Home/ Writing/ N°09 · E-commerce
GA4 sessions chart showing 30 days of real data followed by a dotted line of consent mode v2 modelled conversions where declined EEA visitors were never collected
N° 09 · E-commerce · Published Jul 2026 · 14 min read

What Consent Mode v2 is doing to your attribution data. And how to fix it.

On 6 March 2024, Google changed the rules on how it can collect your EEA conversion data. Most brands implemented something, ticked a box, and moved on — and the something is usually wrong. The result isn't a broken dashboard. It's a stable, healthy-looking report quietly missing a fifth or more of what actually happened. This piece covers what a proper GDPR Google Analytics 4 setup requires, the four mistakes almost every consent mode v2 ecommerce implementation makes, and the two ways to fix them for good.

Jimmy Okoth
Author
Jimmy Okoth
Audience
EEA/UK DTC & SaaS founders
Revenue range
$500K – $10M
Reading time
14 minutes
Published
Jul 2026
Key takeaways 05 in 40 seconds
  1. Consent Mode does not make you GDPR compliant. It is a data collection behaviour control — it decides how Google's tags behave when a visitor declines or hasn't answered your banner yet. It is not a cookie banner and not a legal shield.
  2. Almost every setup we audit has at least one of four mistakes: the CMP fires after GTM, consent signals aren't mapped to GTM variables, the account is stuck on Basic when it should be Advanced, or there is no server-side layer catching what ad blockers stop.
  3. Basic mode throws away real signal. On Basic, declined visitors send nothing and Google guesses the gap from zero. On Advanced, declined visitors send anonymous cookieless pings, giving Google's modelling actual data to work from.
  4. The exposure is quantifiable. Modelled share of conversions ≈ EEA traffic share × EEA decline rate. At 50% EEA traffic and a compliant banner's ~55% decline rate, roughly a quarter of your reported conversions are estimates, not records.
  5. There are exactly two real fixes. CMP + GTM wiring closes the compliance gap and improves modelling. Server-side tagging is the complete fix — it also recovers the ~40% of European traffic sitting behind ad blockers.

On 6 March 2024, if you sell to anyone in the EEA, Google changed the rules on how it is allowed to collect your conversion data. Most brands implemented something around that date, ticked a box, and moved on. The something is usually wrong.

The result is a quiet hole in your attribution data — not a broken dashboard or an obvious error. A stable, healthy-looking set of reports that happen to be missing a fifth or more of what actually happened, because the sessions that would have filled the gap were never collected. If you run paid media against those numbers, you are optimising toward a picture that flatters itself.

This is the piece on what Consent Mode v2 ecommerce setups are really doing to your data, what is almost certainly misconfigured in yours, and the two ways to fix it properly. It is written for EMEA-facing DTC and SaaS brands specifically, because you feel this harder than anyone.

PART 01What Consent Mode v2 actually is

Strip away the product marketing and Consent Mode is one specific thing: a mechanism for telling Google's tags how to behave when a visitor has declined, or has not yet answered, your cookie banner. That is the whole job.

It is worth being blunt about what it is not. Consent Mode does not make you GDPR compliant on its own. It is not a cookie banner, and it is not a legal shield. It is a data collection behaviour control. Google made it mandatory from 6 March 2024 for any advertiser serving EEA or UK users who wants to keep using measurement, remarketing, and ad personalisation, driven by the EU's Digital Markets Act. Getting it wrong does not usually trigger a fine. It quietly degrades your GDPR Google Analytics 4 data instead, which is arguably worse because nobody notices.

PART 02The signals it controls

Consent Mode works by passing consent states to Google as a set of signals. Two are the ones that shape your analytics:

Version 2 added two more, ad_user_data and ad_personalization, which govern whether user data can be sent to Google for advertising and used for personalisation. All four default to denied until the visitor consents.

The failure most brands do not know they have is treating these as one on/off switch. They are separate signals, and a setup that grants or denies them incorrectly either leaks data you had no consent to collect, or blocks data you were allowed to keep.

PART 03Basic mode versus Advanced mode

This is the technical crux, and it is where most of the damage is done.

In Basic consent mode, when a visitor declines, Google's tags are blocked entirely and never load. No data is sent, not even an anonymised signal. Google then estimates the missing conversions after the fact through modelling.

In Advanced consent mode, the tags load before the banner is answered, and when a visitor declines they still send cookieless pings: no identifiers, no cookies, but enough of a signal that Google's modelling has real data to work from rather than a guess.

Most brands are on Basic, often without knowing it, because Basic is the simpler thing a CMP does out of the box. Advanced takes deliberate configuration, and it is the difference between modelling built on signal and modelling built on very little.

