Google Consent Mode v2 will be mandatory from March 6, 2024. There'll be a simple (Basic) and an extended (Advanced) implementation. Your organisation will have to implement this to continue using Google Ads or GA4.
But is it compliant? We've looked to see if you can use Google Consent Mode v2 in compliance with data privacy regulations. Here's what we discovered.
In this blog post, we'll cover:
- What is Google Consent v2?
- What are the key updates in Google Consent V2?
- Can you use Google Consent Mode v2 compliantly?
- What do DPOs and IT leaders need to know about Google Consent V2?
- What do marketing teams need to know about Google Consent v2?
- Help me update my privacy policy
What is Google Consent v2?
Google Consent Mode v2 is a significant update that aims to boost user privacy and data compliance. It's an interface that tells Google what consent the website user has given for using cookies. It only takes effect if your website users refuse cookies. If they consent, Google uses its cookies for tracking as usual.
This updated version introduces new features that allow for more granular control over user consent, mainly concerning personal advertising and analytics trackers.
What are the key updates in Google Consent v2?
Key features of Google Consent Mode v2 include the introduction of two additional parameters to the consent mode API: ad_user_data and ad_personalisation. These parameters allow websites to more accurately manage and reflect user consent preferences, particularly about advertising data and personalised ads, alongside the existing analytics_storage and ad_storage parameters.
Can you use Google Consent Mode v2 compliantly?
The default setting is always important when using tools such as Google Consent Mode. To comply with the principles of the GDPR, such as privacy by default, the default settings of the tags - "analytics_storage" and "ad_storage" - should have the value "Denied" by default.
You should also block the Google tags until the user gives their consent. According to Google, this is possible in "consent mode with basic implementation."
Consent Mode v2 is available in two variants: Basic and Advanced. Website operators can now choose between these two options. In the Basic mode of Google Consent Mode v2, no data is collected, and no cookie-free pings are sent if consent is not given.
This significantly limits data collection if users refuse their consent. But what about the advanced version? This allows so-called "pings" to be sent to Google even if the user does not consent. These pings contain data such as:
- Timestamp
- Referrer user agent
- Signals about ad-click information in the URL (e.g. GCLID)
- Information on the consent status
- Information on the CMP
- And random numbers generated during page load
This will enable websites to recover certain amounts of data for Google Ads and Google Analytics 4, even without the data subject's consent.
In our opinion, using the advanced version would not be compliant with data protection regulations, as from our perspective, this ping data can represent personal data being processed without consent. We’ll continue to monitor how the supervisory authorities and courts will assess the use of Google Consent Mode v2.
What do DPOs and IT leaders need to know, and what actions can I take?
So, what does this mean for you and your organisation? Here are some steps you can take as you consider the impact of the Google Consent Mode v2 settings.
- Assess Google Analytics and Google Consent Mode v2: Which mode is right for you? The basic version might be sufficient for your needs.
- Check alternatives: Consider European or local providers that can provide similar insights and goals to reduce your reliance on Google Analytics.
- Server-side tracking: Consider implementing tracking on your server side. This way, the data isn’t sent to Google 1:1, but is first forwarded to your own tracking server. You can make adjustments (like anonymising - or completely removing - the IP address) before the request is forwarded to Google to minimise risk.
- Update your privacy policy: If you need to use Googe Consent Mode v2, you’ll need to update your privacy policy. This will make sure you keep your website users informed, and that you’re fulfilling your transparency obligations.
What do marketing teams need to know about Google Consent v2?
There are some providers that already support Google Consent Mode v2. Your website owners should check their traffic and consider implementing a consent management platform (CMP) that does. This will help make sure you stay compliant with data regulations and minimise the negative impact on your marketing campaigns.
It's also important to note that consent mode does not replace a regular cookie banner but must link to it. Obtaining user consent will remain the responsibility of the website operator.
Need help updating your privacy policy?
Explore how DataGuard can help you stay compliant, or reach out to us for a free consultation. We've helped many companies like yours to keep their customers informed and privacy policies up to date.
