Usercentrics CMPs were among the first consent management platforms certified by Google when it launched its CMP Partner Program in September 2022. Usercentrics CMP and Cookiebot CMP have now been awarded Google’s Gold Tier certification in the company’s CMP Partner Program.

This certification guides Google customers to select a consent management platform with outstanding customer support, meeting certain technical requirements and that Google customers can easily set up with Consent Mode.

As user privacy expectations continue to evolve, Google has recently updated its data privacy and consent requirements in Europe, the UK, and Switzerland. Consent mode receives your users’ consent choices from your cookie banner or widget and dynamically adapts the behaviour of Analytics, Ads and third-party tags that create or read cookies.

In addition to the Gold Tier certification, Usercentrics CMP and Cookiebot CMP are two of a small number of direct integrations currently available within the Google tag user interface inside of Google Ads, Google Analytics, and Google Tag Manager to provide this straightforward and user-friendly functionality.

“Privacy is a core part of marketing now. The Gold Tier certification means customers can choose a CMP with confidence to meet consent management needs in conjunction with their use of Google Services. The Usercentrics CMPs, accessible through all Google interfaces, make it more seamless than ever for SMBs to meet Google’s EU user consent policy requirements and grow digital marketing operations,” said Eike Paulat, Director of Product at Usercentrics.

Are you prepared for the latest trends in digital advertising? With the complexities of privacy in digital advertising evolving, it’s crucial to stay updated on how to leverage the newest tools and strategies effectively.

Watch our on-demand webinar recording to understand how to optimize ad performance while ensuring compliance with privacy standards. Learn from top PPC experts about Google’s Consent Mode and Customer Match to maximize your marketing ROI.

Why Watch?

Register now to access the recording and stay informed on how to navigate the complexities of privacy in digital advertising.

Small and medium-sized companies and digital marketing agencies must meet and maintain all of the same data privacy requirements that enterprise companies do, just with fewer resources. So, saving time and streamlining work for your campaigns is extra valuable.

As user privacy expectations continue to evolve, Google has recently updated its data privacy and consent requirements in Europe, the UK, and Switzerland, and is facilitating easier adoption of Google consent mode to help meet these requirements. Consent management platforms (CMPs) that are certified by Google, like the Usercentrics CMPs, can now be implemented right from the Google Ads, Analytics, or Tag Manager interface.

Digital marketers in EU markets can now take steps to ensure they can continue targeting ads, measuring conversions, and generating revenue while meeting Google’s European Union user consent policy.

Collect and signal user consent to meet Google’s requirements and prepare for the era of privacy-led marketing. Respect user consent preferences while continuing to use Google services for your marketing operations. Continue the success of your measurement, ad personalization, and retargeting features for your campaigns.

Start free trial

Usercentrics CMP implementation in the Google tag UI

Google consent mode should be used with a CMP to signal user consent information to Google services. All of the Usercentrics CMPs are certified to meet the necessary requirements by Google: web and mobile, and CookiebotTM Web CMP.

Now you can create your Usercentrics account, set up your consent banner, and enable Google consent mode v2. All in one place in just a few clicks.

What setup happens in the Google tag UI?

When you are logged into your Google Ads, Analytics, or Tag Manager account and click to set up the Usercentrics CMP, this is what happens:

What setup happens in the Usercentrics Admin Interface?

Once you’ve completed most of the setup in your Google Ads, Analytics, or Tag Manager account, this is what you will finish up in your Usercentrics account using the Admin Interface:

Setup Guide
2.18

We need your consent to load the YouTube Video service!

We use a third party service to embed video content that may collect data about your activity. Please review the details and accept the service to watch this video.

powered by Usercentrics Consent Management Platform

Find all the instructions for the Usercentrics CMP setup in your Google Ads, Analytics, or Tag Manager account here

“It’s now easier and more seamless than ever for SMEs to meet Google’s requirements and limit disruption to their digital marketing operations.” – Eike Paulat, Director of Product at Usercentrics

Benefits of Usercentrics CMP for Google customers

In addition to being Google-certified, Usercentrics Web and App CMPs have integrated the latest version of Google consent mode and the TCF v2.2. Usercentrics CMP also provides marketers with the following benefits for great user experience and streamlined consent management for a better privacy experience and optimizing campaigns:

Enroll for free

On April 4, 2024, Kentucky became the fifteenth state in the United States to enact a consumer privacy bill with the passing of House Bill 15, the Kentucky Consumer Data Protection Act (KCDPA). The law goes into effect on January 1, 2026 and gives organizations close to two years to prepare for compliance.

We look at the KCDPA, who it applies to, how it protects consumers, and how organizations can prepare for compliance.

What is the Kentucky Consumer Data Protection Act?

The Kentucky Consumer Data Protection Act (KCDPA) aims to protect the privacy and personal data of the state’s 4.5 million residents by regulating how it is collected and used. It sets obligations on businesses that operate in Kentucky or produce products or services consumed by its residents and process their personal data.

The KCDPA protects the personal data of residents acting in “an individual context” and not for commercial or employment purposes and defines them as “consumers”.

Like most other US states with consumer privacy laws, Kentucky follows an opt-out consent model. Businesses must clearly explain to consumers:

Definitions under the Kentucky Consumer Data Protection Act

The KCDPA defines key terms concerning the data it protects and data processing activities.

Personal data under the KCDPA

The Kentucky privacy law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition specifically excludes de-identified data or publicly available information.

Common types of personal data that businesses collect include name, phone number, email address, account name, IP address, passport number, or driver’s license number.

Sensitive data under the KCDPA

Sensitive data under Kentucky’s privacy law is personal data that could harm consumers if abused and includes:

Consent under the KCDPA

The Kentucky data privacy law defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”

Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

Controller under the KCDPA

A controller under the law is “a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.“

A controller, often referred to as a “data controller” in some regulations, is responsible for protecting personal data and must comply with the legal requirements for data protection.

Processor under the KCDPA

A controller may share personal data it collects with a third party for processing purposes. This third-party is known as a processor under the Kentucky privacy law and is defined as “a natural or legal entity that processes personal data on behalf of a controller.”

Sale of personal data under the KCDPA

The Kentucky privacy law defines sale of personal data as “the exchange of personal data for monetary consideration by the controller to a third party.“

Sale does not include disclosure of personal data:

Many other US state-level privacy laws define sale as the exchange of personal data “for monetary or other valuable consideration” by the controller or third party. The KCDPA, like the Virginia Consumer Data Protection Act (VCDPA) and the Utah Consumer Privacy Act (UCPA), requires monetary consideration for the exchange of personal data to be considered sale.

Non-monetary consideration does not constitute sale under the Kentucky privacy law.

Targeted advertising under the KCDPA

The KCDPA defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict that consumer’s preferences or interests.”

The definition excludes:

Who must comply with the Kentucky Consumer Data Protection Act

The Kentucky privacy law applies to businesses that operate in the Commonwealth of Kentucky or produce products or services aimed at its residents and which, during a calendar year:

or

Unlike some other US state laws, including the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), the KCDPA does not require businesses to comply based on revenue alone.

Exemptions to compliance with the Kentucky Consumer Data Protection Act

The Kentucky data privacy law exempts certain entities and types of data from compliance. Entity-level exemptions include, among others:

Data-level exemptions include, among others:

Consumer rights under the Kentucky Consumer Data Protection Act

Consumers have several rights under the Kentucky privacy law to protect their personal data.

