Consent mode on websites and mobile apps

This article is for website or app owners who use a cookie consent banner or consent widget, or other consent management solution.

Consent mode lets you communicate your users’ cookie or app identifier consent status to Google. Tags adjust their behavior and respect users’ choices.

Consent mode interacts with your Consent Management Platform (CMP) or custom implementation for obtaining visitor consent, such as a cookie consent banner. Consent mode receives your users' consent choices from your cookie banner or widget and dynamically adapts the behavior of Analytics, Ads, and third-party tags that create or read cookies.

When visitors deny consent, instead of storing cookies, tags send pings to Google. If you are using Google Analytics 4, Google fills the data collection gaps with conversion modeling and behavioral modeling.

Consent mode does not provide a consent banner or widget. Rather, it interacts with it. Learn more in Manage user consent.

Set up consent mode in Google Analytics

Tags with built-in support for consent mode

Google tags for the following products contain built-in consent checks and adjust behavior based on consent state:

Google Analytics
Google Ads*
Floodlight
Conversion Linker

* includes Google Ads Conversions Tracking and Remarketing; support for Phone Call Conversions pending.

If you create tags that do not have built-in consent checks, you can add checks in Tag Manager. Use the Advanced > Consent Settings tag configuration. Learn more

Consent state and tag behavior

When you enable consent mode, Google measurement products ensure that a visitor’s consent mode state is preserved across the pages they visit. If consent is denied, tags that fire do not store cookies, instead they communicate a minimum of information about user activity. Consent state and user activity are then communicated by sending the following types of cookieless pings, or signals, to the Google server:

Consent state pings for Google Ads and Floodlight tags: Communicate the default consent state that you have configured and the updated state when the visitor grants or denies consent for each consent type such as `ad storage` and `analytics storage`. Consent state pings are sent from each page the user visits where consent mode is enabled, and are also triggered for some tags if the consent state changes from `denied` to `granted`. For example, if a visitor opts in from a consent dialog.
Key Event pings: Indicate that a key event has occurred.
Google Analytics pings: Sent from each page of a website where Google Analytics is implemented on load and when events are logged.

The pings described above can include:

Functional information (such as headers added passively by the browser):
- Timestamp
- User agent (web only)
- Referrer
Aggregate/non-identifying information:
- An indication for whether or not the current page or a prior page in the user's navigation on the site included ad-click information in the URL (e.g., GCLID / DCLID)
- Boolean information about the consent state
- Random number generated on each page load
- Information about the consent platform used by the site owner (e.g., Developer ID)

Consent mode behavior

Additionally, consent and key event pings may include the following behaviors depending on the state of the consent settings and the configuration of your tags.

The default behaviors work as if all consent options are granted:

`ad_storage='granted'` and `analytics_storage='granted'`
Web	Mobile apps
Cookies pertaining to advertising may be read and written. IP addresses are collected. The full web page URL, including ad-click information in URL parameters (e.g., GCLID / DCLID) is collected. Third-party web cookies previously set on google.com and doubleclick.net, and first-party key event cookies (e.g., _gcl_*) are accessible.	Advertising identifiers (e.g., Advertising ID/IDFA) may be collected. The app-instance ID generated by the Google Analytics for Firebase SDK is collected.

When one or more forms of consent are not granted, there are additional behaviors to consider:

`ad_storage='denied'`
Web	Mobile apps
No new cookies pertaining to advertising may be written. No existing first-party advertising cookies may be read. Requests are sent through a different domain to avoid previously set third-party cookies from being sent in request headers. Google Analytics will not read or write Google Ads cookies, and Google signals features will not accumulate data for this traffic. Full page URL is collected, may include ad-click information in URL parameters (e.g., GCLID / DCLID). Ad-click information will only be used to approximate accurate traffic measurement. IP addresses are used to derive IP country, but are never logged by our Google Ads and Floodlight systems and are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications. Learn more about IP masking in Google Analytics.	No Advertising ID/IDFA may be collected. Google Signals features will not accumulate data for this traffic. IP addresses are used to derive IP country, but are never logged by our Google Ads and Floodlight systems and are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications. Learn more about IP masking in Google Analytics.

ad_storage='denied' and ads_data_redaction='true'

Web

No new cookies pertaining to advertising may be written.
No existing advertising cookies may be read.
Requests are sent through a different domain to avoid previously set third-party cookies from being sent in request headers.
Google Analytics will not read or write Google Ads cookies, and Google signals features will not accumulate data for this traffic.
In Google Analytics full page URL is collected, may include ad-click information in URL parameters (e.g., GCLID / DCLID). Ad-click information will only be used to approximate accurate traffic measurement. In Google Ads, ad-click identifiers (e.g., GCLID / DCLID) in consent and key event pings are redacted.
IP addresses used to derive IP country, but are never logged by our Google Ads and Floodlight systems and are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications. Learn more about IP masking in Google Analytics.

