significant portion of conversion data that would otherwise be lost (Google's own documentation estimates vary, but directionally the recovery is substantial).

Recommendation: Advanced mode for most sites. The cookieless pings contain no personal data. The only scenario where Basic mode is clearly better is when your legal team has determined that even cookieless, anonymized pings require consent.

The 4 Consent Signals

`ad_storage` controls whether Google Ads cookies (_gcl_*) can be set.

`analytics_storage` controls whether Google Analytics cookies (_ga, _gid) can be set.

`ad_user_data` (new in v2) controls whether user data can be sent to Google for advertising. Even if ad_storage is granted, denying ad_user_data prevents Google from using personal data for ad targeting.

`ad_personalization` (new in v2) controls whether personalized advertising is allowed (remarketing lists, similar audiences, personalized ad delivery).

Since March 2024, GCM v2 is required for all EU/EEA/UK traffic. If your implementation only sends ad_storage and analytics_storage, you're running v1 whether you realize it or not.

Learn about GDPR cookie consent requirements

How GCM v2 Works Under the Hood

The Consent Flow

1. Page loads. Default consent state is set via gtag('consent', 'default', {...}). For EU visitors, all four signals default to 'denied'.
2. Google tags load. They check consent state. In Advanced mode, denied tags send cookieless pings. In Basic mode, they do nothing.
3. CMP renders the banner. User makes a choice.
4. CMP fires the consent update via gtag('consent', 'update', {...}).
5. Google tags react. Granted tags set cookies and begin full tracking.
6. Subsequent page loads. CMP reads stored preferences and fires the update immediately.

Critical: The default consent state must be set before Google tags load. If tags initialize without seeing a default, they assume consent is granted.

Code: Default Consent State

// This MUST run before any Google tag scripts load
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied',
  'wait_for_update': 500
});

The wait_for_update value (500ms recommended) gives your CMP time to load saved consent preferences from returning visitors before tags proceed with denied defaults.

Code: Consent Update

gtag('consent', 'update', {
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted',
  'analytics_storage': 'granted'
});

Partial consent is valid. A user who accepts analytics but declines marketing:

gtag('consent', 'update', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'granted'
});

How script blocking actually works under the hood

The 67% Failure Rate: What Goes Wrong

Mistake 1: Wrong Default Consent State

Setting defaults to 'granted' for EU visitors means Google tags set cookies before the user sees the banner. Not setting defaults at all is worse: Google treats consent as implicitly granted.

For sites with both EU and non-EU traffic, use region-specific defaults:

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied',
  'region': ['EU', 'GB', 'IS', 'LI', 'NO'],
  'wait_for_update': 500
});

gtag('consent', 'default', {
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted',
  'analytics_storage': 'granted'
});

Mistake 2: CMP Never Fires the Update

The user clicks Accept, but gtag('consent', 'update', {...}) never fires. Google tags stay in denied mode permanently. Your consent rates look healthy in the CMP dashboard, but Google Ads shows zero EU conversions.

Detection: Check the Network tab for the gcs= parameter on Google requests. gcs=G100 means all granted; if it always shows denied values after accepting, the update isn't firing.

Mistake 3: Missing v2 Signals

Only sending ad_storage and analytics_storage means Google assumes the worst for ad_user_data and ad_personalization. Remarketing audiences stop growing, Enhanced Conversions fail, and personalized ad delivery is disabled for EU traffic.

Mistake 4: Consent Update Fires Before Default

A race condition: the CMP fires the update before the default has been set. Google ignores consent updates that arrive before a default. The update is silently dropped.

Fix: Ensure the default consent call is the first gtag command in your page, placed in a <script> tag at the top of <head>.

Mistake 5: Tag Manager Misconfiguration

GTM has its own consent mode settings that must be enabled at the container level. Each tag needs consent requirements configured individually. Mixing GTM's automatic consent mode with manual gtag calls creates conflicts.

The Honda Case Study

The CPPA found that OneTrust was sending incorrect consent signals. Users who declined consent were still having their data collected. This establishes precedent: the CMP configuration is the compliance, not just the banner.

Why cookie consent banners destroy your Core Web Vitals

Implementation Guide

Option A: CMP with Native GCM v2 Support (Recommended)

ConsentStack's Google platform adapter handles the entire protocol automatically. The adapter sets denied defaults on initialization, maps consent categories to all GCM v2 signals, and enables ads_data_redaction and url_passthrough by default.

<!-- One script tag. Google Consent Mode v2 handled automatically. -->
<script src="https://cdn.consentstack.io/sdk/v1/cs.js"
        data-cs-site="your-site-id"></script>

Option B: Manual Implementation with gtag.js

Place this before any Google tag scripts:

<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied',
  'wait_for_update': 500
});

gtag('js', new Date());
gtag('config', 'G-XXXXXXX');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>

Then listen for your CMP's consent change event:

document.addEventListener('consent-updated', function(event) {
  const consent = event.detail;

  gtag('consent', 'update', {
    'ad_storage': consent.marketing ? 'granted' : 'denied',
    'ad_user_data': consent.marketing ? 'granted' : 'denied',
    'ad_personalization': consent.marketing ? 'granted' : 'denied',
    'analytics_storage': consent.analytics ? 'granted' : 'denied'
  });
});

Option C: Google Tag Manager

1. Enable "Enable consent overview" in Admin > Container Settings.
2. Create a Consent Initialization tag with all four signals set to denied and wait_for_update at 500ms.
3. Configure consent requirements on each tag (GA4: analytics_storage; Ads Conversion: ad_storage, ad_user_data; Ads Remarketing: ad_storage, ad_personalization).
4. Map CMP consent events to GTM consent updates via data layer pushes.

GTM consent configuration has multiple layers, and this is where most of the 67% failure rate comes from. If you're not heavily invested in GTM, Option A or B is less error-prone.

Verifying Your Implementation

1. Google Tag Assistant (tagassistant.google.com): Check consent state indicators in real time.
2. Browser Console: Filter for consent to see default and update calls.
3. Network Tab: Look for gcs= parameter. G100 = all granted, G111 = all denied.
4. Google Ads Diagnostics: Check for consent mode warnings under Tools > Diagnostics.
5. GA4 Admin: Data Streams > Configure Tag Settings to verify consent mode detection.

Test all consent states: initial load, accept all, reject all, and partial consent.

How to set up Meta Conversions API with consent

Consent Signal Mapping

The three ad signals should move together. ConsentStack maps all three to the marketing consent category, ensuring they're always granted or denied as a group.

Conclusion

Google Consent Mode v2 is a technical protocol, not a compliance checkbox. 67% of implementations are misconfigured. Honda was fined $632,000 because their CMP sent wrong signals. Regulators have moved from "do you have a cookie banner?" to "does your CMP configuration actually work?"

If you're implementing manually, set denied defaults before tags load, fire the update when consent changes, include all four v2 signals, and verify with Tag Assistant and the gcs= parameter.

If you'd rather not manage consent signals by hand, ConsentStack's Google adapter handles GCM v2 automatically, plus Meta, TikTok, Microsoft, Pinterest, and LinkedIn consent signals. One script tag, zero manual gtag code.

Start free with ConsentStack

Try ConsentStack free. No credit card. No sales call. Google Consent Mode v2 working correctly in under 10 minutes.