There is no private right of action — or right to directly sue a controller — under the KCDPA.

Check your KCDPA compliance risk level with a data privacy audit.

Get started

Controllers’ obligations under the Kentucky Consumer Data Protection Act

Organizations subject to KCDPA compliance have several obligations under the law to protect consumers’ personal data.

Privacy policy under the KCDPA

Controllers must publish a privacy notice, or, similarly, privacy policy, that informs consumers about:

Controllers must clearly inform consumers if they sell personal data to third parties or process it for targeted advertising purposes. Unlike the CCPA, Florida Digital Bill of Rights (FDBR), and Texas Data Privacy and Security Act (TDPSA), the Kentucky privacy law doesn’t require any specific wording to be used to disclose this information. Controllers must also advise consumers how they can opt out of sale or processing for targeted advertising.

The privacy notice must be accessible, clear, and meaningful. It is usually published through a link on the controller’s website, like in the footer, to ensure that consumers can access it from any page.

Consumer rights requests under the KCDPA

Controllers must provide one or more secure and reliable methods for consumers to exercise their rights. Consumers may be asked to log in to an existing account for identity verification, but they can’t be required to create a new account solely for this purpose.

Controllers have 45 days to respond to consumer requests, with the option to extend this period by another 45 days if reasonably necessary. If they need an extension, the controller must inform the consumer before the initial 45-day period expires.

If the controller is unable to reasonably verify the consumer’s identity, they may request additional verification or decline the request. In cases where a request is declined, the controller must notify the consumer within 45 days of receiving the request, providing the reason for the denial and information on how to appeal the decision. Controllers must respond to appeals within 60 days. If an appeal is denied, the controller must provide the consumer a method to contact the Attorney General online to submit a complaint.

Purpose limitation under the KCDPA

Controllers are required to disclose the purpose(s) for which they collect personal data, and the KCDPA requires them to limit the personal data they collect to only what is “adequate, relevant, and reasonably necessary” for the purposes.

Controllers cannot process personal data for any purposes other than those that are disclosed to consumers. If the purpose of data processing changes, they must inform consumers about the new purpose and obtain consent for processing their data, if applicable.

Data security under the KCDPA

Controllers must ensure the confidentiality, integrity, and accessibility of the personal data they collect and process. The Kentucky data privacy law requires them to establish, implement, and maintain reasonable administrative, technical, and physical security measures that are appropriate to the volume and nature of the personal data.

Data protection assessments under the KCDPA

The Kentucky privacy law requires controllers to conduct and document a data protection impact assessment (DPIA) when processing personal data:

DPIAs are classified information under the law and are exempt from disclosure, public inspection, and copying. However, the Attorney General can request the controller to disclose a DPIA during its investigations into any alleged violations, and the controller must make it available in this circumstance.

If a controller has already conducted a DPIA for other laws or regulations, and it is similar in scope and effect to what is required under the law, the controller can use that DPIA to comply with the KCDPA.

DPIAs shall be required for data processing activities on or after June 1, 2026.

Consent requirements under the KCDPA

The KCDPA primarily follows an opt-out model for personal data processing, like the other US state-level data privacy laws. This means that, in most cases, businesses can collect and process personal data without needing prior consumer consent. An exception to this is processing that involves sensitive data, and controllers must obtain explicit consent before its processing.

Controllers are required to clearly inform consumers about their data processing activities and provide options for consumers to opt out of the sale of their personal data and its use for targeted advertising or profiling.

Unlike several other privacy laws, the Kentucky privacy law does not require controllers to recognize consumer consent preferences communicated through a universal opt-out mechanism such as Global Privacy Control (GPC).

With respect to children’s data, the KCDPA aligns with the Children’s Online Privacy Protection Act (COPPA), as is standard among the US data privacy laws. This requires controllers to obtain consent from a parent or guardian before processing any personal data of children under 13 years old, as the Kentucky privacy law considers all personal data of children under this age as sensitive data.

Nondiscrimination under the KCDPA

The KCDPA explicitly prohibits businesses from discriminating against consumers who exercise their rights under the law. Businesses cannot deny goods or services, charge different prices, or offer varying quality levels to these consumers. However, they may offer different prices, rates, levels, quality, or selections of goods or services to consumers if the offer is related to a voluntary loyalty, rewards, premium features, discounts, or club card program in which the consumer participates.

If a consumer chooses not to allow their personal data to be collected, processed, or sold, businesses cannot deny them access to their website. However, certain website features requiring essential cookies may not function properly if those cookies are declined. This limitation is not considered discrimination under the law.

Businesses are not required to offer a product or service that requires personal data they do not collect or maintain. They are also required to comply with state and federal discrimination laws and cannot process personal information in violation of these laws.

Data processing agreement under the KCDPA

The Kentucky privacy law requires controllers and processors to enter into contracts that govern data processing procedures. This contract is known as a “data processing agreement” under the European Union’s General Data Protection Regulation (GDPR) and Virginia’s CDPA and must include:

Processors must ensure confidentiality of the personal data and that, at the controller’s direction or when the contract is complete, all personal data will be deleted or returned to the controller.

Under most data privacy laws, controllers are held accountable for the data processing actions, breaches, and violations by processors. However, the KCDPA provides two exceptions:

The Nebraska Data Privacy Act (NDPA) contains a similar provision regarding controllers’ ultimate accountability for data processing activities.

Enforcement of the Kentucky Consumer Data Protection Act

The Kentucky Attorney General has the exclusive enforcement authority under the KCDPA. Consumers do not have a private right of action, but they can report potential violations or denials of their privacy rights directly to the Attorney General’s office.

Before initiating an enforcement action, the Attorney General must provide written notice to the implicated party, detailing the alleged violations and offering a 30-day cure period for organizations to address and resolve any issues. This cure period, which is a permanent aspect of the law, enables companies to rectify problems and implement measures to prevent future breaches.

Organizations found in violation must inform the Attorney General in writing of their corrective actions and confirm that future breaches will not occur.

Fines and penalties under the KCDPA

The Attorney General can initiate a civil action seeking damages against organizations that do not cure the violation within the 30-day period or breach the written statement they provide. Violations of the Kentucky privacy law may result in civil penalties of up to USD 7,500 per violation.

Consent management and the Kentucky Consumer Data Protection Act

The KCDPA adopts an opt-out model for data privacy, which allows businesses to collect and process personal data without requiring prior consent from individuals. However, exceptions are made for sensitive personal data and data belonging to children, where prior consent is mandatory. This approach is consistent with other US state-level data privacy laws.

Consumers must be able to opt out of data collection and processing for purposes such as sale, targeted advertising, or profiling. Businesses are required to make this opt-out option clearly available on their websites, usually through the privacy policy or privacy notice.

Websites often use consent banners on their websites that include clear links or buttons enabling users to opt out of data processing. Consent management platforms (CMPs) like Usercentrics CMP automate this process by managing cookies and other tracking technologies, ensuring they are blocked until the consumer gives consent, where this is required by law. CMPs also provide transparent information about the types of data collected, the purposes for which it is collected, and any third parties with whom the data is shared.

In the absence of a single federal privacy law in the US, businesses operating across the US and/or internationally may need to comply with various state and international privacy laws. CMPs assist by customizing cookie banners based on the user’s location, ensuring adherence to state-level laws like the KCDPA and international regulations like the GDPR.

