Google Ads Consent Mode V2 & Privacy Compliance for EU Advertisers 2026 — Implementation Guide, Conversion Modeling & GDPR Requirements

What Is Google Consent Mode V2 — And Why It's Mandatory

Google Consent Mode V2 is the updated framework that controls how Google tags behave based on a user's consent status. For any advertiser running Google Ads campaigns targeting the European Union, European Economic Area, or the United Kingdom, implementing Consent Mode V2 is no longer optional — it is a hard requirement with direct consequences on campaign functionality, data access, and reporting accuracy.

The original Consent Mode (V1) was introduced in September 2020 as a voluntary tool that allowed websites to adjust the behavior of Google tags — primarily Google Analytics and Google Ads tags — based on whether a user consented to cookies. It operated on two parameters: ad_storage and analytics_storage. While useful, V1 lacked granularity and did not differentiate between consent for data collection versus consent for data use in advertising.

Consent Mode V2, announced in late 2023 and enforced from March 2024, introduced two additional consent parameters: ad_user_data and ad_personalization. These new signals allow Google to understand not just whether cookies can be set, but whether the user's data can be sent to Google for advertising purposes and whether that data can be used for personalized advertising. This distinction is critical under GDPR, which requires separate legal bases for different data processing activities.

"Consent Mode V2 is not an optional upgrade — it is the minimum technical requirement for running compliant, fully functional Google Ads campaigns in the EU. Without it, advertisers lose access to remarketing, audience building, conversion modeling, and enhanced conversions for EU traffic."

The enforcement timeline has been progressive but is now fully in effect as of 2026:

• March 2024: Consent Mode V2 became required for new audience list creation from EEA/UK traffic
• September 2024: Existing remarketing audiences from EEA/UK traffic stopped being populated without Consent Mode V2
• March 2025: Conversion modeling for non-consented users disabled for accounts without Consent Mode V2
• 2026: Full enforcement — accounts without Consent Mode V2 receive policy compliance warnings and face potential serving restrictions for EU-targeted campaigns

For advertisers operating in the EU, this is a high-risk compliance area. The intersection of GDPR legal requirements and Google's technical enforcement means that non-compliance creates both legal exposure and measurable performance degradation. For a broader view of EU regulatory requirements affecting digital advertising, see our European Union DSA Compliance Guide.

Consent Mode V1 vs V2 — Key Differences

Understanding the specific differences between Consent Mode V1 and V2 is essential for advertisers who may have implemented the original version and now need to upgrade. The changes are not merely cosmetic — they fundamentally alter how Google processes consent signals and what advertising features are available.

The key takeaway from this comparison is that Consent Mode V1 implementations are no longer sufficient. If your Google Tag Manager setup only passes ad_storage and analytics_storage signals, Google treats your EU traffic as non-consented for data sharing and personalization purposes, regardless of what the user actually consented to. Upgrading to V2 requires updating both your CMP integration and your GTM configuration to pass all four parameters.

Step-by-Step Implementation via Google Tag Manager

Implementing Consent Mode V2 through Google Tag Manager (GTM) is the most common approach for advertisers. The process involves configuring your Consent Management Platform, updating GTM consent settings, and verifying that consent signals are correctly passed to all Google tags. Below is the complete implementation workflow.

Step 1: Choose and Configure Your CMP

Select a Consent Management Platform that is certified for Google Consent Mode V2. Your CMP must be able to pass all four consent parameters to the Google consent API. Certified CMPs include Cookiebot by Usercentrics, OneTrust, Didomi, Quantcast Choice, Iubenda, CookieYes, and Commanders Act, among others.

Configure your CMP to map its internal consent categories to the four Google consent parameters:

• Marketing/Advertising cookies → maps to ad_storage
• Analytics cookies → maps to analytics_storage
• Data sharing with advertising partners → maps to ad_user_data
• Personalized advertising → maps to ad_personalization

Step 2: Enable Consent Mode in GTM

In your GTM container, navigate to Admin → Container Settings and ensure that the "Enable consent overview" option is activated. This unlocks consent-aware tag configurations throughout the container.

Next, for each Google tag in your container (Google Ads Conversion Tracking, Google Ads Remarketing, GA4 Configuration, etc.), open the tag settings and navigate to the Consent Settings section. Configure each tag to require the appropriate consent signals:

• Google Ads Conversion Tracking tag: Requires ad_storage and ad_user_data
• Google Ads Remarketing tag: Requires ad_storage, ad_user_data, and ad_personalization
• GA4 Configuration tag: Requires analytics_storage
• Google Ads Enhanced Conversions tag: Requires ad_storage and ad_user_data

Step 3: Set Default Consent State

This is the most critical step for compliance. You must set the default consent state to denied for all four parameters for EU users before any Google tags fire. This is done through a consent initialization trigger in GTM.

