GA4 Consent Mode v2:
set up correctly, run GDPR-compliant.
Google Consent Mode v2 is the signal that tells Google whether and how a user has consented to measurement and advertising. We implement it correctly - Basic or Advanced, the four signals, your CMP - and combine it with server-side tracking so it is honoured end to end.
Hosted on German infrastructure (Hetzner). ISO/IEC 27001:2022. Technical guidance, not legal advice.
What is Google Consent Mode v2, and why is it required?
Consent Mode v2 is a Google framework that adjusts how Google tags (GA4, Google Ads) behave based on the consent a user has given. Instead of either firing fully or not at all, the tags read four consent signals and react accordingly - sending full data, modelled data, or nothing.
Version 2 added two new signals, ad_user_data and ad_personalization, specifically to satisfy the EU Digital Markets Act (DMA). Since 6 March 2024, Google requires these v2 signals to keep using audience lists, remarketing and personalised measurement in Google Ads and GA4 for traffic from the European Economic Area.
Without Consent Mode v2, EEA advertisers lose remarketing audiences, conversion modelling and personalised measurement. It is a Google platform requirement, not a German statute - but the consequence for your campaign data is immediate.
Consent Mode v2 Basic vs Advanced
This single choice determines how much data you recover and how conservative your setup is from a data-protection view. There is no universally correct answer - it is a documented trade-off.
| Aspect | Basic mode | Advanced mode |
|---|---|---|
| Tag behaviour before consent | Google tags are fully blocked. Nothing fires. | Tags load and send cookieless pings (no identifiers). |
| Data sent on rejection | None. Zero requests to Google. | Anonymous, cookieless pings with gcs/gcd flags. |
| Conversion modelling | Limited. Less data for Google to model from. | Up to 70%+ of rejected paths modelled (Google figure). |
| Data recovery | Lower. You keep only consented data. | Higher. Cookieless signal feeds the model. |
| DACH legal caution | Conservative. Nothing leaves before opt-in. | Contested. Cookieless pings before consent are debated. |
Choose Basic when
Legal caution outweighs data recovery. Nothing reaches Google before opt-in, which is the position many DACH data-protection specialists recommend for maximum defensibility. You accept a smaller modelled-data uplift in exchange.
Choose Advanced when
Data recovery is the priority and you have made an informed decision, with legal counsel, that cookieless pings before consent fit your risk appetite. Conversion modelling can then reconstruct over 70 percent of rejected paths (Google figure).
The four consent signals - and the two that v2 added
Consent Mode v2 reads four signals. Version 1 had two. The two new ones exist for the EU Digital Markets Act, and they are the ones most setups still get wrong.
analytics_storage Controls storage related to analytics, e.g. the GA4 cookie that holds a visit duration or measurement identifier.
Since v1ad_storage Controls storage related to advertising, e.g. cookies used for conversion measurement and ad attribution.
Since v1ad_user_data Controls whether user data may be sent to Google for advertising purposes. Added for the EU Digital Markets Act.
New in v2 (DMA)ad_personalization Controls whether data may be used for personalised advertising and remarketing. Added for the EU Digital Markets Act.
New in v2 (DMA)Wiring your CMP and the GTM default state
Consent Mode v2 needs a Google-certified consent management platform - Cookiebot, Usercentrics, Consentmanager and others. The brand matters less than the wiring. Here is the order that actually has to hold.
Set the default consent state
Before any Google tag can fire, the CMP must declare the default consent state (typically denied for all four signals in the EEA). This must run first in the page, in the GTM container, so no tag beats it.
Wire the CMP to the four signals
Map the CMP's consent categories (statistics, marketing) onto analytics_storage, ad_storage, ad_user_data and ad_personalization. A certified CMP that maps only two of four signals silently breaks your Google Ads measurement.
Update consent on user action
The moment a user accepts or rejects, the CMP must push an update command so tags react in the same page view. We test accept, reject and partial-consent paths against the dataLayer.
Verify end to end
Google Tag Assistant, the network tab and GA4 Consent Mode reporting confirm the gcs and gcd parameters arrive correctly. We document the verified state so you can re-check after any deployment.
Conversion modelling: what you realistically get back
Realistically around 40 percent of German users decline. Without a countermeasure, 30 to 50 percent of conversion data is missing.
Google states Advanced mode can reconstruct over 70 percent of conversion paths lost to rejection. A ceiling, not a guarantee.
Modelling only activates above a minimum daily traffic and conversion volume. Low-traffic sites see less uplift.
Conversion modelling is statistical reconstruction, not raw recovery. It estimates the conversions you cannot directly observe. That is why the realistic, observable uplift comes from combining Consent Mode with server-side tracking, which recovers events that browser-level blocking deletes outright.
GDPR, the TDDDG and Schrems II
Consent is the legal layer; Consent Mode is the technical layer
The German TDDDG (the law that replaced the TTDSG, in force since 13 May 2024) requires consent before storing or reading information on a user's device. Consent Mode v2 does not create that legal basis. It transmits the consent decision to Google. A correct Consent Mode setup with a missing or invalid consent banner is still non-compliant.
The Advanced-mode debate is real
Cookieless pings in Advanced mode still send some data to Google before consent. German and Austrian experts disagree on whether that constitutes processing without a legal basis. Present it to your counsel as an open question, not a solved one. We never claim a setup is "100 percent GDPR-compliant" - that is not a claim anyone can honestly make.
Schrems II and the EU-US transfer
Sending data to Google means a transfer to a US company. The EU-US Data Privacy Framework currently provides an adequacy basis, but it has been challenged and a residual risk remains. Keeping the measurement layer on your own German infrastructure reduces how much raw data leaves the EU in the first place.