`analytics_storage='denied'`
Web	Mobile apps
Will not read or write first-party analytics cookies. Cookieless pings will be sent to Google Analytics for future measurement. Google Analytics 4 will use cookieless pings for modeling.	No IDFA may be collected. Events without device or user identifiers will be sent to Google Analytics for future measurement. Google Analytics 4 will use these events for modeling.
Web/Mobile apps When `analytics_storage='denied'`, cookieless pings are sent to Google Analytics. No Analytics cookies are set, accessed, or read from the device. Consequently, cookieless pings are anonymized and non-identifiable Google Analytics events. Cookieless pings, as part of regular HTTP/browser communication, may include the following information: user agent, screen resolution, IP address. Note that Google Analytics 4 does not store or log IP addresses. If an advertiser sets other fields, such as user_id and custom dimensions, they will be sent normally. The data collected in the cookieless ping is used for behavioral and conversion modeling, to fill the gaps in your data.

Consent mode best practices

Regardless of how you enable consent mode, you should follow these best practices:

Set an initial consent state with the default values determined by your organization. The default consent state applies the first time a visitor views a page on your website.
Implement so that page tags are loaded before the consent dialog opens.
Load Google tags in all cases, not only if the user consents. If consent is denied, Google receives cookieless pings. In Google Analytics 4 properties, cookieless pings enable behavioral and conversion modeling to fill the gaps in your data.
Consent options should appear to the visitor as soon as possible. Update consent state once the visitor indicates their choice.
Give users the option to deny or grant consent for every type of storage used by the tags on a website. For example, a user might grant consent to analytics cookies and deny advertising cookies.
Since current privacy laws are region-specific, configure a default state to apply to particular regions instead of to all visitors. Especially if your organization requires default state to be `denied`, applying `denied` only to visitors from the appropriate region avoids losing precise measurement for all other regions.

When you set a default state for a region, your mechanism for obtaining consent, whether custom or a CMP, should give visitors from those regions the opportunity to update their consent state.

Advanced implementation vs. basic implementation

If you choose to implement consent mode by blocking Google tags until the consent dialog appears and users consent, you will not get the full benefits of consent mode. For example, you will not get modeled data in your GA4 property to fill in the gaps for the missing observed data when users decline consent. Whether you choose to block tags (basic implementation) or unblock tags (advanced implementation), Google tags adjust their behavior based on your users’ consent state.

Here are the tradeoffs between advanced and basic implementation for consent mode:

	Advanced implementation	Basic implementation
Tag behavior	Google tags are loaded before the consent dialog appears Tags send cookieless pings when cookie consent declined	Google tags blocked until consent is granted
Behavioral modeling in GA4
Conversion modeling in GA4		*
Conversion modeling in Ads		*

* When tags are blocked due to consent choices, no data is collected, and conversion modeling in Ads is based on a general model. The models use features such as browser type, key event action type, time of day, and other high-level, non-identifying variables. Learn more about consent mode and conversion modeling for Ads.

The IAB Europe Transparency & Consent Framework (TCF) is an alternative way of obtaining and tracking consent state. When your users deny consent with a consent solution that uses the TCF, GA4 properties aren’t able to model data to fill in the missing information.

How to enable consent mode

How you enable consent mode differs for websites and apps. It also depends on your implementation for obtaining consent and which tagging platform you use.

Enable consent mode for websites

You can enable consent mode for websites with minimal coding using Tag Manager and a CMP with a community template. CMP Partners provide Tag Manager templates and instructions to enable consent mode through their integration:

Consent Management Platform integrations

Website developers can enable consent mode using gtag.js consent commands or a tag created from a Tag Manager consent mode template:

Manage consent settings (web)

Enable consent mode for apps

App developers can enable consent mode using the Google Analytics for Firebase SDK:

Manage consent settings (apps)

Consent management platform integrations

Consent management platforms (CMPs) are able to integrate with Consent Mode and consent settings in Google Tag Manager. Tag Manager Featured CMPs have templates available in the Tag Manager Community Template Gallery which are integrated with our Consent APIs.

To capture valuable insights while protecting user privacy, you need to collect consent from your website users. We recommend you use a Consent Management Platform (CMP) or work with your Content Management System (CMS) to collect consent and send it to Google.

Learn more about how to Set up your consent banner with a consent management platform or a content management system.

Refer to the table below for more information on how CMPs have integrated with Consent Mode:

Consent Tool	Supported consent types	Tag Manager Community Template available	Integrated with consent update calls	Integrated with consent default calls
Commanders Act	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + TrustCommander template)
Complianz	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + TrustCommander template)
Consentmanager	ad_personalization ad_storage ad_user_data analytics_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
Cookie First	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
Cookie Information A/S	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
Cookiebot (Cybot)	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
CookieScript	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
CookieYes	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
Didomi	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Full GTM + non-GTM integration)
iubenda	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
OneTrust	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
Osano	ad_personalization ad_storage ad_user_data analytics_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
Secure Privacy	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
Sirdata	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
Termly	ad_storage analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)
Usercentrics	ad_personalization ad_storage ad_user_data analytics_storage functionality_storage personalization_storage security_storage	✓	✓	✓ (Integrated GTM template + code example for gtag.js)

Consent mode for CMP providers

Consent Management Platform (CMP) providers can integrate with consent mode to provide a better experience for customers who use Google products. To learn more, see Consent mode for CMP providers.

Additional resources

Consent mode has additional capabilities such as region-specific behavior, the ability to redact information that was previously stored, and the ability to pass information in URLs when consent is denied. For information on how to use consent mode and these additional features, see:

Was this helpful?

How can we improve it?