GTM Consent Mode v2 explained: the handshake between your banner and your tags

The thing it actually is

Consent Mode is a Google-defined API that sits between your cookie banner and anything that fires a Google tag — GA4, Google Ads, Floodlight, Campaign Manager. It isn't a product. It's a contract: before any Google tag does anything, it checks a small set of flags that say which categories of data the visitor consented to.

Version 2 (launched March 2024, mandatory for EEA advertisers using Google's ads products) extended the v1 vocabulary with two new signals specifically aimed at advertising personalisation. There are now four flags a consent banner must set:

• analytics_storage — "granted" / "denied": can GA4 read/write its cookie and send events
• ad_storage — can Ads/Floodlight read/write its cookie
• ad_user_data — can user identifiers be sent to Google for ads use
• ad_personalization — can the data be used for remarketing and personalised ads

The last two are the v2 additions, and they're the reason every CMP had to ship an update in early 2024.

Why March 2024 raised the stakes

Before v2, Consent Mode was a strong recommendation. After March 2024 it became a gate: if you're an advertiser serving EEA traffic through Google Ads or GA4, and you don't send Consent Mode v2 signals, Google will not process the data for remarketing, audience expansion, or enhanced conversions.

You won't see an error. You'll see your audiences quietly stop growing, and conversion reporting get noisier. That's the failure mode — silent data loss rather than a broken page.

For non-EEA traffic Consent Mode is still optional, but because most sites don't want to run two different tag stacks by geography, in practice everyone flipped the switch globally.

Basic mode vs advanced mode — the real decision

This is where CMPs diverge, and it's worth understanding before you pick one.

Basic mode: Google tags don't load at all until consent is granted. If a visitor denies, no pings, no cookies, no nothing. Simple and deterministic. The downside is you lose all data from denying visitors — including the denial itself, which means conversion modelling can't fill in the gap. Typical EEA consent rates of 40–70% translate directly into 40–70% measured data.

Advanced mode: Google tags load with all signals defaulted to denied. They fire cookieless pings — no identifiers, no cookies, just anonymised event data — before consent is resolved. When consent is granted, the signals update and the tag switches to full-data mode. If consent is denied, the cookieless pings continue, and Google uses them to statistically model the missing conversions.

Advanced recovers roughly 60–80% of the lost conversion signal, depending on traffic volume. The tradeoff is complexity: your banner must set the default state before gtag.js or the GTM container loads, and update it the moment the user clicks accept/reject. Get the ordering wrong and you either leak data pre-consent (regulator risk) or lose the modelling benefit (data-science risk).

The three mistakes we see every week

When a site fails a scan, nine times out of ten it's one of these:

1. The default state is set after gtag.js loads. Order matters. The Consent Mode default must appear in a synchronous <script> earlier in the <head> than anything that loads Google tags. CMPs that inject their config asynchronously blow this ordering.

2. The update call never fires — or fires with wrong granularity. Some banners set everything to granted when the user accepts "all", regardless of whether the user deselected Marketing. Others only update analytics_storage and forget the ads signals. Easy to miss because the banner UI still works — it's only the data pipeline that breaks.

3. Region wildcards mask the denied state. Consent Mode lets you set per-region defaults (e.g. default for EEA-only, granted elsewhere). A common misconfiguration is to set a global granted default, then selectively deny for EEA visitors — which means non-EEA visitors get tracked before any banner interaction, in jurisdictions that also require consent (UK PECR, for instance). The regulator pays attention to this.

How SmartConsent handles it

Four decisions flow from the above, and they're the shape of the integration in SmartConsent:

1. The default state is written inline in the SmartConsent script itself, not fetched from a remote config. By the time the first Google tag has a chance to run, gtag('consent', 'default', {...}) has already executed synchronously.

2. The update call is wired to every category change, not just accept-all. Deselecting Marketing but accepting Analytics produces the correct { ad_storage: 'denied', analytics_storage: 'granted', ad_user_data: 'denied', ad_personalization: 'denied' } signal. No silent full-opt-in.

3. Region defaults are derived from the jurisdiction engine, not hand-maintained. EEA + UK + Switzerland default to denied; CCPA opt-out states use denied for ad_storage/ad_user_data/ad_personalization but granted for analytics_storage (reflecting the opt-out-of-sale model); the rest match your configured strictness.

4. Advanced mode is the default, with an opt-out flag if you need basic. Most teams want conversion modelling; the ones who don't are usually regulated sectors who prefer the cleaner audit trail of basic.

How to verify it's working

Three checks, in order of effort:

• Google's Tag Assistant Chrome extension shows the Consent Mode state live. Load your page, open the extension, look for the "Consent" panel. It should show all four signals with their current values.
• GA4 DebugView (under Admin → DebugView) will tag events with gcs=G100 (all denied), G111 (all granted), or variations. If you see events arriving before a banner interaction with G111, something is setting default to granted.
• Our free scanner runs both checks plus a structural pass on your banner (default timing, update wiring, region handling) and surfaces the failures in plain English.

The rest

For the full pipeline — geo-detection, regulation lookup, banner render, Consent Mode signal, script gating — see how SmartConsent works. For side-by-sides on how other CMPs handle v2, see the alternatives hub.

Consent Mode v2 isn't the exciting part of the consent stack. It's the plumbing. But it's the plumbing that decides whether your analytics team has data to work with at the end of the quarter, so getting it right is a disproportionately high-leverage piece of the job.