Consent Mode v2
Privacy regulation and data quality are usually treated as opposites — tighten one, lose the other. Most sites "handle" consent by dropping a cookie banner on top of their existing tags and calling it compliant. The tracking either still fires when it shouldn't, or it stops firing entirely and half your data disappears the moment someone clicks "reject." Neither is actually solving the problem.
Consent Mode v2 done properly isn't a banner. It's a signaling layer between your site, Google Tag Manager, and Google's platforms — and getting it right is what lets you stay compliant without flying blind.
What proper implementation actually means
- Correct consent signal wiring —
ad_storage,ad_user_data,ad_personalization, andanalytics_storageset and updated in real time as the user interacts with your consent banner, not just at page load. - Modeled conversions, so when a user declines cookies, Google can still statistically model the gap instead of leaving a hole in your reporting and a blind spot in your bidding algorithms.
- Regional configuration that respects the actual legal requirements of GDPR, ePrivacy, and other regional frameworks — not a single global on/off switch applied everywhere regardless of where the visitor is.
- Tag-level consent checks built directly into your Tag Manager container, so every tag — GA4, Ads, Meta, whatever else is firing — respects consent state individually instead of relying on the CMP alone to gate everything.
- Consent-aware default states, so tags behave correctly for the split second before a user makes any choice at all, which is where most "compliant" setups quietly leak data or silently break tracking.
Why it matters
Get this wrong in one direction and you're non-compliant, exposed to fines and platform penalties that can turn off your ad accounts overnight. Get it wrong in the other direction and you're technically safe but flying without instruments — your reporting undercounts conversions, your bidding algorithms start optimizing on incomplete signals, and nobody notices until performance quietly degrades for reasons that don't show up anywhere.
The regulation isn't going away, and neither is the expectation that your data holds up. The businesses that get ahead of this are the ones treating consent as an architecture decision, not a legal checkbox bolted on after launch.
How I approach it
- Audit your current consent setup — what signals exist, what's actually respected by your tags, and where compliance and data integrity are quietly working against each other.
- Map your regulatory footprint — where your users actually are, and what that legally requires versus what's just best practice.
- Architect the consent signal flow in Google Tag Manager, wired into your CMP and every downstream tag, tested against every consent state a user can land in.
- Configure conversion modeling so declined consent doesn't mean lost visibility, just modeled visibility.
- Validate and document, so what's compliant today stays compliant as tags get added later by someone who isn't me.
This sits right alongside GA4 and Google Ads conversion tracking — consent architecture is the layer that decides whether the data underneath either of those can be trusted at all.
Privacy compliance and data integrity aren't actually in tension. They're only in tension when nobody's architected the system properly. Let's fix that.