Google Tightens Privacy Rules: Preparing Your Website for Consent Mode V2

We’re about to embark on a journey through cookies, consents, laws, and topical memes. We get that this level of excitement isn’t for everyone, so here’s a quick TL;DR and if you already know the basics of cookies and consent banners, you can click here to skip straight to Google’s announcement.

TL;DR: 

• Several privacy laws already require website owners to get consent from their users prior to placing non-essential cookies on their browsers. This is most commonly done via a cookie Consent Management Platform (aka cookie cmp, cookie popup, cookie banner).
• There’s a new Privacy regulation in town (the Digital Markets Act), that has caught Google’s eye – causing the company to now require many of its users to set up compatibility with their new Consent Mode V2 platform. 
• This requirement (for now) appears to be impacting business owners in the UK and EU who use Google Tag Manager and or Google Ads/Adsense/Analytics, or anyone advertising to those areas.
• Seeing this notice in your GTM or Adsense account? Use a Google Certified CMP Provider to get a consent solution for your website and follow the steps needed to manually set up the website and GTM to be compatible with Consent Mode V2. If you are a Termageddon partner, please review these step-by-step instructions to set up Google Consent Mode V2. 
• Seeing this notification in any of the GTM / Adsense accounts that you manage? you should notify your clients about this new requirement (especially those with UK and/or EU businesses or those who run ads in those areas). Here’s a pre-written email that can help ensure you notify your clients and offer to help set them up (along with a recommended setup fee).

Now for the TR;NM (Totally Read; Need More):

We know that when it comes to cookie consent banners, web designers just can’t get enough of questions like…

“Can’t it just automatically accept the cookies no matter what they choose?”

“Why is my website analytics no longer getting as much data after you put a cookie consent banner on my website?”

“Does it have to pop up where people can see it?”

Well, unfortunately for us web designers who may struggle with having to deal with cookie consents, things just got a bit more complicated as Google is now requiring all websites using AdSense, Ads, Analytics and/or GTM to have a cookie consent banner. Woo-to-the-hoo…

Luckily for you, we took just enough wrong turns in life to end up talking about this stuff for a living. So here’s a quick overview of everything you need to know about cookies and Google’s latest announcement.

Are cookie consents a bad thing? 

Look, it’s easy to make fun of how ridiculous and obnoxious some of these cookie consent banners have gotten – especially as web designers tasked with making a website look nice and operate efficiently.

However, let’s not forget that we’re also website visitors. So, if we put our web-tourist hats on for a moment, it’s nice that websites and businesses are giving us more control over how our personal information can be collected, stored, and whether or not we would like to be tracked through different websites. Not only does it give us some power as website visitors, but hitting that ‘decline all’ button lets us feel like Gandalf for the briefest of moments.

… just us? Just us. Moving on.

What are cookies? 

Cookies are small files that are created and stored on a website user’s browser and/or device when visiting a website that uses cookies. Cookies are used to track information about the visitor to improve user experience, allow for remarketing, keep the website safe and more. Cookies help you stay logged into sites where you have an account. They help determine what language the website should be displayed for you.

It’s also almost impossible to read about cookies online without seeing horrible jokes about them being named cookies.

Do you Accept All Cookies?

That depends… do they have raisins in them!?!?!??! *knee slap

Ugh.

How are cookies classified?

Cookies come in three main flavo… categories. We meant categories.

Those three are:

Essential Cookies – are cookies necessary to browse a website and use its features (security, authenticating users, or preventing fraudulent actions)

Functional Cookies – allow a website to remember the choices that you have made in the past and how you use that website to improve user experience (language preferences, username, password, or what pages you’ve clicked on)

Marketing & Analytics Cookies – are used to track your online activity for marketing, advertising and analytics purposes. There are also third-party cookies like Analytics Cookies and Social Cookies that are typically used to determine and analyze your interactions with the website. 

These are the most popular categories, but people can add additional ones as well such as ‘security cookies’. What’s most important here is that – if you are required to disclose your use of cookies on your website under an applicable privacy law – you properly label them. This is especially true for the ones that are non-essential (like cookies that track you simply for visiting the website and your data gets shared to companies who then advertise your data to other companies). 

Why are cookies being regulated?

There are only so many times people can be bashed over the heads with couch ads – because they looked at that one couch that one time – before they start to wonder what companies are doing with their data.

Different privacy laws have slightly different explanations as to why they are looking to regulate cookies, but they all essentially boil down to the desire to protect online users’ privacy and prevent the misuse of their personal information via collecting non-essential cookies.

