SecureSpellsSecureSpells
    6 min read
    Google Consent Mode V2 and GDPR: consent state and tracking control

    AI-generated (Gemini Pro)

    Google Consent Mode V2: What It Means and How to Stay GDPR Compliant

    Google Consent Mode V2: What It Means and How to Stay GDPR Compliant

    Google Consent Mode V2 affects EEA/UK/CH consent signaling for Google Analytics and Google Ads use cases under Google policy requirements. This guide explains what it does, why misconfiguration creates GDPR risk, and how to verify your implementation.

    Google Consent Mode V2
    Google’s framework that adjusts how Google tags (e.g. Analytics, Ads) behave based on the user’s consent state. For certain Google ads and measurement use cases in the EEA/UK/CH, Google requires consent signaling under its EU User Consent Policy; it does not by itself make you compliant — you must still block tracking until consent and set the consent state correctly.
    Consent state
    The signal you send to Google (e.g. via gtag or GTM) indicating whether the user has granted consent for analytics, ads, etc. If the state is wrong or tracking runs before consent, you can still violate GDPR.
    Runtime verification
    Checking in a real browser what actually loads and when. Consent Mode is only compliant if your implementation ensures no non-essential tracking runs before consent; runtime testing confirms that.

    Google Consent Mode V2 controls how Google Analytics and Google Ads behave based on consent, and Google requires consent signaling for specific EEA/UK/CH use cases under its policy framework. When configured correctly, tracking waits for consent; when misconfigured, tracking can still run early and create GDPR violations. Many sites misconfigure it — tracking fires early, consent is not enforced, or the implementation is incomplete. This article covers what Consent Mode does, why it matters, and how to test your implementation with a runtime compliance scanner. For product and pricing, see SecureSpells and pricing.

    This article is for educational purposes and does not constitute legal advice. For compliance decisions, consult a qualified legal or privacy professional.

    What Consent Mode does

    Consent Mode controls whether and how Google tags (e.g. Google Analytics, Google Ads) run based on the consent state you provide. If configured correctly, tracking waits for consent and only runs after the user has accepted. If configured incorrectly — for example, tags fire on page load before the consent state is set to “denied”, or the state is never updated when the user rejects — tracking may still occur before consent. That creates GDPR violations: non-essential processing without a lawful basis.

    Many websites misconfigure Consent Mode

    Common problems we see:

    • Tracking fires early — Google tags load or fire before the user has accepted cookies, often because the default state is not “denied” or the tag is not gated on consent.
    • Consent not enforced — The banner updates the UI but does not update the Consent Mode state, or the state is set too late (after tags have already run).
    • Incorrect implementation — Missing or wrong parameters (e.g. ad_storage, analytics_storage), or Consent Mode not implemented at all while Google tags are still on the page.

    These are technical issues that can be fixed, but first you must detect them. Learn more: Top consent mistakes.

    Why this matters

    Google now enforces stricter requirements for Consent Mode in the EU, and regulators treat consent-before-tracking as a core obligation. Compliance matters more than ever: fines and enforcement actions continue to target sites that track before consent. Getting Consent Mode right — and verifying that behaviour matches your configuration — reduces risk and aligns with both Google’s and regulators’ expectations.

    How to test your implementation

    Manual testing (e.g. opening DevTools once) is easy to get wrong: different pages, consent flows, or tag manager changes can behave differently. A runtime compliance scanner runs your site in a real browser and reports whether tracking fires before consent and whether consent is respected. SecureSpells detects:

    • Consent violations — Non-essential Google (or other) tags loading or firing before the user has accepted.
    • Tracking before consent — Requests to Google Analytics, Google Ads, or other Google endpoints on first load without consent.

    Verify your Consent Mode: See if Google tags fire before consent. Misconfiguration is common; a runtime scan shows what actually happens.

    Run a free audit: SecureSpells.

    Fact basis

    Final takeaway

    Consent Mode is not automatic compliance. It is a mechanism you must implement correctly and then verify in practice. Set the consent state based on user choice, gate Google tags on that state, and test with a runtime scanner to confirm that no tracking runs before consent. That is how you stay GDPR compliant with Google Consent Mode V2.

    Frequently asked questions

    What is Google Consent Mode V2?

    Google Consent Mode V2 is Google’s way of adjusting how its tags (e.g. Google Analytics, Google Ads) behave based on the user’s consent. For certain EEA/UK/CH ad and measurement use cases, Google requires consent signaling under its EU User Consent Policy. You send a consent state (e.g. granted/denied for analytics and ads); Google tags are supposed to respect it. It does not replace the need to block tracking until consent — you must still implement that.

    Does Consent Mode V2 make me GDPR compliant?

    No. Consent Mode V2 is a technical framework. You are only compliant if you (1) obtain valid consent before non-essential tracking and (2) correctly implement and enforce the consent state so that no tracking runs before consent. Misconfiguration is common; you must verify behaviour with testing or a runtime audit.

    Why do many websites misconfigure Consent Mode?

    Common reasons: tags are not gated on consent state, the default state is not “denied”, the consent state is updated after tags have already run, or the implementation is incomplete (e.g. wrong or missing parameters). A runtime compliance scan can show whether Google requests happen before consent.

    How do I test if my Consent Mode is correct?

    Use a runtime compliance scanner: load your site without accepting cookies and check whether any Google (or other) tracking requests are sent. If they are, Consent Mode (or your implementation) is not correctly preventing tracking before consent. SecureSpells runs this check for you: Run free audit.

    Related articles

    Share:

    Share:
    SecureSpells

    SecureSpells

    Find GDPR risks on your live site before regulators do

    Check it out on Product Hunt →

    Read Next

    Continuous Privacy Monitoring

    Stop Privacy Violations
    Before They Happen

    Don't wait for a privacy violation to cost you thousands. Your privacy spells need a little work... but we've got the magic to fix them instantly.

    Create Free AccountView Agency Plans
    Free audit included
    Risk score report
    No credit card