Preparing for the Kentucky Consumer Data Protection Act

Businesses operating in Kentucky have until 2026 to comply with the KCDPA. Companies already adhering to privacy laws in other states will find that much of their existing compliance work aligns with the KCDPA requirements. Businesses that meet the compliance thresholds set by the law must be prepared to offer users clear opt-out options and accessible privacy notices. Implementing privacy by design improves all aspects of organizational operations, not just compliance with regulations.

As the KCDPA adapts to new technologies and shifting consumer expectations, it is strongly recommended for businesses to seek guidance from a qualified legal professional or data privacy expert, such as a Data Protection Officer, to achieve and maintain compliance.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Google requirements for its customers in 2024, including the use of Consent Mode v2, introduces yet another layer to an already tall stack of user privacy requirements. This can be daunting for businesses that need to comply but don’t necessarily have a significant amount of time, money, or expertise to invest in doing so.

Fortunately, many of Google Consent Mode’s requirements overlap with those of the General Data Protection Regulation (GDPR), Digital Markets Act (DMA), and others, so meeting its criteria can move you toward privacy compliance with multiple regulations.

Adhering to the rules set requiring the use of Google Consent Mode will help ensure that you can still collect and use valuable customer data and retain access to all of the Google services features your business relies on, while operating with transparency and building trust with your users.

This in-depth guide will help you better understand what Google Consent Mode is, what Google’s requirements mean for your business, and how you can best meet those requirements in a way that enables your continued success.

The latest version of Google Consent Mode was designed to enable websites to communicate users’ cookie consent choices to various Google tags that help measure website and advertising performance.

The tool was initially used primarily for anonymized data tracking. However, its intent and use have evolved, and today Google Consent Mode v2 functions more as a signaling tool.

“Google Consent Mode allows websites to adjust the Google tag behavior based on user consent for ads and analytics, ensuring compliance with laws like the DMA. It dynamically manages data collection, using signals that can employ data modeling to fill gaps when consent is denied. Let’s use the cookie banner as an example: When a user visits a website, a cookie banner asks for consent to use cookies and based on the user’s choice, Consent Mode will adjust the behavior of Google tags”

Following the latest updates, website operators can continue to meet compliance requirements, integrate systems, and respect users’ consent choices automatically with a consent management platform (CMP) like Usercentrics CMP, which comes with Consent Mode integrated, or directly with the global site tag (gtag.js) or Google Tag Manager (GTM).

A user’s consent choices, recorded in the CMP, determine whether Google collects and processes their full data or anonymized data that can’t personally identify them.

One of the primary reasons to use Google Consent Mode v2 is to achieve or maintain compliance with global data privacy regulations, including the General Data Protection Regulation (GDPR).

The Digital Markets Act (DMA) only requires designated “gatekeepers” like Alphabet (which owns Google) to comply, but in order to do so the company needs to require the business customers using their services, and collecting users’ personal data, to also meet compliance requirements.

“The biggest adjustments are the additional storage types for more granular advertising options regarding whether user data can be used for advertising purposes. The more granular options support Google’s conversion optimization and with that monetization through ads in general”

User consent and online ads

User consent is a necessity for online advertising under many global privacy regulations, as it allows you to compliantly gather user data and use it to promote your product to customers who are already in your marketing funnel.

The data you collect enables you to deliver relevant, personalized ads to users to enhance their interactions with your brand and increase the effectiveness of your campaigns.

With the proper implementation of Google Consent Mode v2, you can ensure that your users have full control over their data and how it’s used across digital spaces. This will help you to build trust with your customers, making them more inclined to trust you with their data and personalization actions, while helping to enable compliance with data privacy regulations like the GDPR, DMA, and others.

What services does Google Consent Mode v2 support?

Google Consent Mode currently supports the following Google services:

It’s a simple, convenient customization tool and another way to stay one step ahead of evolving legal and technology needs for data privacy compliance.

Google Consent Mode has a multitude of features that can bolster compliance efforts and enhance your business operations. Here are some of its key advantages:

“It is important because without Consent Mode website operators’ tracking capabilities will be highly limited by Google. But there is not just a downside: Google also provides the upside of using AI to recreate conversions and therefore making analytics and advertising possible, even without full consent.”

Google tags are loaded onto web pages before the cookie consent banner appears, so Google Consent Mode enables websites to dynamically adjust the behavior of these tags once a user allows or rejects cookies. Measurement tools will only be used for specifically determined purposes if the user has given consent.

Google Consent Mode features two tag settings to manage cookie behavior based on user consent choices:

Google Consent Mode v2 introduced two additional tag settings that are based on the same trigger as ad_storage:

Website owners can also leverage conversion modeling to gather insights from anonymized data collected from users who reject cookies. This feature helps businesses gather essential data and marketing insights to fill in data gaps and understand user behavior without compromising on privacy.

A consent management platform can enable you to seamlessly collect user consent preferences and transmit them to Google services for further processing.

With Usercentrics CMP, you can automate detecting and categorizing all cookies and trackers in use on your site. Then with that information in the CMP user interface, users can accept all cookies, reject all (except strictly necessary cookies), or accept some cookies while rejecting others.

Users’ privacy preferences are maintained at every step, and companies still have access to sufficient information to maintain their ability to make data-driven decisions.

Find out how to meet Google’s EU privacy requirements

Download for free
Google CMP Partner

Basic vs advanced consent mode in v2

Google Consent Mode v2 introduces two levels of consent handling: Basic and Advanced. Each of these levels is designed to meet different operational needs and regulatory requirements.

Basic Consent Mode:

Advanced Consent Mode:

Google Analytics Consent Mode

Google Analytics Consent Mode for GA4 uses the analytics_storage tag to manage how GA4 cookies behave based on user consent.

When a user gives consent for analytics cookies, GA4 will collect full data from the user for statistical or analytical purposes.

Conversely, when a user rejects analytics cookies, GA4 limits the data it collects to information that can’t personally identify the user, including their browser or operating system and the referrer, or how the user came to the website.

Consent Mode for Google Ads

Google Consent Mode v2 uses the ad_storage tag to manage how Google Ads cookies behave based on user consent.

If a user gives consent for advertising cookies, Consent Mode for Google Ads will collect full data from the user for marketing or advertising purposes.

Where a user rejects cookies for advertising purposes, Google tags will not use advertising cookies and any Google Ads the user sees will not be targeted or personalized based on their data.

Read next: Google Ads, GA4 and consent management

What is conversion modeling?

Data from cookies is useful to help website owners track and identify users, study user behavior on their website and see the effectiveness of their ad campaigns and messaging in converting users to customers, among other things.

When users consent to cookies, gathering comprehensive data becomes straightforward and makes precise ad targeting and data analytics easier. When users reject cookies, these are a little harder to do so since the data collected is restricted and anonymized, causing gaps in the analytics.

Google uses Machine Learning to fill in the gaps with conversion modeling. It studies data and trends from users who consented to cookies and estimates the behavior of users who reject cookies with the help of this data.

Conversion modeling helps ensure that businesses using Google Analytics Consent Mode data can still gain valuable insights and optimize their marketing strategies, even when full consent data is unavailable.

To maintain access to all of Google’s analytics and advertising services, you need to implement Google Consent Mode on your website if you’re doing business in the EU, UK, or Switzerland. There are two options for how you implement it.

The most straightforward solution is to use a CMP with Google Tag Manager. Another option is to have your tech team integrate it directly into your website with the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF 2.2).