Your name is your name. Your phone number is your phone number. Your IP Address is your IP Address. This is all property that belongs to the you, not the business, and these regulations just help ensure companies respect that. 

How are cookies being regulated?

By the man, man.

But really. There are several privacy laws across the globe that require websites to have a cookie consent banner with even more privacy bills in the works.

The ‘how’ depends on each privacy law. For example, the EU and UK use Data Protection Authorities (DPA) to enforce these laws. Consumers file complaints and the DPA dishes out the fines to the business owners.

These fines also depend on the law. Privacy laws have different penalties for failing to comply with them but they start at $2,500 per website visitor whose rights have been violated. You read that right. That’s where they START. It just gets uglier from there. You can ask these businesses that got caught with their hand in the cookie jar (sorry, can’t turn it off at this point).

What is a cookie consent banner?

It’s a banner that’s designed to be as annoying and ugly as possible, according to YouTube comments about cookie banners… and let’s be real, a very large portion of the world population.

Stepping back into reality, a cookie consent banner is a pop-up designed to inform users about the use of cookies on the site and offers a way for them to accept or decline those non-essential cookies.

This means you can’t just say:

“Hello, there! We use cookies to learn all about you and what keeps you up at night. Here are your options: Accept or Accept.”

People must have the ability to decline non-essential cookies that are being used by a particular website. If a website uses multiple types of cookies, the banner should also allow the user to manage each cookie individually (eg. decline marketing cookies, but accept functional cookies). There are also other requirements such as: 

• The ‘accept’ and ‘decline’ buttons must have equal prominence (no hiding one or the other in the corner or using colors that blend with the background)
• Provide a mechanism for users to withdraw their consent in a way that’s just as easy as it was to provide their consent

When selecting a cookie consent provider, make sure it’s not just a glorified popup that doesn’t actually do anything. You need to ensure you are opting out certain visitors by default prior to letting non-essential scripts and cookies load on their browsers.

How can you avoid putting a cookie consent banner on your website? 

If you are sitting here thinking you’d rather watch paint dry than have to deal with cookie consents (for your or your clients’ website), there are a handful of things you may be able to do:

Plan A: Remove tracking technologies on your website:

1. Store fonts locally – using google fonts? Download the font and store it locally. This not only avoids you needing to get consent, but technically your website should load faster too. Not to mention, Google Fonts was deemed non-compliant with GDPR in 2022.
2. Load videos locally – instead of embedding YouTube or Vimeo videos, load videos locally.
3. Try privacy-focused analytics alternatives – Instead of Google Analytics 4, try using UseFathom.com or Matomo Analytics. 
4. Avoid embedded maps – Google Maps is another third-party script used to load maps. It’s a great experience, but technically it’s a third party. Perhaps you can list just an address or provide a map screenshot or a Google Maps link as a privacy-focused alternative.
5. Alternative to reCaptcha – Try using Friendly Captcha or another privacy-focused captcha alternative.

Plan B: Use geolocation to limit the exposure of the consent solution

1. If you find yourself needing to use a cookie consent solution, you could select settings to only display it to certain visitors around the world (those that have the respective privacy rights). Many cookie consent providers offer the ability to limit where to display consent solutions.

Removing scripts you don’t need helps you minimize the data you collect and can even possibly prevent you from being required to have a consent tool in the first place. This is a good business practice: only collect the data you need to run your website and your business. As more privacy laws pass, you’ll be thankful you implemented this philosophy into your agency!

How does the Digital Markets Act impact your website?

The Digital Markets Act is a regulation from the European Union that went into effect in May 2023 to try and make the digital economy more fair. While the Digital Markets Act regulates “gatekeeper platforms” such as Google and Facebook, its impacts and requirements are starting to trickle down to small business websites as well. Companies like Google are already laying down the hammer, requiring their customers (especially those in the UK and EU right now) to not only set up a consent solution on their website but to also adhere to Google’s new consent communication platform: Consent Mode V2 (discussed further in the next section).

In layman’s terms, the Digital Markets Act is basically putting major publishers (like Google) in a position where they are required to ensure their ad spenders are properly getting consent from their website visitors. For this reason, companies like Google are going to start penalizing their own customers (ad spenders) for failure to properly capture consent from its website visitors by suspending or potentially terminating accounts (like Google Tag Manager, Google Ads. and AdSense).
If you’re using Google advertising-related products or Facebook marketing tools, you may be notified by them that they’re requiring you to add a consent tool to your website, otherwise your account could be paused or possibly even terminated. Sounds scary, but it’s certainly getting people’s attention. 