PART 04What modelled conversions are, and why they aren't enough alone

When a visitor declines and no data is collected, the conversion does not vanish from your reports. Google fills it back in with an estimate, based on the observed behaviour of visitors who did consent. The model is directionally useful. It is not measured data.

The problem is proportion. If a large share of your EEA visitors decline, a large share of your reported conversions are estimates rather than records, and estimates tend to be optimistic. Your ROAS looks a little better than reality, and the gap is invisible because modelled and measured conversions sit in the same number. This is the same class of problem as the gap between GA4 and Shopify revenue: the reporting looks stable, so nobody questions what is underneath it.

PART 05What is probably broken in your current setup

Almost every setup we audit has at least one of the following four issues. This is the section worth screenshotting.

The four most common Consent Mode v2 implementation mistakes: CMP fires after GTM, consent signals not mapped, stuck on Basic instead of Advanced mode, and no server-side tagging
Four problems, four fixes. Almost every audit turns up at least one.
  1. The CMP fires after GTM. Your consent banner loads after the GTM container has already fired GA4, so a slice of every session is collected before consent is even requested. This is both a compliance problem and a data problem. The fix is load order: the CMP must initialise before the container.
  2. Consent signals are not mapped to GTM variables. Your CMP is collecting choices and your tags are running, but the two are not wired together, so the consent state never actually reaches your tags. The fix is mapping your CMP's consent categories to the Google signals inside your Google Consent Mode setup in GTM.
  3. You are on Basic mode when you should be on Advanced. You are throwing away the cookieless pings that make modelling work. The fix is configuring the CMP to send signals on denial rather than block outright.
  4. There is no server-side tagging. Client-side tags are still blocked by ad blockers regardless of consent state, and ad blocker usage across Europe sits at roughly 40% of internet users, close to half in markets like Germany. Consent Mode does nothing about that layer of loss. Server-side is the only complete answer, and we come to it below.

PART 06How to check your own setup in five minutes

You do not need us to tell you which of the four you have. You can see it yourself:

  1. Open GTM Preview mode and load your site.
  2. Accept cookies, then in a fresh session decline them, watching the Tag Firing column each time.
  3. In GA4 DebugView, confirm whether events fire or hold back depending on the consent state.
  4. Use Google Tag Assistant to read the actual values of ad_storage and analytics_storage before and after a choice is made.
Reading the result. If tags fire before you answer the banner, that's mistake one. If the consent state never changes the signal values, that's mistake two. If declining kills all data flow rather than sending pings, that's mistake three.

PART 07The attribution impact, quantified

It is easy to wave at this problem in the abstract. The point lands only when you put numbers to it, so here they are, and they are lower than the reassuring figures many vendors quote.

Aggregated across 2024 and 2025 studies, the overall cookie consent rate sits between roughly 42% and 47%, with individual sectors diverging sharply from that midpoint. Financial services and healthcare tend to run higher on the trust they already hold, ad-supported media runs lower, and ecommerce sits in the middle and shifts with your ratio of new to returning visitors.

Here is the part that matters. Those numbers assume a compliant banner. On a legally compliant design that gives the reject option equal weight, cookies requiring consent are rejected in around 60% of visits, and compliant design records roughly 14 percentage points less consent than a manipulative one. That is not a reason to build a manipulative banner — it is the honest cost of operating within the law. And most banners are not even compliant: a large-scale Usercentrics study of more than 250,000 European sites found that only 15% meet the minimum requirements for GDPR compliance.

For a US audience the picture inverts, because the opt-out model means acceptance often exceeds 80%. So your real exposure depends entirely on your EEA traffic share. The formula to run for yourself:

Modelled share of conversions ≈ EEA traffic share × EEA decline rate
Worked example: 50 percent EEA traffic share multiplied by 55 percent EEA decline rate equals roughly 27 percent of GA4 conversions being modelled estimates, not measured records
Run the maths on your own store. The inputs are your EEA traffic share and your banner's decline rate.

If the EEA is half your traffic and half of those visitors decline, roughly a quarter of your total conversions are modelled estimates rather than measured events. Push the decline rate to 60%, which a compliant banner comfortably reaches, and it climbs toward a third. That is the hole. It is not exotic, and it is almost never visible in the reports themselves.

PART 08How to fix it properly

There are two paths. Choose based on how complete you need the data to be.

Option 1 · CMP plus GTM, the minimum viable fix

This gets you compliant and recovers some of the modelling signal you are currently throwing away.

  1. Choose a TCF 2.2 compliant, Google-certified CMP. Cookiebot, Usercentrics, and OneTrust are the common choices.
  2. Configure the CMP to fire before the GTM container in your load order.
  3. Map your consent categories to the Google signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) inside GTM.
  4. Switch from Basic to Advanced mode so denials send cookieless pings.
  5. Validate the whole thing in GTM Preview and GA4 DebugView before you call it done.

