Set up and manage consent

Consent mode reference

This article is for Google tag users who receive user data from end users in the European Economic Area (EEA) through websites, apps, or offline resources.

Important: If the ad_storage or analytics_storage consent parameter is set to denied, either through a default consent state or the setConsent method, the analytics data associated with a particular app instance is permanently reset going forward. For example, if analytics data is reset for all app instances, user counts may be inflated.

  • iOS: you can prevent this issue by updating to version 10.23.0 or later.
  • Android: devices with Google Play Services have automatically received an update, and those devices are no longer subject to this issue. No further action is required on your part.

If your app runs on devices without Google Play Services, you will be able to update the Android SDK in the forthcoming 22.0.1 release to prevent this behavior. Until then, you can prevent the issue for these devices by following these steps:

  1. Don’t set default values for ad_storage and analytics_storage in your app’s manifest.
  2. Disable Analytics collection before setting the app instance’s ad_storage and analytics_storage consent state.
  3. Once you have affirmative consent, re-enable Analytics collection, which won’t reset analytics data.

If you want to reset analytics for an app instance, use the purpose-built API. See here for an Android example.

Overview: Consent mode parameters

Consent Type Description
ad_storage Enables storage (such as cookies) related to advertising.
ad_user_data Sets consent for sending user data related to advertising to Google.
ad_personalization Sets consent for personalized advertising.
analytics_storage Enables storage (such as cookies) related to analytics e.g. visit duration.

In addition to the consent mode parameters, there are the following privacy parameters:

Storage Type Description
functionality_storage Enables storage that supports the functionality of the website or app e.g. language settings.
personalization_storage Enables storage related to personalization e.g. video recommendations
security_storage Enables storage related to security such as authentication functionality, fraud prevention, and other user protection.

Tag behavior with consent mode

If all consent options are granted, tags behave as follows:

Web

Mobile apps

  • Cookies pertaining to advertising may be read and written.
  • IP addresses are collected.
  • The full web page URL, including ad-click information in URL parameters (e.g., GCLID / DCLID) is collected.
  • Third-party web cookies previously set on google.com and doubleclick.net, and first-party conversion cookies (e.g., _gcl_*) are accessible.
  • Advertising identifiers (e.g., Advertising ID/IDFA) may be collected.
  • The app-instance ID generated by the Google Analytics for Firebase SDK is collected.

When one or more forms of consent are not granted (not set or denied), there are additional behaviors to consider:

ad_personalization='denied'

Web & Mobile apps

Personalized advertising is disabled, the following features won't receive data:

  • Remarketing in Google Ads, Display & Video 360, Search Ads 360
  • Personalized advertising with Google's advertising products

ad_user_data='denied'

Web & Mobile apps

Personal data collection for online advertising is disabled, including:

  • user_id
  • Enhanced conversions: Hashed first party data

ad_storage='denied'

Web

Mobile apps

  • No new cookies pertaining to advertising may be written.
  • No existing first-party advertising cookies may be read.
  • Requests are sent through a different domain to avoid previously set third-party cookies from being sent in request headers.
  • Google Analytics will not read or write Google Ads cookies, and Google signals features will not accumulate data for this traffic.
  • Full page URL is collected, may include ad-click information in URL parameters (e.g., GCLID / DCLID). Ad-click information will only be used to approximate accurate traffic measurement.
  • IP addresses are used to derive IP country, but are never logged by our Google Ads and Floodlight systems and are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications. Learn more about IP masking in Google Analytics.
  • No Advertising ID/IDFA may be collected.
  • Google Signals features will not accumulate data for this traffic.
  • IP addresses are used to derive IP country, but are never logged by our Google Ads and Floodlight systems and are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications. Learn more about IP masking in Google Analytics.

analytics_storage='denied'

Web

Mobile apps

  • Will not read or write first-party analytics cookies.
  • Cookieless pings will be sent to Google Analytics for future measurement. Google Analytics 4 will use cookieless pings for modeling.
  • No IDFV may be collected.
  • Events without device or user identifiers will be sent to Google Analytics for future measurement. Google Analytics 4 will use these events for modeling.

Web & Mobile apps

When analytics_storage='denied', cookieless pings are sent to Google Analytics. No Analytics cookies are set, accessed, or read from the device. Consequently, cookieless pings are anonymized and non-identifiable Google Analytics events.

Cookieless pings, as part of regular HTTP/browser communication, may include the following information: user agent, screen resolution, IP address. Note that Google Analytics 4 does not store or log IP addresses.

If an advertiser sets other fields, such as user_id and custom dimensions, they will be sent normally. The data collected in the cookieless ping is used for behavioral and conversion modeling, to fill the gaps in your data. 

ad_storage='denied' and ads_data_redaction='true'

Web

  • No new cookies pertaining to advertising may be written.
  • No existing advertising cookies may be read.
  • Requests are sent through a different domain to avoid previously set third-party cookies from being sent in request headers.
  • Google Analytics will not read or write Google Ads cookies, and Google signals features will not accumulate data for this traffic.
  • In Google Analytics full page URL is collected, may include ad-click information in URL parameters (e.g., GCLID / DCLID). Ad-click information will only be used to approximate accurate traffic measurement. In Google Ads, ad-click identifiers (e.g., GCLID / DCLID) in consent and conversion pings are redacted.
  • IP addresses used to derive IP country, but are never logged by our Google Ads and Floodlight systems and are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications. Learn more about IP masking in Google Analytics.

Related resources

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu