The new version of consent mode (consent mode v2) from the beginning of 2024 is a result of Google’s adaptation to the requirements of the Digital Markets Act.
The most significant change compared to the previous version is that the previously recommended consent mode will be mandatory for all users of Google Marketing Platform advertising tools, such as Google Ads, starting from March 2024.
Starting from March 2024, consent mode will be mandatory for companies utilising Google Ads.
The lack of consent mode will lead to the blocking of personalized ads, such as remarketing, and subsequently, Google plans to block conversion tracking as well.
Other changes can be characterized as minor technical modifications that shouldn’t significantly affect data quality.
For those who had implemented consent mode, adjusting to version v2 will require, at most, minor service adjustments – but it is also mandatory (see the Mandatory Consent Status paragraph).
Unless explicitly noted otherwise, the topics discussed in this article apply to consent mode in general (including its previous version).
Before we explore the topic further, let’s organize the terminology and differentiate between consent mode and consent management – these terms are frequently confused.
Consent management or Digital Consents Acquisition
Consent management involves the process of acquiring, storing, and handling user consent for the collection and processing of their data. This process adjusts the way data is processed to respect individual consents, refusals, and objections.
Typically, consent management processes make use of Software as a Service (SaaS) applications called Consent Management Platforms (CMP), such as Cookiebot implemented on this website. These platforms generate a consent request popup during website visits, allowing users to provide the necessary consents. Additionally, these systems control the operation of tracking codes, for example, through the Google Tag Manager.
The implementation of such a system is a response to legal requirements. The interpretation of these requirements in 2019 mandated obtaining explicit, prior consent for data processing, especially for purposes such as marketing. Until consent is obtained, data cannot be processed for these purposes.
Consent mode
Consent mode is a mechanism for activating Google tracking codes in a manner that communicates the current user consent status to the code. This ensures that the system, such as Google Ads, is aware of the permissible extent to process the data.
Consent mode is a mechanism for activating Google tracking codes in a manner that communicates the current user consent status to the code.
Consent mode allows us to avoid the complete blocking of data transmission when a user declines data processing for marketing purposes but does not object to data processing for analytical purposes. In this scenario, the consent status conveyed in the code instructs the system to utilize analytical functions for that user and refrain from using advertising functions.
Digital Markets Act
The Digital Markets Act is a European Union regulation designed to ensure fair regulation of digital markets in Europe while maintaining competitiveness (for more information, refer to the European Commission’s website).
It introduces a distinct category of entities referred to as gatekeepers, including major search engines, social media platforms, and messaging services. Due to their extensive scale, these gatekeepers will be subject to specific prohibitions and obligations.
As of January 2024, notable gatekeepers encompass Alphabet (including Google, YouTube), Amazon, Apple, ByteDance (TikTok), Meta (including Facebook, Instagram, WhatsApp), and Microsoft (Bing, LinkedIn).
Violating the regulations of the Digital Markets Act can result in severe penalties, potentially up to 20% of the annual revenue.
One of the obligations imposed on gatekeepers is to ensure that data is not processed without the required consent.
Mandatory Consent Status
To comply with the obligation of ensuring consent collection, Google expects the website owner to provide a clear declaration of the type of user consent they possess. In the absence of this information, Google will treat it as equivalent to a lack of consent.
Therefore, it is crucial to include parameters in the tracking code that define the consent status of each user.
This means that there will no longer be a situation where the site owner overlooks changes in regulations, fails to collect consents, and transmits data with outdated tracking code, where the consent status is undefined. Google will no longer accept such scenarios.
The tracking code will communicate four consent statuses pertaining to specific data processing scopes (or purposes):
- consent for analytics – analytics_storage
- consent for measuring ad effectiveness – ad_storage
- consent for Google to use user data for advertising purposes (enhanced conversions) – ad_user_data
- consent for personalized advertising (remarketing) – ad_personalization
The last two parameters were introduced in consent mode v2.
Image created using Google materials
In practical terms, this change on its own will not have a significant impact on the collected data and its quality, as users typically either agree to everything or provide a maximum refusal.
Advertisers who had previously implemented consent mode v1 on their websites using a Google partner consent management platform will generally not need to make major adjustments. The platforms will update the way they collect consents and transmit data to Google.
In some configurations, it may be necessary to manually initiate the update or supplement the code.
Therefore, it is advisable to confirm that consent mode is functioning correctly, for example, using the Analytics Debugger tool.
Consent status labels
The Google parameters gcs and gcd are utilized to convey consent status information.
