Consent Mode v2 Explained for Marketing Teams
A mid-sized retailer in Dublin runs Google Ads, has a cookie banner, and saw remarketing audiences shrink to nothing in late 2025. Their developer had implemented “Consent Mode v2”, meaning they’d added the API parameters Google asked for. They had not added a Google-certified CMP. Two systems, one product name, and the team had built one of them.
Consent Mode v2 is not a compliance solution. It is a signalling layer that sits between a separately required consent management platform and Google’s advertising and measurement stack. Most marketing teams treat it as one product. France’s CNIL, the UK’s ICO, and Google’s automated enforcement all treat it as two. The cost of conflating them sits in three places: regulator fines, switched-off ad features, and quietly degraded modelled conversion reports.
What Consent Mode v2 actually is
Consent Mode is a Google-developed API. Tags from Google Ads, Google Analytics 4, Floodlight, and Campaign Manager 360 read consent signals from this API and adjust their behaviour accordingly. In late 2023, Google added two parameters, ad_user_data and ad_personalization, to the existing two (ad_storage, analytics_storage).The four-parameter version is Consent Mode v2.
The signalling is the API’s only function. Consent Mode does not collect consent. It does not display a banner. It does not log a user’s choice. It carries the choice, wherever it was made, into Google tags, so that Google’s measurement and advertising systems behave according to the user’s stated preference.
Anything that collects, displays, or stores the choice itself is the consent management platform, which is a separate product subject to separate requirements. This distinction is where most implementations fail.
What it isn’t: a CMP
A consent management platform is the user-facing layer. It runs the banner, records the choice, surfaces the preference centre, and stores a consent log that has to stand up to a regulator. Under the EU User Consent Policy and Google’s publisher requirements, advertisers and publishers serving personalised ads to users in the EEA and the UK must use a CMP that is Google-certified and integrated with the IAB Transparency and Consent Framework. A certified CMP integrated with the TCF has been required for personalised ads to EEA and UK users since 16 January 2024.
The CMP and Consent Mode v2 talk to each other through the API. The CMP fires the consent state; the Google tags read it. If the CMP is missing, the signal still fires, but it carries no underlying lawful basis. If the signal is missing, the CMP collected consent that Google’s tags can’t see.
Either failure mode produces visible damage. A missing CMP triggers regulator enforcement: Article 5(3) of the ePrivacy Directive, and Article 82 of the French Data Protection Act in France, were the basis for the largest cookie fines on record. A missing or broken signal triggers Google’s own enforcement: blocked remarketing audiences, frozen Performance Max optimisation, and dropped conversion modelling.
Why this architecture exists
Three converging regulatory pressures put Consent Mode v2 in its current form.
The GDPR and the ePrivacy Directive set the legal baseline. Storage of, or access to, information on a user’s terminal equipment, including cookies, pixels, fingerprinting, and local storage, requires prior, freely given, specific, informed, and unambiguous consent, with narrow exceptions. In November 2023 the European Data Protection Board published Guidelines 2/2023 on the Technical Scope of Article 5(3) of the ePrivacy Directive, confirming that the consent requirement applies not just to cookies but to tracking pixels, tracking links, device fingerprinting techniques, certain local processing, IoT reporting, and IP-based tracking. The guidance was finalised in October 2024 and is the EU’s working interpretation of what counts as “tracking” for consent purposes.
The Digital Markets Act designated Google as a gatekeeper, which created an obligation for Google itself to obtain end-user consent before processing personal data for advertising or for combining data across services. Google could not realistically run that consent collection at every advertiser’s website. The architecture passes that obligation downstream: advertisers and publishers must collect consent through a certified CMP and signal the result back to Google through Consent Mode.
National data protection authorities then converted that architecture into enforcement. The EDPB’s Cookie Banner Taskforce, set up to coordinate enforcement across member states, established a baseline that has shaped every subsequent national fine. A “reject” option must be on the first layer of the banner, with equal prominence to “accept”. Pre-ticked boxes are not consent. Consent must be as easy to withdraw as to give. National data protection authorities across the EU have enforced against this baseline; the largest fines on record have come from France.
What separates the regulators from Google
Marketing teams sometimes treat the two enforcement regimes as the same thing. They are not.
The regulators care about whether the CMP collects valid consent and whether non-essential tags are blocked until consent is given. They look at the banner UX, the consent log, the cookie inventory, and the dark pattern audit. Their primary instrument is Article 5(3) ePrivacy and the equivalent national transposition. Their fines target the controller, which is the advertiser’s own legal entity.
Google cares about whether its tags receive the right signals to keep its advertising products running within the EU User Consent Policy. Its enforcement instrument is automated. Missing or invalid consent signals trigger feature degradation. Audience lists stop populating. Conversion modelling stops calibrating. Demographics drop out of GA4 reports. Mobile apps that hadn’t fully implemented Consent Mode v2 saw conversion tracking, remarketing, and personalisation silently turned off from 21 July 2025.
