Compliance Guide
The Truth About Google Consent Mode v2 & GDPR
GDPR is a complex topic, involving many areas, not just cookies.
ConsentGuard.io cannot guarantee that you are fully compliant, but we detect issues that make you non-compliant.
We're not here to criticize Google or tell you to use Basic or Advanced consent mode.
Many site owners assume that simply enabling Google Consent Mode v2 makes them GDPR compliant. The reality is much more complex, and one configuration carries significant legal risk.
Google Consent Mode v2 is a tool that helps you manage how Google's tags behave based on the consent status of your users. However, it is not a compliance solution in itself. In fact, depending on how you configure it, you might be violating GDPR requirements regarding "prior consent."
The Two Modes: Basic vs. Advanced
To remain GDPR compliant, it is critical to understand the difference between the two implementation modes.
1. Basic Mode (Safest for Compliance)
This is the conservative, privacy-first approach that is widely considered GDPR compliant.
- How it works: Google tags are completely blocked from loading until the user interacts with your cookie banner and grants consent.
- Why it's compliant: No data (not even anonymized "pings") is sent to Google servers before the user says "Yes." This aligns perfectly with the GDPR's requirement for "prior consent."
- The Trade-off: You lose more data. If a user ignores the banner or declines, you get zero data from them—no analytics, no conversion tracking.
2. Advanced Mode (Compliance "Grey Area")
This is the configuration Google pushes for better data modeling, but it carries legal risk.
- How it works: Google tags load immediately, even before the user grants consent. If the user declines (or hasn't clicked yet), the tags send "cookieless pings" to Google.
- The Compliance Issue: These "pings" technically transmit the user's IP address and User Agent to Google servers. Under GDPR, an IP address is often considered Personal Identifiable Information (PII).
- The Debate: Google claims they "redact" (delete) the IP addresses immediately upon receipt. However, many EU Data Protection Authorities (DPAs) argue that the act of transmission of an IP address without consent is a violation, regardless of what the receiver does with it later.
Comparison Summary
| Feature | Basic Mode | Advanced Mode |
|---|---|---|
| Data Collection | Only after consent | "Pings" sent without consent |
| GDPR Status | Compliant | Controversial / Grey Area |
| Data Quality | Lower (100% loss on reject) | Higher (Modeled data) |
What You Need to Do
- Use a Certified CMP: You generally must use a Google-certified Consent Management Platform (like Cookiebot, OneTrust, CookieYes, etc.) to collect the user's choice.
-
Ensure Correct Signal Mapping: You must ensure the new v2 signals (
ad_user_dataandad_personalization) are correctly mapped to your user's consent choices. -
Choose Your Risk Level:
- Low Risk (Recommended): Use Basic Mode. Ensure your CMP blocks all Google tags from firing until consent is
granted. - Higher Risk: Use Advanced Mode. You may get ~60-70% of "lost" conversion data back through modeling, but you risk a potential future ruling that the "cookieless pings" are non-compliant.
- Low Risk (Recommended): Use Basic Mode. Ensure your CMP blocks all Google tags from firing until consent is
How ConsentGuard Helps
ConsentGuard monitors your implementation 24/7 to ensure that your technical setup matches your policy. We detect if tags are firing before consent (a common implementation error) and if the correct signals are being sent to Google.