Consent Mode on websites and mobile apps

Consent Mode interacts with your Consent Management Platform (CMP) or custom implementation for obtaining visitor consent as described in Managing user consent. Consent Mode receives visitors’ consent choices and dynamically adapts the behavior of Analytics, Ads, and third-party tags that create or read cookies.

Consent Mode enables you to optimize for business goals while respecting the privacy choices of visitors. When visitors deny consent, instead of storing cookies, tags send signals (or pings) to Google. If you are using Google Analytics 4, Google fills the data collection gaps with Conversion Models.

The IAB Europe Transparency & Consent Framework (TCF) is an alternative way of enabling Consent Mode.

Tags with built-in support for Consent Mode

Google Tags for the following products contain built-in consent checks and adjust behavior based on consent state:

  • Google Analytics
  • Google Ads*
  • Floodlight
  • Conversion Linker

* includes Google Ads Conversion Tracking and Remarketing; support for Phone Call Conversions pending.

If you create tags that do not have built-in consent checks, you can add checks in Tag Manager using the Advanced > Consent Settings tag configuration. Learn more.

Consent state and tag behavior

When you enable Consent Mode, Google measurement products ensure that a visitor’s consent mode state is preserved across the pages they visit. If consent is denied, tags that fire do not store cookies, instead they communicate a minimum of information about user activity. Consent state and user activity are then tracked by sending cookieless pings, or signals, to the Google server:

  • Consent state pings for Google Ads and Floodlight tags: Communicate the default consent state that you have configured and the updated state when the visitor grants or denies consent for each consent type such as `ad storage` and `analytics storage`. Consent state pings are sent from each page the user visits where Consent Mode is enabled, and are also triggered for some tags if the consent state changes from `denied` to `granted`. For example, if a visitor opts in from a consent dialog.
  • Conversion pings: Indicate that a conversion has occurred.
  • Google Analytics pings: Sent from each page of a website where Google Analytics is implemented on load and when events are logged.

The pings described above can include:

  • Functional information (such as headers added passively by the browser):
    • Timestamp
    • User agent (web only)
    • Referrer
  • Aggregate/non-identifying information:
    • An indication for whether or not the current page or a prior page in the user's navigation on the site included ad-click information in the URL (e.g., GCLID / DCLID)
    • Boolean information about the consent state
    • Random number generated on each page load
    • Information about the consent platform used by the site owner (e.g. Developer ID)

Consent Mode behavior

Additionally, consent and conversion pings may include the following behaviors depending on the state of the consent settings and the configuration of your tags.

The default behaviors work as if all consent options are granted:

ad_storage='granted' and analytics_storage='granted'

Web

Mobile apps

  • Cookies pertaining to advertising may be read and written.
  • IP addresses are collected.
  • The full web page URL, including ad-click information in URL parameters (e.g., GCLID / DCLID) is collected.
  • Third-party web cookies previously set on google.com and doubleclick.net, and first-party conversion cookies (e.g., _gcl_*) are accessible.
  • Advertising identifiers (e.g., Advertising ID / IDFA) may be collected.
  • The app-instance ID generated by the Google Analytics for Firebase SDK is collected.

When one or more forms of consent are not granted, there are additional behaviors to consider:

ad_storage='denied'

Web

Mobile apps

  • No new cookies pertaining to advertising may be written.
  • No existing first-party advertising cookies may be read.
  • Requests are sent through a different domain to avoid previously set third-party cookies from being sent in request headers.
  • Google Analytics will not read or write Google Ads cookies, and Google signals features will not accumulate data for this traffic.
  • Full page URL is collected, may include ad-click information in URL parameters (e.g., GCLID / DCLID). Ad-click information will only be used to approximate accurate traffic measurement.
  • IP addresses are used to derive IP country, but are never logged by our Google Ads and Floodlight systems and are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications. Learn more about IP anonymization in Google Analytics.
  • No Advertising ID, IDFA, or IDFV may be collected.
  • Google Signals features will not accumulate data for this traffic.
  • IP addresses are used to derive IP country, but are never logged by our Google Ads and Floodlight systems and are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications. Learn more about IP anonymization in Google Analytics.

ad_storage='denied' and ads_data_redaction='true'

Web

  • No new cookies pertaining to advertising may be written.
  • No existing advertising cookies may be read.
  • Requests are sent through a different domain to avoid previously set third-party cookies from being sent in request headers.
  • Google Analytics will not read or write Google Ads cookies, and Google signals features will not accumulate data for this traffic.
  • Ad-click identifiers (e.g., GCLID / DCLID) in consent and conversion pings are redacted.
  • IP addresses used to derive IP country, but are never logged by our Google Ads and Floodlight systems and are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications. Learn more about IP anonymization in Google Analytics.
  • Page URLs with ad-click identifiers are redacted.

analytics_storage='denied'

Web

Mobile apps

  • Will not read or write first-party analytics cookies.
  • Cookieless pings will be sent to Google Analytics for future measurement. Google Analytics 4 will use cookieless pings for modeling.
  • Google Optimize is not affected by this setting.
  • Events without device or user identifiers will be sent to Google Analytics for future measurement. Google Analytics 4 will use these events for modeling.

Web/Mobile apps

This article introduces Consent Mode basics. Consent Mode has additional capabilities such as region-specific behavior, the ability to redact information that was previously stored, and the ability to pass information in URLs when consent is denied. For information on how to use Consent Mode and these additional features, see:

Enabling Consent Mode

Customers using Google Tag Manager should enable Consent Mode with a template that is typically created by the CMP provider. Customers not using Tag Manager can write `gtag.js` code or a custom HTML tag as an alternative, but that requires manual addition of code to each page, which can be cumbersome, difficult to implement correctly, and difficult to maintain.

Regardless of how you enable Consent Mode, the following outline best practices:

  • Set an initial consent state with the default values determined by your organization. The default consent state applies the first time a visitor views a page on your website.
  • Implement so that page tags are loaded before the consent dialog appears to the visitor.
  • Be sure to load Google tags in all cases, not only if the user consents. If consent is denied, Google receives cookieless pings. For properties using Google Analytics 4, cookieless pings improve modeling accuracy.
  • The mechanism for obtaining consent should appear to the visitor as soon as possible and update consent state whenever users indicate their choices.
  • Give users the option to deny or grant consent for every type of storage used by the tags on a website. For example, a user might grant consent to analytics cookies and deny advertising cookies.
  • Since current privacy laws are region-specific, we recommend configuring a default state to apply to particular regions instead of to all visitors. Especially if your organization requires default state to be `denied`, applying `denied` only to visitors from the appropriate region avoids loss of precise measurement for all other geographic areas.
When you set a default state for a region, your mechanism for obtaining consent, whether custom or a CMP, should give visitors from those regions the opportunity to update their consent state.
Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
69256
false
false