The two systems can fail independently. A site can have a perfectly legal banner and a broken Consent Mode signal: Google’s products degrade while the regulator stays away. A site can have a frictionless signal that fires correctly to Google but a non-compliant banner: Google is happy and the CNIL writes a fine. A guide for CMOs is, in practice, a guide to passing both audits.
Basic vs Advanced: the measurement trade-off
Within Consent Mode v2, the meaningful choice is Basic versus Advanced. The names are misleading. The actual difference is whether Google tags load before consent.
In Basic mode, Google tags do not load until the user accepts. If the user denies, the tags never fire. No data flows to Google for that user: no measurement, no advertising, no modelling. The cookie banner becomes the gatekeeper for the entire Google measurement stack.
In Advanced mode, Google tags load with a default state of denied for all four parameters. When the user grants consent, the state updates to granted and the tags begin recording fully. When the user denies, the tags continue to fire, but in a restricted state, sending what Google calls “cookieless pings”: anonymous signals about page views and conversion events, with no identifiers that link back to an individual.
Advanced mode is what feeds Google’s conversion modelling. Without those cookieless pings from denied users, the model has nothing to calibrate against. Google’s documentation is explicit: conversion modelling activates once an advertiser meets a daily ad click threshold of 700 ad clicks over a seven-day period, per country and domain grouping. Below that volume, the implementation is correct and the modelled column stays empty.
This threshold is the rule that quietly stratifies the market. An enterprise advertiser with high traffic in three EEA countries will see modelled conversions flow into Google Ads diagnostics within a week of switching to Advanced. A mid-market advertiser with the same compliance posture, but spread across six countries with 100 clicks each, will not. They meet the legal requirement, they keep their remarketing audiences populated, but they do not see the reported conversion uplift the architecture was supposed to provide. The 10 to 30% modelling uplift that vendors quote is real and visible in the diagnostics tab of accounts that meet the volume threshold; it is invisible to accounts that don’t.
Why most teams choose Basic, and why that’s usually wrong
Basic mode looks safer. The legal team understands “tags don’t fire until the user clicks accept.” There are no cookieless pings to explain to a sceptical DPO. The cookie inventory matches the banner exactly.
The cost is measurement. Consented users convert at materially higher rates than unconsented users, since users who reject cookies skew lower intent. Even so, on most sites, denied-consent traffic carries enough conversion volume that losing all visibility is expensive. Smart Bidding optimises on the data it sees. If it sees only consented users, it bids on the half of traffic most likely to consent and ignores the rest.
The right default for almost all advertisers is Advanced, with one caveat. Some legal teams object to cookieless pings on principle, on the grounds that any data leaving the device after denial undermines the spirit of the consent. This is not how data protection authorities have read the rules. Properly anonymous pings without identifiers fall outside the GDPR definition of personal data. But it is a defensible internal position. If the position holds, the cost of holding it is roughly 10 to 30% of measurable conversions on EEA traffic, plus the loss of model-trained Smart Bidding accuracy. That cost should be visible to the CMO and weighed against the legal team’s risk tolerance, not absorbed silently in a default setting.
What the regulators are actually fining
The largest cookie fines in 2025 were not for missing Consent Mode signals. They were for non-compliant CMPs. On 1 September 2025, the CNIL imposed a €325 million fine on Google: €200 million on Google LLC and €125 million on Google Ireland Limited, for displaying advertisements between Gmail messages without consent and for placing cookies during Google account creation without valid consent. The breach affected more than 74 million accounts.
The CNIL’s pattern is instructive. The first layer of the banner had to provide an equally accessible reject option; it didn’t. Pre-selection had to be neutral; it nudged. Asymmetric design, making refusal harder than acceptance, was treated as invalidating consent. The decision considered Google’s prior cookie violations from 2020 and 2021 as aggravating, and recidivism multiplied the penalty.
The same week, the CNIL fined Shein €150 million for placing advertising cookies before any user action and for continuing to track users who had clicked “Reject all.” The decision made a separate point that matters for cross-border CMOs: ePrivacy enforcement does not run through GDPR’s one-stop-shop mechanism. A non-French company with French users can be enforced against directly by the CNIL whenever those users are affected.
Both decisions cite the substance of the EDPB Cookie Banner Taskforce baseline. The taskforce report has been the operating manual for European cookie enforcement since January 2023, and it is the document a CMO’s privacy counsel should be working from when reviewing a banner.
The UK is diverging, slightly and recently
UK enforcement has its own trajectory. The Information Commissioner’s Office made online tracking a strategic priority in 2025. The ICO assessed the cookie practices of the top 200 UK websites and notified 134 of them of compliance concerns, as part of a broader plan to bring the UK’s top 1,000 websites into compliance. The same office published guidance on “consent or pay” models, finding them lawful in principle but only when the paid alternative is genuinely free of personalised tracking and the choice is truly free.
