Quick answer: Consent Mode v2 is required for any business serving EU users through Google's advertising and measurement products. If you haven't implemented it, you're losing modeled conversion data and potentially breaching GDPR. Below is the complete audit checklist used by enterprise GA4 implementations.
Google made Consent Mode v2 mandatory in March 2024 for EEA traffic, and enforcement has tightened steadily since. If your tags are still on Consent Mode v1 — or have no consent signaling at all — you're leaving conversion data on the table and exposing yourself to regulatory risk.
What changed from v1 to v2
Consent Mode v1 had two parameters:
ad_storage— controls advertising cookiesanalytics_storage— controls analytics cookies
Consent Mode v2 adds two more parameters that are now required for EEA traffic:
ad_user_data— explicit consent for sending user data to Google for advertising purposesad_personalization— explicit consent for personalized advertising
Without these two new signals, Google Ads cannot use your conversion data for audience building or personalization, and modeled conversions are not generated for users who decline consent.
The 12-point Consent Mode v2 audit checklist
1. Default consent state is set BEFORE the gtag.js or GTM container loads
The very first script on your page (before gtag.js, before GTM, before anything else) must set the default consent state. If consent is granted later (e.g., the user accepts the cookie banner), call gtag('consent', 'update', {...}) to update it.
Test: Open browser dev tools → Network → reload your page. Look for the first request to google-analytics.com or googletagmanager.com. The URL should contain gcs= parameter. gcs=G100 means consent denied; gcs=G111 means granted.
2. All four parameters are set, not just two
Check your consent default and consent update calls — they must include all of: ad_storage, analytics_storage, ad_user_data, ad_personalization. Missing any of the new v2 parameters means you're effectively still on v1.
3. Region-specific defaults for EEA
Best practice is to default ALL four parameters to denied for EEA users and granted elsewhere. Use the region parameter on your consent default call:
gtag('consent', 'default', {
'ad_storage': 'denied',
'analytics_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'region': ['EEA', 'GB']
});4. CMP is certified by Google
If you use a Consent Management Platform (Cookiebot, OneTrust, TrustArc, Usercentrics, etc.), verify it's on Google's certified CMP list. Non-certified CMPs may not properly transmit consent signals to Google's tags.
5. Consent banner triggers BEFORE GA4 fires its first hit
Common bug: GTM fires GA4 page_view on container load, then the cookie banner appears, and the user clicks "Reject." The first page_view already went out with default-granted consent — a compliance breach. Fix: ensure GA4 tags have a "Wait for consent" trigger blocking condition.
6. Cookieless pings are firing for denied users
When a user denies consent, GA4 should still send cookieless pings (these populate Google's modeled conversions). In dev tools → Network, you should see requests to google-analytics.com/g/collect even for users who declined. If you don't, modeled conversions won't work.
7. URL passthrough is enabled
In GA4 Admin → Data Streams → your stream → Configure tag settings → Show all → URL passthrough — toggle this ON. Without it, GCLID won't be preserved across pageviews for users who declined cookies.
8. Conversion modeling enabled in GA4
In Admin → Reporting Identity → choose "Blended" or "Observed" but ensure that the property is also opted into behavioral and conversion modeling. Modeling only works when consent signals are coming through correctly.
9. CMP version is up-to-date
Some CMPs deployed v2 support late and have inconsistent behavior across plan tiers. Check that your CMP's "Consent Mode v2" feature is explicitly enabled (often a toggle in the CMP admin).
10. Custom JavaScript variables in GTM don't read cookies before consent
If any GTM variable reads from document.cookie to populate event parameters, you may be processing personal data before consent is granted. Audit all custom JS variables.
11. Server-side GTM honors consent signals
If you use server-side GTM, the consent state must be forwarded from client to server in the request payload. Check your server-side client template's data layer mapping.
12. Test with Consent Mode debugger
Install the Tag Assistant Companion Chrome extension and visit your site. Click the extension → it will show consent state, gcs parameter, and whether consent updates fired correctly. This is the fastest way to validate end-to-end.
How to verify your full implementation in 5 minutes
- Open your site in an incognito Chrome window
- Open DevTools → Network tab → filter by "collect"
- Don't interact with the cookie banner. Look at the first request to
google-analytics.com/g/collect. Check thegcsparameter. - Click "Reject" on the banner. Subsequent requests should still fire but with
gcs=G100. - Click "Accept." Subsequent requests should have
gcs=G111.
Audit your Consent Mode v2 setup automatically
Manually validating all 12 points takes 30–60 minutes per property. Run a free Snifflytics audit to verify your GA4 Consent Mode v2 implementation along with the rest of your tracking setup — gaps in consent signaling, missing parameters, banner-timing issues, and modeled-conversion eligibility are all checked automatically.