Google Consent Mode and Google Tag Manager

Google Consent Mode can be integrated with Google Tag Manager in two ways, depending on whether the website owner uses a CMP.

Once Google Consent Mode and Google Tag Manager are integrated, user consent choices in the CMP’s displayed consent banner are passed on to Google Tag Manager, which then governs how cookies behave for a user’s visit.

This integration helps ensure that all tags and tracking tools comply with user consent preferences to help businesses balance effective data collection and privacy compliance.

While integrating Google Consent Mode without a CMP allows for more flexibility, it demands more technical expertise and ongoing maintenance. Using Usercentrics CMP, on the other hand, simplifies this process by ensuring that user consent preferences are automatically communicated to Google.

Google Consent Mode v2 and the TCF 2.2

Google Consent Mode has been updated especially for websites where user consent is not obtained within the scope of the IAB Transparency and Consent Framework (TCF) with their CMP.

For companies actively using the IAB TCF 2.2, Google Tools will continue to read out and respect the IAB TC String. This means that all Google services, including Google Analytics and Google Ads, will honor the consent preferences specified in the String to help ensure that a user’s choices are applied across all integrated tools and services.

Leverage the TCF v2.2 for privacy compliance, revenue growth and great cross-platform user experience with Usercentrics CMP

Learn more

How to implement Google Consent Mode with the Usercentrics CMP

Implementing Google Consent Mode with the Usercentrics CMP solution as an alternative to prior blocking can be done in a single step. Existing customers and those with custom Data Processing Services should note the additional information below.

✔ Adjust the existing Google Tag Manager code by adding a few lines of code above your Google Tag Manager tag.

✔ If you are an existing customer, ensure the Google Consent Mode option is toggled ON in the Usercentrics Admin Interface.

✔ For new customers, Google Consent Mode is ON by default.

✔ If you have custom Data Processing Services, use the Usercentrics CMP events to signal the consent status via the Consent Mode API.

There is also a convenient feature that automates the process of enabling Google Consent Mode in Usercentrics CMP. Get it up and running in two easy steps.

Integrate Google Consent Mode v2 with Usercentrics CMP to collect valid user consent from EU/EEA users and adhere to Google’s user consent policy.

Learn more
Google CMP Partner

Google Consent Mode does not replace a CMP; it serves as a link between the CMP and Google services. This has become increasingly important since enforcement of the Digital Markets Act (DMA) began in the EU in March 2024, and the gatekeepers have levied stricter requirements on their business customers.

With Google (via parent company Alphabet) designated one of the seven gatekeeper companies under the DMA, to ensure end to end privacy compliance in its business ecosystem, third-party customer companies using Google services will need to achieve valid privacy compliance and signal consent to tracking, particularly for advertising purposes.

Google Consent Mode is an integrated tool that enables Google services to run on websites based on the types of consent collected from website users, without requiring Google to have direct access to personal data or denying companies access to information they need to drive conversions.

However, obtaining user consent remains the website operator’s responsibility, and Consent Mode doesn’t work as a standalone. With the help of a CMP, you can collect granular user consent for all cookies and tracking technologies in use on the site in accordance with the GDPR and other data privacy laws.

By pairing the Consent Mode API with the Usercentrics CMP, websites can indicate if the user has given consent for cookie usage related to analytics, advertising, or both. The supported Google tags will respect this signal and adjust their behavior accordingly, only using cookies if consent was granted for the specific purposes.

For example, if the website user decides to reject the use of cookies or trackers for certain marketing technologies, Google Consent Mode will react based on this consent status and will only display purely context-based advertising to that person on the website, without any personalization. This enables companies to meet regulatory requirements while still respecting users’ privacy choices.

Data privacy laws like the GDPR, Brazil’s LGPD, and more provide individuals online with protection and control over their personal data, who has access to it, and how it’s used. As technologies evolve, the average person creates more and more data online every day.

Laws like the GDPR require prior consent for access to and processing of that personal data, which can reveal a great deal about individuals — some of the information being quite sensitive. Without consent, people’s privacy could also be violated without their knowledge for the benefit of companies using their data.

This way, businesses can still obtain and use personal data, and in many cases do so to create better experiences for their customers, but only with individuals’ consent, and only within the parameters of what those people have agreed to or the law allows.

Learn more: 7 Criteria for GDPR-compliant consent

Consumers are also increasingly aware of the value of their data, their rights, and the collection and use of their data online by companies.

This means that companies that want to build and retain user trust and develop long-term engagement must give users choices around whether or not to be tracked using transparent, user-friendly notices about their privacy compliance and data collection practices, as well as employing compliant consent mechanisms.

Proactively embracing consent-based marketing helps protect companies’ revenue and brand reputation while helping to future-proof growth and helping them to get ahead of their competitors.

The future of digital marketing includes a focus on driving revenue by optimally leveraging technologies that address companies’ responsibilities and serve users’ needs. In an era when consumers have more and more choices and the ability to leave companies that don’t provide great experiences, companies can no longer rely on dominant market positions or limited alternative options.

Companies can evolve their marketing efforts with smart, data-driven decisions by using tools like Google Consent Mode v2 and integrating them with a robust CMP to help ensure compliance and use data effectively.

According to Google, if a user doesn’t provide consent to tracking via G4A (analytics_storage: denied), all data will be anonymized. Google will not collect any personally identifiable information when a user has denied consent, so the data will be captured without a client ID and recorded in aggregated form.

Additionally, if the placement or reading out of advertising cookies is prevented (ad_storage: denied), the main processing purposes for which user consent is usually obtained will no longer be active. This helps to ensure that any data collected is not used for personalized advertising, in line with the GDPR’s requirements.

Can these technologies be used without user consent?

Anonymized data — like the information that Google tags collect when a user rejects tracking — is not considered to be personal data under the GDPR and therefore can be used without consent.

Here, it’s important that website operators ensure that users are able to easily reject tracking and also guarantee that data collected after this rejection:

Google Consent Mode v2 ensures that if a user denies consent, only non-identifiable information is collected. Data is anonymized and aggregated to provide a generalized view of user behavior rather than specifics. Plus, the tool prevents the transfer of data to third parties and countries, unless express consent is given.

These factors help to ensure that Google Consent Mode v2 complies with the provisions of the GDPR, enabling companies to collect data from anonymous users even without consent.

Learn why a Google-certified CMP like Usercentrics is essential for serving ads in the EU and EEA.

Learn more
Google CMP Partner

With valid consent collection from website users, advertisers can continue to optimize opt-ins, measure conversions, and retrieve analytics insights with Google Consent Mode v2 while achieving and maintaining GDPR compliance.

Google Consent Mode seamlessly combines the protection of users’ data with companies’ and the advertising industry’s interests, so you can collect customer data to enhance your marketing efforts while protecting user privacy.

The simplest way to obtain granular, GDPR-compliant user consent for the use of cookies and other tracking technologies is via a CMP.

Usercentrics CMP gives users granular control over their data privacy preferences via a brand-aligned consent notice, helping you to comply with major privacy regulations while building customer trust.

A flexible solution to optimize consent rates and comply with ever-changing regulations

Learn more

Navigating the complexities of GDPR compliance can be challenging, especially when managing cookies and tracking tools on your website. Google Tag Manager (GTM) provides a streamlined solution for handling various marketing and analytics tags. However, ensuring it aligns with stringent data protection laws requires careful setup and management.