This is a technical assessment, not legal advice. The contested points above should be decided with your own data-protection counsel. For the full legal picture, see our GDPR-compliant conversion tracking hub.
Consent Mode plus server-side tracking
Consent Mode governs whether data may be collected. Server-side tracking governs whether it actually arrives. You need both.
Consent Mode alone
Honours the consent decision and unlocks modelling - but client-side events are still deleted by ad-blockers, Safari ITP and iOS restrictions before they ever leave the browser.
Consent Mode in server-side GTM
The consent signal is enforced on your own server container. Events bypass browser-level blocking, yet rejected users still send nothing they have not agreed to. Compliance and recovery in one path.
Server-side is not a consent bypass. When a user rejects, a correctly configured server container must not forward data without a legal basis, not even anonymised. The full architecture lives on our server-side tracking page.
The four most common setup mistakes
Most Consent Mode v2 setups look fine in the GTM preview and leak data in production. These are the failures we find most often.
Tags fire before the default state
A Google tag that loads before the CMP sets denied-by-default leaks data on every first page load. The most common and most expensive error.
Only two of four signals mapped
Many setups built before March 2024 map analytics_storage and ad_storage but never added ad_user_data and ad_personalization. Google Ads quietly degrades.
Advanced mode chosen without a legal decision
Advanced is switched on for the data, without anyone deciding whether cookieless-before-consent fits the company's GDPR risk appetite.
No update on consent change
Consent is read once on load but never re-read when the user changes their mind, so the signal goes stale.
Not sure which of these is costing you?
In a free initial consultation we map what your current Consent Mode and tracking setup is silently losing - then outline a prioritised fix roadmap.
Book a free consultationFrequently asked questions
Consent Mode v2, Basic vs Advanced, CMP and GDPR
What is the difference between Consent Mode v2 Basic and Advanced?
In Basic mode, Google tags are blocked entirely until a user gives consent: no requests reach Google before opt-in, and rejected users send no data at all. In Advanced mode, the tags load immediately but send cookieless pings (no identifiers) when consent is missing, which lets Google model the conversions you lose to rejection. Advanced recovers more data; Basic is the more conservative choice from a data-protection standpoint because nothing is sent without consent. The trade-off is data recovery versus legal caution.
Is Google Consent Mode v2 mandatory?
For European Economic Area traffic, yes, in practice. Since 6 March 2024 Google requires Consent Mode v2 signals to keep using audience lists, remarketing and personalised measurement features in Google Ads and GA4. This is driven by the EU Digital Markets Act. Without v2, you do not lose Google Ads itself, but you lose remarketing audiences, conversion modelling and personalised measurement for EEA users. It is not a German law: it is a Google platform requirement.
Is Advanced mode GDPR-compliant in Germany?
This is genuinely contested, not settled. Advanced mode sends cookieless pings even from users who have not consented, and several German and Austrian data-protection experts argue that transmitting any data to Google before consent can constitute processing without a legal basis. For maximum legal caution, many DACH specialists recommend Basic mode, where nothing is sent until opt-in. This is a documented trade-off rather than a verdict. We give you a technical assessment so you can make an informed decision with your own legal counsel. This is not legal advice.
Which CMP do I need for Consent Mode v2?
You need a Google-certified consent management platform that natively supports Consent Mode v2. The most common in the DACH region are Cookiebot, Usercentrics, and the open-source Consentmanager and Klaro options. What matters is not the brand but the wiring: the CMP must set the four consent signals before any Google tag fires, push them into the dataLayer, and update them when the user changes their choice. A certified CMP that is incorrectly configured still leaks data, which is the most common failure we find.
What are ad_user_data and ad_personalization?
They are two of the four consent signals introduced by Consent Mode v2. ad_user_data governs whether user data may be sent to Google for advertising purposes; ad_personalization governs whether that data may be used for personalised advertising and remarketing. They were added on top of the original two signals (analytics_storage and ad_storage) specifically to satisfy the EU Digital Markets Act. If these two are not transmitted correctly, Google Ads degrades remarketing and personalised measurement for your EEA audience.
How do I check whether my Consent Mode v2 is working correctly?
Use Google Tag Assistant and the browser network tab to confirm that no Google requests fire before consent (Basic) or that cookieless pings carry gcs and gcd parameters (Advanced). Check that all four signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) update the instant a user accepts or rejects. In GA4, the Consent Mode reporting and the modelled conversions panel confirm the signal is reaching Google. The single most common silent failure is a tag that fires once before the CMP has set the default state.
How many conversions does conversion modelling recover?
Google states that conversion modelling in Advanced mode can reconstruct over 70 percent of the conversion paths lost to cookie rejection. That figure is Google's own and applies only to Advanced mode with sufficient data volume; modelling needs a minimum traffic threshold to activate. Real recovery varies by site, traffic and consent rate, so treat 70 percent as a ceiling, not a guarantee. In Germany, where roughly 40 percent of users reject cookies, the recoverable gap is large enough to matter.
Do I need server-side tracking in addition to Consent Mode?
They solve different problems and work best together. Consent Mode governs the legal signal: whether and how data may be collected. Server-side tracking governs the channel: it moves measurement to your own server so ad-blockers, Safari ITP and iOS restrictions stop deleting your events. Consent Mode without server-side still loses data to browser-level blocking; server-side without correct Consent Mode is a compliance risk. The robust setup combines both: consent enforced on the server, and the signal honoured end to end.
Related services
The rest of the tracking and consent stack
Consent Mode v2,
done right.
Start with a free initial consultation: we map exactly what your current Consent Mode and tracking setup loses, then implement the fix - Basic or Advanced, your CMP, server-side enforced.