Create a custom HTML tag or use your CMP's GTM template to fire the following consent default command on the Consent Initialization — All Pages trigger:

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied',
  'region': ['EU', 'EEA', 'GB']
});

The region parameter allows you to apply denied defaults only for EU/EEA/UK users while maintaining granted defaults for users in regions without consent requirements. This ensures you do not unnecessarily limit data collection for non-EU traffic.

Step 4: Configure Consent Update Commands

When a user interacts with your CMP banner and makes their consent choice, your CMP must fire a consent update command that reflects the user's choices:

gtag('consent', 'update', {
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'denied',
  'analytics_storage': 'granted'
});

This update must fire immediately upon user interaction — any delay between the user's choice and the consent update command creates a window where tags may behave incorrectly.

Step 5: Choose Basic or Advanced Mode

Decide whether to implement Basic or Advanced Consent Mode. In Basic mode, no Google tags fire until the user provides consent — this means zero data collection for users who dismiss the banner without choosing. In Advanced mode, Google tags fire immediately and send cookieless pings even before consent is granted, enabling conversion modeling for non-consented sessions. Advanced mode provides significantly better data quality but requires careful legal review — consult with your Data Protection Officer or legal counsel before selecting Advanced mode, particularly if you operate in Germany or France where DPA scrutiny is highest.

Step 6: Verify the Implementation

Use the following tools to verify your Consent Mode V2 implementation is working correctly:

• GTM Preview Mode: Enter preview mode and check the consent state on each tag — confirm that tags show "denied" before consent and update correctly after consent
• Google Tag Assistant: The browser extension shows real-time consent state for all Google tags on the page
• Browser Developer Console: Check for the gcs parameter in Google Ads network requests — a value of G111 indicates all four consent parameters are granted, while G100 indicates only ad_storage is granted
• Google Ads Diagnostics: In your Google Ads account, navigate to Tools → Diagnostics → Consent to see Google's assessment of your consent signal implementation

For a comprehensive walkthrough of your Google Ads compliance setup, use our Legal Compliance Scan Tool to identify gaps in your current configuration.

Consent Signals Explained — The Four Parameters

Each of the four Consent Mode V2 parameters controls a distinct aspect of data collection and use. Understanding exactly what each parameter governs is essential for both correct implementation and GDPR compliance.

The interaction between these parameters is important. A user might consent to ad_storage and analytics_storage (allowing cookies) but deny ad_personalization (preventing their data from being used for remarketing). In this case, Google can track the conversion but cannot add the user to a remarketing audience. This level of granularity is what GDPR requires — purpose-specific consent rather than blanket opt-in.

"The two new V2 parameters — ad_user_data and ad_personalization — are where most implementation errors occur. Many advertisers correctly pass ad_storage and analytics_storage from their CMP but fail to map the new parameters, resulting in Google treating all EU users as non-consented for data sharing and personalization."

Conversion Modeling — How Google Fills the Data Gaps

One of the primary benefits of implementing Consent Mode V2 is access to Google's conversion modeling, which estimates conversions from users who decline consent. Without conversion modeling, advertisers only see conversions from the fraction of EU users who actively opt in — typically 40-70% depending on the CMP design, industry, and country.

How Conversion Modeling Works

When Consent Mode V2 is implemented in Advanced mode and a user does not consent, Google tags send anonymized, cookieless pings that contain:

• Timestamp of the page view
• Aggregate page URL (without query parameters containing personal data)
• User agent and device category
• Referrer information (traffic source)
• Consent state for each of the four parameters

Google's machine learning models then use the behavioral patterns of consented users on the same site to estimate the conversion probability for non-consented sessions. The models factor in device type, geographic region, traffic source, landing page, time of day, and day of week. The resulting modeled conversions are added to your Google Ads reporting as a supplementary signal.

Requirements for Conversion Modeling Activation

Conversion modeling does not activate automatically. Google requires the following minimum thresholds:

• Minimum traffic volume: At least 100 daily ad clicks from the region where consent mode is active
• Minimum consent rate: A measurable percentage of users must consent, providing the baseline behavioral data that models are trained on
• Consistent implementation: Consent Mode V2 must be implemented consistently across all pages of the conversion funnel — partial implementation breaks the modeling
• Conversion tracking active: Standard conversion tracking must be functional for consented users
• Minimum history: Google typically requires 7-14 days of consistent data before conversion modeling activates for a new implementation

Data Gap Estimation

Even with conversion modeling, there is a data accuracy gap compared to full consent tracking. The following table shows typical data availability scenarios:

The key insight is that Consent Mode V2 with conversion modeling significantly reduces — but does not eliminate — the data gap created by GDPR consent requirements. Advertisers should treat modeled conversions as directional estimates rather than precise measurements, and adjust their performance benchmarks and ROAS targets accordingly.