We’ll explore how to use GTM effectively while staying compliant with global privacy regulations like the GDPR. We’ll discuss the role of Google Consent Mode, the importance of a consent management platform, and practical steps for configuring GTM to respect user consent.

Whether you’re new to GTM or looking to optimize your current setup, this guide will help you balance data collection needs with user privacy rights.

What is Google Tag Manager?

At its core, Google Tag Manager (GTM) is like a control center for your website’s tracking and marketing tools.

Google Tag Manager is a free tool that enables companies to manage and deploy marketing and analytics tags on their websites or mobile apps without modifying the code. It acts as a centralized system where one can add, edit, and manage various tracking codes and snippets, known as “tags,” from a web-based interface.

Imagine you’re running an ecommerce website and want to track user interactions, analyze traffic sources, and measure conversions. Instead of manually adding separate code snippets for Google Analytics, Google Ads, Facebook Pixel, and other tools directly to your website’s code, you would add a single GTM container code to your site.

Then, using the GTM interface, you can set up and manage all these different tags, defining when and where they should fire based on specific triggers, like page views, button clicks, or form submissions. This approach simplifies tag management, reduces the risk of errors, and enables marketers to make changes quickly without having to constantly rely on web developers to modify the site’s code.

In GTM, there are tags and triggers. Tags are the actual snippets of code you want to run on your site, while triggers determine when these tags should fire. For example, you might set up a Google Analytics tag to track pageviews, with a trigger that fires on all pages. You could also have a conversion tracking tag for Google Ads, with a trigger that only fires when a user reaches the “Thank You” page after completing a purchase.

Does Google Tag Manager use cookies?

The Google Tag Manager code does not use cookies. The one exception is when using GTM’s Preview and Debug mode, where it sets several first-party cookies essential for the preview functionality. These cookies are only set for administrators using the Preview mode and are deleted once you exit it.

While GTM doesn’t use cookies itself, it can be used to implement tags from other tools, like Google Analytics, that do set and use cookies. These third-party tools implemented via GTM are likely to store cookies and process personal information.

Therefore, the tags you implement through GTM may set and use cookies. This is why it’s vital to have proper Google Tag Manager cookie consent mechanisms in place, especially for compliance with privacy regulations like the General Data Protection Regulation (GDPR).

Google Tag Manager and cookie consent

Google Tag Manager doesn’t directly require cookie consent because it doesn’t set cookies, and so doesn’t collect personal information.

However, some tags added through Google Tag Manager may use cookies to track how users interact with a website. For example, Google Analytics uses cookies to collect information about user behavior, such as pages visited, time spent on site, and conversion actions.

Thus, obtaining Google Tag Manager cookie consent is a best practice and potentially necessary to meet GDPR and CPRA regulatory requirements. However, this depends on your marketing tools setup and operations.

Is Google Tag Manager GDPR-compliant?

Google Tag Manager itself is not inherently GDPR-compliant or non-compliant. Its compliance status depends on how it’s used and configured.

By default, GTM does not set cookies or collect personal data on its own. However, it’s commonly used to implement tags from other services, like Google Analytics or advertising pixels, that use cookies and collect personal data. These third-party tags implemented through GTM may require consent under the GDPR.

To use GTM in a GDPR-compliant manner, website owners need to take several steps:

GDPR data processing using Google Tag Manager

Google Tag Manager (GTM) can play a crucial role in GDPR compliance for websites that use it to manage tracking and marketing tags. As it often deploys scripts and tags that collect personal data. Thus, website owners must ensure that tags implemented through GTM only fire after obtaining proper user consent, in line with GDPR requirements. Under the regulation, website owners are responsible for ensuring that all data processing activities, including those facilitated by GTM, comply with GDPR stipulations.

One key aspect of GDPR compliance in GTM is data minimization. This involves carefully auditing all tags and scripts deployed through GTM to ensure they only collect necessary data. Website owners should regularly review their GTM container to remove any redundant or excessive data collection points.

Another important consideration is the principle of purpose limitation. Each tag in GTM should have a clear, documented purpose for data collection. This documentation can be maintained within GTM using notes and descriptions for tags and triggers, creating an audit trail demonstrating GDPR compliance efforts.

Navigating consent management with Google Tag Manager

To address privacy regulations like the GDPR and CCPA, GTM offers a Consent Mode framework that enables website owners to adjust tag behavior based on user consent status.

The Consent Mode in GTM supports various consent types for different data collection purposes, such as advertising, analytics, and personalization. Website owners can create Consent Initialization triggers to ensure consent settings are applied before other tags fire. Individual tags can also be configured with specific consent requirements, enabling granular control over data collection practices.

In addition, GTM integrates well with leading consent management platforms, making it easier to implement comprehensive consent solutions.

By leveraging these tools, website owners can ensure their data collection practices comply with global privacy regulations while still gathering valuable insights.

Google Tag Manager and Google Consent Mode

Google Tag Manager and Google Consent Mode work together to help websites manage user consent and comply with privacy laws like the GDPR. Google Consent Mode adjusts Google tags based on user consent status. When used with GTM, it enables precise control over when tags fire and how data is collected.

With this setup, website owners can set default consent states for purposes like analytics, ad storage, and personalization. Tags are configured to respect these consent states, running fully, partially, or not at all based on user choices. This allows data collection to continue in a privacy-respecting manner even if full consent isn’t given.

GTM simplifies implementing Consent Mode by offering built-in variables and triggers for consent management. Website owners can create conditions for tag firing, ensuring tags only execute with the proper consent. This integration helps maintain compliance with privacy laws and improves user experience by respecting privacy preferences while still gathering necessary data.

We’ve put together a checklist to help you obtain valid user consent for privacy compliance.

Learn more

The consequences of GDPR noncompliance when using Google Tag Manager

Noncompliance with the GDPR when using Google Tag Manager can have severe consequences for businesses.

The penalties for violations can be substantial, with fines of up to EUR 20 million or 4 percent of global annual revenue, whichever is higher, for repeat or particularly serious violations.

Beyond the financial impact, companies can suffer significant reputational damage as customers become increasingly aware of and concerned about their data privacy rights. A breach or misuse of personal data can lead to negative publicity, loss of consumer trust, and a subsequent decline in sales and customer acquisition.

Lastly, non-compliant companies may face legal action from affected parties in jurisdictions that allow it, resulting in costly and time-consuming legal proceedings.

How a consent management platform can help with GTM GDPR cookie consent

A consent management platform is helpful for organizations using Google Tag Manager to comply with the GDPR for cookie consent. These platforms help websites collect, manage, store, and signal user consent (e.g., with Google Consent Mode) as required by data protection laws.

Integrating a CMP like Usercentrics’ with GTM makes it easier to obtain legally compliant cookie consent through features like customizable banners, an extensive data processing services database, and multi-language support. This helps to ensure transparent consent collection and enables users to easily modify or withdraw their consent.

Usercentrics CMP also tracks and records consent preferences, providing a centralized repository that can be used to demonstrate compliance in the case of a regulatory audit or if a user requests a copy of their personal data, including consent history.

By automating consent management for GTM, CMPs help businesses meet GDPR requirements and build user trust by giving individuals greater control over their data.

Usercentrics CMP and Google Tag Manager cookie consent

Usercentrics understands how important data privacy is to both your business and your customers. That’s why our solution can help you obtain and manage user consent effectively within Google Tag Manager.

