Table of Contents
Introduction
Google’s introduction of Consent Mode (beta) provides an organization the ability to technically modify the behavior of Google tags (Google Analytics, Google Ads Conversion and Remarketing, and Floodlight) to comply with privacy regulations while still collecting a minimum level of engagement data.
To start, it is important to understand what tags are, what cookies are, and how each works.
Tags are little snippets of code that execute on a webpage to collect and then send information from the user’s device to a third-party platform. Each third-party that you are using on your digital properties (Google Analytics, Google Ads, Evidon, etc.) will have tags embedded on relevant pages of each site.
Cookies are small text files that are used to store information on a user’s device which can be updated and/or referenced at a later time. Most often in the context of marketing and advertising, cookies will be placed on a user’s device with a unique identifier contained within it. Cookies are placed in the browser and the information contained in them is referenced by tags running on the site.
To tie it all together: tags are responsible for both reading and writing cookies on the user’s device. Cookies store a unique identifier to associate actions made by that device across the website. And tags will pull the unique identifier and include in the messages (data requests) that are sent to the third-party platforms for processing and reporting.
The Challenge
Traditionally, in order to comply with the requirements of explicit consent (ePrivacy and GDPR in EU) and/or requirements for opt-out (CCPA in US), Google Analytics tagging has been configured to not execute until after a user has indicated explicit consent for cookies to be accessed and/or personal data to be collected. This behavior is necessary because whenever a Google Analytics tag executes it will read and write a cookie on the user’s browser, as well as collect (from the cookie) a unique anonymous identifier that is associated with that device. This “out-of-the-box” behavior puts the tags in scope of relevant privacy regulation and requires affirmative user choice. There has not been a means to collect only fully anonymous interaction data without the placement and accessing of cookies, as well as the collection of a unique user identifier.
Impact on Analytics
No data is collected for a proportion of users. In our analysis, many European websites have seen a 40 to 60 percent drop in directly-measured (tracked) users once explicit consent mechanisms have been implemented – no conversion data, no traffic data, and no campaign data for those users.
Further, these blind spots make it so you can’t even know what proportion of total actions on the website are being tracked. This means reliable modeling to approximate your true numbers is out of reach. In effect, analytics only provides some pretty arbitrary numbers to look at giving an illusion of insight while in fact fully unmoored from reality.
Consent Mode (beta) addresses this challenge. It offers a native, technical method allowing you to still collect some fully anonymous interaction data for all users while only placing/accessing cookies and collecting information associated with the user for those that consent to such behavior. This fills gaps in reporting and provides baselines which enable modeling to fill in broader user and campaign information gaps.
How It Works
Consent Mode requires an additional script to execute prior to Google Analytics being loaded. The primary consent indication is made by the user (likely via a Consent Management Platform like Evidon, OneTrust, or Trust Arc). The Consent Mode script is configured to update based upon the indication from the CMP and then raise its own consent indication accordingly. Google Analytics then reads from the Consent Mode indication when it executes and behaves as instructed.
Options Available
Consent Mode provides two main indicators which are read by Google tags and then two additional options for enhanced granularity:
- Primary indicators
- ‘ads_storage’ – Indication if Google tags can read from and set storage information (cookies) on the user’s device for advertising functionality
- ‘analytics_storage’ – Indication if Google tags can read from and set storage information (cookies) on the user’s device for analytics functionality
- Additional options
- ‘ads_data_redaction’ – Additional ads data redaction
- ‘url_passthrough’ – Passes URL parameters to all pages
Let’s explore how Google Analytics behaves when these different options are either enabled or disabled.
For all requests sent to Google Analytics, regardless of the Consent Mode indications, certain information will be collected:
- Functional information
- Timestamp
- User agent (web only)
- Referrer
- Aggregate / non-identifying information
- Indication if the current or previous page in the user’s journey contained ad-click information in the URL
- Boolean information about the consent state
- Random number generated on each page load (web only)
Behavior and data collected outside of these always-on defaults will depend upon the consent indication as defined in the Consent Mode script options.
All Consent Mode Options Granted
Tag Behavior
- Web
- Cookies pertaining to advertising may be read and written
- IP addresses are collected
- The full web page URL, including ad-click information in URL parameters (e.g., GCLID / DCLID) is collected
- Third-party web cookies, previously set on google.com and doubleclick.net, and first-party conversion cookies (e.g., _gcl_*) are accessible
- Mobile apps
- Advertising identifiers (e.g., Advertising ID / IDFA) may be collected
- The app-instance ID generated by the Google Analytics for Firebase SDK is collected
Impact on Analytics
This is the default for Google Analytics tags (barring the use of other configurations either via the fields in the Google Analytics tags or advertising options in the UI). When both of the options are enabled (or not defined, unless otherwise configured), Google Analytics will set and read the first-party cookie with a unique device identifier as well as read/access first-party advertising cookies.
This behavior allows for total reporting capabilities. This means that there is full direct measurement of users and their interactions with the sites. These users are part of audiences that can be created in Google Analytics and activated across linked Google Ads platforms, as well as supplemented by Google Signals information about the users.
