What is Google Consent Mode v2 and who needs to implement it?

Consent Mode v2 is Google's framework for advertisers to communicate user consent state to its ad and analytics products. It became mandatory in March 2024 for advertisers serving ads to users in the European Economic Area, the UK, and Switzerland. Without a compliant Consent Mode v2 implementation, Google Ads will reject conversions and audience uploads from EEA users, and Customer Match won't function.

Why don't ad_storage and analytics_storage work server-side?

ad_storage and analytics_storage are gtag-only signals — they tell gtag whether to set cookies in the browser. They have no effect on Measurement Protocol or Meta CAPI server-side delivery. Only ad_user_data and ad_personalization affect server-to-server delivery decisions, which is why Datafly Signal explicitly excludes ad_storage and analytics_storage from outgoing payloads. Sending them is a common misconfiguration that does nothing in production but pollutes the audit trail.

Which CMPs does Datafly Signal support?

Any TCF v2.2 framework plus all major non-TCF CMPs: OneTrust, Cookiebot, Didomi, Sourcepoint, Iubenda, Usercentrics, Termly, and Klaro. Mapping is declarative YAML so adding a CMP that exposes consent state in any structured form is a configuration change, not a platform change.

Can the audit log evidence consent for a specific event?

Yes. Every vendor delivery is logged with: event ID, timestamp, vendor target, the consent state at evaluation time, the gate decision (allowed or denied), and the rule that produced the decision. Searchable by event ID, user ID, or vendor. Retention is configurable and runs from a few days for high-volume pipelines up to multi-year retention for regulated industries.

What happens if my CMP fails to load?

The default-deny wildcard rule fires. If consent categories are absent, malformed, or missing, the gate denies. The fail-safe is non-delivery, which is the regulator-defensible posture. Compare this with client-side setups where a CMP load failure can leave gtag in an undefined consent state, often resulting in delivery without consent being verified.

Google Consent Mode v2

Consent Mode v2, evaluated server-side

Google Consent Mode v2 is mandatory for advertisers serving EEA users. Datafly Signal evaluates ad_user_data and ad_personalization at the Signal Core, gates every vendor delivery on the result, and produces a server-side audit trail for every event. No reliance on gtag('consent') timing, no client-side race conditions, no CMP-script load failures hiding non-compliant deliveries.

Request a Demo View Platform

2 signals

Required by CMv2

ad_user_data and ad_personalization, both server-honoured

Server-side

Enforcement

Consent gate runs before vendor delivery, not in the browser

Per event

Audit trail

Every delivery logged with the consent state that allowed it

Default-deny

Missing categories

Wildcard rule denies on absent or malformed CMP signals

Why client-side Consent Mode is fragile

Consent Mode v2 became mandatory for EEA-targeted advertising in March 2024. Most implementations bolt it onto an existing gtag.js setup, which leaves several failure modes that are silent in the browser but obvious to a regulator auditing your stack.

CMP and gtag.js race conditions

gtag('consent', 'default') has to fire before any other gtag call, but in real conditions the CMP banner and the GA loader race. Hits sent in the few hundred milliseconds before consent is initialised may be processed without the right consent state. Hard to debug, hard to evidence the right behaviour.

ad_storage and analytics_storage don't apply server-side

A common misconfiguration is sending ad_storage and analytics_storage signals to GA4 Measurement Protocol or Meta CAPI server-side. These are gtag-only signals; vendor APIs ignore or reject them. Only ad_user_data and ad_personalization affect server-to-server delivery. Pipelines built without that distinction silently fail audits.

No audit trail per event

When a regulator or DPO asks "was this conversion sent to Meta only after consent was granted?" the answer needs to be an audit log row, not a screenshot of the CMP banner. Client-side consent leaves no server-verifiable record. Datafly Signal logs the consent state that gated every individual vendor delivery, retained alongside the event for the lifetime of your audit retention policy.