Usercentrics CMP integrates seamlessly with GTM using a data layer variable, enabling smooth communication between your GTM settings and the CMP. This integration allows for automated tag management, ensuring that only tags corresponding to consented purposes are fired, respecting user privacy preferences.

Usercentrics also generates customizable consent banners that can be easily implemented through GTM, enabling users to provide granular consent for different types of cookies and data processing purposes.

Experience what Usercentrics CMP can do for you. Sign up for a free trial today

Start your free trial
Video Preview

We need your consent to load the YouTube Video service!

We use a third party service to embed video content that may collect data about your activity. Please review the details and accept the service to watch this video.

powered by Usercentrics Consent Management Platform

Date: 31 July 2024
TIme: 4 pm
Duration: 1 hour

Join us as we speak to Head of Policy Team and In-house Product & Privacy counsel at Wix about how SMB websites can achieve GDPR compliance. Data privacy is not something small and medium sized businesses should ignore. Data privacy legislation is expanding around the globe and consumers are more aware of their data rights than ever.

If you have a website that is collecting personal information you need to consider data privacy. But no need to worry! In this episode we break down all of the considerations you need to make for your website and give actionable advice on the things you can do to enable compliance.

Watch it here Listen on Spotify

What you’ll learn

Who should watch?

¹The podcast partner is Wix

Google checklist: your toolkit for compliance with the new consent requirements in Switzerland

As Google expands its EU user consent policy to include Switzerland, it’s crucial for Swiss businesses to stay informed and become or maintain compliance. Our exclusive checklist provides a clear roadmap to understand the new requirements and provides actionable steps to achieve compliance before the 31 July 2024 deadline.

Who this checklist is for

Why you should download our Google checklist

❓When is Google’s deadline?

✅ Enforcement starts 31 July 2024.

❓What regions are included in the requirements?

✅ Online users residing in Switzerland to whom companies target advertising.

❓What are the new requirements?

✅ Businesses using Google advertising and/or monetization products are required to obtain Swiss users’ consent for the use of cookies or other local storage where legally required, as well as for the collection, sharing, and use of personal data for the personalization of ads.

❓Do the new requirements apply to all publishers and advertisers targeting Swiss traffic?

✅ No. The new Google consent requirements in Switzerland mandate the use of a Google-certified CMP that fully supports the Transparency and Consent Framework (TCF) for publishers.

✅ For advertisers that don’t monetize their platforms with digital ads, the only requirement is to obtain consent from Swiss users where legally required.

❓What are the requirements for verifiable consent under Google’s EU user consent policy?

✅ Based on existing requirements from regulations like the Swiss Federal Act on Data Protection (FADP), which is compatible with the General Data Protection Regulation (GDPR).

The main requirements for third parties using Google services:

and

❓What Google services are included in the requirements?

✅ Google’s advertising platforms or services, like AdSense, AdMob, Ad Manager, Google Ads, Google Analytics, or Google Marketing Platform.

✅ Personalization features on these platforms.

❓I am a publisher. What do I need to do to become compliant?

✅ Implement a Google-certified Consent Management Platform (CMP) for the TCF, such as Usercentrics CMP.

✅ Activate the Transparency and Consent Framework (TCF) v2.2 on your CMP.

✅ Use your CMP to obtain prior consent from users to collect their personal data for advertising purposes.

✅ Consider implementing the latest version of Google Consent Mode for additional marketing benefits.

❓I am an advertiser. What do I need to do to become compliant?

✅ Obtain consent from Swiss users where legally required.

💡 For now, you’re not expected to send a verified consent signal for Swiss traffic through Google Consent Mode — a requirement already in force for EU/EEA audiences — but this may change in the future.

❓How do I collect valid consent with Usercentrics CMP?

✅ Start with one of Usercentrics CMP’suser-friendly templates, or fully customize your banner design and messaging.

✅ Set up the CMP for all regulations relevant to your business.

✅ The Usercentrics CMP consent banner enables users on websites to record their consent preference for use of their personal data with the click of a button.

✅ Website users can also revoke consent or update their preferences at any time.

✅ Consent information is securely stored in the event of an audit or data subject access request.

❓How does Usercentrics CMP integrate with the IAB TCF 2.2?

Usercentrics CMP integrates with the IAB’s Transparency and Consent Framework 2.2 via an extra panel in the consent banner of websites registered with the IAB. From Ad Settings, end users can choose between IAB Purposes and Vendors before submitting their consent.

❓How do you set up Usercentrics CMP with Google Consent Mode?

  1. Create an account and add your domain.
  2. Select and customize your banner.
  3. Implement the code into your website. Done!

For detailed instructions on how to set up and implement the Usercentrics consent banner with the IAB TCF v2.2 integration enabled, check our documentation.

❓Is Google Consent Mode v2 implementation included in the new requirements?

✅ Not for now.

✅ You should consider implementing Consent Mode v2 for additional marketing benefits, such as analytics and conversion modeling. It also helps you avoid losing marketing data due to users declining consent.

Get Usercentrics CMP to achieve compliance with Google’s CMP requirements in Switzerland

By using Usercentrics CMP IAB Framework (TCF v2.2) integration as your website’s consent management platform, you can ensure compliance with Google’s new consent requirements for Swiss traffic.

With Usercentrics CMP, advertisers and publishers can also ensure compliant data collection and processing across the board.

On your website or app, with our mobile app CMP SDK

Start your 30-day free trial

Google started making announcements and began changes relating to phasing out third-party cookies some time ago. Cookieless solutions typically refer to the end of third-party cookie use, but not the end of every type of cookie or tracker. Given the company’s dominant market share, the final deprecation of third-party cookie use in the Chrome browser will mark a significant milestone in the evolution of data processing and digital marketing.

Expert Insights

“Once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.”

David Temkin
Director of Product Management, Ads Privacy and Trust at Google

Google has also been rolling out new data privacy-related requirements for its customers, spurred in good part by requirements in regulations like the Digital Markets Act (DMA). The company has updated and is enforcing its EU user consent policy. Many publishers in the EU that need to retain full access to Google services are also being required to implement Google Consent Mode and/or the TCF 2.2.

It’s not all stick and no carrot, though. Google provides cookieless future solutions to help enable data privacy compliance with regulations and the company’s own requirements, while also helping organizations replace strategies that relied on third-party cookies. Millions of companies rely on Google services for advertising, analytics, and more, and there is a suite of options to help your company evolve its digital marketing strategy. Become privacy-led, better engage your audience, and achieve strong growth.

Consent Mode

Google Consent Mode is a tool used by websites to signal visitors’ choices about consent for the use of cookies and other tracking technologies. It’s commonly used with a Google-certified consent management platform (CMP) like Usercentrics CMP, which displays a consent banner to site visitors to obtain the consent choice information.

Expert Insights

“Be aware that Consent Mode does not itself enable compliance with data privacy laws. For that, valid consent needs to be obtained via a consent management platform for the use of cookies and other tracking technologies on websites and apps.”

Eike Paulat
Director of Product, Usercentrics

How does Consent Mode work?

Google tags are loaded onto web pages before the consent banner is displayed. This way Consent Mode enables websites to adjust tag behavior dynamically based on whether a user accepts or rejects cookies. When the user provides consent, only then are measurement solutions employed for specific purposes.

Get our handy checklist and meet these EU privacy requirements.

