On 6 March 2024, if you sell to anyone in the EEA, Google changed the rules on how it is allowed to collect your conversion data. Most brands implemented something around that date, ticked a box, and moved on. The something is usually wrong.
The result is a quiet hole in your attribution data — not a broken dashboard or an obvious error. A stable, healthy-looking set of reports that happen to be missing a fifth or more of what actually happened, because the sessions that would have filled the gap were never collected. If you run paid media against those numbers, you are optimising toward a picture that flatters itself.
This is the piece on what Consent Mode v2 ecommerce setups are really doing to your data, what is almost certainly misconfigured in yours, and the two ways to fix it properly. It is written for EMEA-facing DTC and SaaS brands specifically, because you feel this harder than anyone.
PART 01What Consent Mode v2 actually is¶
Strip away the product marketing and Consent Mode is one specific thing: a mechanism for telling Google's tags how to behave when a visitor has declined, or has not yet answered, your cookie banner. That is the whole job.
It is worth being blunt about what it is not. Consent Mode does not make you GDPR compliant on its own. It is not a cookie banner, and it is not a legal shield. It is a data collection behaviour control. Google made it mandatory from 6 March 2024 for any advertiser serving EEA or UK users who wants to keep using measurement, remarketing, and ad personalisation, driven by the EU's Digital Markets Act. Getting it wrong does not usually trigger a fine. It quietly degrades your GDPR Google Analytics 4 data instead, which is arguably worse because nobody notices.
PART 02The signals it controls¶
Consent Mode works by passing consent states to Google as a set of signals. Two are the ones that shape your analytics:
- ad_storage controls whether Google Ads tags can use cookies for attribution and remarketing.
- analytics_storage controls whether GA4 can read and write the cookies it uses to stitch a session together.
Version 2 added two more, ad_user_data and ad_personalization, which govern whether user data can be sent to Google for advertising and used for personalisation. All four default to denied until the visitor consents.
The failure most brands do not know they have is treating these as one on/off switch. They are separate signals, and a setup that grants or denies them incorrectly either leaks data you had no consent to collect, or blocks data you were allowed to keep.
PART 03Basic mode versus Advanced mode¶
This is the technical crux, and it is where most of the damage is done.
In Basic consent mode, when a visitor declines, Google's tags are blocked entirely and never load. No data is sent, not even an anonymised signal. Google then estimates the missing conversions after the fact through modelling.
In Advanced consent mode, the tags load before the banner is answered, and when a visitor declines they still send cookieless pings: no identifiers, no cookies, but enough of a signal that Google's modelling has real data to work from rather than a guess.
Most brands are on Basic, often without knowing it, because Basic is the simpler thing a CMP does out of the box. Advanced takes deliberate configuration, and it is the difference between modelling built on signal and modelling built on very little.
PART 04What modelled conversions are, and why they aren't enough alone¶
When a visitor declines and no data is collected, the conversion does not vanish from your reports. Google fills it back in with an estimate, based on the observed behaviour of visitors who did consent. The model is directionally useful. It is not measured data.
The problem is proportion. If a large share of your EEA visitors decline, a large share of your reported conversions are estimates rather than records, and estimates tend to be optimistic. Your ROAS looks a little better than reality, and the gap is invisible because modelled and measured conversions sit in the same number. This is the same class of problem as the gap between GA4 and Shopify revenue: the reporting looks stable, so nobody questions what is underneath it.
PART 05What is probably broken in your current setup¶
Almost every setup we audit has at least one of the following four issues. This is the section worth screenshotting.
- The CMP fires after GTM. Your consent banner loads after the GTM container has already fired GA4, so a slice of every session is collected before consent is even requested. This is both a compliance problem and a data problem. The fix is load order: the CMP must initialise before the container.
- Consent signals are not mapped to GTM variables. Your CMP is collecting choices and your tags are running, but the two are not wired together, so the consent state never actually reaches your tags. The fix is mapping your CMP's consent categories to the Google signals inside your Google Consent Mode setup in GTM.
- You are on Basic mode when you should be on Advanced. You are throwing away the cookieless pings that make modelling work. The fix is configuring the CMP to send signals on denial rather than block outright.
- There is no server-side tagging. Client-side tags are still blocked by ad blockers regardless of consent state, and ad blocker usage across Europe sits at roughly 40% of internet users, close to half in markets like Germany. Consent Mode does nothing about that layer of loss. Server-side is the only complete answer, and we come to it below.
PART 06How to check your own setup in five minutes¶
You do not need us to tell you which of the four you have. You can see it yourself:
- Open GTM Preview mode and load your site.
- Accept cookies, then in a fresh session decline them, watching the Tag Firing column each time.
- In GA4 DebugView, confirm whether events fire or hold back depending on the consent state.
- Use Google Tag Assistant to read the actual values of
ad_storageandanalytics_storagebefore and after a choice is made.
PART 07The attribution impact, quantified¶
It is easy to wave at this problem in the abstract. The point lands only when you put numbers to it, so here they are, and they are lower than the reassuring figures many vendors quote.
Aggregated across 2024 and 2025 studies, the overall cookie consent rate sits between roughly 42% and 47%, with individual sectors diverging sharply from that midpoint. Financial services and healthcare tend to run higher on the trust they already hold, ad-supported media runs lower, and ecommerce sits in the middle and shifts with your ratio of new to returning visitors.
