- Why has Consent Mode 2 been introduced?
- What is the difference between consent mode and consent mode 2?
- Consent Mode 2 enables anonymous tracking if visitors decline tracking
- How can consent mode 2 be implemented?
- What changes do I have to make?
- What do you need to do for an advanced implementation of consent mode 2?
- What should I do next?
- How we can help you
Google’s consent mode has been around since 2020 and is a way for websites to give detailed information to Google about how a user has (or has not) consented to their data being used when clicking on a cookie consent popup on a website. However, many website owners didn’t know about consent mode and many websites are not currently sending consent information to Google because there’s been no real need to do so, until now.
This year both technology and the law are changing in ways which mean that Google and other similar organisations need to change the way that they work. Google has responded to this by introducing Consent Mode version 2 – an updated version of its consent model that allows it to understand the user’s wishes better whilst also allowing it to anonymously track the behaviour of your website visitors even when consent hasn’t been granted.
The main way this change affects website owners is that, whereas previously it was optional whether you reported your visitors’ consent status to Google or not, now you will have to report the consent status of your website visitors to Google, otherwise you will start to see some significant limitations in terms of the way you can use Google Ads and Google Analytics.
In this blog post I will explain in more detail why these changes have been made, specifically what has changed and, crucially, what you need to do to ensure that your website is compliant with Google’s new requirements.
Why has Consent Mode 2 been introduced?
Google originally introduced consent mode in response to privacy legislation such as GDPR, and it is enforced across the European Economic Area. The first iteration of consent mode required website owners to send Google two pieces of information (called ‘signals’ in Google’s terminology) about the consent status of visitors to their website: analytics_storage and ad_storage. These are effectively yes/no flags that tell Google whether a user has agreed that their information can be stored for Google Analytics purposes (yes or no) or for the targeting of Google Ads (yes or no). As mentioned above, whilst some website owners have complied with this and are sending this information to Google, many are not.
The new version of consent mode extends this functionality as a result of more recent changes in the law, specifically the introduction of the European Digital Markets Act (DMA) in November 2022. The European Digital Markets Act (DMA) places a duty on big companies like Google to be accountable for the information that they collect and how they use it and they face large penalties if they don’t follow the rules. There was a deadline for compliance with the DMA of March 2024, which is why you have probably been receiving emails from Google or seeing notifications in your Google Analytics account about the changes that you need to make this month.
What is the difference between consent mode and consent mode 2?
Consent mode v2 adds two additional new signals: ad_user_data and ad_personalization which provide Google with more information about the nature of the consent that a user has given. Broadly speaking, the original two signals tell Google whether it is ok to store a user’s information for Google Analytics or Google Ads, whilst the two new signals tell Google more about what that data can be used for. Ad_user_data tells Google whether the user consents to their data being used for remarketing, whilst ad_personalization tells it whether the user consents to their data being used for ad personalisation.
Signals sent to Google | What does it govern? | Google consent mode | Google consent mode 2 |
Analytics_storage | Does the visitor consent to their data being stored for analytics purposes? | Y | Y |
Ads_storage | Does the visitor consent to their data being stored for advertising purposes? | Y | Y |
Ad_user_data | Does the visitor consent to their data being used for remarketing? | N | Y |
Ad_personalization | Does the visitor consent to their data being used for advertising personalisation? | N | Y |
As you navigate the web you’re likely to start seeing more granular cookie consent bars on websites, such as the example below, which asks the visitor to specify precisely what type of cookies they consent to and how they are happy for their data to be used. This cookie bar then sends that information to Google which uses it to determine how the visitor’s data can be stored or used in Google Analytics and Google Ads.
Consent Mode 2 enables anonymous tracking if visitors decline tracking
There’s another change that’s relevant here too. Now, as more people are aware of the privacy implications of massive data collection, many are completely opting out of having their data sent to Google. Under the first iteration of consent mode, if a visitor to your website declines to be tracked using cookies then Google will not track them at all. You will have no information in your Google Analytics about visits from people who do not want to be tracked and you will not be able use any of that information in your Google Ads.
Google recognises this change in visitors’ behaviour and consent mode 2 is part of its attempt to fill those gaps to try and give website owners and ad buyers an idea of how many people are visiting sites and what they’re doing when they get onto the site even when it is not able to track specific identifiable individuals.
Consent mode v2 gives website owners the ability to send anonymous visitor information to Google without using cookies or other tracking information but instead using so-called “cookieless pings”. Google can then use this data to fill the gaps in its data about visitors and their on a website, and it can also be used with machine learning to model conversions and the kinds of visitors that might be interested in a site. This is particularly useful for advertising and remarketing campaigns.
How can consent mode 2 be implemented?
Google has defined two ways that consent mode 2 can be implemented – basic and advanced. The difference between the two is in the level of information that is shared with Google.
What is a basic implementation of consent mode 2?
A basic implementation of consent mode 2 is very similar to how consent works now: once the visitors gives consent then Google can track what they do on your website. However, if the visitor does not consent then no data is collected. To set up basic implementation you need to be asking visitors to your website if they consent to cookies, make sure that no cookies are fired if they say no, and have a consent flag that you communicate to Google, so that Google knows whether consent has been given or not. If you do not send this flag to Google then it will not track any data about any of your website visitors, whether they consent or not. It is not enough to simply ask people whether they consent – you have to then send that information to Google.
What is an advanced implementation of consent mode 2?
An advanced implementation allows for “cookieless pings” – bits of data that show that a user is on the site and enable some of their actions to be tracked anonymously. This data is sent without any information that can be used to identify who that user is. This is more work for website owners to implement but the advantage is that Google gets more information about visitors and owners get better information in tools like Google Analytics. This information can then also be used to enhance algorithms that model visitor users and audiences for Google Ads.
