User privacy remains a hot topic that requires your attention as a marketing professional in 2022. Browser developers, martech vendors, and ad tech vendors alike are all making changes to how they collect and handle data in their products.
Browsers are moving away from third-party cookies, and some would say we’re even moving away from cookies altogether soon. Authorities are increasingly enforcing privacy laws, and lawmakers are working on expanding them as big tech tries to work around them.
To us, as marketing data specialists, the road ahead is clear. As the owner of your website or app, you will need complete control over the data you collect and the companies you share it with. Without this granular control, you will not be able to live up to the law, but most importantly, you will not be able to live up to the customer’s expectations.
That being said, this is easier said than done for most companies. You’re stuck with a lot of ‘essential legacy’ technology in your marketing stack that you can’t just chuck overboard. One of the essential pieces of software is your Tag Manager software and your Consent Management software. That’s where Google’s “consent mode” comes in.
What is Google Consent Mode?
Google Consent mode was launched in September 2020, and it is Google’s answer to the data privacy regulatory requirements. When integrated, it allows websites to monitor conversions and use analytics tools while maintaining compliance with GDPR and other privacy regulations. Consent mode creates a ‘best of both worlds’ scenario while maintaining granular control over every marketing script we fire.
First of all, it’s essential to realize that Consent mode is not preventing different requests from being constructed and sent from the user’s browser to different endpoints. Instead, it changes when a specific type of “cookie storage” can be accessed (either reading of, or writing to, these different types of storage). As a result, requests are being sent, but the form of that hit might be altered based on the visitor’s consent.
Google Consent mode recognizes five different types of storage:
- ad_storage
- analytics_storage
- personalization_storage
- security_storage
- functionality_storage
The two most important storages are analytics_storage and ad_storage, mainly because only these two are currently set as required for different Google tags to run in their usual way.
How does Google Consent Mode work?
It’s important to note that Google consent mode does not replace the functionality of the consent management platform (cookie banner). Google Consent mode expects a proper CMP installation in the first place. Consent mode got quickly integrated into the most popular Consent management platforms (including Cookiebot, Usercentric, OneTrust – a list of CMPs that integrated consent mode can be found here). However, if you are using your own cookie banner, it is possible to create the integration with Google Consent mode and get all benefits of its integration.
Setting the default consent values
First of all, setting the default consent levels is required. This piece of code should be placed before you load your CMP or GTM. If the gtag(“consent”, “default”, {}) function is not called, access to all storage is considered granted by default (which, in our opinion, should not be the case).
It’s up to you, what the default consent levels are going to be, but we recommend an explicit opt-in setup, where access to every storage is by default denied, as this setup is in line with GDPR. Here is what that code would look like:
window.dataLayer = window.dataLayer || [];
function gtag() { window.dataLayer.push(arguments); }
gtag("consent", "default", {
ad_storage: "denied",
analytics_storage: "denied",
functionality_storage: "denied",
personalization_storage: "denied",
security_storage: "granted",
wait_for_update: 500
});
gtag("set", "ads_data_redaction", true);
Restricting the consent levels for specific regions
There’s also the possibility to restrict access to different storages only for certain regions. This can be useful if you wish to have different default consent levels for different countries or regions. If the same rules apply for multiple regions, you can add them within the same gtag() function call (example below will set default consent levels for ad_storage and analytics_storage to ‘granted’ for US and Canada).
window.dataLayer = window.dataLayer || [];
function gtag() { window.dataLayer.push(arguments); }
gtag('consent', 'default', {
ad_storage: 'granted',
analytics_storage: 'granted',
wait_for_update: 500,
region: ['US', 'CA']
});
If you want to set different consent levels for different regions, you can do it by calling the gtag() function multiple times. Example below shows how to set default consent levels for ad_storage and analytics_storage to ‘granted’ for US and Canada, but to ‘denied’ for all other regions:
window.dataLayer = window.dataLayer || [];
function gtag() { window.dataLayer.push(arguments); }
gtag('consent', 'default', {
ad_storage: 'granted',
analytics_storage: 'granted',
wait_for_update: 500,
region: ['US', 'CA']
});
gtag('consent', 'default', {
ad_storage: 'denied',
analytics_storage: 'denied',
wait_for_update: 500
});
Updating consent values
After the user interacts with the cookie consent banner, an additional gtag() function should be called that updates the values of the consent for different storages. For example:
gtag('consent', 'update', {
ad_storage: 'granted',
analytics_storage: 'granted'
});
Integrating Consent mode with Google Tag Manager
Within GTM, Google consent mode is currently fully integrated only with Google tags. These include Universal Analytics, Google Analytics 4, and Google Ads and Floodlight tags (Google Optimize doesn’t require access to any storage, thus is unaffected by consent mode). These tags behave differently based on the consent levels.
ad_storage
ad_storage is required for all Google tags (including Google Analytics).