Here is the part that matters. Those numbers assume a compliant banner. On a legally compliant design that gives the reject option equal weight, cookies requiring consent are rejected in around 60% of visits, and compliant design records roughly 14 percentage points less consent than a manipulative one. That is not a reason to build a manipulative banner — it is the honest cost of operating within the law. And most banners are not even compliant: a large-scale Usercentrics study of more than 250,000 European sites found that only 15% meet the minimum requirements for GDPR compliance.
For a US audience the picture inverts, because the opt-out model means acceptance often exceeds 80%. So your real exposure depends entirely on your EEA traffic share. The formula to run for yourself:
Modelled share of conversions ≈ EEA traffic share × EEA decline rate
If the EEA is half your traffic and half of those visitors decline, roughly a quarter of your total conversions are modelled estimates rather than measured events. Push the decline rate to 60%, which a compliant banner comfortably reaches, and it climbs toward a third. That is the hole. It is not exotic, and it is almost never visible in the reports themselves.
PART 08How to fix it properly¶
There are two paths. Choose based on how complete you need the data to be.
Option 1 · CMP plus GTM, the minimum viable fix
This gets you compliant and recovers some of the modelling signal you are currently throwing away.
- Choose a TCF 2.2 compliant, Google-certified CMP. Cookiebot, Usercentrics, and OneTrust are the common choices.
- Configure the CMP to fire before the GTM container in your load order.
- Map your consent categories to the Google signals (
ad_storage,analytics_storage,ad_user_data,ad_personalization) inside GTM. - Switch from Basic to Advanced mode so denials send cookieless pings.
- Validate the whole thing in GTM Preview and GA4 DebugView before you call it done.
This is the right first move for most brands. It closes the compliance gap and improves the quality of your modelled conversions. What it does not do is recover the data lost to ad blockers, because those still sit between the browser and Google.
Option 2 · Server-side tagging, the complete fix
The mature answer is to move your GA4 and Google Ads tags off the visitor's browser and onto a server you control. This is server-side tagging GA4, and it changes the economics of the problem.
Because the tags run server-side, they are no longer sitting in the browser where ad blockers can stop them, which recovers a meaningful slice of that 40% ad blocker loss. Consent is still respected, processed on the server rather than in the page. And it opens the door to durable first-party, cookieless tracking ecommerce measurement rather than the third-party cookie model that is disappearing anyway.
It is the point at which your measurement stops leaking by design. If you want the reporting layer that actually shows you the split between measured and modelled data, rather than blending them into one comforting number, that is exactly what the Decision-First Dashboard Kit is built to surface.
PART 09What to tell your media agency¶
If your agency reports on GA4 attribution without accounting for the consent gap, their numbers are incomplete. Not because they are careless, but because the tool is handing them incomplete data and presenting it as whole.
Ask them: what consent rate are we seeing in our EEA traffic, and how much of our reported conversion volume is modelled rather than measured? If they can answer with a real number, you are in good hands.
If they cannot, that is the conversation to have, because every budget decision you have made this quarter was made on data neither of you had characterised. This is exactly Layer 1 of every audit we run — consent mode status is the first thing we check, before we look at anything else.
Download the free checklist
The Data Audit Checklist walks through the five-minute consent check in this piece, step by step. Free, no email gate.
→ Get the checklistBook a 20-minute audit call
We will run the five-minute check on your actual GTM container together. If the cause is obvious, we will tell you on the call.
→ Book a callPART 10Frequently asked questions¶
Is Consent Mode v2 mandatory?
Yes, since 6 March 2024, for any advertiser serving EEA or UK users who wants to keep using Google's measurement, remarketing, and ad personalisation features. It is driven by the EU Digital Markets Act. Without it, Google stops collecting data on new EEA users through its ad and analytics platforms.
Does Consent Mode v2 make me GDPR compliant?
No. It is a data collection behaviour control, not a legal shield. You still need a compliant consent banner and a lawful basis for processing. Consent Mode governs how Google's tags respond to the choices your banner collects, nothing more.
Why is my GA4 data lower since Consent Mode v2?
Because sessions from visitors who decline consent are no longer fully collected, and on Basic mode they are not collected at all. If a large share of your EEA visitors decline, a large share of your conversions are now modelled estimates rather than measured events, which usually reads as a drop in recorded data.
What is the difference between Basic and Advanced consent mode?
Basic blocks Google's tags entirely when a visitor declines, so Google models the gap from nothing. Advanced loads the tags and sends anonymous cookieless pings on denial, giving the modelling real signal to work from. Advanced produces meaningfully better attribution data and is the recommended setup.
The takeaway
Consent Mode v2 is not a box you tick. It is a live control over how much of your own data you get to keep, and most implementations are quietly set to keep less than they could. Check your load order, map your signals, move to Advanced, and if the EEA is a real part of your business, go server-side. The alternative is to keep making decisions inside a gap you cannot see.
Consent Mode status is Layer 1 of every audit we run. If you want to know exactly where yours is leaking, download the free Data Audit Checklist and run the five-minute test above yourself, or book a 30-minute audit call and we will tell you inside ten minutes what is broken. No prep needed.
Sources. Google Ads Help and GA4 documentation on Consent Mode, Basic vs Advanced behaviour, and the EU Digital Markets Act requirement effective 6 March 2024; Usercentrics European consent benchmark study (250,000+ sites); aggregated 2024–2025 cookie consent rate studies; Statista and DataReportal ad blocker usage estimates for Europe; author's field notes from EEA e-commerce data audits 2023–2026.