Download checklist

The two tag settings Consent Mode has added for managing cookie and tracker behavior based on consent are:

Once consent information is obtained, Consent Mode then signals it to Google tags in various services that are used for measurement of website and advertising performance. Each user’s consent preferences control whether Google services collect and process all or some relevant types of available data, or only anonymized data that can’t identify an individual, potentially a cookieless identity solution where needed.

Watch next: Google Consent Mode: 4 steps you need to take now

What are the benefits of using Consent Mode?

The original version of Consent Mode was primarily for anonymized data tracking. However, with its update to v2 in November 2023, its value and intent have evolved to focus more on signaling capabilities, which help website operators to meet compliance requirements.

Consent Mode enables automation of obtaining and activating visitors’ consent choices for privacy compliance and peace of mind over meeting consent requirements. It also helps with systems integration, enabling more seamless control over data collection and access.

Expert Insights

“Implementing Consent Mode normally takes me 1-2 hours. Implementation with Google Tag Manager and a CMP like Cookiebot by Usercentrics is really simple. So, if you are not implementing Consent Mode because it’s difficult, don’t be afraid.”

Adriaan Dekker
Top 50 PPC Expert

Google Consent Mode enables website operators to get back a significant amount of data for advertisers. Even when a visitor does not provide consent for all cookie and tracker use, you can still gain conversion insights and consent banner interaction information to optimize consent rates. For example, conversion modeling enables you to use anonymized data collected from users who do not consent to cookie use to gather insights. The future is modeled, providing a cookieless solution.

Consent Mode helps website operators to move toward cookieless future solutions, away from mass collection of users’ personal data — like from use of third-party cookies — to a future-proofed, consent-driven system. Regulations and users’ privacy are respected while your advertising business model remains intact, marketers get the data they need, and clarity on conversions.

Google services that Consent Mode supports

Consent Mode currently supports these Google services:

Learn more: Meet Google’s EU consent requirements. Check out our Google-certified CMP and Consent Mode v2.

Enhanced Conversions

We mentioned that Consent Mode enables conversion modeling, so let’s look at that more closely. Third-party cookies track users across websites, making it easy to get a full view of the conversion journey, among other data. In a world driven by cookieless solutions, there are new challenges, like knowing whether visitors are first-timers or repeat, if they come from paid or organic traffic sources, or how to connect users’ ad interactions to conversions.

Expert Insights

“2024 will be the year of 𝐄𝐧𝐡𝐚𝐧𝐜𝐞𝐝 𝐂𝐨𝐧𝐯𝐞𝐫𝐬𝐢𝐨𝐧 and 𝐂𝐨𝐧𝐬𝐞𝐧𝐭 𝐌𝐨𝐝𝐞. Those privacy measurement solution can help us reveal more conversion signals and user data while respecting GDPR. But beware:
– This feature is intended for properties with web data streams. At this time, Google does not recommend it if you have an app data stream.
– Expect at least 30 days to see a data enhancement.
– This is not recommended for advertisers using BigQuery!”

Thomas Eccel
Top 50 PPC Expert, Ex-Google Ads Support, Founder of Custom PPC ChatGPT

What is conversion modeling?

Marketers need new solutions to help them adapt their strategies and retain the ability to gain insights into user behavior. Broadly, conversion modeling uses machine learning to assign links between ad interactions and conversions to account for instances where cookies, trackers, and other identifiers weren’t available (like the user declined consent).

Conversion modeling helps to evaluate each user visit’s incremental impact on visitor behavior data, even if you can’t directly observe a final conversion. Advertisers still get data and insights to optimize campaigns for desired outcomes, whether signups, increased sales, or other goals.

Benefits of conversion modeling

Companies need to understand customers’ and visitors’ behavior better to optimize marketing campaigns. Conversion modeling brings several strategic advantages:

Learn why a Google-certified CMP like Usercentrics is essential for serving ads in the EU and EEA.

Learn more
Google CMP Partner

Enhanced conversions with Google

Google Analytics 4 (GA4) and Google Ads are the most popular tools on the market for conversion modeling, and they enable predictions on unobserved conversions without identifying individuals, thus complying with privacy requirements. Marketers are increasingly going to need cookieless identity solutions.

Further to improved bidding and user identity protection, Google’s enhanced conversions is a feature to improve conversion measurement accuracy and unlock better, smarter bidding. It acts as a supplement to existing conversion tags, securely sending hashed first-party conversion data from your website to Google using a one-way hashing algorithm. That data is then used to match the customer to their Google account, which they were signed into when they interacted with your ad.

Learn more: Google Ads, GA4 and consent management

How enhanced conversions work

When a customer converts on your website, first-party data is often captured, e.g. name, address, email address, etc. Conversion tracking tags can capture this information, which, once hashed, can be sent to Google privately and securely. It’s then used to enhance conversion measurement in various ways, depending on which type of enhanced conversions you use, e.g. tracking on-site sales or off-site sales from leads.

Use the Google tag, Google Tag Manager, or Google Ads API to set up enhanced conversions. Recover previously unmeasurable conversions, better optimize your bidding based on quality data, and be confident in your privacy compliance operations with the secure hashing of the first-party customer data.

How to set up enhanced conversions for web

There are three ways to set up enhanced conversions for web:

How to set up enhanced conversions for leads

Conversion data from website lead forms (first-party data) can be imported or uploaded into Google Ads, and doesn’t require modifications to your lead forms or CRM. It’s easy to set up — configure measurement right from your Google Ads account — and enables you to better optimize campaigns to off-site sales and transactions for better performance.

Server-side tagging

Server-side tagging involves serving your tags directly from a server instead of in the visitor’s browser. By moving your core tags to the server, this server-side tracking gives you more control over privacy-compliant data collection and sharing.

It’s an evolution from client-size tagging, which uses tags and data from the user’s browser, transmitted to one or more servers. Commonly, tag management uses this function to share customer data from your website with third parties, like marketing technology partners or other vendors. However, from a privacy perspective, there isn’t any centralized control over the data or who can access it.

Instead of relying on third-party services, with this sitewide tagging, both your website and customers’ data are hosted securely on a centralized server, helping meet privacy regulation requirements. Server-side tags provide a buffer between your customers and third-party vendors that want their data for tracking. It’s a way to integrate cookieless tracking solutions. Third parties cannot directly access collected first-party data from your website(s). You control who gets access, when, how, and to what specific data.

Traditiona website configuration without server-side Tag Manager

What is server-side tracking?

Both functions use a server for data management, but server-side tagging involves directly procuring data from the server, rather than only from the client’s browser. Using this method improves data accuracy, can enhance your website’s performance, and lessens the workload on the client’s side.

Learn what server-side tagging is and how it will impact the future of consent and data.

Learn more

Benefits of server-side tagging

In addition to the privacy compliance benefits, there are a number of advantages to adopting server-side tagging and its single data stream:

Benefits of server-side tagging

Marketing teams use this sitewide tagging to benefit from improved visibility through the whole purchasing cycle. Boost conversion rates and advertising ROI. Greater control over the quality of data collection enables more precise insights and better data-driven decision-making for both in-house and third-party activities.

Website visitors also benefit from server-side tagging, as its focus is the privacy and security of their data. Consent choices can be seamlessly communicated across tools and systems to help ensure privacy compliance and controlled access to their data.

Server-side tagging with Google Tag Manager

Using Google Tag Manager for server-side tagging enables website operators to manage their tags, triggers, and variables on a server instead of in the user’s browser. It’s an easy to use solution that’s popular among marketers and web developers.

