Skip to content
Last reviewed: 2026-05-04 Methodology Report inaccuracy

Topic · CONSENT

Google Consent Mode v2

What Consent Mode v2 does, when it is required, and how regulators view "cookieless pings".

Page lifecycle — universal across regions 1 Page load <head> begins parsing BEFORE GTM/gtag.js 2 Defaults set gtag('consent','default') denied for EU · granted for US 3 CMP banner shown consent banner renders user sees Accept / Reject 4 User decision Accept · Reject · Customise 5 CMP update fires gtag('consent','update') within wait_for_update ms 6 Tags fire GA4 / Ads / floodlights read final consent state Default-deny block must run BEFORE the Google tag If a tag fires before defaults are set, it inherits "granted" implicit consent. wait_for_update typically 500 ms Tags hold for the CMP to call update; longer windows = lost data, shorter = race risk.
Signal Default · EU/EEA/UK/CH Default · US After Accept After Reject What it controls
ad_storage denied granted granted denied Cookies for advertising (DoubleClick, etc.)
ad_user_data denied granted granted denied Send user data to Google for ad measurement
ad_personalization denied granted granted denied Personalised advertising (remarketing audiences)
analytics_storage denied granted granted denied Analytics cookies (GA4 _ga, _ga_<container>)
functionality_storage denied granted granted denied Functional cookies (UI state, language)
personalization_storage denied granted granted denied UI personalisation (recommendations, themes)
security_storage always always always always Strictly necessary (CSRF, auth, fraud detection)

granted denied Hover any cell or signal name for details. Editorial reading; not legal advice.

Consent Mode v2 — 7 consent signals across page lifecycle. EU/EEA/UK/CH visitors get default-deny; US visitors get default-granted (no state-level opt-in baseline). Editorial reading; not legal advice.

Google Consent Mode v2 (CMv2) is a JavaScript layer between your tag manager and Google Ads/Analytics that adjusts what data is sent based on the user’s consent state. It is not a consent management platform — it does not collect consent, does not show a banner, and does not satisfy ePrivacy by itself.

What CMv2 does

It defines four consent signals — ad_storage, ad_user_data, ad_personalization, analytics_storage — and modifies tag behavior accordingly. When all signals are denied, Google switches to “cookieless pings”: no cookies set, but a pseudonymous ping is still sent to model conversions.

When you actually need it

Required if you serve EEA, UK, or Swiss traffic and use Google Ads, GA4, Floodlight, or Display & Video 360. Without CMv2, Google will refuse to use the data for personalization and conversion modeling — but it will not block the tag from running. Google began enforcing CMv2 for ad personalization on March 6, 2024.

Not relevant for California CCPA opt-out (use IAB GPP signal instead) or jurisdictions outside the EEA/UK/CH that don’t require granular ad-tech consent.

The cookieless-ping question

Even when consent is denied, CMv2 still sends a pseudonymous ping with timestamp, IP-derived geo, and event metadata. The European DPAs disagree on whether this is lawful:

Implementation pitfalls

The default command must fire before any Google tag — typically as the first thing in <head>. Setting it inside GTM after page load is too late: tags will already have fired with implicit granted.

Don’t set 'wait_for_update': 500 arbitrarily high — it delays all Google tags. 500ms is the typical limit.

Test with the GA4 DebugView or the Tag Assistant Companion: confirm analytics_storage=denied on first visit, =granted after Accept, and that no _ga cookie is set in the denied state.

Vendors

Most major CMPs (Cookiebot, OneTrust, Iubenda, Klaro, Usercentrics) wire CMv2 automatically once you select the Google integration. Roll-your-own implementations are common but error-prone.