The gcs parameter (e.g., G111) is associated with the ad_storage and analytics_storage statuses:
| Value | ad_storage | analytics_storage |
|---|---|---|
| G100 | Denied | Denied |
| G101 | Denied | Granted |
| G110 | Granted | Denied |
| G111 | Granted | Granted |
| G1– | Did not require consent | Did not require consent |
Additional variables introduced in version v2 (ad_user_data and ad_personalization) are defined by the gcd parameter (e.g., 11r1r1r1r5). It contains information about the default value and the value after the user’s refusal or consent (update). This variable has the following syntax:
The separator digits may also have a different value (e.g., 3 instead of 1). Consent statuses are denoted by letters, each signifying:
| Letter | Default status | Updated status |
|---|---|---|
| l (lowercase L) | No consent mode | No consent mode |
| m | No default status | Denied |
| n | No default status | Granted |
| p | Denied | No update |
| q | Denied | Denied |
| r | Denied | Granted |
| t | Granted | No update |
| u | Granted | Denied |
| v | Granted | Granted |
Using these values, Google determines whether the consent mode has been implemented and whether the site assumes default consent, which is currently not the correct setting for any data processing scope (as of January 2024).
How to check if you have implemented consent mode v2 correctly?
You can easily check if you have implemented consent mode v2 using just your browser.
- First, close all tabs (especially those with your website open).Then clear browsing data (especially cookies and other site data – in Chrome > Clear browsing data – select “all time”). This will ensure that your next visit to your site will be considered as a visit by a user who has not previously consented.
- Now open a browser tab and go to Developer Tools. In Chrome, you can find them in the menu View > Developer.
- In the Developer Tools, navigate to the Network tab.
- Now visit your website, but do not interact with the CMP window yet (do not accept or reject cookies). If your website is set as the browser’s homepage and you are already on it, refresh the page (if the cookie banner accidentally gets clicked, you’ll need to clear browsing data again).
- In the filter field, type “gcd” and open the Payload tab.
- Check the parameters gcs and gcd for each of the requests.
- Make a consent to cookies (or denia) in your site’s CMP and now check how the CMP request parameters look.
There will be requests to various Google services, e.g., analytics.google.com, googleads.g.doubleclick.net, google.pl/ads, etc. They will likely all have the same gcd, but it’s worth checking each of them.
In a correctly configured Advanced consent mode with default denial assumed, only values p, q, and r should typically appear on the first entry page, while the others require attention.
Before giving consent, each letter in gcd should be “p” (in some implementations it can be “q”; although it sends a signal about denial before it was given, in practice it means the same). After denial, these letters should change to “q”, and after consent – to “r”. If this is the case, it means you have correctly implemented consent mode v2.
What if you see different letters?
- The letter “l” (lowercase “L”) means that consent mode is not configured at all (if you have “l” only in the last two fields, it means you have the previous version of consent mode).
- The letters “t”, “u”, “v” indicate that a default consent has been defined in our consent mode, which is not correct under current legal conditions on the first entry page.
- The letters “m” and “n” indicate a lack of default consent status.
In the case of Basic consent mode, no requests will be sent to Google before consent is given. The default refusal status should be applied to all pages even in Basic consent mode, although there is currently no clear information on whether Google will consider “m” and “n” statuses in Basic consent mode as incorrect.
How does consent mode work for Google codes?
Consent mode in Google applies to Google Ads, Analytics, and Floodlight codes (Google Marketing Platform) and functions seamlessly with the conversion linker tag.
Beyond explicitly communicating the user’s consent status to Google, consent mode impacts how data is collected and processed, improving the quality and comprehensiveness of analytical data and refining the accuracy of ad optimization.
When consent is provided, the collected data undergoes full processing. The situation becomes more intriguing when consent is not given.
Advanced consent mode
Tracking codes in the Advanced consent mode will continue to send certain data even when consent is not given. However, they will refrain from using cookies or similar technologies that identify devices, ensuring that the data is not attributed to a specific user.
The Advanced consent mode is the new name for the standard consent mode. The term “advanced” has been added to distinguish it from the streamlined “basic” version.
Google gathers collective data on the activity of all users who haven’t granted consent, including the number of visits, pageviews, conversions, and generated revenue. This information is presented in segments based on browser type, country, and time of day, without being tied to specific users.
Source: Google materials
These data allow Google to gain additional insights into:
- The number of users who did not give consent.
- The overall activity of users who did not give consent, broken down into specific segments.