If the ad_storage is denied, the following happens:
- First-party advertising cookies can’t be written or read.
- Requests are sent through a different domain to avoid previously set third-party cookies from being sent in request headers.
- Google Analytics will not read or write Google Ads cookies, and Google Signals features will be disabled.
- Full page URL is collected (including ad-click information, e.g. GCLID / DCLID)
If the ad_storage is denied, there’s an option to turn ads_data_reduction on as well. If ads_data_reduction is on, ad-click identifiers (e.g. GCLID / DCLID) are redacted from the full URL.
analytics_storage
analytics_storage is required for Google Analytics tags (both Universal and Google Analytics 4) on top of ad_storage, which we already discussed above.
If the analytics_storage is denied, the following happens:
- first-party analytics cookies can’t be written nor read.
- Cookieless pings will be sent to Google Analytics for future measurement. Google Analytics 4 will use cookieless pings for modeling (in the future).
All Google tags adapt their behavior based on the consent level that is set when these tags are fired. However, if the tag was fired without full consent (that means it was fired with limitations described above), if that consent is given later, the request is sent again, but this time with the upgraded consent mode activated.
For example, if the page view hit is sent to Google Analytics without analytics_consent, no _ga cookie is written. However, suppose the user grants access to the analytics_storage later on that page. In that case, the hit is resent again, and _ga cookie is created, which will be used for all next Google Analytics hits to stitch user data together based on the client identifier in the _ga cookie.
Integration of Non-Google tags with Consent Mode in GTM
It is possible to add requirements for consent levels for non-Google tags as well. By adding consent requirements to non-Google tags, you are pretty much adding a “blocking trigger” – if the conditions in the firing trigger are met, but the consent is not sufficient (the consent to the storage that was defined in the tag is not granted), the tag won’t fire.
Also, it’s important to note that this tag won’t fire again once sufficient consent is granted.
That means that for now, only Google tags are changing their behavior in a way to bypass the access to the storage. It is possible that in 2022 more vendors will update their GTM tag templates so these tags can still run in cookieless alternatives. (That’s what we would hope!)
Adding our Custom Variable to push Consent State
Adding consent mode to your GTM setup is quite straightforward once the website uses a CMP that is well integrated with the consent mode. All Google tags have the consent mode already built-in, so we don’t need to worry about those – we still need to add required consent to all non-Google tags. This can be added in tag settings for every single tag.
Since the consent levels are not available in the form of a variable (and it’s not readable from dataLayer either, unless CMP pushes these levels), you can download our variable template that returns the consent levels for different types of storage.
This simple variable uses the Consent mode API to get the consent level for the selected storage type – it will return ‘1’ if access to the selected storage is granted or ‘0’ if the access to that storage is denied. There’s no need to use these variables as a part of conditions in your (blocking) triggers, but it’s a useful tool to have, especially during the debugging process – to quickly evaluate what the consent levels in a specific moment were.
Also, you can include these values in your Google Analytics hits for further analysis, or to build custom logic in your server-side GTM container, so even if you process your hits server-side, you still respect your users’ consent!
The question remains if the other vendors will accept consent mode and modify their existing tags to support and integrate it. However, when we consider that we’re already heading to a cookieless future, we wouldn’t be surprised to see other vendors than Google modifying the logic of their GTM tags and leverage consent mode.
The Business Impact of Consent Mode
We believe implementing a solid Consent Management Platform that integrates tightly with Google Tag Manager and Google Consent Mode is the way forward for any business that relies on Google Tag Manager to measure marketing data.
By implementing this, you get a GDPR compliant and highly customizable setup with a minimal amount of technical debt regarding maintaining and upgrading in the future.
You also get to retain as much high-quality data as possible and build a fallback to cookieless tracking for cases where user consent limits you to measure user and session ids. This hybrid approach ensures that you retain as much data as possible.