Google Consent Mode Basics: the What and the How

The push to protect users’ privacy online has given rise to new tools that try to interpret and respect user’s choice for privacy while balancing reasonable data expectations for businesses.

This balance between user privacy and reasonable data for business is painfully tough to get correctly, if at all possible – users want total privacy yet expect personalized experiences; businesses seem to want to record every data point possible, many times without understanding how far reaching these technologies can go: and lawmakers across the world are crafting regulation that in many cases seem ambiguous, unreasonable or nearly impossible to enforce.

Nonetheless, the industry is making moves and Google Consent Mode is the latest in Google’s arsenal supporting users privacy on the web. In this blog post we review Google Consent Mode, what it is, how it works, and how you can take advantage of it.

We have to say it… this post is not meant to be legal advice. Rather, the intention is to shine light on the ways this technology can help teams align with their organization’s legal requirements, whatever they may be.

What is Google Consent Mode?

In a nutshell, Google Consent Mode could be described as a Google Tag Manager feature that allows you to adjust how tags behave based on the consent status of your users. Google Consent Mode works with both web and mobile apps – in this post we’ll be focusing on web.

One common misconception is thinking Google Consent Mode is what surfaces the consent banner we’re so used to seeing (Accept All Cookies?). No, that is not Google Consent Mode. That is the role of the CMP.

There are three very different technological components you should be familiar with when approaching Google Consent Mode: The Consent Management Platform (CMP), Google Consent Mode’s out-of-the-box behaviours, and the tags settings in Google Tag Manager. One common misconception is thinking Google Consent Mode is what surfaces the consent banner we’re so used to seeing (Accept All Cookies?). No, that is not Google Consent Mode. That is the role of the CMP.

We’ll explore these three areas below with the hope you will have enough information to roll out your upgraded user privacy environment.

The Consent Management Platform (CMP)

We’ve found many people confuse Google Consent Mode, a Google Tag Manager feature, with a CMP, the one responsible for the user-facing consent pop-up we often see.

Arguably, a CMP is more important than Google Consent Mode when it comes to protecting your users’ privacy. Organizations can leverage a CMP to be compliant with the different regulations without Google Consent Mode. However, Google Consent Mode will help you get some benefits that a CMP alone cannot provide like consent attribution modeling.

Thus it is a good idea to explore, understand and implement the CMP of your choice before digging into Google Consent Mode. Consider a CMP will do more than just show a pop-up to your users, different CMPs have different reports that allows an understanding of how users interact with consent message, cookie scanning, different levels of permissions for users, templates for different regional laws like GDPR and CCPA, etc..

Take a moment to understand what you need, and see if you can match your needs to what the different CMPs can offer. Google has outlined a list of CMPs that integrate with Google Tag Manager and Google Consent Mode.

Google Consent Mode Default Consent Types

Once a CMP is in place, it is time to look at basics of what Google Consent Mode can do – the Consent Types. We’re finding a lack of understanding consent types is becoming a pitfall for many organizations. Many teams start planning for user consent as a binary choice, yes or no. This is setting teams up for frustrating conversations since there is a lot more nuance behind the different options site owners can provide users.

Let’s clarify a confusing point in this space. Most of the time consent is not about cookies, is about tags. Tags may set or read cookies, or may work all together without the need of cookies. Also, all sites need a variety of cookies to function properly – this can sometimes be confusing.

Most of the time consent is not about cookies, is about tags.

Google Consent Mode offers a good level of flexibility for organization to classify tags into different privacy levels for site visitors. In Europe, the General Data Protection Regulation (GDPR) encourages this multiple levels of tag classification – required, performance, personalization, etc.. In contrast, the California Consumer Privacy Act (CCPA) encourages a binary setup of opt-in or opt-out.

Google Consent Mode offer the following consent types:

  • ad_storage
  • analytics_storage
  • functionality_storage
  • personalization_storage
  • security_storage

When thinking about offering different levels of privacy an organization can use these classification types to group tags. This enables some choice for the consumer and improves an organization’s chances for collecting valuable data.

One point to notice when thinking about classifications is that CMPs that integrate with Google Consent Mode typically do not use this particular wording for their classifications. Instead, they map Google Consent Mode’s classifications to their default classification types.

Here are some examples of CMP’s classification types:

Commanders Act
Cookiebot

Ibuenda

It is important to understand the different vendors as well as scoped tags in the site’s Google Tag Manager container. There may be some tags that do not make sense to have in scope – i.e. a script that loads a coupon or site functionality. This is fine, but all tags must be accounted for.

Tag Settings in Google Tag Manager

Once a CMP has been selected, the tags in Google Tag Manager identified and classified, it is time to do the actual setting in Google Tag Manager. This is the part many teams want to execute, but it should be the last and easiest part. Like painting a wall in a house or building any software – most of the work is done before the painting or coding.

The final step is enabling “Consent Settings” for each tag in scope. Enabling this option is fairly simple. Google Tag Manager admins can find this setting under “Advanced Settings”

This setting is available for all tags. However, some tags in the Google Marketing Platform universe (Google Analytics, Google Ads and Floodlights) have built-in consent checks. Rather than dictating if a tag fires or not, tags with build-in consent modify their behavior based on the consent granted. (This introduces the controversial behavior explained in the next section.)

Ensuring All Tags Are Accounted For

Google Consent Mode added this nifty feature to Google Tag Manager that quickly allows you to understand what tags have been configured and which not. If you are using Google Consent Mode across most of your tags, this feature can become handy.

Consent Mode Modeling – Controversial?

There is one point with Google Consent Mode that many find somewhat controversial. If a user denies consent for analytics purposes, Google Consent Mode still sends a “ping” to Google Analytics servers for “basic measurement and modeling purposes.” In other words, the browser always sends a hit to Google Analytics servers.

If a user denies consent for analytics purposes, Google Consent Mode still sends a “ping” to Google Analytics servers for “basic measurement and modeling purposes.”

as per observed and documented on google’s website

Many user privacy advocates see this as a problem and would rather have Google Tag Manager prevent the tag from firing altogether just like other tags – understandably.

But Google Analytics servers does not mean Google Analytics reports. Google adds a parameter to the outgoing hit to signal the type of consent the user has given. Based on that parameter, Google Analytics processes the data differently. If the user has denied analytics, the data will be used for modeling purposes that fit a specific criterion (link to Google’s site explaining this), but not shown in Google Analytics reports or data exported to Big Query.

For those of you wondering, the parameter key is “gcs” and the possible values are “G100”, “G110” and “G111”. Where “G1” are fixed values; the second number (binary) represents if the user has given analytics consent “1” or not “0” (analytics_storage granted or not); and the third number represents ad related info granted “1” or not “0” (ad_storage granted or not).

Conclusion

Google Consent Mode is an interesting proposition. It ads value to organizations using the Google Marketing Platform to get some type of aggregated data even when their users have signaled not to be tracked. In this sense, Google Consent Mode is quite valuable.

Some organizations may have a stricter interpretation of the user’s choice for privacy and will likely not be onboard Google Consent Mode. For these organizations keeping a Consent Management Platform to fire or block tags as required may be the best fit.

On a personal note, protecting online user’s privacy is a tough cookie to crack (pun). Striking a balance between what the law makers across the world think they want (GDPR, CCPA, etc.), what the users think they want (both privacy and relevant content) and what the businesses think they need (campaign attribution, user insights for all, etc.) can be very elusive.

We like Google Consent Mode as a powerful weapon in the privacy sphere and look forward to its evolution.

Jose Uzcategui

Global Lead / Sr. Analytics Consultant