Google’s consent mode is creating a stir among digital advertisers, similar to the anxiety caused by the phasing out of third-party cookies. Whether your business meaningfully interacts with users in the United Kingdom (UK) and European Economic Area (EEA) or not, understanding and strategically implementing Google’s consent mode is crucial. It’s an opportunity for your business to enhance transparency and offer users meaningful control over their data while interacting with your digital properties.
What if I don’t do anything about consent mode?
If your business model doesn’t focus on the UK and EEA, immediate action may not be necessary. However, starting in early March 2024, with the enforcement of the Digital Markets Act, not adopting consent mode will mean users visiting your digital property from the UK or EEA won’t have personalized ads or audience data sent to various Google platforms. This also will suppress parts of GA4 tracking of these users related to Google Ads audiences and ads personalization, as well as GA4 data modeling & GA4 conversion modeling (key event modeling), and Google Ads modeled conversions. Non-Google analytics and advertising signals will remain unaffected.
How should I employ consent mode?
Businesses can employ consent mode via a consent management platform (CMP) partner like OneTrust, or without a partner integration. We suggest employing a CMP to manage consent mode.
To engage a CMP like OneTrust to manage consent mode, assuming OneTrust is deployed already and integrated with your Google Tag Manager (GTM) configuration, you simply check a box in OneTrust to enable it. There are four (4) consent mode flags: analytics, ad storage, ad user data, and ad personalization. Each of these flags will be assigned to a OneTrust cookie category (e.g., targeting cookies, performance cookies, etc.), with a default for the cookie category to opt out or not by geolocation. If a user opts out of a cookie category (by default or by election using the end-user CMP user interface), any related consent mode flag will be sent to Google as unconsented.
- analytics_storage = can we store cookies (or app instance id for mobile apps) pertaining to analytics?
- ad_storage = can we store cookies (or device id for mobile apps) pertaining to ads?
- ad_user_data = can we send user data to Google for ads (e.g. enhanced conversions object)?
- ad_personalization = can Google use the above data points to personalize ads or remarket to that user?
Why should I use a CMP to manage consent mode?
We recommend our customers engage a CMP like OneTrust in general, and specifically to manage consent mode, regardless of how the EEA or UK relates to their business model:
- So their tracking intentions are more practically transparent to users.
- So users have a means of explicitly opting out (even with server-side tracking in the mix), and
- So businesses have more flexibility & ease in adjusting their tracking by geolocation to evolving user consent regulations (e.g., if & when specific states in the US start requiring explicit permission to track as per the EEA’s GDPR).
CMP solutions are integrated with consent mode so businesses can set their default posture for each consent mode flag based on their business legal posture by geolocation, and will automatically comply with a user’s tracking elections in the end-user CMP user interface. CMPs will evolve their solutions per ongoing regulation changes & additions, and businesses can use the business admin-user CMP user interface to conveniently adjust default opt out logic by geolocation.
What are some “gotchas” that a CMP will help me prevent?
Some users have browser settings engaged to not be tracked that are turned on implicitly with automatic browser updates (i.e., the user did not explicitly take action to prevent tracking), where server-side GTM (or a similar server-side tracking solution) could still track them. With a CMP in the mix, users can easily see how the business intends to track them, can explicitly elect to not be tracked, and browser + server GTM configurations can be configured to honor user elections.
NOTE: For businesses to which the California Consumer Privacy Act (CCPA) applies, the GPC “do not track” signal, if turned on in a user’s browser, needs to be honored. A CMP like OneTrust will automatically honor this setting.
What are some benefits of employing consent mode?
With advanced consent mode, Google will model data for unconsented users if consent mode flags are sent (i.e., modeled data will fill data gaps for unconsented users). That modeling would apply to unconsented users geo-detected to be in the UK or EEA. If a non-EEA / non-UK geo-detected user otherwise tracked with an opt-out posture (tracked by default) elects to not be tracked via the CMP user interface, such modeling would also apply.
Eventually consent mode may be required relative to non-EEA / non-UK geo-detected users. Engaging consent mode now even if the EEA and/or UK is not a consideration for your business model will mean you are already prepared for such future possibilities (likely inevitabilities), and you won’t have to maintain separate technical treatment for EEA or UK vs. non-EEA / non-UK users.
OneTrust’s documentation suggests it supports advanced consent mode, although this isn’t explicitly stated.
Suggestions recap
- Deploy a CMP like OneTrust on your digital properties.
- Integrate the CMP with a tag management solution like GTM.
- Enable consent mode in the CMP, with consent mode flags assigned to cookie categories.
- Set defaults for each cookie category based on geolocation.
- Update your privacy policy to reflect your legal posture and related technical implementation.
How can iDimension help?
We provide consulting services to integrate a CMP into your GTM configuration, including consideration for consent mode. We also offer a monitoring service to help you have confidence default user consent elections are being honored by your CMP and tag management solution as you intend. Contact us to start a conversation.