Why GTM consent mode is confusing
Consent in GTM is confusing because it spans three systems that rarely get explained together:
- Your CMP collects and stores the visitor’s consent choice.
- GTM receives those choices and exposes them as consent states.
- Google tags (GA4, Google Ads, Floodlight) change behavior based on those states.
Each layer has its own documentation and assumptions about what you already know. Google’s help docs cover GTM, Ads, and the Consent API separately; CMP docs focus on their own UI and assume you already understand consent frameworks. Most practitioners end up stitching together partial explanations written for different audiences and different versions of Consent Mode.
The Consent Mode v2 rollout in early 2024 amplified this. Implementations that worked under v1 suddenly needed two new consent signals (ad_user_data and ad_personalization), and many teams rushed to patch setups against a deadline. As a result, it’s common to inherit containers where v2 is technically present but mapped incorrectly or only partially implemented.
The basics of GTM consent mode
Consent Mode is Google’s framework for letting tags adapt to a visitor’s consent choices. It relies on two commands that should run at specific points in the page lifecycle:
consent_default– fires as early as possible (before any tags) to set the default consent state. For EU traffic this usually means denying all consent types until the user actively opts in.consent_update– fires after the visitor interacts with the banner and communicates their actual preferences.
These commands control four consent types:
| Type | What it controls |
|---|---|
| ad_storage | Advertising cookies (Google Ads, Floodlight, remarketing) |
| analytics_storage | Analytics cookies (GA4 measurement) |
| ad_user_data | Sending user data to Google for advertising purposes |
| ad_personalization | Personalized advertising and remarketing |
ad_storage and analytics_storage are the original consent types. ad_user_data and ad_personalization were added with Consent Mode v2 in 2024 to meet Digital Markets Act requirements. For sites serving EEA users and using Google advertising products, Google will not process conversion data for ads unless these v2 signals are correctly configured.
Basic vs advanced consent mode in GTM
Consent Mode can run in basic or advanced variants, and the choice has real implications.
Basic consent mode
In basic mode, tags simply do not fire until consent is granted. If a visitor denies consent, no data is sent to Google at all—no cookies, no pings, nothing. This can mean losing 30–70% of your European measurement data, depending on consent rates, but the compliance position is straightforward: a denial means no tracking.
Simo Ahava’s article “Basic Consent Mode: The Guide” is a clear, implementation-focused walkthrough of this setup.
Advanced consent mode
In advanced mode, tags can still fire when consent is denied, but in a cookieless configuration. They send limited pings to Google (e.g., page URL, timestamp, browser details) without setting cookies or attaching persistent identifiers. Google then uses conversion modeling to estimate conversions that would otherwise be lost, often recovering 65–80% of the data basic mode would drop.
Simo Ahava’s “Consent Mode V2 For Google Tags” details exactly what is sent and how tags behave under different consent states.
The trade-off
Advanced mode improves measurement but raises questions: some privacy advocates argue that any data transmission after a user denies consent—even without cookies—may conflict with the spirit or letter of local regulations. Some regulators have also questioned whether IP-based, cookieless pings truly respect a denial.
There is no universal best choice. Some organizations prioritize basic mode for maximum compliance clarity; others adopt advanced mode to preserve measurement for optimization and attribution. The key is to make this decision consciously, with your privacy team involved, rather than defaulting to advanced mode because it’s the most data-friendly option.
How CMPs connect to GTM consent mode
A consent management platform (CMP) handles the visitor-facing side of consent—banners, preference storage, and signaling choices to GTM.
Most CMPs integrate with GTM in one of two ways:
- Consent API integration (preferred)
The CMP calls GTM’s Consent API directly, setting consent_default and consent_update. Google tags then respect these states automatically, without complex trigger logic. This is cleaner and less error-prone, and it’s what Google recommends.
- Data layer integration
The CMP pushes consent states into the data layer, and you manually map those values to GTM consent types. This offers flexibility but increases the risk of misconfiguration.
The CMP market has consolidated, with Usercentrics and Cookiebot merging into a major provider. Other common CMPs include OneTrust, CookieYes, Iubenda, and Osano. Google’s CMP Partner Program certifies CMPs at Bronze, Silver, and Gold tiers based on integration quality and features.
In practice, the biggest issues tend to be configuration details inside GTM, not the CMP itself:
- Timing – the
waitForUpdateparameter controls how long GTM waits for the CMP to load before firing tags. - Consent mapping – ensuring tags that set advertising cookies depend on
ad_storage, and analytics tags onanalytics_storage, with v2 signals (ad_user_data,ad_personalization) correctly wired for ads.
The best resources for learning GTM consent
The documentation landscape is improving but still fragmented. These resources are especially useful:
Conceptual understanding
- Simo Ahava – “Consent Mode V2 For Google Tags”
https://www.simoahava.com/analytics/consent-mode-v2-google-tags/
Deep technical explanation of how Consent Mode works, what data is sent in each scenario, and how basic vs advanced differ.
- Simo Ahava – “Basic Consent Mode: The Guide”
https://www.simoahava.com/analytics/basic-consent-mode-the-guide/
Focused on the simpler basic mode, with clear examples.
Step-by-step implementation
- Analytics Mania – Consent Mode configuration guide
Practical walkthrough with screenshots and testing steps that bridge theory and real-world GTM containers.
Official specifications
- Google Tag Platform Consent docs
https://developers.google.com/tag-platform/security/guides/consent
API reference and code examples.
- Google Tag Manager Consent Mode v2 help
https://support.google.com/tagmanager/answer/13695607?hl=en
Official description of v2 requirements and consent types.
These official docs are accurate but assume intermediate knowledge, so they work best after reading Ahava’s explanations.
Staying current
- IAB Europe Transparency and Consent Framework (TCF)
https://iabeurope.eu/transparency-consent-framework/
The standard many CMPs implement, currently evolving to v2.3 (mandatory by February 2026).
- Measure Slack
A practitioner community where people share implementation patterns, edge cases, and troubleshooting tips.
Broader context
Consent mode is effectively its own discipline within GTM, overlapping with privacy law and engineering. You don’t need to become a lawyer, but you do need enough understanding to verify that your implementation matches your intent. A practical learning path is:
- Read Ahava’s conceptual guides.
- Implement using Analytics Mania’s step-by-step instructions.
- Verify behavior with GTM Preview and browser dev tools.
Checking where your GTM consent setup stands
The hardest part of consent compliance is often detecting problems. A broken setup can look fine on the surface: the banner appears, tags fire, and reports populate. The only way to know if consent is truly respected is to inspect the configuration.
TagManifest analyzes a GTM container export and maps every tag against its consent configuration. It flags:
- Tags using the wrong consent type
- Tags missing consent requirements
- Missing or misconfigured v2 signals
- CMP timing and
waitForUpdateissues
A practical next step:
- Pick one resource from this article (e.g., Ahava’s v2 guide).
- Read it end-to-end.
- Export your GTM container and review it—manually or with TagManifest—to see how your current setup compares.
The information you need exists; this piece is meant to give you a coherent starting map so you can move from scattered docs to a deliberate, verifiable implementation.
gtag('consent', 'default', {
'ad_storage': 'denied',
'analytics_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied'
});
// After user accepts on CMP banner
gtag('consent', 'update', {
'ad_storage': 'granted',
'analytics_storage': 'granted',
'ad_user_data': 'granted',
'ad_personalization': 'granted'
});