Basic consent mode
For those who, for various reasons, do not wish to transmit any data to Google without user consent, we offer a streamlined consent acquisition mode – Basic consent mode.
In this mode, if the user declines, Google does not collect any data, and no information about the refusal is sent to Google.
The basic consent mode simply involves the Google tag not being triggered until consent is given. There are no additional parameters involved.
Data modeling in consent mode
Look at the illustration below – without consent mode, campaigns A and B report the same effectiveness based on user data who have given consent for tracking.
Source: Google materials
The actual success of the campaigns varies, partly due to potential differences in the percentage of refusals within these campaigns.
Modeling in Advanced consent mode
Users who have not provided consent usually exhibit lower conversion rates. In Advanced consent mode, Google doesn’t need to make educated guesses about this, as the total number of conversions without consent is a known factor. The only estimation required is determining the percentage of these conversions attributed to a particular source, which is facilitated by the known total number of visits without consent per source.
With this information, Google can effectively estimate the real conversions in each campaign:
Modeling conversions in Advanced consent mode. Source: Google Materials
The supplementary data gathered about users who have not granted consent, including information such as their country and browser, enables Google to enhance the precision of estimates regarding the behaviors of users who have not provided consent. This is achieved by drawing parallels to comparable users for whom data is collected.
All calculations are based on entirely anonymous data, ensuring user anonymity without individual tracking.
Modeling in Basic consent mode
In basic mode, Google will compare the total number of ad clicks to the number of visits from ads for users who have given consent. The difference will be an estimation of the number of users without consent.
This way, Google will be able to estimate, though less precisely, the number of conversions for users who did not provide consent and for whom no information was collected (see illustration below).
Modeling conversions in Basic consent mode. Source: Google Materials
In basic consent mode, modeling applies only to conversions reported in Google Ads (there is nothing to model in Analytics because even the percentage of refusals is not known).
Other modeled data
Advertising systems, including Google Ads and Facebook, as well as Google Analytics in default configuration, have been using modeled data for quite some time. This is because what we can measure with tracking systems that rely solely on cookies no longer fully reflects the user’s complete journey.
Why is tracking becoming less effective?
- Legal regulations compel website and app owners to obtain consent before initiating tracking activities. Platforms utilizing such data (Google, Meta, Microsoft, etc.) are mandated to enforce this obligation on the owners of these websites and apps.
- Conversion paths are becoming increasingly complex as users engage with a growing number of devices, applications, and browsers (cross-device, x-device).
- Technologies such as ITP (Apple) and ETP (Firefox), responding to users’ heightened expectations regarding privacy and concerns about data security, are restricting cookies and their duration. With the full implementation of Privacy Sandbox in Chrome in 2024, third-party cookies will practically be eliminated, parameters injecting click identifiers into first-party cookies will be increasingly truncated, and the files carrying them will be deleted.
Missing data must be supplemented using mathematical modeling, extrapolating those values that we can track. These are estimated values, but certainly closer to the truth than if we completely ignored the gaps in the data.
Through conversion modeling, we obtain an approximate but more realistic picture of the campaign’s effectiveness.
The described modeling in consent mode fills in the gaps resulting from user refusals.
However, regardless of this, Google models conversion data by supplementing it with approximate cross-device data and filling in gaps caused by cookie blocking technology, as shown in the table below.
Based on Google materials.
Google Ads assigns a value to modeled conversions that is equivalent to the default conversion value set in the conversion settings. It’s crucial to verify and ensure that the configuration is accurate.
Is the Advanced consent mode compliant with the law?
The Advanced consent mode is essentially an extension of the well-established ‘regular’ consent mode, maintaining the same functionality. The introduction of two additional consent statuses doesn’t bring anything fundamentally new to the table.
Even without user consent, the Advanced consent mode continues to trigger the script and transmit specific data to Google. The extent of data processing is contingent upon the scope of user refusal. Using this limited data, Google models the behavior of users who have opted not to give consent.
This article is not intended to provide legal advice but rather aims to illuminate the essence of the issue. For specific cases, it is recommended to seek guidance from a legal professional or an individual with the appropriate qualifications.
Can it be done without consent?
The relevant regulations in this domain encompass ePrivacy (via Telecommunications Law) and GDPR. These regulations pertain to the processing of personal data and user identifiers, devices, or applications, such as cookies, IP addresses, and serial numbers.
Processing identifiers essential for the website’s operation and ensuring its security and the services it offers is permissible even without explicit consent.