In essence, you can think of this as full-featured Google Analytics with all advertising features/Google Signals enabled.
Ad Storage Denied
Tag Behavior
- Web
- No new cookies pertaining to advertising may be written.
- No existing first-party advertising cookies may be read.
- Third-party cookies previously set on google.com and doubleclick.net may be sent in request headers (but limited to use for spam and fraud purposes).
- Google Analytics will not read or write Google Ads cookies and Google Signals features will not accumulate data for this traffic.
- Full page URL is collected which may include ad-click information in URL parameters (e.g., GCLID / DCLID). Ad-click information will only be used to approximate accurate traffic measurement.
- IP addresses are used to derive IP country, but are never logged by Google Ads and Floodlight systems. They are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications (this can be anonymized).
- Mobile apps
- No Advertising ID, IDFA, or IDFV may be collected.
- Google Signals features will not accumulate data for this traffic.
- IP addresses are used to derive IP country, but are never logged by our Google Ads and Floodlight systems. They are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications (this can be anonymized).
Impact on Analytics
The big impact when disabling Ad Storage is a change in how you can activate the data collected for the associated user and leverage it for targeting. Essentially, this has the effect of turning off advertising features/Google Signals within your Google Analytics property. The features in Google Analytics which rely on Advertising Cookies are the abilities to:
- Create Remarketing Audiences based on specific behavior, demographic, and interest data, and share those lists with Google Ads
- Use demographic and interest data in your Analytics reports
- Create Segments based on demographic and interest data
- Google Display Network Impression Reporting
When the Google Analytics tags are not reading from nor writing to the advertising cookies, then none of the users with this condition applied will be included in reporting or activation associated with the listed features.
What is maintained, however, is all measurement functionality related to core analytics reporting. Google Analytics will still be reading and writing to the first-party analytics cookies so the Device ID will be accessed and collected. All interaction data will be collected and associated with the Device ID so you will still have conversions, events, user metrics, session metrics, acquisition data, and attribution. Direct measurement data in this scenario is not impacted.
Ad Storage Denied and Data Redaction Enabled
Tag Behavior
- No new cookies pertaining to advertising may be written.
- No existing advertising cookies may be read.
- Requests are sent through a different domain to avoid previously set third-party cookies from being sent in request headers.
- Google Analytics will not read or write Google Ads cookies and Google signals features will not accumulate data for this traffic.
- Ad-click identifiers (e.g., GCLID / DCLID) in consent and conversion pings are redacted.
- IP addresses used to derive IP country, but are never logged by our Google Ads and Floodlight systems. They are immediately deleted upon collection. Note: Google Analytics collects IP addresses as part of normal internet communications (this can be anonymized).
- Page URLs with ad-click identifiers are redacted.
Impact on Analytics
This configuration takes things one step further with regards to advertising cookies. When Ad Storage is denied and Ads Data Redaction is enabled, no advertising cookies will be written or read and URL parameters which associate traffic with advertising campaigns will be redacted. This has the impact of effectively disabling the advertising features but will also impact campaign tracking information (acquisition reporting). With ad-click identifiers redacted, Google Analytics has no way to associate users with the campaigns which brought them to your website. All other direct measurement (conversions, events, etc.) will again not be impacted.
Analytics Storage Denied
Tag Behavior
- Web
- Will not read or write first-party analytics cookies
- Cookie-less pings will be sent to Google Analytics for basic measurement and modeling purposes
Impact on Analytics
This is the true “cookie-less” solution for Google Analytics. When setting Analytics Storage along with Ads Storage, no cookies will be written nor read by the Google Analytics tag. With the standard Google Analytics behavior, a device ID is set in a first-party analytics cookie. This Device ID persists and is used as a unique anonymous identifier for the user, tying together their behavior across page loads, events, and sessions. This enables any user and session reporting, as well as attribution and pathing insights. With no cookies being read or written, this ID will be a random number unique reset on each new page load. Therefore, no user, session, pathing, nor direct attribution reporting would be available for users where this storage is denied. However, interaction data (events, conversions, goals, etc.) will still be collected. This allows for a base level of truly anonymous reporting even for users that have not consented to cookies or processing of personal data. More importantly, it will also provide an indication of what proportion of users are consenting (which opens opportunities to model user and attribution insights based upon the behavior of consenting users to fill in direct measurement gaps).
In summary, you will maintain a base level of reporting for interactions such as events, page loads, and conversions. Event reporting and acquisition reporting would not be impacted while any user, session, and attribution insights will not be possible for users where Analytics Storage is denied. The caveat to this last point is that these insights can be modeled to provide a full view of user behavior – it just won’t be directly measurable in the traditional sense.
Implications for Privacy & Compliance
Consent Mode is a privacy-focused solution to allow for compliant direct measurement and the ability to more specifically respect user choice. This is a dramatic shift from the current ways in which Google Analytics is viewed with respect to consent requirements. To help frame this portion of the conversation, let’s explore the requirements of consent/user choice as outlined in the three privacy regulations with the widest business impact, and how Consent Mode addresses each concern.
ePrivacy Directives (Europe)
Consent Requirements
User consent is required to place or access any information stored on a user’s device that is not considered strictly necessary for the operation of the website (in the web context this often means cookies).