Tag management is shifted from the client side (the user’s browser), over which you have little control, to the server your company manages. This is particularly valuable to companies focusing on privacy compliance and privacy-led marketing, as well as those handling more sensitive user data.

Website configuration with server side Tag Manager

Server-side tagging with Google Analytics

Google Analytics 4 (GA4) is easy to use, and integrates well with many widely used platforms, making it a popular choice for server-side tracking. Consent Mode also works with GA4 using the analytics_storage tag. Server-side tagging with GA4 involves sending data directly from your server to Google Analytics, so it bypasses the user’s browser entirely. In addition to enhancing security and data privacy, this provides better quality control over data and improves your website performance.

Customer Match

Customer Match is an advertising tool that helps you better leverage your company’s unique online and offline customer data and insights while maintaining robust privacy standards. It uses the high quality data your customers have provided to you to target ads to them — customers control the ads they see via their Google Ads settings — and other potential customers like them. It’s a way to implement cookieless advertising solutions.

Increase brand awareness, drive conversions, and more. Customer Match helps you to reach and re-engage custom segments of your existing customer base with tailored messaging at the most relevant moments using first-party data matched against Google account holders. Customer Match also helps you reach new customers across Google platforms like Search, Gmail, and YouTube in a privacy-led way.

Particularly with the deprecation of third-party cookie use, Customer Match helps you preserve performance and can be a key part of your measurement strategy for revenue growth. It’s a scalable solution to help make the most of your invaluable first-party data in privacy-compliant ways.

How Customer Match works

Customer Match is available for Search, Shopping, Display, Gmail, and YouTube. To get started, segment your customers and upload your first-party data to Google Ads, which then matches your customer data to existing Google accounts. From there, you will target or exclude your new audience list across channels and devices. You can also use auto-generated segments that are similar to expand your list to new customers.

Benefits of Customer Match

In addition to enhancing your privacy compliance operations while still effectively engaging with your audience, Customer Match brings a number of additional advantages:

Benefits of Customer Match

Learn more: Multichannel ad campaigns: A deep dive into Google’s consent requirements for Campaign Manager 360 and Display and Video 360

Find out why a Google-certified CMP is crucial, and what you need to do next.

Read more

Google’s Privacy Sandbox

Google’s Privacy Sandbox is and will include initiatives and guidelines to enhance data privacy, as well as cookieless solutions and technologies that support those goals. It was initially launched in 2019.

Privacy Sandbox has two big goals:

The Privacy Sandbox is developing public proposals and working with data protection authorities. Ideas, policies, and tools to display relevant web content, fight spam and fraud, limit covert tracking, and more, will continue to evolve and roll out over time.

Learn more: The Privacy Sandbox timeline for the Web

Comparison of Google’s cookieless tools

Solution: Consent Mode

Function: Signals consent information to Google tags to control data processing functions for privacy compliance. Works with a Google-certified CMP.

Benefits: 

Solution: Enhanced Conversions

Function: Related to conversion modeling, helps to improve accuracy of conversion measurement and improve bidding. Supplements conversion tags, securely sending hashed first-party conversion data to Google to be matched to customer accounts.

Benefits: 

Solution: Server-side tagging

Function: A method of serving website tags from a server instead of the user’s browser. Enables more control over data privacy compliance and processing. Can be done with Google Tag Manager and with Google Analytics 4.

Benefits: 

Solution: Customer Match

Function: An advertising tool to help better leverage data customers provide to your company (first-party data matched against Google accounts) for better insights while maintaining strong privacy standards. Used for ad targeting to drive conversions, target new relevant audiences, and build brand awareness on platforms like Search, Gmail, and YouTube in a privacy-led way.

Benefits: 

Solution: Privacy Sandbox

Function: Google’s Privacy Sandbox is an initiative to create and evolve web technologies in privacy-led ways. Main goals are phasing out third-party cookies and reducing cross-site and cross-app tracking (while keeping online content and solutions free). Also meant to fight online fraud and spam.

Benefits: 

The future is cookieless with Google solutions

While it was easy to rely on third-party cookies and the data they provided, this marketing strategy often failed to respect user privacy. It also doesn’t tend to enable the precision needed for today’s digital audiences and markets. The future is consented for marketers.

Zero- and first-party data are higher quality, can be obtained in a variety of consent-driven ways, and can be used to drive and scale privacy-led marketing campaigns to better grow revenue. Google provides sophisticated yet easy to use and integrate tools — that work with platforms you’re probably already relying on. These solutions enable marketers to continue to find their audiences and engage them while building trust, get the data marketing operations need, and comply with data privacy regulations and Google’s requirements today, and in the future.

For everything from better customer segmentation to improving your website’s performance, there are Google tools to improve your marketing tech stack that also make data privacy compliance easier.

Don’t forget to tie it all together with the most key privacy-led marketing solution — Usercentrics CMP — to obtain, store, document, and signal valid user consent. Comply with global privacy regulations, control data collection and processing, and make that high quality customer data work even harder for you to provide great user experiences and boost revenue.

Expert Insights

“Companies must learn only to collect the data that matters and create great experiences around that instead of treating everything as important.”

Adelina Peltea
CMO, Usercentrics

Want to learn more about Google tools and how they can help you manage the cookieless future with Usercentrics’ data privacy solutions? We’re here to help.

Contact sales

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Usercentrics’ Consent Management Platform (CMP) : enables display of a cookie banner to collect user consent for data processing.

Meet consent requirements for advertisers with Google Consent Mode

As of March 2024, Google has new requirements for compliance with European data privacy regulations and enforcement of their EU user consent policy. These requirements apply to third-party companies using Google services for online advertising.

Download our checklist to learn what you need to do to obtain and signal valid user consent to meet Google’s requirements and safeguard your advertising campaigns.

What is Google Consent Mode?

Google Consent Mode (GCM) is a solution that interacts with your CMP’s consent banner. When user consent is obtained via the banner, GCM signals the consent information to Google services, enabling tags to adjust their behavior to respect user choice, e.g. for personalized advertising.

Who is required to use Google Consent Mode?

As of March 2024, Google is requiring companies using Google advertising services like Google Ads, Google Analytics, and/or the Google Marketing Platform in the EU/EEA and UK to use Google Consent Mode v2 (the latest version) with a Google-certified consent management platform (CMP), like Usercentrics CMP.

Companies must signal valid user consent to Google via Consent Mode in order to use personalization features to serve ads.

Learn more in our Google Consent Mode Resource Hub.

How does Usercentrics CMP work with Google Consent Mode?

With the latest version of Consent Mode (v2), Google has introduced two new parameters. This enables signaling of consent information for personalized advertising.

Usercentrics CMP has Google Consent Mode integrated and activated by default, so when users’ consent choices are received, they are sent to Google to control tags or SDKs and adjust their behavior to meet data privacy requirements.

Google Consent Mode also enables privacy-compliant modeling to recover lost conversions when users do not provide consent.

What Google services does Consent Mode support?

Currently Consent Mode supports the following Google services:

What is Google’s EU user consent policy?

Google introduced its EU user consent policy in 2015. It’s been updated several times to meet evolving regulatory requirements, like those from the GDPR, ePrivacy Directive, and Digital Markets Act (DMA).

Google announced in early 2024 that they would be increasing enforcement of the EU user consent policy. This is to enable the company to comply with data privacy regulations, including DMA enforcement.

Don’t risk your ad revenue. Download our Google Consent Mode checklist now!