Google Ads, GA4 and consent management

Data privacy has become critical to doing business, touching regulatory compliance, digital marketing strategy and customer relations. For millions of companies, Google — and its products like Google Ads and Google Analytics 4 — is becoming central to privacy compliance and revenue generation.

Today there are three primary influences on the requirement for companies to obtain users’ consent for access to and processing of personal data:

• governments and data protection authorities
• large tech partners
• consumers

Some companies continue to ignore consent requirements, but they are increasingly risking not only fines and other penalties, but also loss of brand reputation, user trust, and potentially revenue if they are denied access to third-party platforms, like Google’s advertising services.

Ignoring the revenue potential of consent-based marketing initiatives will quickly leave change-resistant companies behind in highly competitive and rapidly changing markets.

Governments have been passing data privacy regulations around the world to protect citizens for many years. Modern comprehensive privacy laws started showing up over a decade ago, and have ramped up with the influence of the European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018.

Prior to that, however, there have been other privacy laws passed, a number of which have been updated, like Switzerland’s FADP, or are in the process of being updated, like Canada’s PIPEDA and the Privacy Act in Australia.

Some privacy laws, like the GDPR, cover entire regions. Others cover just the country that passed them, like Brazil’s General Data Protection Law (LGPD). Still more only cover a far smaller area, like each of the United States’ state-level data privacy laws passed to date, e.g. California’s Consumer Privacy Act (CCPA) and Consumer Privacy Rights Act (CPRA).

Gartner has predicted that 75% of the world’s population will have its personal data protected by at least one data privacy law by the end of 2024. With China (PIPL) and India (DPDP Act) — the world’s two most populous countries — now on board with data privacy laws, this seems like a reasonable expectation. As does the likely passing of more national privacy laws, and more targeted laws, like those taking artificial intelligence (AI) or children’s online privacy into account. Or addressing the evolution of the ever-growing mobile industry, with mobile gaming alone (also very popular with children) being worth over US $140 billion in 2022.

In addition to passing laws, authorities are also ramping up enforcement efforts. Big tech companies receiving billion-dollar fines may garner headlines, but it’s not just Facebook, Google and Amazon in regulators’ crosshairs anymore. Organizations of all sizes that rely on user data, and that want to maintain users’ goodwill, need to comply with data privacy requirements.

In order for big tech companies to achieve regulatory privacy compliance, they need to ensure third parties they do business with are also compliant. This includes advertisers, merchants, data analytics services, and more. When platforms and services have audiences of billions of people, and are relied upon for revenue, data, and access to those audiences by millions of companies, big tech companies’ privacy compliance requirements for third parties come with significant clout.

Laws like the Digital Markets Act (DMA) are coming into effect in the EU, and gatekeepers, including Google, are implementing new requirements for third parties. As of January 16, 2024, in the EU/EEA and UK, Google is requiring publishers and developers to implement a Google-certified CMP, like Usercentrics CMP, which has Google Consent Mode and the TCF 2.2 integrated, as Google requires.

This is to ensure companies obtain and can signal valid user consent if they want to continue to monetize websites and/or apps with advertising using Google AdSense, Ad Manager, or AdMob.

Additionally, if companies are serving ads to audiences in the EU and/or EEA using Google Ads, Google Marketing Platform or Google Analytics (GA4), they need to activate Google Consent Mode v2. The best way to meet this requirement is by also implementing a Google-certified consent management platform (CMP), like Usercentrics CMP, that supports Google Ads Consent Mode, and sending verifiable consent signals to Google to maintain ad revenue from personalized campaigns in the EU and EEA.

Given that companies like Meta (parent of Facebook, Instagram and WhatsApp, among others), Microsoft, ByteDance (parent of TikTok) and Amazon have comparably large platforms and audiences, compliance-related requirements they launch are also likely to cause significant shifts and adoption of data privacy initiatives and uptake of consent management solutions.

As the source of personal data, consumers are becoming increasingly concerned about and savvy regarding who gets access to what data, and how they are allowed to use it. They are also starting to expect to get more for their consent in order to hand over their data, rather than just accepting that it will be hoovered up everywhere they go when accessing websites, apps and other connected platforms.

New regulations like the Digital Markets Act are also enabling consumers to exercise greater flexibility and choice regarding the products and services they use. Data portability requirements make it easier to switch platforms for better features or more competitive pricing. This should serve to spur innovation on companies’ part and make them work harder to retain their customer base.

There have also been enough high-profile data breaches, and enough consumers have been personally affected, that people no longer have much patience for companies that don’t protect or respect the data that consumers have entrusted to them. The mobile space is particularly notable, where users are more than willing to delete apps if they don’t feel like they have adequate security and respect for their personal information.

At the core of all these privacy requirements is user consent. But like any legal requirement, you have to obtain consent the right way, and be able to prove it. This is what a consent management platform (CMP) enables. Most privacy laws also require notifying users about relevant laws, users’ rights, what data is being collected and for what purposes, and more. This is also done via a CMP’s consent banner.

Every privacy law has its own specific requirements for consent. Many require prior consent, or “opt in”, where valid user consent has to be obtained before any data is collected. Some laws, like the ones passed to date in the US, are “opt out”, and require consent for specific uses, like sale of data or using it for profiling, but don’t require it to collect and process data. Different laws also have specific requirements for what constitutes valid consent. Art. 7 GDPR, for example, has become probably the most influential guideline for that.

Adding complexity, companies that do business in more than one jurisdiction may well need to comply with multiple different laws with varying requirements. A CMP streamlines this otherwise very tricky and complex operation. A high performance CMP will also enable geolocation rules so that not only is information displayed about the right regulations, but also in the user’s preferred language for better user experience and transparency.

