Navigating the Grey: A Technical & Legal Audit of Google Consent Mode v2 Under GDPR

Published: June 16, 2026

Quick Answer: Google Consent Mode v2 (GCMv2) is an API framework that transmits user consent states to Google tags to adjust their behavior. The critical architectural choice is between Basic Mode (where tags are completely hard-blocked until explicit user opt-in) and Advanced Mode (where tags initialize pre-consent, sending cookie-less data pings containing device metadata if consent is denied). Under current EDPB Guidelines 11/2023, Advanced Mode introduces significant regulatory liability in the EU because accessing device parameters to transmit pings constitutes a terminal equipment interaction requiring prior, explicit consent under Article 5(3) of the ePrivacy Directive. For strict EU compliance, Basic Consent Mode remains the gold standard.


1. Introduction: The Clash of Privacy Law and Ad Tech Attribution

With the enforcement of the EU Digital Markets Act (DMA), Google designated itself as a regulatory “gatekeeper.” To maintain access to its core advertising, remarketing, and personalization features for web traffic originating within the European Economic Area (EEA), Google has made the implementation of Google Consent Mode v2 (GCMv2) strictly mandatory.

For technical web analysts, GCMv2 is a welcome engineering development. It promises to reclaim an estimated 65% to 70% of the conversion data “lost” to user opt-outs, by feeding machine-learning-based conversion modeling with the signals that are still collected.

For Data Protection Officers (DPOs), however, GCMv2 represents a significant compliance concern. It sits directly at the intersection of two overlapping European legal regimes:

  • The ePrivacy Directive (Directive 2002/58/EC): Governing any access to, or storage of, information on a user’s terminal equipment.
  • The General Data Protection Regulation (GDPR - Regulation 2016/679): Governing the processing of personal data, including pseudonymized identifiers and client IP addresses.

To make an informed choice on whether to deploy Basic or Advanced GCMv2, organizations must look past ad-tech marketing sheets and analyze the underlying mechanics against official regulatory texts.


2. Technical Mechanics: GCMv2 Parameters and Modes

GCMv2 adds two new consent parameters to the two that the existing tracking stack already used, giving Google granular control over how user data is processed:

  • analytics_storage: Controls whether analytics cookies can be written or read.
  • ad_storage: Controls whether advertising cookies can be written or read.
  • ad_user_data (New): Sets consent for sending user-specific data to Google for specialized advertising profiling.
  • ad_personalization (New): Sets consent for personalized ads (e.g., remarketing audiences).

The Architectural Split: Basic vs. Advanced Mode

[User Arrives on Website]

           ├─────────────────────────┐
           ▼                         ▼
   [BASIC CONSENT MODE]      [ADVANCED CONSENT MODE]
           │                         │
  Is Banner Accepted?       Is Banner Accepted?
     │           │             │           │
     ├─► NO      └─► YES       ├─► NO      └─► YES
     │                 │       │                 │
[Tags Remain     [Tags Load    [Tags Load        [Tags Load
  Blocked;        Normally;     Pre-Consent;      Normally;
 No Data Sent]    Cookies Set]  No Cookies Set;   Cookies Set]
                                Cookieless Pings
                                Sent to Google]

In Basic Mode, Google tags are completely hard-blocked from firing. If a user rejects consent or ignores the banner, the tag is never initialized. No network calls to Google’s domains (google-analytics.com, doubleclick.net) occur pre-consent. Google Ads can only perform very limited modeling based on historical trends, as it lacks a behavioral baseline of the non-consenting population.

In Advanced Mode, Google tags load immediately when the page renders, before the user interacts with the Consent Management Platform (CMP) banner. All four GCMv2 variables default to denied.

Because the tags load, they immediately execute network requests. If the user clicks “Reject,” Google does not write local browser cookies. Instead, it fires cookieless pings back to Google servers. These pings transmit:

  • Functional metadata: Timestamps, User-Agent strings (browser/operating system parameters), and Referrer URLs.
  • Consent states: Explicit signals indicating that consent was actively denied.
  • Ad-click parameters: Redacted or modified Google Click Identifiers (GCLID / DCLID) embedded within the landing URL.
  • Randomized cache-busters: Temporary, single-page-load numbers designed to prevent duplicate estimation errors during conversion modeling.
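A practical way to verify which mode a site actually runs is to capture its network requests and inspect the Google pings for the consent state they carry. The following audit helper is an added example, not code from the article or from Google; it works on a constructed HAR-style list of requests and reads the `gcs` consent-status parameter of GA4/Ads pings and the `dl` (document location) parameter for an embedded GCLID.

```javascript
// Added example (not from the article): audit captured requests to tell whether a
// site behaves like Basic or Advanced Consent Mode and what consent state each
// Google ping carried. Input is a constructed HAR-style list of {url, startedAt}.
// `gcs` is Google's consent-status flag on GA4/Ads pings: G1xy, where
// x = ad_storage and y = analytics_storage (0 = denied, 1 = granted).
const GOOGLE_HOSTS = ['google-analytics.com', 'doubleclick.net', 'google.com'];

function isGoogleHost(hostname) {
  return GOOGLE_HOSTS.some(h => hostname === h || hostname.endsWith('.' + h));
}

function decodeGcs(gcs) {
  const m = /^G1([01])([01])$/.exec(gcs || '');
  if (!m) return null;
  const s = d => (d === '1' ? 'granted' : 'denied');
  return { ad_storage: s(m[1]), analytics_storage: s(m[2]) };
}

// entries: requests in capture order; consentAt: ms timestamp of the banner click
// (null = the user never interacted with the banner).
// mode 'basic' = no request to a Google host before consent; 'advanced' otherwise.
function auditPings(entries, consentAt) {
  const preConsentHosts = [];
  const findings = [];
  for (const e of entries) {
    const u = new URL(e.url);
    if (!isGoogleHost(u.hostname)) continue;
    if (consentAt !== null && e.startedAt >= consentAt) continue; // post-consent: expected
    preConsentHosts.push(u.hostname);
    const state = decodeGcs(u.searchParams.get('gcs'));
    if (state && Object.values(state).includes('granted')) {
      findings.push(`storage granted before consent: ${e.url}`);
    }
    // GA4 sends the page URL in `dl`; a GCLID inside it is an ad-click identifier leaving pre-consent.
    if (/[?&]gclid=/.test(u.searchParams.get('dl') || '')) {
      findings.push(`GCLID transmitted pre-consent: ${e.url}`);
    }
  }
  return { mode: preConsentHosts.length ? 'advanced' : 'basic', preConsentHosts, findings };
}

// Constructed sample: one cookieless G100 ping before the banner click, one ping after.
const SAMPLE_CAPTURE = [
  { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&gcs=G100'
         + '&dl=https%3A%2F%2Fwww.example.com%2F%3Fgclid%3DCONSTRUCTED', startedAt: 1000 },
  { url: 'https://cdn.example.com/app.js', startedAt: 1100 },
  { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&gcs=G111', startedAt: 9000 },
];
console.log(auditPings(SAMPLE_CAPTURE, 5000));
```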

The primary legal vulnerabilities surrounding GCMv2 concentrate heavily on Advanced Mode. While marketed as a privacy-safe design, its technical implementation conflicts with several strict regulatory interpretations.

Under the ePrivacy Directive and GDPR, non-essential tracking technologies must not load before the user has provided explicit consent.

  • The Legal Precedent: CJEU Case C-673/17 (Planet49) and EDPB Guidelines 05/2020 confirm that consent must be prior and active.
  • The Violation: Advanced Mode fires network requests (pings) immediately upon page load. In practice, this means the website transmits user device telemetry to a third party before the user has even engaged with the consent banner.

B. IP Address Collection and Transatlantic Data Transfers

  • The Technical Reality: Every HTTP request is carried in IP packets whose headers contain the client’s IP address, so the receiving server necessarily sees it when the connection is established. While Google states that IP addresses are processed in local EU landing servers and immediately discarded, the processing still takes place.
  • The Legal Precedent: Under GDPR Article 4(1), IP addresses constitute unambiguous personal data (Breyer v. Bundesrepublik Deutschland). Transmitting this data to infrastructure subject to US surveillance laws (such as FISA Section 702) pre-consent constitutes an unauthorized international data transfer vector if not properly isolated.

Grey Areas (High Regulatory Risks)

A. The ePrivacy Article 5(3) Loophole: “We Don’t Use Cookies”

  • Google’s Position: Cookieless pings do not read or write physical cookie files on the terminal device when consent is denied. Therefore, they argue it falls outside the scope of the ePrivacy Directive.
  • The Regulatory Counterpoint: EDPB Guidelines 11/2023 on the Technical Scope of Article 5(3) of the ePrivacy Directive clarify that “terminal equipment storage” is not limited to cookies. The EDPB explicitly rules that “gaining access” occurs when a website instructs a user’s browser to send specific technical information (such as User-Agent, screen resolution, or tracking parameters in the URL) back to a server. Because these technologies read and transmit device characteristics (fingerprinting), they require prior consent.
  • The Legal Argument: Some ad-tech analysts argue that since Advanced Mode skips cookie storage, the subsequent processing of cookieless pings for AI “conversion modeling” can be justified under GDPR Article 6(1)(f) (Legitimate Interest).
  • The Legal Counterpoint: You cannot use Legitimate Interest under the GDPR to bypass a consent requirement mandated by the ePrivacy Directive. Because the initial collection of the data triggers ePrivacy Article 5(3) via device access, consent is the only legally valid gateway. If the collection method is unlawful under ePrivacy, any subsequent processing is legally compromised.

4. Official Regulatory Citations

To build a reliable legal defense, DPOs must refer exclusively to official regulatory outputs rather than marketing documentation:

  1. European Data Protection Board (EDPB)

    • Guidelines 11/2023 on the Technical Scope of Article 5(3) of the ePrivacy Directive (v1.0): Section 4.1 (IP-only tracking) and Section 4.2 (URL tracking / GCLID) confirm that transmitting IP addresses and passing unique identifiers inside URL query parameters to third parties constitutes terminal device access requiring consent.
    • Guidelines 05/2020 on Consent under Regulation 2016/679: Paragraph 40 notes that a controller must ensure consent is obtained before any data processing starts.
  2. Commission Nationale de l’Informatique et des Libertés (CNIL - France)

    • Position on Consent-Exempt Analytics: The CNIL maintains that for an analytics tool to be exempt from consent, it must be strictly limited to producing anonymous, first-party statistical measurements for the publisher alone. GA4 with GCMv2 does not qualify, as data is shared with the broader Google ad ecosystem for cross-site optimization.
  3. UK Information Commissioner’s Office (ICO)

    • Guidance on PECR and Cookies: The ICO states clearly that all cookies and tracking technologies (including pixels and beacons used for analytics or advertising) require prior consent. The ICO does not recognize a “modeling exemption” for cookieless tracking that transmits device metadata back to ad networks without explicit opt-in.

5. DPO Assessment Matrix: Basic vs. Advanced GCMv2

This matrix is designed for DPOs conducting a Data Protection Impact Assessment (DPIA) or a Legitimate Interest Assessment (LIA) for European operations.

| Compliance Vector | Basic Consent Mode | Advanced Consent Mode |
| --- | --- | --- |
| Pre-Consent Tag Load | None. Tags are completely blocked until consent is granted. | Immediate. Tags initialize and load in the background before user interaction. |
| ePrivacy Art. 5(3) Risk | Zero risk. No terminal device storage or access occurs. | High risk. Reads user-agent parameters, screen dimensions, and URL identifiers. |
| GDPR Art. 6 Lawful Basis | Consent (freely given, specific, informed). | Often relies on Legitimate Interest for modeling, which is legally fragile due to ePrivacy overlap. |
| US Data Transfer Exposure | Zero pre-consent. Data only flows to US servers after opt-in. | Moderate to High. Transmits IP address and browser telemetry to Google networks pre-consent. |
| Fingerprinting Vulnerability | None. | High. Aggregated browser metadata in pings can easily be classified as device fingerprinting. |
| DPA Enforcement Risk | Negligible. Fully aligned with EDPB standards. | High. Vulnerable to structural complaints under ePrivacy Art. 5(3). |

6. Technical Implementer’s Guide: Basic vs. Advanced

For a technical web analyst, the choice of implementation is dictated directly by the organization’s Risk Tolerance Profile.

Scenario A: Strict Compliance (The DPO-First Approach)

If your legal team has a zero-risk policy or you operate within highly regulated sectors (healthcare, finance, public sector), you must implement Basic Consent Mode.

Technical Architecture in Google Tag Manager (GTM):

  1. Do Not Use Advanced Defaults: Do not configure your Consent Management Platform (CMP) to load Google tags before consent is granted.
  2. Consent Initialization Trigger: Ensure your CMP script loads exclusively on the Consent Initialization trigger.
  3. Strict Blocking Triggers: Configure GTM triggers for Google Analytics and Google Ads to fire only when the custom event from your CMP (e.g., cookie_consent_marketing = true) is pushed to the dataLayer.
  4. Tag Settings: Under GTM Tag Advanced Settings -> Consent Settings, configure your tags to require explicit consent categories (e.g., ad_storage, analytics_storage) before execution.
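Steps 2 to 4 above are GTM configuration, but the piece that has to be written is the glue between the CMP’s choices and the GCMv2 signals. The block below is an added example, not code from the article or from any CMP vendor; it assumes the CMP reports `marketing` and `statistics` booleans and that the Google Ads and Analytics tags are triggered only by the `cookie_consent_*` events it pushes.

```javascript
// Added example (not from the article or any CMP vendor): the glue that turns a
// CMP's category choices into GCMv2 signals and gating events for a Basic Mode
// setup. Assumptions: the CMP reports {marketing, statistics} booleans, and the
// GTM tags for Google Ads/Analytics are triggered only by the events pushed here.
const root = typeof window !== 'undefined' ? window : globalThis;
root.dataLayer = root.dataLayer || [];
function gtag() { root.dataLayer.push(arguments); }

// Everything denied until the user acts; wait_for_update gives the CMP 500 ms to answer.
function initConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied', analytics_storage: 'denied',
    ad_user_data: 'denied', ad_personalization: 'denied',
    wait_for_update: 500,
  });
}

// Map CMP categories onto the four GCMv2 parameters. All three ad_* signals follow
// the "marketing" category; anything that is not an explicit true stays denied.
function toConsentState(choice) {
  const yn = v => (v === true ? 'granted' : 'denied');
  return {
    ad_storage: yn(choice.marketing),
    ad_user_data: yn(choice.marketing),
    ad_personalization: yn(choice.marketing),
    analytics_storage: yn(choice.statistics),
  };
}

// Called by the CMP when the user decides. Sends the consent update and pushes the
// opt-in events that the blocking triggers wait for; returns them for verification.
function applyConsent(choice) {
  const state = toConsentState(choice);
  gtag('consent', 'update', state);
  const events = [];
  if (state.ad_storage === 'granted') events.push('cookie_consent_marketing');
  if (state.analytics_storage === 'granted') events.push('cookie_consent_statistics');
  for (const event of events) root.dataLayer.push({ event });
  return events;
}
```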

Scenario B: Risk-Managed / Performance-First (The Analyst Approach)

If your organization accepts a calculated risk profile in exchange for data recovery, and seeks to deploy Advanced Mode, you must apply maximum technical mitigations to reduce exposure.

Technical Mitigations for Advanced Mode:

Overwrite your initialization snippet to force data redaction, block URL passthroughs, and pass internal developer flags to enforce server-side IP isolation inside the Google infrastructure:

// Example of a highly mitigated GCMv2 default state configuration.
// This must run before the gtag.js / GTM container snippet is loaded.
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

gtag('consent', 'default', {
  ad_storage: 'denied',
  analytics_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  wait_for_update: 500 // ms to wait for the CMP's consent update before tags proceed
});

// Mitigation 1: Redact advertising data parameters in pings while ad_storage is denied
gtag('set', 'ads_data_redaction', true);

// Mitigation 2: Disable URL passthrough (prevents GCLID/DCLID transmission via URL parameters)
gtag('set', 'url_passthrough', false);

// Mitigation 3: Developer ID flag. The article presents this as an IP-isolation signal;
// in Google's documentation developer_id.* values identify the integrating platform,
// so verify its actual effect before relying on it as a privacy control.
gtag('set', 'developer_id.dNDFmYto', true);

Why Server-Side GTM is the Ultimate Mitigation

If you are deploying Advanced Consent Mode, routing pings through a Server-Side Google Tag Manager (sGTM) container hosted within the EU (e.g., GCP in Frankfurt) is the most robust mitigation path:

  • IP Masking: The client browser sends the ping to your first-party sub-domain (metrics.yourdomain.com). Your server strips the client IP address completely before forwarding the payload to Google’s servers.
  • User-Agent Reduction: You can sanitize or aggregate the User-Agent header on your server, preventing device fingerprinting.
  • Third-Party Cookie Removal: Because the request goes to your first-party domain, no third-party Google cookies (google.com, doubleclick.net) can be read or sent in the request header pre-consent.
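What “strip the IP” and “reduce the User-Agent” mean in code is shown below as an added example; it is not sGTM template code and not from the article. It models the header sanitisation a first-party collection endpoint such as `metrics.yourdomain.com` would apply before forwarding a ping upstream; the helper names and sample headers are constructed.

```javascript
// Added example (not from the article and not sGTM template code): the header
// sanitisation a first-party collection endpoint (e.g. metrics.yourdomain.com)
// applies before forwarding a ping to Google. Helper names are assumptions;
// the sample headers are constructed.
const CLIENT_IP_HEADERS = ['x-forwarded-for', 'x-real-ip', 'forwarded',
  'cf-connecting-ip', 'true-client-ip'];

// Reduce a full User-Agent to browser family and major version; Edg is checked
// before Chrome because Edge's UA also contains a Chrome/ token.
function reduceUserAgent(ua) {
  for (const family of ['Edg', 'Firefox', 'Chrome', 'Safari']) {
    const m = new RegExp(`${family}/(\\d+)`).exec(ua || '');
    if (m) return `${family}/${m[1]}`;
  }
  return 'unknown';
}

// Build the outbound header set. Client-IP carriers are always dropped (the upstream
// request originates from the server's own address); before consent, cookies are
// dropped too and the User-Agent is reduced so the ping carries no fingerprint.
function sanitizeForUpstream(headers, consented) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (CLIENT_IP_HEADERS.includes(key)) continue;
    if (!consented && key === 'cookie') continue;
    if (!consented && key === 'user-agent') { out[key] = reduceUserAgent(value); continue; }
    out[key] = value;
  }
  return out;
}

// Constructed sample request headers as received by the first-party endpoint.
const SAMPLE_HEADERS = {
  'X-Forwarded-For': '203.0.113.7',
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36',
  'Cookie': '_ga=GA1.1.CONSTRUCTED',
  'Content-Type': 'text/plain',
};
console.log(sanitizeForUpstream(SAMPLE_HEADERS, false));
```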

7. FAQ Section

Q1: Does GCMv2 replace a consent banner or CMP?

No. GCMv2 is not a consent banner; it is a signaling API. It cannot collect, record, or log consent from users. You still require a certified CMP (such as Usercentrics, Didomi, or Cookiebot) to render the cookie banner, record user choices, and translate those choices into GCMv2 variables via the GTM dataLayer.

Q2: What happens if I do not pass the new ad_user_data and ad_personalization signals?

If you do not pass the mandatory ad_user_data and ad_personalization signals to Google, your advertising capabilities for EEA users will be severely restricted. Specifically, you will be unable to build remarketing lists in Google Ads, leverage Enhanced Conversions, or run personalized ad campaigns targeting users within the European Union.

Q3: Is “Basic Mode” fully GDPR compliant?

Yes. Basic Consent Mode is the gold standard of compliance. Because Google tags do not load and no network requests are transmitted to Google domains before the user explicitly clicks “Accept”, there is no risk of unauthorized data processing or ePrivacy violations.

Q4: Why do European DPAs view “cookieless pings” as a violation of the ePrivacy Directive?

Under Article 5(3) of the ePrivacy Directive, any access to information on a user’s device requires prior consent unless it is “strictly necessary” to deliver a service requested by the user. European DPAs clarify that “access” includes reading browser configuration telemetry (User-Agent, screen size, IP, and unique URL click identifiers) when a script executes. Because cookieless pings rely on reading this device metadata, they require prior opt-in consent, even if no cookie file is written to the hard drive.

Q5: Can I configure GCMv2 to run “Advanced” in some countries and “Basic” in others?

Yes. This is called Region-Specific Consent Mode. You can configure your Tag Manager setup to automatically load GCMv2 in Basic Mode for users originating from the EEA, UK, and Switzerland (due to strict GDPR/ePrivacy enforcement), while running Advanced Mode for users in jurisdictions with opt-out regimes (such as certain US states). This allows you to maximize data modeling globally while mitigating legal risks within the European Union.
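The gtag consent API supports this directly through the `region` key of the default command (ISO 3166-1 country codes or ISO 3166-2 subdivision codes). The block below is an added example, not from the article; it assumes that the strict regions are the EEA, UK and Switzerland, that those regions also have their tags gated as in Scenario A, and that everywhere else is treated as an opt-out regime with granted defaults.

```javascript
// Added example (not from the article): region-specific GCMv2 defaults using the
// `region` key of the consent default command. Strict regions default to denied
// (and should also have their tags gated, i.e. Basic Mode); every other region is
// assumed here to be an opt-out regime and defaults to granted (Advanced Mode).
const root = typeof window !== 'undefined' ? window : globalThis;
root.dataLayer = root.dataLayer || [];
function gtag() { root.dataLayer.push(arguments); }

const EU27 = ['AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE'];
const STRICT_REGIONS = [...EU27, 'IS', 'LI', 'NO', 'GB', 'CH']; // EEA + UK + Switzerland

function consentDefaultsByRegion(strict = STRICT_REGIONS) {
  const denied = {
    ad_storage: 'denied', analytics_storage: 'denied',
    ad_user_data: 'denied', ad_personalization: 'denied',
    wait_for_update: 500, region: strict,
  };
  const granted = {
    ad_storage: 'granted', analytics_storage: 'granted',
    ad_user_data: 'granted', ad_personalization: 'granted',
  };
  // The most specific matching region wins; the command without `region` is the catch-all.
  gtag('consent', 'default', denied);
  gtag('consent', 'default', granted);
  return { denied, granted };
}

// Audit helper: which default applies to a visitor from a given region code?
// Accepts 'DE' as well as subdivision codes such as 'US-CA'.
function defaultFor(regionCode, strict = STRICT_REGIONS) {
  const country = regionCode.split('-')[0];
  return strict.includes(regionCode) || strict.includes(country) ? 'denied' : 'granted';
}
```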


8. Summary of Actionable Recommendations

  1. DPO & Legal Strategy: Unless your organization has an explicitly defined and high-risk-tolerant legal appetite, mandate the implementation of Basic Consent Mode for all EU/EEA and UK traffic.
  2. Technical Deployment: Set up Region-Specific configurations in GTM. Implement Basic Consent Mode in the EEA/UK and Advanced Mode in jurisdictions where implied consent or opt-out tracking is legally recognized.
  3. Advanced Mode Mitigations: If your business operations require Advanced Mode in the EU, you must set ads_data_redaction to true, set url_passthrough to false, and deploy Server-Side GTM to strip client IP addresses and truncate User-Agents before they are transmitted to Google’s networks.