*This is very much a simplification. Requirements are country-specific and there is nuance from country to country.*
How Consent Mode Addresses Cookies
When disabling the broadest options in consent mode (i.e. setting both ‘ad_storage’ and ‘analytics_storage’ to ‘denied’), Google Analytics is not placing nor accessing any cookies from the user’s device. Only generic information about the interactions occurring on a particular page are sent to the Google Analytics servers. There is no identifier that can associate those actions to a particular user or device. There is not even an identifier that persists from one page load to another to tie actions together in the same visit.
Due to no information being stored nor accessed from the user’s device, there is no action for which the user needs to consent. This allows the collection of fully anonymous interaction data without a consent indication from the user.
Once the user does consent to analytics and/or advertising cookie usage, then we can update the functions in Consent Mode accordingly to alert Google Analytics to begin placing and accessing cookies. At this point, you are enabling the full suite of functionality with the platform.
General Data Protection Regulation (Europe)
Requirement for Consent & User Choice
GDPR requires a legitimate legal basis of processing for any Personal Data processed. Personal Data is any information related to an identified or identifiable natural person. The data subjects are identifiable if they can be directly or indirectly identified. The legitimate legal basis of processing for Google Analytics data is either going to fall under “Legitimate Interest” or “Consent,” depending upon the organization. If the legal basis is “Consent,” then explicit informed consent is required before processing occurs. If the legal basis is “legitimate interest” then there needs to be a balance test conducted to prove that the business value of the processing outweighs the privacy risk to the user.
How Consent Mode Addresses Personal Data
When disabling the broadest options in consent mode (i.e. setting both ‘ad_storage’ and ‘analytics_storage’ to ‘denied’) Google Analytics is not placing nor accessing any identifier which is associated with the device (i.e. unique device/client id stored in an analytics cookie). Only generic information about the interactions occurring on a particular page are sent to the Google Analytics servers. There is no identifier that can associate those actions to a particular user or device. There is not even an identifier that persists from one page load to another to tie actions together in the same visit.
Due to no identifier being collected at all, none of the information collected would fall under the “Personal Data” definition and would therefore not be in scope of GDPR. Even if only the disabling ‘ad_storage’ until a user consented to the collection of personal data for purposes of advertising, the nature of data collected would present a low bar for having a defensible position when assessing with a balance test for legitimate interest processing (if using this as the legal basis).
A potential objection could be raised due to the collection of IP addresses, which Google Analytics does collect in normal processing. There is a setting which can be applied for “IP Anonymization” with Universal Analytics and for GA4 IP anonymized by default. Again, this makes even these identifiers not unique to a person/device and outside the scope of “Personal Data” as defined in GDPR.
Again, Consent Mode allows for this fully anonymous and statistical data processing when disabling ads and analytics storage. Once a user consents to this processing, then the functions can be updated, and Google Analytics will operate with its full feature set from that point forward.
California Consumer Protection Act (US)
Requirement for Consent & User Choice
The CCPA allows for the refusal of the “sale” of any Personal Information by a user. Personal Information in this context is any information which can be associated with a person or household. When this data is “sold” (the definition of ‘sold’ is interpreted differently by various organizations but can be considered as ‘any data exchanged for a business consideration making or sharing for advertising purposes in scope’), the user has the right to opt-out of such sale.
How Consent Mode Addresses Personal Information
When disabling the broadest options in Consent Mode (i.e. setting both ‘ad_storage’ and ‘analytics_storage’ to ‘denied’), Google Analytics is not placing nor accessing any unique identifiers via cookies from the user’s device. Only generic information about the interactions occurring on a particular page is sent to the Google Analytics servers. There is no identifier that can associate those actions to a particular user nor device. There is not even an identifier that persists from one page load to another to tie actions together in the same visit.
Without any kind of unique identifier, there is no data which can be associated with the person or household. There is no data which calls within the scope of “Personal Information” as defined in CCPA.
Introducing a bit of nuance, it is also arguable that when just disabling Ads Storage, this would also satisfy the refusal of “sale” requirement for a user opting out under CCPA. When Ads Storage is disabled, as previously outlined, then information for that user is not eligible to be shared with linked Google Ads accounts and therefore is only being used by the collecting organization for first-party analytics purposes. Consent Mode provides these different levels of configuration options to align with your legal team’s interpretations of requirements and acceptable levels of risk.
Summary
Google’s new Consent Mode (beta) is a powerful privacy-focused solution that is the first step towards a future which satisfies both the rights of users, as well as the needs of businesses. It provides organizations with a new level of control for how Google Analytics is operating on their digital properties. In all scenarios, a basic level of direct measurement is conducted to understand how a digital property is performing while only allowing for user reporting and data use following the user’s consent to such practices.
The combination of Consent Mode with Google Analytics 4’s event-based data model solves a significant problem for business, allowing for gaps of measurement to be filled and insights to be modeled based upon the behavior of consenting users. Turns out, effective analysis is possible in a privacy-focused market after all!