Marketing operations today also require an ecosystem of platforms and tools, which means that consent requirements have to be applied and communicated across various systems. A good CMP solution also enables this, integrating with many platforms, and enabling signaling of consent information to third parties, like via Google Consent Mode v2, which is integrated into Usercentrics CMP. This way, organizations can obtain valid, granular user consent for relevant regulations, and communicate it to all relevant third-party partners, enabling seamless operations for digital advertising and more.

Increasingly, yes. In jurisdictions where you need to obtain prior consent from users before collecting user data, you need consent for any non-essential cookie use, including for advertising or analytics purposes. In Europe, companies will have to prove consent to be able to use Google Ads for functions like personalization, retargeting and conversion tracking. Consent is required to collect users’ data from their online browsing, shopping, etc. to power GA4.

Cookies and other trackers also need to be blocked by the CMP until user consent is obtained under many regulations. All of this precedes serving ads or other advertising functions, or collecting user analytics data. Over the past year or two there has been increasing scrutiny on Google Analytics use in Europe, and its compliance with the GDPR.

Google Consent Mode is an API that enables consent management for Google Ads and other platforms to pass consent data to Google Tag Manager in a recognizable format. This enables businesses to modify how Google tags function based on user consent decisions related to cookies for ads and analytics. Google updated Consent Mode to v2 in late 2023.

Originally, Consent Mode mainly enabled anonymized tracking of data when user consent was not obtained. However, the tool and its role have evolved, and now its primary function is as a tool for signaling, as outlined above regarding the use of a CMP. Consent Mode also helps website owners with conversion data from advertising, enabling greater accuracy in their insights for optimization.

In the latest version of Consent Mode, the key settings are ad_user_data and ad_personalization, which are based on the same trigger as ad_storage.

Consent Mode is not exclusively used with Google Ads, but their use is becoming increasingly intertwined and required in light of requirements of regulations like those under the DMA. In relevant jurisdictions like the EU and UK, Google is requiring third parties to use a CMP that they have certified, which supports Consent Mode, to obtain and signal user consent if they want to continue to serve personalized ads as of January 2024.

Be aware that Consent Mode does not itself enable compliance with data privacy laws. For that, valid consent needs to be obtained via a consent management platform for the use of cookies and other tracking technologies on websites and apps.

As with ads, Consent Mode enables modification of how Google tags function based on the consent decisions users make. Importantly in this case, that includes preventing data collection or processing until consent for analytics cookies is obtained.

Consent Mode enables management of cookies for analytics use in GA4 based on users’ consent choices via the analytics_storage tag. If a user consents to analytics cookie use, GA4 can collect the full complement of data for analytics and/or statistical purposes. If a user does not consent to analytics cookie use, then the data GA4 has access to is limited. For example, the user cannot be personally identified, though non-identifying data is still collected, like operating system or browser in use, referrer, etc.

A correctly implemented consent management platform detects (and blocks) all cookies and tracking technologies in use. It should also provide information about all of them to users, available in the consent banner. Usercentrics CMP’s scanning functionality and database of thousands of data processing services streamline this process and save considerable time and resources.

Users can then make consent choices to consent broadly to data processing, or at a granular level. E.g. a user could consent to analytics cookie use, but not advertising cookie use. Consent Mode then enables signaling this information to GA4, which proceeds with collecting and analyzing the consented data.

Google is requiring third parties using its platforms and services in the EU to use the latest version of Consent Mode to signal valid user consent, i.e. that obtained through the use of a consent management platform into which it’s integrated. Consent Mode’s original value was also in providing additional information and insights through modeling when users did not provide consent, which continues to be the case.

Organizations intending to collect and use consumers’ data for marketing, analysis, and other purposes very likely need a CMP and Consent Mode if their visitors, users or customers reside where they are protected by a data privacy law with opt-in requirements. This includes the EU, Brazil, South Africa and many other places. Today and into the future, data privacy best practices will involve obtaining valid prior user consent for advertising, analytics, and other functions. Consent will be particularly important as it contributes to enabling revenue generation.

Consent Mode supports the following Google services:

• Google Analytics
• Google Analytics 4
• Google Ads (Google Ads Conversion Tracking and Remarketing)
• Floodlight
• Conversion Linker

Consent Mode is also a valuable tool for organizations that want to enhance their consent-driven marketing and move away from outdated and questionably privacy-compliant strategies.

In addition to the legal requirements, Consent Mode brings benefits for data and revenue. Great user experience through a user-friendly UI and transparency consent information help optimize opt-in rates. This means more data, which is used to develop conversion insights to better understand user interactions, including those who do not provide consent.

For website operators using Google Analytics, Google Tag Manager or Google Ads, Consent Mode means on average getting over 70 percent of ad-click-to-conversion journeys back for advertisers.

Usercentrics CMP meets all of Google’s latest requirements and has been certified for use by Google customers operating in the EU, EEA and UK. Usercentrics CMP was one of the first certified by Google in May 2023 to meet their new requirements, and it was upgraded to support Consent Mode v2 in November 2023 when Google rolled out the change. Usercentrics CMP is also integrated with the TCF 2.2, another requirement by Google and for regulatory compliance for advertisers in Europe.

Usercentrics helps companies to achieve and maintain data privacy compliance with global regulations. However, it’s not just important to avoid fines, loss of brand reputation or damage to user trust today. The tech and legal landscapes are always changing, and Usercentrics is committed to ensuring companies are futureproofed as tools, requirements and user expectations evolve.

Companies need to stay focused on their core business, and Usercentrics CMP provides the user-friendly, flexible and scalable solution to provide privacy compliance peace of mind as your company grows.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.