Skip to content

Template · CONSENT MODE V2 SNIPPET

Consent Mode v2 init snippet · EU/EEA default-deny

Default-deny init. Paste as the FIRST script in <head>, before any Google tag (GTM, gtag.js, AdSense) loads. Your CMP must call gtag('consent', 'update', …) on user choice.

Scope law GDPR Last reviewed
Editorial research — not legal advice
Page lifecycle — universal across regions 1 Page load <head> begins parsing BEFORE GTM/gtag.js 2 Defaults set gtag('consent','default') denied for EU · granted for US 3 CMP banner shown consent banner renders user sees Accept / Reject 4 User decision Accept · Reject · Customise 5 CMP update fires gtag('consent','update') within wait_for_update ms 6 Tags fire GA4 / Ads / floodlights read final consent state Default-deny block must run BEFORE the Google tag If a tag fires before defaults are set, it inherits "granted" implicit consent. wait_for_update typically 500 ms Tags hold for the CMP to call update; longer windows = lost data, shorter = race risk.
Signal Default · EU/EEA/UK/CH Default · US After Accept After Reject What it controls
ad_storage denied granted granted denied Cookies for advertising (DoubleClick, etc.)
ad_user_data denied granted granted denied Send user data to Google for ad measurement
ad_personalization denied granted granted denied Personalised advertising (remarketing audiences)
analytics_storage denied granted granted denied Analytics cookies (GA4 _ga, _ga_<container>)
functionality_storage denied granted granted denied Functional cookies (UI state, language)
personalization_storage denied granted granted denied UI personalisation (recommendations, themes)
security_storage always always always always Strictly necessary (CSRF, auth, fraud detection)

granted denied Hover any cell or signal name for details. Editorial reading; not legal advice.

Consent Mode v2 — 7 consent signals across page lifecycle. EU/EEA/UK/CH visitors get default-deny; US visitors get default-granted (no state-level opt-in baseline). Editorial reading; not legal advice.

Template body

<!-- Consent Mode v2 default-deny — paste as the FIRST script in <head>, before GTM/gtag -->
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag() { dataLayer.push(arguments); }

  // Default-deny for all consent signals (EU/EEA/UK/CH baseline)
  gtag('consent', 'default', {
    'ad_storage':           'denied',
    'ad_user_data':         'denied',
    'ad_personalization':   'denied',
    'analytics_storage':    'denied',
    'functionality_storage': 'denied',
    'personalization_storage': 'denied',
    'security_storage':     'granted',  // always granted — strictly necessary
    'wait_for_update':      500          // 500ms grace period for CMP to load and call update
  });

  // Set developer ID for Consent Mode v2 (replace XXXX with your value, optional)
  // gtag('set', 'developer_id.dXXXXXX', true);
</script>

<!-- After your CMP renders the banner and the user clicks Accept/Reject, your CMP must call: -->
<!-- (this is what your CMP does internally — for reference only)
<script>
  gtag('consent', 'update', {
    'ad_storage':         'granted',  // or 'denied' based on user choice
    'ad_user_data':       'granted',
    'ad_personalization': 'granted',
    'analytics_storage':  'granted'
  });
</script>
-->
How to use this template · Methodology

Adapt, then deploy. Editorial reading as of 2026-05-05; not legal advice. This template is a starting point — drafted against the named statute and the relevant regulator's published guidance, not your specific facts.

Substitute every placeholder. Tokens like {{controller_name}} must be replaced with your concrete values. Leaving placeholders unsubstituted is a recurring failure mode in published compliance documents; reviewers and regulators tend to read partially-completed disclosures as a documentation problem in itself.

Verify the assumptions. The "Assumes" block above lists the prerequisites we drafted against. If your facts differ — different processor list, different audience, different sub-processors — adapt the template, don't deploy it as-is.

Counsel review before going live. Templates are scaffolding, not finished artefacts. Route the final pass through counsel admitted in the jurisdiction where you operate.

Full methodology → · All templates → · Scope law: GDPR →

Editorial research, not legal advice. SetupAnalytics is a free, ad-free public utility maintained by independent editors. This template does not establish a lawyer-client relationship and is not warranted for accuracy or currency. Consult qualified counsel admitted in the relevant jurisdiction for any specific deployment. Report an inaccuracy →