Secure Privacy and Google Consent Mode: Best CMP Tool for IAB TCF

Google’s Consent Mode API is set to help both publishers and advertisers meet GDPR cookie consent requirements.

Secure Privacy Team

October 27, 2020·9 min read

Google’s Consent Mode API is set to help both publishers and advertisers meet GDPR cookie consent requirements.

If you use Google’s products and intend to continue doing so after the company integrated with IAB Europe’s Transparency and Consent Framework (TCF v2.0), the Consent Mode API will offer you increased flexibility in how you use Google’s products alongside your preferred Consent Management Platform (CMP).

What is Google Consent Mode?

Google Consent Mode is a new API for publishers and advertisers that you implement in your Consent Management Platform to gather valuable insights from the personal information you collect from users when using solutions such as Google Analytics and Google Ads, in a GDPR compliant way.

Why is Google Consent Mode Important?

The introduction of the General Data Protection Regulation (GDPR) in May 2018 introduced a new framework for publishers and advertisers in the European Union.

One of the core requirements under the EU’s data privacy law is the obligation to allow website visitors the choice to opt-in or opt-out of the placement of non-essential cookies in their devices.

This development introduced a fresh set of challenges for advertisers and publishers regarding how to determine the effectiveness of digital campaigns in cases where the user does not provide consent for the use of marketing or third-party cookies.

The GDPR set the precedent for the introduction of other international data privacy regulations with the major ones that have followed being the California Consumer Protection Act (CCPA) and Brazil’s LGPD.

How does Google Consent Mode Work?

The aim of the Google Consent Mode API is to close the gap between the advertising industry and the data protection world.

The new API introduces two new tags to manage the behavior of other Google tags and cookies. The tags are;

Ad_storage
Analytics_storage

The Google Consent Mode API works in integration with your CMP, whereby it gets information whether the user opted-in or out of the use of cookies directly from your preferred Consent Management Platform.

Therefore, the Consent Mode API allows Google to use pings to check three vital metrics instead of using cookies. These metrics are;

Consent Status

In this case, Pings are sent from every page accessed by your user where you have implemented consent mode, as well as in pages where consent changes from the one given initially.

The pings relay the consent choices for every type of cookie purpose.

Conversions

For this metric, pings are sent to show that a conversion has taken place.

Google Analytics

In this context, pings are relayed on every webpage where you have installed Google Analytics, which is then followed by the logging of both visits and the behavior of your users on the page.

On the other hand, In case a user gives consent to the placement of advertising cookies in their device, the associated tags will revert to normal functioning. This means that you can leverage Google Ads and Google Analytics cookies for measurement and retargeting.

Learn about Google Analytics GDPR Compliance..

Which Google Services are Supported by Consent Mode?

The new API supports a variety of solutions used by publishers, advertisers, and website owners who need to evaluate their performance online. The Google services supported by Consent Mode are;

Google Analytics
Google Ads (Google Ads Conversion Tracking and Remarketing)
Google Tag Manager
Gtag
Floodlight
Conversion Linker

How do I use Consent Mode with Google Ads?

When you implement Consent Mode, the ‘ad_storage’ tag manages the behavior of advertising cookies including the measurement of your conversions.

The “ad-storage’ tag relies on the user’s consent choices regarding marketing cookies.

Depending on whether the user opted-in or out of marketing cookies, this tag modifies how Google’s marketing cookies collect user information.

While you may miss out on the opportunity to gather personal information for retargeting and personalized ads, you will be able to monitor conversions from ad campaigns.

How do I Use Consent Mode with Google Analytics?

Similar to the ‘ad-storage’ tag, the ‘analytics_storage’ tag is responsible for managing the behavior of analytics cookies.

In case your user fails to opt-in to the use of statistics cookies, you will still collect actionable, aggregated, and anonymized personal information such as;

Timestamps of visits to your website
How the users got to your website
Ad-click data in the URL
Random number generated on each page load
Boolean information about the consent state
The user agent i.e whether users access your webpage

What are the GDPR Cookie Consent Requirements?

There are specific requirements for how to obtain valid consent when it comes to GDPR and cookies. Primarily, valid cookie consent under the GDPR must be;

Informed
unambiguous
freely given
Specific
Easily withdrawn

The EU’s data protection regulation explicitly states that some cookies involve the processing of personal information.

This point applies to all marketing, targeting, and analytics cookies that collect a consumer’s identifiers. Learn about the 11 GDPR Marketing Mistakes and How to Fix Them.

To obtain GDPR compliant cookie consent, website owners must;

Block all cookies except the necessary ones until the user has given consent
Provide visitors with the option to decline cookies and tracking
Inform your users of cookies and tracking on your website in the webpage’s cookies policy
Respect and remember your user’s privacy choices
Offer a simple way for consumers to withdraw or change the consent
Log and store all your visitor’s consents

For more information about the use of cookies on your website read our blog on the latest EDPB Guidelines here.