The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, brought the most material UK divergence to date. From 5 February 2026, three new categories of cookies and similar technologies became exempt from PECR consent, narrowly: cookies for statistical analysis, for website appearance, and for certain low-risk purposes. The Act also raised the maximum PECR fine to £17.5 million or 4% of global annual turnover, whichever is higher, a thirty-five-fold increase on the previous £500,000 cap.
The ICO published its finalised guidance on storage and access technologies on 29 April 2026, reflecting the Act’s PECR changes and the regulator’s working position on what counts as “strictly necessary.” Advertising and analytics cookies remain firmly in the consent zone. The DUA exemptions are narrower than they sound; the penalty escalation is large.
The practical UK position for a CMO running EEA and UK traffic is straightforward. The compliance baseline is broadly the same as the EU: same banner principles, same consent definition, same Consent Mode v2 implementation through a Google-certified CMP. The fines are now meaningful enough that “we’ll fix it if we get a letter” is no longer a defensible internal position.
TCF v2.3 and the moving floor
The IAB Transparency and Consent Framework is the protocol through which Google-certified CMPs communicate consent state for the IAB’s vendor list. TCF v2.3 became mandatory on 1 March 2026. The change is technical, since the consent string now includes a “Disclosed Vendors” segment that lists which IAB vendors were shown to the user, but the operational consequence is sharp. CMPs that hadn’t updated by the deadline produce non-conforming TC strings, which Google’s ad stack treats as missing consent. The result is the same as a missing signal: limited or dropped ad serving.
A CMO reviewing the technology stack should know which CMP version their team is on, what TCF version it serves, and when the vendor most recently updated. “We have a CMP” is not the same as “we have a current Google-certified CMP.” Vendor selection is part of compliance.
Implementation: the order of operations
A working Consent Mode v2 implementation has six moving parts in a specific order.
The CMP loads first. Before any Google tag, before any third-party tracker, the CMP script must be on the page and ready to receive interactions. Tag Manager containers should be configured so that the CMP fires unconditionally on every page.
The default consent state is declared. Before the user sees the banner, Consent Mode must declare default values for all four parameters, typically denied for EEA and UK traffic and granted elsewhere, with the region segmentation specified by ISO 3166-2 codes. This declaration tells Google tags how to behave during the brief window between page load and user choice.
Google tags fire in a restricted state. In Advanced mode, tags load and send cookieless pings. In Basic mode, they wait. Either way, no full-fidelity measurement happens before the user has interacted with the banner.
The user makes a choice. The CMP records the choice, writes the consent log, and immediately calls the Consent Mode update command with the new state.
The state propagates. Every subsequent Google tag fire respects the updated state. Conversions, audience signals, and remarketing inclusions follow.
The consent log is auditable. The CMP retains a record of when each user gave consent, to what, and through what banner version. A regulator audit will ask for this log; a CMP that cannot produce it has not satisfied the accountability principle.
Two technical failure modes recur. The first is a tag firing before the default state is set, usually because the CMP loads asynchronously and the developer didn’t sequence the calls. The second is partial page coverage, with Consent Mode firing on most pages but missing on a checkout step, a post-purchase page, or a subdomain. Google’s diagnostics flag both. Both degrade modelling materially.
The CMO read
Most of this is the Head of Performance’s job to implement and the DPO’s job to validate. The CMO’s job is to ask the questions that surface whether either has actually happened.
The questions worth asking the team are concrete. Which CMP are we on, and is it Google-certified? When did it last update its TCF version? Are we running Basic or Advanced Consent Mode, and who made that decision? What is our current consent rate, by country? Where in Google Ads diagnostics does our modelling uplift sit, and if it’s blank, why? Does Consent Mode fire on 100% of pages, including the post-purchase flow, the account area, and any subdomains? When did Legal last sit down with the banner, and which EDPB and CNIL precedents did they review against?
If the answers are vague, the implementation is probably half-built. Half-built is the most expensive state. It carries the implementation cost without the measurement benefit, and it carries the legal exposure without the compliance defensibility.
What this means
Consent Mode v2 is not a single problem with a single solution. It is the meeting point of three separate systems: a CMP that satisfies regulators, a signalling layer that satisfies Google, and a measurement architecture that recovers as much of the unconsented traffic as the rules allow. The three pull in different directions. A CMP optimised for consent rate may use design choices the CNIL has fined for. A signalling layer optimised for measurement may load tags faster than Legal is comfortable with. A modelling implementation optimised for Smart Bidding accuracy depends on volume thresholds that mid-market advertisers can’t meet on a per-country basis.
The architecture works when those tensions are resolved deliberately rather than by default. That is a strategy question, not a tag implementation question. The teams that get this right treat consent as a UX surface, a decision that affects banner design, page load sequencing, and measurement architecture together. The teams that don’t end up paying twice: once in fines, once in dark conversions.