This is the right first move for most brands. It closes the compliance gap and improves the quality of your modelled conversions. What it does not do is recover the data lost to ad blockers, because those still sit between the browser and Google.

Option 2 · Server-side tagging, the complete fix

The mature answer is to move your GA4 and Google Ads tags off the visitor's browser and onto a server you control. This is server-side tagging GA4, and it changes the economics of the problem.

Because the tags run server-side, they are no longer sitting in the browser where ad blockers can stop them, which recovers a meaningful slice of that 40% ad blocker loss. Consent is still respected, processed on the server rather than in the page. And it opens the door to durable first-party, cookieless tracking ecommerce measurement rather than the third-party cookie model that is disappearing anyway.

Two ways to run it: self-hosted server-side GTM on your own cloud infrastructure, or a managed host that handles the plumbing for a modest monthly cost. It is a one-time engineering effort rather than an ongoing burden, and for an EMEA brand where a third of the data is at stake, it is rarely overkill.

It is the point at which your measurement stops leaking by design. If you want the reporting layer that actually shows you the split between measured and modelled data, rather than blending them into one comforting number, that is exactly what the Decision-First Dashboard Kit is built to surface.

PART 09What to tell your media agency

If your agency reports on GA4 attribution without accounting for the consent gap, their numbers are incomplete. Not because they are careless, but because the tool is handing them incomplete data and presenting it as whole.

Ask them: what consent rate are we seeing in our EEA traffic, and how much of our reported conversion volume is modelled rather than measured? If they can answer with a real number, you are in good hands.

If they cannot, that is the conversation to have, because every budget decision you have made this quarter was made on data neither of you had characterised. This is exactly Layer 1 of every audit we run — consent mode status is the first thing we check, before we look at anything else.


Self-diagnose first

Download the free checklist

The Data Audit Checklist walks through the five-minute consent check in this piece, step by step. Free, no email gate.

→ Get the checklist
Not sure which mode you're on?

Book a 20-minute audit call

We will run the five-minute check on your actual GTM container together. If the cause is obvious, we will tell you on the call.

Book a call

PART 10Frequently asked questions

Is Consent Mode v2 mandatory?

Yes, since 6 March 2024, for any advertiser serving EEA or UK users who wants to keep using Google's measurement, remarketing, and ad personalisation features. It is driven by the EU Digital Markets Act. Without it, Google stops collecting data on new EEA users through its ad and analytics platforms.

Does Consent Mode v2 make me GDPR compliant?

No. It is a data collection behaviour control, not a legal shield. You still need a compliant consent banner and a lawful basis for processing. Consent Mode governs how Google's tags respond to the choices your banner collects, nothing more.

Why is my GA4 data lower since Consent Mode v2?

Because sessions from visitors who decline consent are no longer fully collected, and on Basic mode they are not collected at all. If a large share of your EEA visitors decline, a large share of your conversions are now modelled estimates rather than measured events, which usually reads as a drop in recorded data.

What is the difference between Basic and Advanced consent mode?

Basic blocks Google's tags entirely when a visitor declines, so Google models the gap from nothing. Advanced loads the tags and sends anonymous cookieless pings on denial, giving the modelling real signal to work from. Advanced produces meaningfully better attribution data and is the recommended setup.

The takeaway

Consent Mode v2 is not a box you tick. It is a live control over how much of your own data you get to keep, and most implementations are quietly set to keep less than they could. Check your load order, map your signals, move to Advanced, and if the EEA is a real part of your business, go server-side. The alternative is to keep making decisions inside a gap you cannot see.

Consent Mode status is Layer 1 of every audit we run. If you want to know exactly where yours is leaking, download the free Data Audit Checklist and run the five-minute test above yourself, or book a 30-minute audit call and we will tell you inside ten minutes what is broken. No prep needed.


Sources. Google Ads Help and GA4 documentation on Consent Mode, Basic vs Advanced behaviour, and the EU Digital Markets Act requirement effective 6 March 2024; Usercentrics European consent benchmark study (250,000+ sites); aggregated 2024–2025 cookie consent rate studies; Statista and DataReportal ad blocker usage estimates for Europe; author's field notes from EEA e-commerce data audits 2023–2026.

Jimmy Okoth
Written by

Jimmy Okoth

Actuary-trained data consultant. Helps e-commerce and SME founders build pricing and data infrastructure that reflects the real economics of their business. EMEA remote · PI insured.

→ Book a call
← Previous · N° 08

Why GA4 and Shopify numbers never agree

All pieces →

Browse the full archive

Ready to find out what's breaking in your data infrastructure?

Book a discovery call