Google’s new Google Consent Mode V2 

In response to the Digital Markets Act, Google has deployed Consent Mode V2 and is requiring many of its users to set up compatibility with this new platform.

Google’s Consent Mode helps ensure that consent settings selected by a user of a website are properly passed to Google Tag Manager so that only respective tags/scripts fire. It also helps ensure that if a user later changes their consent settings, the respective tags within GTM are turned on/off respectively. 

For example, if a user consents to Google Ads within the consent banner of a certified Consent CMP that’s properly set up with Consent Mode V2, then Google Tag Manager will allow any Tags to fire that contain the Google Ads consent ‘granted’ trigger (see the ‘how’ section below). 

Who is impacted by this update?

The primary people impacted by this update will be business owners in the UK or the EU who are using Google Ads, Google Adsense, or Google Analytics along with Google Tag Manager. If you are running ads and targeting EU and/or UK residents, you may also be receiving a nice little warning email from Google. 

This appears to be the first wave of customers to be impacted by this update, but don’t be surprised if Google spreads this requirement out further to their entire audience eventually. Quebec Law 25 for example just passed last year and is similar in nature to GDPR as it relates to cookie consents. We believe it’s only a matter of time until this becomes a universal requirement to use Google.

How to set up Google Consent Mode V2 in Google Tag Manager (GTM) 

Regardless of which certified consent cmp you are using, the following will help serve as a general outline on how to get set up with basic Consent Mode V2 with Google Tag Manager.  We would recommend locating the specific instructions from your consent provider, as each will have slightly different specifics on how to set up compatibility:

1. Update your Google Tag Manager script on your website to the new consent mode V2 script. It will likely be a copy/paste from this section of Google’s V2 Article. 
2. Upload the GTM community template provided by your certified CMP provider. This helps GTM understand that you’re using a certified partner. 
3. Create variables and triggers to ensure your certified CMP can communicate consent choices (granted/denied) to Google Tag Manager. This will depend on what third-party scripts are being fired through your GTM account. So for example if you load GA4 and Google Ads through GTM, you’ll be setting up a variable and trigger for each of these).
4. Enabled Consent Overview (beta) – Although in beta, enabling/adding consent overview to your GTM account will help provide you with more insights when testing later on.
5. Enable consent mode within your CMP – this will typically be a setting you simply enable with your third-party consent provider. 
6. Test – Using GTM’s Preview feature (aka TagAssistant), visit your website and test consent choices. Accept/decline all scripts and accept/decline individual scripts. The new ‘consent’ tab within TagAssistant will help display to you whether or not consent settings are properly being captured and updated.

If you are a Termageddon agency partner, please review these step-by-step instructions for getting set up with Consent Mode V2 with a Termageddon license (using google certified CMP Usercentrics).

Basic vs advanced consent mode – be cautious 

If you are managing a website and processing a ton of data and ad spend, you may be considering Google’s advanced Consent Mode, where behavioral data is being collected for users that deny non-essential cookies.

We get it, this can be “mission critical” from a marketing standpoint, but it’s important to understand that Google collects IP addresses in this scenario without the proper consent – even though Google says the data is immediately deleted after locating the individual. It’s still a bit of a concerning practice for those in the privacy community. 

The primary difference between setting up basic vs advanced consent mode is the relation to where you paste the consent banner in comparison to the new GTM V2 embed script. With basic consent mode, the consent script gets pasted first, and then the GTM V2 script gets pasted second. With Advanced mode, the cookie consent gets pasted in between the new GTM V2 script.  You should contact your certified CMP provider for their instructions on how to set up advanced Consent Mode.

How to charge website clients for this update (pre-written email sequence) 

This isn’t just a ‘make the logo bigger’ situation. Agency owners should be charging for their time to set their clients up with this new requirement from Google. You not only have to research this new change, but then you’ll have to set it all up and test to help ensure consent is properly being captured and passed onto Google Tag Manager.

We put together this pre-written email template that you can send to your clients, informing them about this new requirement, while helping you form a quote. Hope this helps!

Conclusion

Another day, another new privacy regulation.

The Wild West days of collecting people’s data are, for better or worse, coming to an end. The internet is growing up, and we as agency owners should embrace these changes in order to help protect our clients. If you’ve made it this far, I’d say you’re on the right track!