What Consent Mode Is, and Why You Can't Skip It
Google Consent Mode is a signalling layer. Your CMP tells Google's tags (GA4, Google Ads, Floodlight) whether the visitor has consented, and the tags adjust what they do, either behaving normally or dropping into a limited, cookieless mode. Since March 2024, Consent Mode v2 has been required to keep advertising features like remarketing, audiences, and conversion measurement working for users in the EEA and UK. Without it, Google throttles those features regardless of what your banner shows.
Consent Mode is separate from blocking scripts. Prior blocking stops a tag from loading at all; Consent Mode lets the tag load but constrains it based on consent. Most sites use both. This guide is the CMP-to-Google wiring, if you want the GTM template internals instead, see Google Tag Manager and consent.
The Seven Signals
Consent Mode v2 uses seven named parameters. Your CMP sets each to granted or denied:
ad_storage, advertising cookies and identifiers.ad_user_data, sending user data to Google for advertising.ad_personalization, personalized advertising and remarketing.analytics_storage, analytics cookies (for example the GA4 client ID).functionality_storage, storage that supports site functionality, like language.personalization_storage, personalization such as recommendations.security_storage, authentication and fraud prevention.
The two v2 additions, ad_user_data and ad_personalization, are the ones that gate EEA advertising features, so a v1 setup that omits them is out of date. Full field reference: Consent Mode v2 parameters.
Default Denied, Then Update
The model has two phases. First a default command sets the starting state before the visitor chooses. For EEA traffic this should be denied across the advertising and analytics signals:
gtag('consent', 'default', {
ad_storage: 'denied',
ad_user_data: 'denied',
ad_personalization: 'denied',
analytics_storage: 'denied',
wait_for_update: 500
});Then, when the visitor makes a choice, the CMP fires an update reflecting it:
gtag('consent', 'update', {
ad_storage: 'granted',
analytics_storage: 'granted'
});The wait_for_update value tells Google's tags to pause briefly so the update can arrive before they decide how to behave. A CMP with native Consent Mode, like CookieBeam, emits both commands for you and applies deny-by-default per region, so you're not hand-writing gtag calls.
Wiring it up
Turn on Consent Mode in your CMP
Enable Google Consent Mode in the CMP settings. This tells it to emit the default and update commands instead of only blocking scripts.
Set region-aware defaults
Default to denied for regions that require opt-in (EEA, UK). You can set different defaults for opt-out regions. A region-aware CMP handles this per visitor, see running one banner across a global audience.
Map your categories to the seven signals
Your banner's marketing category should drive ad_storage, ad_user_data, and ad_personalization; your analytics category drives analytics_storage. Get this mapping right or the signals won't match the toggles.
Fix the load order
The default command must run before your Google tags configure. That means the CMP loads first in the <head>. If gtag configures before the default arrives, the tag has already decided.
Choose Basic or Advanced
Advanced Consent Mode loads Google tags in cookieless mode pre-consent and sends anonymous pings for modelling; Basic blocks the tag entirely until consent. The trade-off is data recovery versus zero pre-consent contact, decided in Advanced vs Basic.
Verify with Tag Assistant
Load the site with Google Tag Assistant and confirm the default fires denied, the update fires on your choice, and the parameters match the buttons. Debugging steps are in how to debug Consent Mode v2.
Basic vs Advanced, in One Paragraph
Basic mode holds Google's tags until consent, so nothing reaches Google before the visitor opts in, and you recover no modelled data from those who decline. Advanced mode loads the tags immediately in a restricted, cookieless state, sending anonymous signals Google uses to model conversions from non-consenting users. Advanced recovers more measurement; Basic makes a stronger pre-consent privacy claim. If your legal posture is strict opt-in, Basic is easier to defend. The full decision, including the pre-consent contact question, is in Consent Mode v2: Advanced vs Basic.
Where Setups Break
Four mistakes account for most broken Consent Mode implementations, and all four pass a casual glance:
- Load order. The default command fires after gtag has already configured, so the tag never saw "denied." The CMP has to be first in the
<head>. This is the single most common failure. - Missing v2 signals. An older setup sets
ad_storageandanalytics_storagebut notad_user_dataandad_personalization, so EEA advertising features stay throttled even for consenting users. - Mapping drift. The banner's marketing toggle doesn't drive all three ad signals, so a visitor who accepts marketing still shows
deniedfor personalization. - Untested regions. Defaults are correct for the EU but the site was only tested from a US IP, where nothing is denied, so the denied path never got exercised. Test with a VPN or your CMP's region simulator.
Each of these is invisible until you open Tag Assistant and watch the actual parameter values change. Don't ship on the assumption that the banner appearing means the signals are flowing.
Consent Mode Is Not a Substitute for Blocking
Consent Mode governs how Google's own tags behave. It does nothing for the Meta pixel, TikTok, LinkedIn, or your chat widget, those still need prior blocking. Treat Consent Mode as the Google-specific layer inside a broader consent setup, not the whole thing.