GDPR Consent Mode v2: The Compliance Checklist
Consent Mode v2 became mandatory for all European Economic Area (EEA) advertisers in March 2024, and enforcement has only tightened since. If your GA4 data or Google Ads conversions have gone suspiciously quiet, there is a high chance your consent setup is misconfigured. Here is the practical, step-by-step checklist to verify compliance.
1. Default Consent: Start Denied
Before any user interaction, your site must set ad_storage, analytics_storage, ad_user_data, and ad_personalization to 'denied'. This tells Google: "do not set cookies, do not send personal data, do not personalize ads" — until the user explicitly opts in. If your consent banner loads after your GTM container, you are already leaking data.
The correct setup places the consent default script above the GTM container in your page's <head>:
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
'analytics_storage': 'denied',
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'functionality_storage': 'granted',
'personalization_storage': 'granted',
'security_storage': 'granted',
'wait_for_update': 500
});
</script>2. Consent Update: Grant On Interaction
Once the user clicks "Accept All" on your consent banner, you must fire an update command that flips the relevant flags from 'denied' to 'granted'. Google then models the missing data for users who declined — this is what keeps your reports useful even with opt-in rates below 50%.
Most Consent Management Platforms (Cookiebot, CookieYes, Usercentrics, Silktide) handle this automatically via their GTM template. If you are using a custom banner, you must fire the update command manually when the user interacts with it.
3. The Four Signals You Must Track
Consent Mode v2 introduced two new signals beyond the original analytics_storage and ad_storage. All four must be managed:
| Signal | Controls | Default |
|---|---|---|
analytics_storage | GA4 cookies and measurement | denied |
ad_storage | Google Ads conversion tracking cookies | denied |
ad_user_data | Sending user data to Google for ads | denied |
ad_personalization | Personalizing ads based on user data | denied |
4. Verify With Tag Assistant
Open Google Tag Assistant (tagassistant.google.com), connect to your site, and open the Consent tab. You should see all four signals cycling from denied → granted (or staying denied) as you interact with the consent banner. If any signal stays stuck at denied, your consent update mechanism is broken.
5. Language Preference Cookies Are Exempt
Under GDPR Article 5(3) and the ePrivacy Directive, cookies that are "strictly necessary" for a service explicitly requested by the user do not require prior consent. If you offer a language switcher (like we do — Polish and English), the cookie that remembers the user's language preference (nd_lang_pref) is exempt. This means you can set it before the user interacts with your consent banner. Just make sure it is categorised as functionality_storage: 'granted' in your consent defaults — the snippet above already does this.
Need someone to audit your consent setup? Book a compliance check with North Digital.