How consent enforcement works at the Signal Core

CMP categories captured at the client

Datafly.js reads the user's consent state directly from your CMP (OneTrust, Cookiebot, Didomi, Sourcepoint, Iubenda, or any TCF v2.2 framework). The category booleans are attached to every event sent to your subdomain.

Mapped to Consent Mode v2 signals

The Signal Core translates your CMP's categories into Google Consent Mode v2's ad_user_data and ad_personalization fields, and into the equivalent fields for Meta CAPI, TikTok, LinkedIn, and any other vendor that exposes consent. Mapping is declarative YAML, version-controlled.

Default-deny on missing or malformed signals

If the CMP doesn't fire, returns a malformed payload, or omits a category, the wildcard rule denies. The fail-safe is non-delivery, not accidental delivery, which is the regulator-defensible posture.

Per-vendor delivery gate

Each integration's blueprint declares which consent categories it requires. Ad vendors gate on marketing consent. Analytics-only vendors still receive events with consent flags attached so reports reflect reality. Warehouses receive everything plus the consent state for downstream analysis.

Logged per event

Every delivery is written to the audit log with: event ID, vendor, consent state at evaluation time, gate decision (allowed / denied), and rule that produced the decision. Retained for the duration of your audit policy. Searchable by event ID or user ID.

Consent mapping configuration

The CMP-to-Consent Mode v2 mapping lives in your blueprint. Below is the canonical pattern: explicit value map for each category, default-deny on the wildcard, and per-vendor gates. ad_storage and analytics_storage are deliberately absent because they have no effect on server-side delivery.

consent-mapping.yamlYAML

# consent-mapping.yaml
# Map your CMP's category booleans to Google Consent Mode v2
# signals (and the equivalents for Meta CAPI, TikTok, etc).
# This runs server-side at the Signal Core before any
# vendor delivery. No gtag('consent', 'update') needed.

global:
  mappings:
    # Google Consent Mode v2 — only ad_user_data and
    # ad_personalization are honoured by Measurement
    # Protocol. ad_storage and analytics_storage are
    # gtag-only and have no effect server-side.
    # Reference Signal's canonical vocabulary so the same blueprint
    # works for any CMP (Cookiebot, OneTrust, Didomi, custom). The
    # customer maps their CMP categories to canonical buckets in
    # Settings → Consent.
    - source: context.consent.canonical.marketing
      target: '@root.consent.ad_user_data'
      mode: value_map
      value_map:
        'true': GRANTED
        'false': DENIED
        '*': DENIED   # default-deny on missing categories

    - source: context.consent.canonical.personalization
      target: '@root.consent.ad_personalization'
      mode: value_map
      value_map:
        'true': GRANTED
        'false': DENIED
        '*': DENIED

  # Server-side gating: events with denied marketing consent
  # are dropped before reaching ad vendors. Analytics-only
  # vendors (e.g. GA4) still receive the event with the
  # consent flags attached so reporting reflects reality.
  gates:
    google_ads:    deny_if_consent_marketing_false
    meta_capi:     deny_if_consent_marketing_false
    tiktok_events: deny_if_consent_marketing_false
    ga4:           always_send_with_consent_signals
    bigquery:      always_send_with_consent_signals

Built for regulator-defensible consent

Every part of the stack is designed so that the answer to "prove consent was honoured" is a database row, not a guess.

Server-side gate, not client trust

The consent decision is made at the Signal Core after the event arrives. Browser-side timing failures, CMP loading failures, and gtag.js race conditions don't affect what gets delivered.

ad_user_data + ad_personalization only

Only the two signals that Measurement Protocol and Meta CAPI actually honour are sent to vendors. ad_storage and analytics_storage are kept out of server-side payloads.

Default-deny wildcard

Any missing, malformed, or absent CMP signal denies by default. The fail-safe is non-delivery, not accidental delivery, which is what regulators expect.

