Topic · CONSENT

Google Consent Mode v2

What Consent Mode v2 does, when it is required, and how regulators view "cookieless pings".

Google Consent Mode v2 (CMv2) is a JavaScript layer between your tag manager and Google Ads/Analytics that adjusts what data is sent based on the user’s consent state. It is not a consent management platform — it does not collect consent, does not show a banner, and does not satisfy ePrivacy by itself.

What CMv2 does

It defines four consent signals — ad_storage, ad_user_data, ad_personalization, analytics_storage — and modifies tag behavior accordingly. When all signals are denied, Google switches to “cookieless pings”: no cookies set, but a pseudonymous ping is still sent to model conversions.

When you actually need it

Required if you serve EEA, UK, or Swiss traffic and use Google Ads, GA4, Floodlight, or Display & Video 360. Without CMv2, Google will refuse to use the data for personalization and conversion modeling — but it will not block the tag from running. Google began enforcing CMv2 for ad personalization on March 6, 2024.

Not relevant for California CCPA opt-out (use IAB GPP signal instead) or jurisdictions outside the EEA/UK/CH that don’t require granular ad-tech consent.

The cookieless-ping question

Even when consent is denied, CMv2 still sends a pseudonymous ping with timestamp, IP-derived geo, and event metadata. The European DPAs disagree on whether this is lawful:

DSK (Germany), CNIL (France), Garante (Italy): The cookieless ping accesses terminal equipment by reading the page URL and event context — therefore ePrivacy Art 5(3) applies, requiring consent. CMv2 cookieless pings are not exempt.
ICO (UK): Pragmatic — not enforced against well-implemented cookieless pings.
DPC (Ireland): Has not ruled definitively.

Implementation pitfalls

The default command must fire before any Google tag — typically as the first thing in <head>. Setting it inside GTM after page load is too late: tags will already have fired with implicit granted.

Don’t set 'wait_for_update': 500 arbitrarily high — it delays all Google tags. 500ms is the typical limit.

Test with the GA4 DebugView or the Tag Assistant Companion: confirm analytics_storage=denied on first visit, =granted after Accept, and that no _ga cookie is set in the denied state.

Vendors

Most major CMPs (Cookiebot, OneTrust, Iubenda, Klaro, Usercentrics) wire CMv2 automatically once you select the Google integration. Roll-your-own implementations are common but error-prone.