What Consent Mode v2 Is Supposed to Do
Google Consent Mode v2 sends two parameters with every Google tag request: ad_storage and analytics_storage. Each can be granted or denied. When denied, Google tags adjust their behaviour: GA4 sends cookieless pings, Google Ads does not write conversion cookies, Floodlight does not set audience pixels. The tag still fires, but operates in a privacy-safe mode.
Since March 2024, Consent Mode v2 added two additional parameters: ad_user_data and ad_personalization. These are required for sending user data to Google for advertising purposes in the EEA. Without these signals, your Google Ads remarketing audiences in Europe stop populating.
The theory is clean. The implementation is where it breaks.
Five Consent Mode Failures That Create GDPR Liability
1. Tags Firing Before Consent Is Initialised
This is the most common failure. The GTM container loads and fires tags immediately. The CMP loads asynchronously and updates consent state 200–500ms later. In that window, tags have already fired with the default consent state. If your default is granted (which it is unless you explicitly set it to denied), you just tracked a user without consent.
The fix requires setting the default consent state to denied before any tags fire, using a consent initialization trigger type in GTM. But 60% of implementations we audit have the default set incorrectly or not set at all. The gtag('consent', 'default', ...) call must execute before the GA4 config tag. If it does not, the config tag fires with implicit consent.
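```javascript
// This must run BEFORE any Google tags
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied',
  'wait_for_update': 500 // milliseconds to wait for the CMP's update call
});
```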
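The ordering requirement above can be checked from a snapshot of `window.dataLayer`. The following is an added example, not code from the original article. It assumes the site issues gtag.js commands, so that both the consent default and the config call appear in the dataLayer; the function name, the `G-EXAMPLE` ID and the two sample snapshots are constructed for illustration.

```javascript
// Added example: audit a dataLayer snapshot for the ordering failure described above.
const REQUIRED_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

function auditConsentDefault(dataLayer) {
  const problems = [];
  let defaults = null;
  dataLayer.forEach((entry, index) => {
    // gtag() pushes array-like Arguments objects; GTM pushes plain objects (no length).
    const [command, first, second] = Array.from(entry || []);
    if (command === 'consent' && first === 'default' && defaults === null) {
      defaults = second || {};
    } else if (command === 'config' && defaults === null) {
      problems.push(`config for ${first} at index ${index} ran before consent default`);
    }
  });
  if (defaults === null) {
    problems.push('no consent default call found');
    return problems;
  }
  for (const signal of REQUIRED_SIGNALS) {
    if (defaults[signal] !== 'denied') {
      problems.push(`${signal} default is ${defaults[signal] ?? 'unset'}`);
    }
  }
  return problems;
}

// Constructed snapshots: record gtag() calls the same way the real stub does.
function recordCalls(script) {
  const layer = [];
  function gtag() { layer.push(arguments); }
  script(gtag);
  return layer;
}
const DENIED = { ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied', analytics_storage: 'denied' };
const GOOD_LAYER = recordCalls((gtag) => {
  gtag('consent', 'default', { ...DENIED, wait_for_update: 500 });
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE');
});
const BAD_LAYER = recordCalls((gtag) => {
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE'); // fires with implicit consent
  gtag('consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied' });
});
console.log(auditConsentDefault(GOOD_LAYER), auditConsentDefault(BAD_LAYER));
```

In a live session, paste the function into the Console and call `auditConsentDefault(window.dataLayer)` before touching the banner.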
2. Non-Google Tags Ignoring Consent Mode Entirely
Consent Mode is a Google-specific protocol. Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Hotjar, Intercom, and every other non-Google tag do not understand ad_storage: denied. They fire regardless. Your CMP is supposed to block these tags entirely when consent is denied, using GTM trigger exceptions or tag sequencing. In practice, most CMPs only configure consent groups for Google tags and leave non-Google tags unmanaged.
We audit 20+ containers per month. In 35% of them, the Meta Pixel fires on every page load regardless of consent state. The pixel does not check consent parameters. It fires because no GTM trigger exception blocks it.
3. Consent State Not Persisting Across Pages
A user grants consent on page 1. The CMP writes the consent state to a cookie. On page 2, the cookie is read and consent state is restored. But if the cookie domain is misconfigured (set to www.example.com instead of .example.com), the cookie is not readable on subdomains. The user navigates to shop.example.com and consent resets to the default denied state. Tags fire in cookieless mode even though the user already consented.
The opposite is also common: the consent cookie expires before the session ends, or a server-side redirect strips cookies, causing consent state to reset mid-journey.
4. CMP Banner Dismissed Without Explicit Choice
Many CMPs allow users to dismiss the banner by scrolling or clicking elsewhere on the page. Some CMPs interpret this as implicit consent. Under GDPR, consent must be “freely given, specific, informed and unambiguous” — a scroll is none of those things. If your CMP treats a banner dismissal as consent and fires tracking tags, you have a compliance violation on every session where the user did not click an explicit accept or reject button.
5. Consent Mode Update Calls Firing at the Wrong Time
When a user clicks “Accept All,” the CMP should call gtag('consent', 'update', { ... }) to change consent state from denied to granted. Google tags then re-fire with full tracking enabled. But if the update call fires after the page’s event tags have already completed, those events are lost. The page view was cookieless. The user is now cookied. But the original page view event was already sent without cookies and cannot be retroactively enriched.
This is especially problematic for single-page applications where the consent update fires once but the user navigates through multiple virtual page views. Only the first page view after consent is properly tracked.
How to Verify Your Implementation
Open Chrome DevTools, go to the Network tab, and filter for requests to google-analytics.com/g/collect. Look at the gcs parameter in the request URL. This encodes the consent state:
- `gcs=G100` — analytics_storage denied, ad_storage denied
- `gcs=G110` — analytics_storage granted, ad_storage denied
- `gcs=G111` — both granted
If you see G111 on the first request before the user has interacted with the CMP banner, your default consent state is wrong. You are tracking without consent.
For non-Google tags, check the Network tab for outbound requests to facebook.com/tr, analytics.tiktok.com, or any other third-party endpoint. If these fire before consent, those tags are unmanaged.
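The same check can be run over a HAR file exported from the Network tab, which is also the evidence format auditors ask for. This is an added example, not code from the original article. The function name, the sample entries and the banner-interaction timestamp are constructed; it treats any GA4 hit before interaction that does not carry `gcs=G100` as a violation, and flags the non-Google endpoints named above.

```javascript
// Added example: flag requests in a HAR export that left the browser before
// the visitor touched the consent banner. Endpoints are the ones this page names.
const NON_GOOGLE_TRACKERS = [
  { host: 'facebook.com', pathPrefix: '/tr' },
  { host: 'analytics.tiktok.com', pathPrefix: '/' },
];

const onHost = (hostname, host) => hostname === host || hostname.endsWith('.' + host);

function findPreConsentViolations(har, bannerInteractionTime) {
  const cutoff = Date.parse(bannerInteractionTime);
  const violations = [];
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) >= cutoff) continue; // after the user's choice
    let url;
    try { url = new URL(entry.request.url); } catch (e) { continue; } // skip malformed URLs
    if (onHost(url.hostname, 'google-analytics.com') && url.pathname.endsWith('/g/collect')) {
      const gcs = url.searchParams.get('gcs');
      // With a denied default, every pre-interaction GA4 hit should carry G100.
      if (gcs !== 'G100') violations.push({ url: url.href, reason: `gcs=${gcs ?? 'missing'}` });
    } else if (NON_GOOGLE_TRACKERS.some((t) => onHost(url.hostname, t.host) && url.pathname.startsWith(t.pathPrefix))) {
      violations.push({ url: url.href, reason: 'non-Google tag fired before consent' });
    }
  }
  return violations;
}

// Constructed sample HAR (not a real capture); the banner click is assumed at 10:00:03Z.
const SAMPLE_HAR = { log: { entries: [
  ['2026-01-15T10:00:00.100Z', 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&gcs=G100'],
  ['2026-01-15T10:00:00.300Z', 'https://www.facebook.com/tr?id=0000&ev=PageView'],
  ['2026-01-15T10:00:00.350Z', 'https://region1.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&gcs=G111'],
  ['2026-01-15T10:00:00.400Z', 'https://www.example.com/static/app.js'],
  ['2026-01-15T10:00:05.000Z', 'https://www.facebook.com/tr?id=0000&ev=AddToCart'],
].map(([startedDateTime, url]) => ({ startedDateTime, request: { url } })) } };

const SAMPLE_VIOLATIONS = findPreConsentViolations(SAMPLE_HAR, '2026-01-15T10:00:03.000Z');
console.log(SAMPLE_VIOLATIONS);
```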
Continuous Consent Verification
Manual verification checks one session, one time. Consent failures are intermittent — they depend on CMP load timing, network conditions, cookie state, and user behaviour. You need automated, continuous verification that monitors consent state on every session and alerts when tags fire outside their consent boundaries.
What Regulators and Auditors Actually Check
When a Data Protection Authority opens an investigation — whether the CNIL in France, the ICO in the UK, the Irish DPC, or the Data Protection Board of India — they do not ask “do you have a CMP?” That is a 2021 question. In 2026, the questions are specific and technical:
- Show us a packet capture of a session where consent was denied. Confirm that zero tracking requests left the browser in that session.
- Show us the exact order of script execution on your first page load. Prove that `gtag('consent', 'default', ...)` executed before any Google tag initialisation.
- Provide a list of every non-Google tag (Meta, TikTok, LinkedIn, Hotjar, Intercom) and show how each one is blocked when consent is denied.
- Demonstrate that consent withdrawal (clicking “Withdraw Consent” in your preference center) stops all tracking on the current page without requiring a reload.
- Provide consent logs with timestamps, showing who consented, to what, when, and what version of the consent notice they saw.
Auditors do not accept screenshots. They want HAR files, console output, and the ability to reproduce a session themselves. If you cannot produce this evidence within 7 days of a request, you are in functional non-compliance regardless of your CMP configuration.
The Real Cost in INR of Getting Consent Wrong
The CNIL fined Google €150 million in January 2022 for consent-banner violations. Amazon paid €35 million in 2021. Under GDPR, the maximum fine is 4% of global annual revenue. For an Indian subsidiary of a multinational with ₹2,000 crore global revenue, that ceiling is ₹80 crore. The DPDP Act in India allows penalties up to ₹200 crore for non-compliance with consent obligations.
But the real cost for most businesses is operational, not regulatory. When a user who denied consent sees a personalised retargeting ad, they complain to the CMP vendor, the platform (Meta, Google), or the regulator. Each complaint triggers an investigation ticket. Responding requires 8–20 hours of legal and engineering time per complaint. A mid-sized Indian business fielding 15 complaints a month burns ₹4–6 lakh monthly on complaint response alone. Continuous consent verification reduces this burn by catching violations before users experience them.
Case Study: A European D2C Brand Launching in India
A Berlin-based D2C skincare brand expanded to India in Q3 2025 through a Shopify store on a .in domain. Their European CMP was OneTrust, configured for GDPR. For India, they copied the same configuration, assuming DPDP compliance would follow. Within 90 days, three problems surfaced: (1) The CMP’s default was still granted for “legitimate interest” Meta tracking, which had been argued as permissible under GDPR but is not supported under DPDP’s strict consent model. (2) The consent cookie was set on www.example.com, so cross-subdomain shopping sessions reset consent. (3) A Hotjar recording captured users typing into the checkout form before consent was granted — a direct DPDP Section 6 violation.
The brand discovered the issues during a pre-launch compliance review we conducted. The remediation required: re-configuring OneTrust with a DPDP-specific template that set all non-essential categories to denied by default, moving the consent cookie to .example.com, and adding a GTM consent-initialisation trigger that fired before Hotjar loaded. Engineering time: 18 hours. Legal review: 6 hours. Deferred launch by 9 days. The alternative — launching with the GDPR configuration and hoping — could have triggered a first-year penalty that dwarfed the entire India P&L.
Step-by-Step Consent Debugging Playbook
1. Open Chrome in incognito mode with no extensions. Navigate to your site.
2. Before clicking anything on the CMP banner, open DevTools → Network tab. Clear the log.
3. Reload the page. Every request that leaves the browser before you interact with the banner is a potential consent violation.
4. Filter the Network tab to: `collect`, `/tr`, `pagead`, `analytics`, `pixel`, `fbevents`. Count the requests. The count should be zero.
5. In the Console, run `window.google_tag_data` and `window.dataLayer`. Look for the consent default object. If `ad_storage` or `analytics_storage` is `granted` before interaction, your default is wrong.
6. Click “Reject All” on the banner. Reload. Repeat steps 3–4. Any tracking request after a reject is a violation.
7. Inspect the `gcs` parameter in GA4 requests. `G100` means both storages denied; anything else under a rejected consent is a bug.
8. Close the browser completely. Reopen. Navigate to the site again. Does the CMP banner reappear? If the user already rejected, it should not. If it does, consent state is not persisting.
9. Test on a subdomain (e.g., `shop.example.com` if main is `www.example.com`). Does the consent carry over? If not, cookie domain is misconfigured.
10. Click “Withdraw Consent” in the preference center. Immediately inspect `navigator.sendBeacon` requests in the Network tab. Tags should stop firing on the current page, not on next navigation.
Decision Framework: When to Escalate a Consent Issue
| Signal | Severity | Action Within |
|---|---|---|
| Tracking request fires before banner interaction | Critical | 24 hours |
| Non-Google tag fires when consent is denied | Critical | 24 hours |
| Consent does not persist across subdomains | High | 72 hours |
| CMP default is granted rather than denied | Critical | 24 hours |
| Consent withdrawal does not stop current-page tags | High | 7 days |
| Consent logs lack timestamps or versioning | Medium | 30 days |
| GPC signal is not detected or mapped | High (California traffic) | 7 days |
FAQ for DPOs and Privacy Counsel
Is a cookie banner enough for DPDP compliance?
No. A banner is a user-interface element. Compliance requires: default-denied state before interaction, granular consent categories (not a single “Accept All”), explicit affirmative action for each category, consent records with timestamps, and a functional withdrawal mechanism. The banner is one component of a compliant architecture, not the architecture itself.
Can we rely on “legitimate interest” under DPDP like we did under GDPR?
No. DPDP Act Section 7 recognises a limited set of legitimate uses (employment, medical emergency, court orders, etc.) but does not recognise “legitimate interest” for marketing analytics. If you are processing personal data for analytics or advertising, you need consent.
What if the user closes the banner without clicking anything?
Treat it as a denial. DPDP requires “unconditional and unambiguous consent with clear affirmative action.” Ignoring the banner is not affirmative action. Fire no tags until the user explicitly accepts.
How long should we retain consent records?
Consent records should be retained for as long as the processing continues, plus a reasonable post-termination period (we recommend 3 years post-withdrawal). The logs must be immutable and include timestamp, user identifier (anonymised), consent categories accepted, and the version of the notice presented.
The Gap Between Vendor Claims and Tag Behaviour
Every major CMP vendor claims “Consent Mode v2 compliant” in their marketing. The claim refers to the vendor’s ability to emit the correct Consent Mode v2 signals. It does not verify that the tags in your specific container respect those signals. This gap is where most compliance failures originate: the CMP emits correctly, a subset of tags consume the signal correctly, but 3-5 tags in the container (often Community Templates from vendors that have not been updated) silently ignore the signal and fire regardless of consent state.
Verification requires testing each tag individually against the signal matrix. Grant all categories and verify which tags fire. Deny all categories and verify no non-exempt tags fire. Grant ad_storage only and verify that ad_user_data and ad_personalization consumers still respect the “denied” state. This matrix has 16 combinations; most teams test only 2-3. Regulators in enforcement actions walk the full matrix.
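One way to walk the full matrix and see which combinations were never tested, as an added example that is not part of the original article. The tag names and their tag-to-signal mapping are hypothetical and must be set per container; the observed results are constructed and would in practice come from one test session per consent state.

```javascript
// Added example: enumerate all 16 Consent Mode v2 states and audit observed tag firings.
const SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Every granted/denied combination of the four signals: 2^4 = 16 states.
function allStates() {
  return Array.from({ length: 1 << SIGNALS.length }, (_, bits) =>
    Object.fromEntries(SIGNALS.map((s, i) => [s, (bits >> i) & 1 ? 'granted' : 'denied'])));
}

// Compact key in SIGNALS order, e.g. 'GDDD' = only ad_storage granted.
const stateKey = (state) => SIGNALS.map((s) => (state[s] === 'granted' ? 'G' : 'D')).join('');

// requirements: tag -> signals that must ALL be granted before it may fire ([] = exempt).
// observed: stateKey -> tags seen firing in a test session run with that state.
function auditMatrix(requirements, observed) {
  const violations = [];
  const untested = [];
  for (const state of allStates()) {
    const key = stateKey(state);
    if (!(key in observed)) { untested.push(key); continue; }
    for (const tag of observed[key]) {
      const needs = requirements[tag];
      if (!needs) { violations.push({ state: key, tag, missing: ['no consent mapping'] }); continue; }
      const missing = needs.filter((s) => state[s] !== 'granted');
      if (missing.length) violations.push({ state: key, tag, missing });
    }
  }
  return { violations, untested };
}

// Hypothetical mapping (assumption for illustration, not vendor documentation).
const REQUIREMENTS = {
  'Meta Pixel': ['ad_storage', 'ad_user_data', 'ad_personalization'],
  'Hotjar': ['analytics_storage'],
  'Error logger': [], // exempt: strictly necessary
};
// Constructed observations covering only three of the 16 states.
const OBSERVED = {
  DDDD: ['Error logger', 'Meta Pixel'],
  GGGG: ['Error logger', 'Meta Pixel', 'Hotjar'],
  GDDD: ['Error logger', 'Meta Pixel'],
};
const MATRIX_REPORT = auditMatrix(REQUIREMENTS, OBSERVED);
console.log(MATRIX_REPORT.violations, `${MATRIX_REPORT.untested.length} states untested`);
```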
DPDP Act Specific Implementation Requirements
The DPDP Act imposes obligations that overlap with but are not identical to GDPR and CCPA.
- Explicit consent granularity: each data purpose requires separate consent. Mixing analytics and marketing consent into a single toggle is non-compliant.
- Consent manager integration: DPDP Act requires integration with the Consent Management Platform maintained by the Data Protection Board once it becomes operational (expected mid-2026). Your CMP architecture must be ready to integrate when the DPB publishes technical specifications.
- Data principal rights: users can request access, correction, and deletion of their data. Your consent logs must include sufficient identifier information to respond within the statutory timelines (typically 30 days).
- Cross-border restrictions: certain categories of personal data may be restricted from international transfer. If your tag stack includes US-based vendors (Meta, Google, TikTok), consider whether the data being sent falls within the restriction. This is evolving guidance; monitor the Ministry of Electronics and IT notifications through 2026.
Bottom Line
Consent Mode v2 is a protocol, not a compliance guarantee. A site with Consent Mode v2 implemented correctly in GTM can still violate GDPR, CCPA, and DPDP if non-Google tags fire unmanaged, consent state fails to persist across subdomains, or the default is granted instead of denied. In 2026, regulators are probing the gap between “we have a CMP” and “our tags actually respect the consent state”. That gap is where the fines live.