TCF v2.2 native

Reads TCF v2.2 consent strings directly when your CMP exposes them, with full purpose / feature / vendor list resolution server-side.

Per-event audit trail

Every vendor delivery is logged with the consent state that allowed (or denied) it. Searchable by event ID, user ID, or vendor. Retained for the lifetime of your audit retention policy.

Works with every major CMP

OneTrust, Cookiebot, Didomi, Sourcepoint, Iubenda, Usercentrics, Termly. Mapping is declarative YAML — no per-CMP custom code in the platform.

Client-side vs server-side Consent Mode v2

Consent Mode v2 can be implemented at the browser via gtag, server-side via vendor APIs, or both. The surfaces differ on what they actually enforce.

Surface	Honours ad_user_data / ad_personalization	Honours ad_storage / analytics_storage	Per-event audit log
gtag.js client-side	✓	✓	✗
GA4 Measurement Protocol (server)	✓	✗ (ignored)	✗ (no native log)
Meta CAPI (server)	✓	N/A	✗ (no native log)
Datafly Signal (server)	✓	N/A (correctly excluded)	✓

Frequently asked questions

What is Google Consent Mode v2 and who needs to implement it?: Consent Mode v2 is Google's framework for advertisers to communicate user consent state to its ad and analytics products. It became mandatory in March 2024 for advertisers serving ads to users in the European Economic Area, the UK, and Switzerland. Without a compliant Consent Mode v2 implementation, Google Ads will reject conversions and audience uploads from EEA users, and Customer Match won't function.
Why don't ad_storage and analytics_storage work server-side?: ad_storage and analytics_storage are gtag-only signals — they tell gtag whether to set cookies in the browser. They have no effect on Measurement Protocol or Meta CAPI server-side delivery. Only ad_user_data and ad_personalization affect server-to-server delivery decisions, which is why Datafly Signal explicitly excludes ad_storage and analytics_storage from outgoing payloads. Sending them is a common misconfiguration that does nothing in production but pollutes the audit trail.
How is this different from gtag('consent', 'update')?: gtag('consent', 'update') runs in the browser and depends on gtag.js loading, the CMP loading first, and the two coordinating without race conditions. In real-world conditions hits sent in the few hundred milliseconds before consent is initialised may be processed without the right state. Datafly Signal evaluates consent at the Signal Core after the event arrives, eliminating browser-side timing issues. The decision is also auditable in a database row rather than only inferable from client-side behaviour.
Which CMPs does Datafly Signal support?: Any TCF v2.2 framework plus all major non-TCF CMPs: OneTrust, Cookiebot, Didomi, Sourcepoint, Iubenda, Usercentrics, Termly, and Klaro. Mapping is declarative YAML so adding a CMP that exposes consent state in any structured form is a configuration change, not a platform change.
Can the audit log evidence consent for a specific event?: Yes. Every vendor delivery is logged with: event ID, timestamp, vendor target, the consent state at evaluation time, the gate decision (allowed or denied), and the rule that produced the decision. Searchable by event ID, user ID, or vendor. Retention is configurable and runs from a few days for high-volume pipelines up to multi-year retention for regulated industries.
What happens if my CMP fails to load?: The default-deny wildcard rule fires. If consent categories are absent, malformed, or missing, the gate denies. The fail-safe is non-delivery, which is the regulator-defensible posture. Compare this with client-side setups where a CMP load failure can leave gtag in an undefined consent state, often resulting in delivery without consent being verified.

PII Handling

The other half of compliance: hash, mask, or strip personal data before vendor delivery.

Bot Filtering

Filter invalid traffic at the same Signal Core layer that evaluates consent.

Trust

Datafly's overall security and compliance posture, certifications, and audit retention defaults.

Google Analytics 4

Server-side GA4 that honours Consent Mode v2 signals.

Make consent enforcement auditable

Request a technical walkthrough. We'll review your current Consent Mode v2 setup, identify the silent failure modes, and show you what server-side enforcement looks like in practice.