If the current version of the ePrivacy project is enacted (as of January 2024), explicit consent for self-owned analytics will not be necessary.
What information does Advanced consent mode process?
In the event of a lack of consent in Advanced consent mode:
- No cookies or similar identifiers will be stored in the browser’s memory.
- The transmission of gclid information to Google Ads can be blocked by using ads_data_redaction=true.
- Aggregated information about the browser, country, and time will be collected, but no fingerprint will be generated.
- The IP address will be removed after determining the country (this can also be independently done server-side and sent to Google with only the country).
- If url_passthrough=true is configured, additional parameters will be added to the URL within the website (when user click and internal link on the landing page and during further website exploration). These parameters make possible to associate separate pageviews to a single session without using cookies.
The activity of users who haven’t granted consent is grouped into broad categories, segmented in a very general manner.
Are there any doubts here?
The consent mode was designed to facilitate measurements and marketing endeavors while safeguarding user privacy and mitigating data distortion resulting from the necessity of honoring user refusals.
The recent updates aim to align Google systems with the Digital Markets Act, thereby reducing the risk of penalties for Google due to data processing without the required consent. This may suggest that, to some extent, legal risks for companies utilizing these technologies are constrained.
However, it is crucial to acknowledge that, in Advanced consent mode, transmitting information to Google servers without user consent remains a factor that might raise concerns.
IP address
The IP address is an identifier that can identify a user, device, or network subscriber. Google asserts that, in consent mode, the IP address is used to determine the location and is subsequently destroyed. However, it does not change the fact that the IP address is transmitted.
There is the possibility of processing the IP on the user’s server (server-side) and sending only the location to Google. Yet, even if it is an in-house hosted server, and Google receives only the location, there is still the processing of the IP address for a non-essential purpose. After all, the website can function without analytics.
Regulators are increasingly acknowledging analytics as a legally justified and somewhat essential purpose for website administration. Similar changes are also being contemplated in the upcoming revisions to ePrivacy directive. It’s essential to note that, concurrently, we will process IP for the purpose of displaying the website.
Click identifiers
URLs may contain identifiers such as gclid or fbclid, and processing them without consent can be problematic.
Nevertheless, it’s feasible to configure consent mode to exclude processing these identifiers (as previously mentioned using the ads_data_redaction parameter). However, this won’t hinder the processing of identifiers external to Google (like fbclid or first-party identifiers such as marketing automation click parameters). Such data must be blocked separately.
User ID
Consent mode doesn’t impact the blocking of User ID functionality (first-party data) either. This implies that if the website passes User ID-related data in the tag parameter, it will still be collected in Analytics.
To address users who decline consent for data processing for analytical purposes, it’s essential to block the transmission of these parameters to the tracking tag. This can be achieved, for instance, by establishing additional conditions (consent status) in GTM for transmitting this value from the data layer to the tag.
Fingerprinting
In addition to capturing location data, Google gathers information about the pages visited, conversion events, and browser parameters.
Precise device details, particularly in smaller localities, can form what is known as a fingerprint. A specific combination of parameters in a given location may be uniquely distinctive, essentially serving as an identifier nearly as precise as a cookie.
The more of these parameters collected, within a larger user group and across a broader geographical area, the potential for them to constitute a distinctive identifier increases.
Google asserts that in the context of consent mode, a fingerprint identifier is not generated, and the location is utilised solely for modeling purposes at the country level (refer to Google’s help article). It is important to note that IP processing for data collection in Analytics, administered by the website owner, adheres to standard protocols.
What data does Analytics collect?
Here is the information available in BigQuery data for Analytics with consent mode for users who did not provide consent as of December 2023:
- The smallest towns have several thousand residents.
- Although gclid was mostly replaced by wbraid, there were cases where gclid was still present, either as a parameter or in the saved URL.
- Identifiers from sources other than Google, such as fbclid or mscclkid, are not removed from the URL.
It is possible that, in the case of a small portion of users, such collected data could create a fingerprint.
Moreover, processing identifiers without consent may raise legal questions. The wbraid identifier, as declared by Google, does not identify the user (specific click) and complies with Apple’s privacy standards (which are quite high), but this does not necessarily align with legal regulations.
However, it is important not to equate data collected in Google Analytics with data processed by Google under consent mode for advertising purposes – they are separate systems.
In the case of data in Analytics, the data controller is the website owner, and Google processes this data as a processor under the terms of data processing agreement.