Enhanced Conversions & Consent Mode V2

Enhanced Conversions is a Google Ads feature that supplements standard conversion tracking by sending hashed first-party customer data — typically email addresses or phone numbers — to Google for more accurate conversion attribution. In the context of Consent Mode V2, enhanced conversions are directly gated by the ad_user_data consent signal.

When ad_user_data is granted, enhanced conversions can transmit hashed user data to Google, where it is matched against Google's logged-in user data to attribute conversions that might otherwise be lost due to cross-device journeys, browser cookie restrictions, or other tracking gaps. When ad_user_data is denied, enhanced conversions are blocked entirely — no hashed data is sent.

Setting Up Enhanced Conversions with Consent Mode V2

• Via GTM: Enable enhanced conversions in your Google Ads Conversion Tracking tag settings. Configure the tag to collect user-provided data (email, phone, name, address) from form fields or a data layer variable. Ensure the tag's consent settings require ad_user_data — GTM will automatically block data transmission when this consent is denied.
• Via Google Ads tag (gtag.js): Add the enhanced conversions configuration to your conversion tracking snippet. The ad_user_data consent signal from Consent Mode V2 will automatically gate data transmission.
• Via Google Ads API: For server-side enhanced conversion uploads (offline conversions), you must include the user's consent state at the time of the conversion event. Upload calls must include the consent field with the user's ad_user_data and ad_personalization states.

The combination of Enhanced Conversions and Consent Mode V2 provides the most complete conversion picture available under GDPR constraints. For consented users, you get both cookie-based tracking and first-party data matching. For non-consented users, you get conversion modeling. Together, these mechanisms can recover 85-95% of total conversion visibility depending on your consent rate.

Impact on Remarketing, Audiences & Attribution

Consent Mode V2 fundamentally changes how remarketing, audience building, and attribution work for EU traffic. Advertisers who have not adapted their strategies to account for these changes are likely seeing significant underperformance in EU campaigns without understanding the root cause.

Remarketing Impact

Remarketing lists for EU users are now populated only from sessions where the user granted both ad_storage and ad_personalization consent. This typically reduces the size of EU remarketing audiences by 30-60% compared to pre-GDPR baselines. The practical consequences include:

• Smaller audience pools: EU remarketing audiences are significantly smaller, which can push audience sizes below the minimum thresholds required for ad serving (1,000 users for display, 1,000 for search)
• Audience composition bias: Your remarketing audiences now over-represent users who consent to tracking — this group may have different demographic and behavioral characteristics than the full visitor population
• Frequency capping challenges: With incomplete audience coverage, frequency capping across channels becomes less effective for EU users
• Customer Match remains viable: First-party data uploaded through Customer Match is not affected by Consent Mode (the consent was obtained at data collection time), making it an increasingly important audience source for EU campaigns

Audience Building Impact

Similar Audiences (now called "Lookalike Segments" in Google Ads) and In-Market Audiences are affected by reduced signal availability from EU users. Google's audience modeling uses aggregated behavioral signals, so the impact is diluted across the total user pool, but advertisers targeting EU-specific audience segments may notice reduced segment accuracy and reach.

Attribution Impact

Attribution models — particularly data-driven attribution — rely on observing the full user journey across touchpoints. When 30-60% of EU user journeys are partially or fully unobserved due to consent denial, attribution models become less accurate for EU campaigns:

• Last-click attribution is least affected because it only requires observing the final converting touchpoint
• Data-driven attribution is most affected because it requires cross-touchpoint journey data that is fragmented by consent gaps
• Cross-device attribution degrades significantly because device graph matching requires user-level data that is blocked when ad_user_data is denied

Advertisers should consider supplementing Google's attribution with incrementality testing, media mix modeling, or geo-based lift studies for EU markets to validate campaign performance independent of user-level tracking. For a detailed overview of Google Ads policy requirements and how they interact with privacy regulations, see our Google Ads Policy Guide.

GDPR Alignment — Legal Requirements & Compliance

Consent Mode V2 is a technical implementation — it does not by itself ensure GDPR compliance. Advertisers must ensure that their overall consent and data processing framework meets the legal requirements of the General Data Protection Regulation, and that Consent Mode V2 is one component within that framework.