What is the IAB TCF v2.0?

the IAB Europe’s Transparency Consent Framework is a GDPR-compliant set of technical specifications and policies for website publishers to inform users about the type of personal data you collect and how you plan to use this information together with your third-party partners.

Therefore, the IAB TCF provides the publishing and advertising industry with a uniform way to demonstrate compliance with GDPR cookie consent requirements in the delivery of appropriate digital promotions and content.

In August 2019, IAB Europe together with IAB Tech Lab revealed that it was testing the second version of its Transparency Consent Framework v1.1.

IAB TCF v2.0 aims to empower consumers to exercise the right to object to the processing of their data, as well as their freedom to provide or deny the consent for this purpose.

Furthermore, it also allows consumers to enjoy more authority over whether and how vendors may use specific aspects of data processing such as the application of accurate geolocation.

For publishers, IAB TCF v2.0 gives you increased control and adaptability concerning how you integrate and partner with technology partners.

Essentially, the Interactive Advertising Bureau’s Transparency and Consent Framework v2.0 comes with new publisher functionality that allows you to limit the purposes for which personal data is processed by vendors on a publisher’s webpage.

Learn more about the differences between IAB TCF v1.1 and TCF v2.0 here.

What is a Consent Management Platform (CMP)?

This is a software tool that helps you meet data protection requirements on your website or application.

CMPs facilitate compliance by asking your users for consent for gathering and handling their information, as well as sharing this data with ad partners.

Commonly, the term CMPs is connected to IAB Europe’s Transparency and Consent Framework (TCF) and the Consent Management Platforms registered under it.

From a technical point of view, the term refers to a wider concept that goes beyond integration with the Interactive Advertising Bureau (IAB).

Nonetheless, the IAB TCF brings together registered CMPs of adtech vendors such that first parties can obtain user consent to manage personal data through vendors and share it with third-parties.

Through CMPs, IAB TCF guarantees transparency and responsibility in the advertising supply chain since publishers can rest assured that they are collaborating with an ad partner who is GDPR compliant and vice versa.

What is the Difference Between a Consent Management Platform and a Cookie Consent Banner?

A CMP collects consent and then passes this information to other vendors.

This ensures that there is transparent consent tracking between the publisher and downstream partners.

In contrast, a cookie notification banner is focused on making it possible for users to check or uncheck the installation of specific types of cookies.

To learn more about CMPs, read our detailed blog here

Secure Privacy and Google Consent Mode

Secure Privacy is a registered CMP under both the IAB Europe TCF v2.0 and integrates seamlessly with Google Consent mode.

Our solution helps you to:

Scan and detect all cookies and trackers on your website, and automatically block them until your end-users give their consent with our “Prior Consent” functionality.
Allow users to give their consent through a highly customizable consent banner on your website that is both simple and easy-to-understand for end-users. The Secure Privacy GDPR cookie consent banner allows users to opt-in or out of the placement of cookies for different purposes in their devices. Furthermore, they make it possible to withdraw consent easily.
Enable users to give consent across multiple domains with our industry-unique “cross-domain consent” functionality. Let's say that you run a travel company and you have a booking engine. When the user lands on your homepage, you may direct him/her to website number two, which may be an area search, and then eventually you redirect the customer to a hotel website.In such a scenario, you basically have one use case for the customer, but you don't want the customer to see the cookie banner and give consent at each step they are redirected to a new website. Secure Privacy’s cross-domain consent functionality allows you to put the websites together within one cross-domain group and make it easy for users to provide cookie consent in a single step.
Send the consent state of the user to the Google Consent Mode, which then determines the behavior of all tags and scripts from its services based on the consent state, e.g. through Google Analytics.

If you would like to receive additional information about Secure Privacy and Google Consent Mode or to have our data protection expert carry out a quick ‘check-up’ of your website, cookie consent banner, or your cookie policy, book a call today.

Schedule a call to learn more

Additional Resources:

Learn more about Google Consent Mode here.

Discover how to make your website compliant with GDPR with our detailed compliance guide.

Find out why Secure Privacy is the best CMP Tool for GDPR and CCPA Compliance for Publishers here.

Continue Reading

Explore more privacy compliance insights and best practices

Cookie Consent

WCAG Cookie Banner Requirements: Make Your Consent Accessible and Compliant

Your legal team just signed off on the cookie banner. Your developer shipped it. It blocks tracking scripts before consent, offers a Reject All button, and logs every choice. On paper, it is GDPR-compliant.

Cookie Compliance When Redesigning Your Website: What Companies Get Wrong

Your agency just delivered beautiful mockups for your website redesign. Development is migrating from WordPress to Webflow. Marketing is excited about the new analytics stack. Legal reviewed the privacy policy. Everyone assumes cookie compliance will "just work" on the new site.

Privacy Risks in LLMs: Governance Frameworks for Enterprise AI

Your data protection officer just discovered that product teams have been using ChatGPT to draft customer emails for six months. Marketing fine-tuned an LLM on your entire CRM database without consulting legal. Engineering embedded a third-party model in your core application, and nobody documented what data it processes or where inference happens.