Consent Mode v2: A Practical Guide for UK Websites
If you run a UK business website that uses Google Analytics, Google Ads, or any Google marketing service, Consent Mode v2 is not optional — it is the mechanism that keeps your tracking legal under UK GDPR while preserving as much marketing data as possible. The ICO has made it clear that analytics and advertising cookies require explicit user consent. Consent Mode v2 is Google's answer: a framework that respects user choices while sending anonymised, modelled data when consent is denied. Here is what UK businesses need to know, how to implement it, and where UK requirements differ from the EU.
What Consent Mode v2 Actually Does
Consent Mode v2 adds a communication layer between your consent management platform (CMP) and Google's tags. When a user lands on your site, the consent state is sent to Google before any tags fire. Google tags then behave differently depending on the consent state:
- Consent granted: Tags fire normally. Full cookies are set. All data flows to GA4 and Google Ads.
- Consent denied: Tags still fire — but in a "cookieless" mode. Google sends anonymised, non-identifiable pings that do not use cookies. GA4 uses behavioural modelling to fill gaps in your reports. Google Ads uses conversion modelling for bidding.
The key insight: Consent Mode v2 means you are never completely blind, even when users say no. Modelled data fills the gap — and Google's models have become surprisingly accurate, especially for sites with enough consented traffic to train the model.
The Two Versions: Basic vs Advanced
Consent Mode v2 offers two implementation levels:
Basic Consent Mode
Tags are blocked entirely until the user interacts with the consent banner. If they accept, tags load and fire. If they reject or ignore the banner, no tags fire at all — zero data flows to Google. This is simpler to implement but gives you no modelled data. For a UK e-commerce site, this can mean 30-40% of your traffic generates zero analytics or ads data.
Advanced Consent Mode
Tags load immediately on page load with consent defaulted to "denied." Google receives cookieless pings from the first pageview — even before the user sees the consent banner. When the user grants consent, tags transition to full mode. When they deny, cookieless pings continue. This is the version Google recommends and the version that preserves the most marketing data. For UK businesses, Advanced is almost always the correct choice — the ICO expects consent banners, but does not forbid loading tags in a consent-respecting default state.
UK vs EU: What Is Different?
Post-Brexit, the UK operates under UK GDPR — a near-identical but legally separate framework from EU GDPR. For Consent Mode v2, the practical differences are subtle but important:
1. The ICO Is Your Regulator, Not the EDPB
The European Data Protection Board (EDPB) does not regulate UK businesses. The Information Commissioner's Office (ICO) does. The ICO has taken a more pragmatic, business-friendly approach than some EU DPAs — it has issued fewer fines for tracking violations and has explicitly encouraged the use of tools like Consent Mode that balance privacy with business needs. That said, the ICO is not soft: it fined British Airways £20 million and Marriott £18.4 million for data breaches, and has signalled it expects websites to take consent seriously.
2. No DMA Obligations
The EU's Digital Markets Act (DMA) imposes additional consent and data-sharing requirements on large platforms designated as "gatekeepers" — including Google. UK businesses are not directly subject to the DMA, which means some of the more complex Consent Mode v2 requirements tied to DMA compliance (such as the "ad_user_data" consent signal) are EU-specific. However, if your UK business targets EU customers, DMA requirements apply to that traffic.
3. UK Adequacy and Data Flows
The EU has granted the UK adequacy status (reconfirmed in 2025), meaning personal data can flow freely from the EU to the UK without additional safeguards. For Consent Mode v2, this means UK businesses can use Google's standard global infrastructure without needing EU-specific data processing agreements — though you should still document your data flows for ICO audit readiness.
4. CMP Market Differences
Some CMPs popular in the EU (like Didomi and Axeptio) have less presence in the UK market. UK businesses tend to use Cookiebot, OneTrust, Silktide, or Civic — all of which support Consent Mode v2 natively. If you inherited a CMP from an EU parent company, verify it supports the UK-specific IAB TCF v2.2 framework, which has slightly different vendor lists than the EU version.
Implementation: The 5-Step UK Setup
Step 1: Choose a CMP That Supports Consent Mode v2
Not all consent banners are equal. You need a CMP that calls the gtag('consent', 'update', {...}) API when users change their preferences. Cookiebot, OneTrust, Silktide, Civic, CookieYes, and Termly all support this natively. Avoid custom-built banners unless you are prepared to implement the gtag consent API yourself.
Step 2: Set Default Consent to Denied
Before GTM loads, place a consent default script in your <head>. This must fire before any Google tags:
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag("consent", "default", {
ad_storage: "denied",
ad_user_data: "denied",
ad_personalization: "denied",
analytics_storage: "denied",
functionality_storage: "denied",
personalization_storage: "denied",
security_storage: "granted",
wait_for_update: 500,
});
gtag("set", "ads_data_redaction", true);
gtag("set", "url_passthrough", true);
</script>Note that security_storage is granted by default — this is for security cookies like reCAPTCHA and CSRF tokens that do not require consent under UK GDPR's "strictly necessary" exemption.
Step 3: Load GTM After the Default Consent Script
The GTM container snippet loads immediately after the consent default. Because consent defaults to "denied," Google tags fire in cookieless mode by default. When the CMP updates consent to "granted," the tags transition automatically — no tag reload required.
Step 4: Configure Your CMP Callback
Your CMP must call the consent update API when the user makes a choice. Most CMPs handle this automatically, but verify in GTM Preview that the consent state updates when you click "Accept All" or "Reject All" in the banner.
Step 5: Test in Incognito Mode
Open your site in an incognito/private window. Before interacting with the banner, open GTM Preview and check the consent tab — all fields except security_storage should show "denied." Accept all cookies and check again — they should flip to "granted." If any field stays denied, your CMP callback is not wired correctly.
UK-Specific Watch-Outs
Implied Consent Does Not Work in the UK
Some EU regulators have tolerated "implied consent" banners where continuing to browse counts as acceptance. The ICO has explicitly rejected this: consent must be a positive, affirmative action. Your banner must have clear "Accept All" and "Reject All" buttons of equal prominence — no pre-ticked boxes, no "by using this site you agree" language.
The ICO Expects a Reject-All Option
Unlike some jurisdictions where a "reject all" button is optional, the ICO's guidance requires it. Your CMP banner must offer a one-click way to reject all non-essential cookies. Hiding "reject all" behind a settings menu or making it harder to find than "accept all" will not satisfy ICO expectations.
Analytics Cookies Are NOT Strictly Necessary
Some UK businesses argue that GA4 cookies are strictly necessary for website operation and therefore exempt from consent. The ICO disagrees. Analytics cookies require consent in the UK — full stop. If your banner defaults analytics to "on," you are not compliant. Consent Mode v2 handles this correctly by defaulting to denied.
What Happens If You Ignore It?
The ICO has the power to issue fines of up to £17.5 million or 4% of annual turnover for serious GDPR breaches. In practice, the ICO tends to issue warnings, improvement notices, and enforcement orders before levying fines — but the direction of travel is toward stronger enforcement of cookie consent rules. In 2024, the ICO issued guidance specifically calling out non-compliant cookie banners, and has indicated that enforcement action will follow. Implementing Consent Mode v2 now is far cheaper than dealing with an ICO investigation later.
Need Help Getting Set Up?
North Digital has implemented Consent Mode v2 for UK businesses of all sizes — from single-page brochure sites to multi-brand e-commerce platforms. We handle CMP selection, consent default scripting, GTM configuration, and ICO-aligned cookie policy drafting. Get in touch and we will have your consent setup compliant within the week.