Key GDPR Requirements for Consent Mode V2

• Freely given consent: Your CMP must present a genuine choice — consent banners that make it significantly easier to accept than to reject (e.g., hiding the reject button, using dark patterns) do not produce valid consent under GDPR. Several EU DPAs have issued fines for manipulative consent banner designs.
• Specific consent: Consent must be obtained for each specific purpose. Consent Mode V2's four parameters align well with this requirement, but your CMP must present these as separate choices (or clearly grouped) rather than a single "accept all" toggle.
• Informed consent: Users must be told what data will be collected, who will receive it (including Google), and how it will be used. Your privacy policy and cookie banner text must specifically reference Google Ads, Google Analytics, and the data processing that occurs.
• Withdrawable consent: Users must be able to withdraw consent as easily as they gave it. Your CMP must provide a persistent mechanism (footer link, settings panel) for users to modify their consent choices at any time.
• Documentation: You must maintain records of consent — who consented, when, to what, and what information they were presented with. Most CMPs provide consent logging functionality that satisfies this requirement.

Advanced Mode and GDPR — The Legal Debate

The most contentious legal question around Consent Mode V2 is whether Advanced mode — which sends cookieless pings to Google before consent is obtained — is GDPR compliant. The argument in favor is that these pings do not contain personal data: no cookies are set, no user identifiers are transmitted, and the data is aggregated at the server level. The counterargument, raised by some DPAs and privacy advocates, is that the combination of timestamp, IP address (even if truncated), user agent, and page URL could constitute personal data under the GDPR's broad definition, and that processing this data without consent violates Article 6.

As of 2026, no EU DPA has issued a formal enforcement action specifically against Advanced Consent Mode, but the French CNIL and German DSK have published guidance suggesting that the safest approach is to avoid any data transmission before consent. Advertisers should make the Basic vs. Advanced mode decision in consultation with legal counsel, weighing the data quality benefits against the residual legal risk.

"GDPR compliance is not a checkbox — it is a continuous obligation. Consent Mode V2 provides the technical infrastructure, but the legal compliance depends on your CMP configuration, banner design, privacy policy content, and data processing agreements with Google."

Common Implementation Mistakes & How to Avoid Them

After auditing hundreds of Consent Mode V2 implementations, the following errors are the most frequent and impactful. Each of these mistakes can silently degrade your data quality or create compliance gaps without any visible error messages.

• Missing ad_user_data and ad_personalization parameters: The most common error. Advertisers upgrade their CMP for Consent Mode V2 but only pass the original two parameters. Google treats the missing V2 parameters as "denied" by default, silently blocking enhanced conversions and remarketing for all EU traffic. Always verify all four parameters are present in both the consent default and consent update commands.
• Consent default fires after Google tags: If the consent default command fires after the initial Google tag execution (due to tag firing order issues in GTM), the tags fire in a fully granted state for a brief moment before the denied defaults are applied. This creates a compliance violation and can result in cookies being set before consent. Always use the Consent Initialization trigger, which fires before All Pages.
• Region parameter misconfiguration: Setting the denied defaults globally (without a region parameter) blocks data collection for all users worldwide, not just EU users. Conversely, using incorrect region codes (e.g., "Europe" instead of the individual country codes) can cause the defaults to not apply correctly.
• CMP template outdated: If you use a CMP's GTM template, ensure it is updated to the V2-compatible version. Older CMP templates only pass two parameters and may not support the consent update format that Google requires.
• Not testing with consent denied: Many advertisers only test the "accept all" path. Test the "reject all" and partial consent scenarios to ensure tags behave correctly — verify that no cookies are set, no personal data is transmitted, and that cookieless pings fire correctly in Advanced mode.
• Server-side tagging without consent forwarding: If you use server-side GTM, consent signals must be forwarded from the web container to the server container. Without explicit consent forwarding, the server container has no visibility into the user's consent state and may process data that should be blocked.
• Ignoring consent for offline conversion imports: When uploading offline conversions via the Google Ads API, you must include the user's consent state at the time of the original online interaction. Uploading conversions without consent signals causes Google to reject or misattribute the conversion data.

EU Advertiser Compliance Checklist

Use this checklist to verify your Consent Mode V2 implementation is complete and compliant. Each item represents a critical requirement — a failure in any single item can undermine your entire consent framework.

For an automated assessment of your compliance setup, run our Legal Compliance Scan to identify any gaps in your current Consent Mode V2 implementation.

Frequently Asked Questions

Below are the most common questions from EU advertisers about Google Consent Mode V2 implementation, compliance, and performance impact. For additional guidance on regional compliance requirements, visit our EU DSA Compliance resource.