Google states that only aggregated data that does not allow user identification is used for modeling conversions under consent mode for advertising effectiveness measurement purposes.
Source: Google
It’s worth noting that the consent mode modeling only kicks in after surpassing a certain threshold of users, reducing the likelihood that utilizing this information could effectively mean tracking an individual user or a small group.
Therefore, it seems reasonable to trust Google’s intentions in preserving privacy rules within consent mode. However, larger entities might consider fortifying this system through server-side tracking, which allows for unrestricted data editing before sending it to Google.
See Google’s help article on consent mode for more information.
Does consent mode respect users privacy?
The core of privacy protection lies in guarding against uncontrolled information gathering concerning individual users. As long as identifiers or fingerprints are not utilized (country and browser being non-identifying information), we are not infringing on any principles.
Imagine a crowd walking down the city streets. Tracking is like attaching a label with a number (cookie), checking identification (device ID), or taking pictures (fingerprint) of each person and documenting it all. Doing this without consent is an invasion of privacy.
What consent mode does can be likened to counting people walking on different streets, categorised by gender, hair colour, and eye colour.
However, it is important to recognize that the legal and technical or ethical definitions of privacy do not align perfectly.
For those who find concerns in this (whether legal or ethical), there is the Basic consent mode, which straightforwardly blocks the script in the absence of consent. No information about unconsented visits is collected and data modeling is very limited.
Illustration based on Google materials. Modeled data is approximate estimates. Google declares that it strives to recover as much data as possible by applying safeguards that prevent overly optimistic estimates.
Do you need to implement consent mode?
Consent mode is designed to minimize data distortions that may arise due to the necessity of obtaining user consent for tracking. Its implementation aims to improve the quality of analytical data and enhance the precision of conversion optimization in Google Ads.
Furthermore, businesses using Google Ads are obligated to implement tracking codes in consent mode. Failure to comply may lead to the suspension of remarketing and conversion tracking from March 2024. Without conversion tracking, optimising campaigns for anything other than maximising click-throughs or ad visibility becomes a considerable challenge.
The imperative to prioritize user privacy and secure consent for data processing has become a standard in digital services, indicating an irreversible trend in this domain.
Integrating consent management and solutions such as consent mode is crucial, particularly for those looking to execute efficient marketing strategies and optimise their outcomes.
If you require assistance with implementing consent management and consent mode, don’t hesitate to get in touch with us.
What does the implementation of consent mode involve?
The most straightforward method for implementing consent management with consent mode v2 involves utilising a consent management platform (CMP) recommended by Google. Ensure that the platform installation on the website follows the provided documentation accurately.
Subsequently, integrate the CMP with Google Tag Manager, where all tracking tags will be housed. This integration can be facilitated using a template available in the Tag Manager Community Template Gallery that aligns with the chosen consent management platform.
Within the settings of individual tags, incorporate the appropriate consent configurations.
For tags supporting consent mode (such as Google tags), opt for the “No additional consent required” setting. Conversely, for other tags, select “Require additional consent for tag to fire”, specifying the necessary consents for tag to fire.
To implement Basic consent mode, you should choose the option “Require additional consent for tag to fire” also for tags that support consent mode.
Using a consent management platform is optional. The fundamental setup guidelines are explained in this Google video:
How does the future of consent management look?
The European Commission recognizes that the existing regulations in this domain have resulted in an overwhelming number of “cookie consent” requests, causing fatigue among users who often accept them without comprehension.
Conversely, this hinders the adoption of legitimate technologies that respect privacy and imposes significant costs on website owners.
As of January 2024, the current form of the ePrivacy regulation project suggests a centralized approach to consent collection through web browsers.
Nevertheless, this doesn’t imply that consent management and consent mode will lose their relevance – quite the contrary.
What about Meta Pixel and Microsoft Tag?
Other tech giants are adopting comparable solutions. There’s a possibility that they may soon demand the unequivocal transmission of consent status with each tag invocation, even though this isn’t a requirement as of January 2024.
It appears that the term ‘consent mode’, originally coined by Google for its technology, may find application in relation to other solutions as well.
Facebook consent mode
Meta Pixel (Facebook) has its own consent status transmission mode (refer to Meta’s help article). Currently (January 2024), it functions in a basic manner – if consent is not given, no data is transmitted to Meta’s servers.
Microsoft UET consent mode
You can also configure Microsoft tracking code in consent mode. See Microsoft Advertising’s help article for more information.
Worth reading
Article by Simo Ahava on consent mode v2 – which provides additional technical and implementation details.