What changes do I have to make?
Google suggests that website owners use a certified Consent Management Platform (CMP). This is a piece of software that takes care of consent management on your website for you. However, many of the CMPs charge a fee for using their software or service and that might be too much for many sites. Also many site owners are already managing consent correctly, in a way that is compliant with Google’s Consent Mode 2 so they just need a way of telling Google that and sending the extra information that Google requires.
The first step therefore is to make sure that you understand what signals your existing consent set up is sending to Google (if any) and then the second step is to understand what further steps you have to take to comply with consent mode 2, either with a basic or advanced implementation.
If you load a Google Analytics tag on your website, then your site will be in one of the following groups:
Sites that are running the Google tag without consent
There are many websites on which the Google tag is run without consent, with or without a popup. If you’re in this group you might have a popup, but it probably says something like “we’re using cookies on this site” and the visitor is not given an option to decline them. You may or may not be sending consent information to Google but the chances high that you’re not.
If you are in this group then you will have to implement a popup that gives users an option to opt-out and you will have to send the appropriate signals to Google in order to be compliant with a basic implementation of consent mode.
Sites that get consent to run the Google tag but don’t send the signals to Google
In this group there are sites on which the Google tag is only run once consent is given, but no signals are sent to Google so Google still does not know whether visitors to the site have consented or not. Sites in this group can achieve a basic implementation by sending the appropriate signals with their Google tag.
Sites that get consent and pass the signals to Google
Finally, there are sites on which the Google tag is only run once consent is given and the website owners are already passing one or both of the ad_storage and analytics_storage consent signals to Google. Sites in this group are most likely already compliant with the requirements of a basic implementation of consent mode 2.
What do you need to do for an advanced implementation of consent mode 2?
If you’re currently loading the Google Tag irrespective of whether visitors consent or not it may be because you don’t want to lose visitor numbers from your Google Analytics data. You want to track the behaviour of all site visitors, not only those who consent to being tracked. Advanced implementations are likely to be good in this situation because the anonymous “pings” can be counted instead, meaning you still get information about site visits even from users who have declined cookies.
There are three parts to an advanced implementation:
- Telling Google that there is no consent when someone arrives on your site and has not yet consented to tracking
- Then sending the appropriate signals to Google once consent has been granted
- Or sending anonymous event “pings” to Google in cases where cookie consent hasn’t been granted
Making the changes
How you actually implement the changes needed will depend on what you already have. If you have a CMS like WordPress then you might use a plugin to include the Google tag. Alternatively, you might send the data using Google Tag Manager or have the code directly in your page header or footer. Either way, you’ll have to understand how you include the tag before making any changes.
How will Google know if I’ve made the change?
Whenever you send information about your website visitors to Google Analytics or other services such as Google Ads, Google will be able to see if that data has been annotated with the correct consent signals.
Sending unconsented data is unlikely to get you kicked off Google services. However, if the consent signals are not visible on your data and if it comes from a part of the world that requires consent, then that data will most likely be silently ignored by Google meaning that your Google Analytics data becomes significantly less accurate and valuable, and you’re no longer able to use personalisation and targeting features in Google Ads.
You’re likely to see the effect of this most quickly if you’re using features such as audiences in Google Analytics, and particularly if you’re using those audiences to target ads in Google Ads. Google has said that it will honour any website visitors that have been added to your audiences before 6 March 2024 but that it will not allow any new visitors to be added to audiences after this date unless the consent signals have been properly set.
Will Google warn me if I haven’t made the change?
We’re starting to see messages in Google Analytics warning users that they need to check their consent. You might see a banner like this across the top of your Google Analytics.
You might also see a warning notice like the one below if you’re looking at your data stream set up in Google Analytics.
If you click through to manage your consent settings then you’ll see something like the panel below which tells you what consent settings you currently have.
In the example above we can see that website is sending some signals to Google (the Ads personalisation signals) but not the measurement signals so the website owner would need to check the consent management settings on their site accordingly.
Clicking on the “Manage data” button takes you to a configuration window (see below) where you can choose what Google services can use the consented data. It defaults to “All Google Services” but you may choose to limit what services receive the data.
What should I do next?
The first thing to do is to check if your site currently complies with CMv2. Your browser sends consent information along with the Google tag data and it’s encoded as a ten digit string which can be difficult to decode and track without technical knowledge. Instead, if you’re using Chrome or a Chromium based browser you can use a browser extension to check the consent status of a site.
A plugin that we’ve found useful is the Consent Mode Inspector. This plugin shows the current state of the consent signals at any point when a page is loading, and makes it easy to tell if you’re sending the right information.
To install the extension, just follow the link and click the “Add to [browser]” button. When the extension is loaded you should see a new icon in the browser:
The red square shows that consent mode is inactive. Click on the icon and a box will appear showing the state of the page consent:
Now navigate to your website and see what is in the popup. Is it set to “unknown” like the image above? If so you probably need to change your settings. If you see something like the image below then you’re most likely sending the right information to Google:
In this example, the page is telling google that the page default is for no cookies from anywhere, and then the page sends information to say that cookies are allowed. Hence the red column for “denied” and the green column for “granted”.
How we can help you
We also have a video demo on our site which takes you through the process of configuring Consent Mode 2 on a WordPress site using the Easy Cookie Consent plugin.
If you’re struggling with this then get in touch – we can help you. Firstly, we can help you determine what your existing consent settings are and whether you’re compliant with the basic implementation of consent mode 2 or not. Secondly, we can help you do whatever work is needed to ensure that you are compliant.