Real Cookie Banner is compatible with Google Consent Mode (v2 and newer). This allows you to obtain consent according to this standard on your WordPress website. In this article, we explain what the Google Consent Mode is, when you should activate it and how to set up your Google Consent Mode compatible cookie banner with Real Cookie Banner.
What is Google Consent Mode?
Google Consent Mode is a framework developed by Google that helps website operators to transmit consents for specific purposes or services via the Google Tag (gtag.js). This tag can be added to a website to use a variety of Google products and services and to connect the tag to multiple destinations.
Consent by consent type (purpose) helps website operators to control the behavior of Google services on their website. For example, if the website visitor does not consent to cookies and other data processing technologies, Google will not set any new non-security cookies. Google also promises to be able to collect basic data (aggregated and anonymized) in Google services without consent by using Google Consent Mode, while at the same time respecting the privacy of the website visitor.
Data protection criticism of Google Consent Mode
Google promises to be able to collect limited data about website visitors without their consent by using Google Consent Mode (called “Advanced Mode” or “Advanced Consent Mode”). This is in the interests of both website operators and Google. However, the prerequisite for this is that the corresponding Google services must be loaded on the website before consent is given.
By loading the services, the IP address of the website visitor is necessarily transmitted to Google’s servers. The IP address is generally regarded as personal data, which means that there must be a legal basis for data processing in accordance with Art. 6 GDPR. Usually, only consent comes into question here.
Google’s communication focuses on reducing the use of cookies and thus complying with the provisions of the ePrivacy Directive. Google also has special obligations to comply with this, as its scripts ultimately execute the setting and reading of cookies etc. However, Google leaves possible data protection violations caused by the transfer of personal data to Google, triggered and therefore presumably also liable by the website operator, to the website operator.
Google Consent Mode can also be used in such a way that Google services are only loaded after consent, whereby the greatest advantages of Google Consent Mode for website operators are lost, with additional complexity for the website operator. In this form, we believe that the use of Google Consent Mode is uncritical in terms of data protection law.
Obligation to use the Google Consent Mode
Google Consent Mode is supported by Google Analytics, Google Ads, Floodlight and the Google Conversion Linker, among others. From March 2024, Google will require website operators to obtain consent in accordance with Google Consent Mode (v2 or newer) in order to continue using all features of the named services.
From Google’s sparse communication, it can be concluded that the following features will in future only work with consent in accordance with Google Consent Mode. Other features may also be subject to mandatory Google Consent Mode after the introduction of the obligation.
- Google Analytics: Audiences
- Google Ads: Conversion tracking and subsequently remarketing campaigns
Google requests consent from website operators in accordance with Google Consent Mode, as the company was named a gatekeeper (company with a key role in the digital market) by the EU in the Digital Markets Act and must therefore comply with comprehensive legal obligations in the EU and EEA.
New features in Google Consent Mode v2
Google Consent Mode v2 differs from the originally introduced Google Consent Mode, in particular through the introduction of the consent types ad_user_data and ad_personalization. These allow finer control over which data may be processed on the basis of consent.
Changes that would make Google Consent Mode more privacy-friendly are, however, not part of version 2.
Google Consent Mode adds further disclosures and options for your website visitors to your cookie banner. We consider this to be the only justifiable way in terms of data protection law to be able to obtain as effective consent as possible on your WordPress website within the given structural restrictions of the framework. At the same time, the greater complexity of the cookie banner can have a negative impact on website visitors, so you should consider whether you want to use Google Consent Mode.
In concrete terms, the following elements are added to your cookie banner as soon as at least one standard consent type (purpose of data processing) is requested according to Google Consent Mode. All consents given for purposes are always applied to all services, as Google Consent Mode does not allow consent per service.
- In the first view of the cookie banner, all purposes for which you request consent according to the Google Consent Mode are disclosed (can be deactivated).
- In the individual privacy settings, there is a new section for data processing according to Google Consent Mode, in which consent can be given for the respective purposes.
- In the individual privacy settings, in the details of each service, it is disclosed which purposes the respective service requests under Google Consent Mode according to you as the website operator (consent to the purposes always applies to all services).
Google’s obligation to obtain verifiable consent for data processing purposes is based on Recital 37 Digital Market Act. Accordingly, the gatekeeper must ensure that websites that use its services “proactively present a user-friendly solution to the end user to provide, modify or withdraw consent in an explicit, clear and straightforward manner” within the meaning of the GDPR. “[C]onsent should be given by a clear affirmative action or statement establishing a freely given, specific, informed and unambiguous indication of agreement by the end user”.
To put it simply, if you apply the GDPR standards, it is important that the website visitor knows exactly what they are consenting to before they give their consent (informed consent). They must also be able to understand the consequences of their consent. The Digital Market Act further stipulates here that “where applicable, the end user should be informed that not giving consent can lead to a less personalised offer, but that otherwise the core platform service will remain unchanged and that no functionalities will be suppressed”. Consent must also be explicit (check the checkbox). It should also be remembered that consent may not be enforced if a data processing purpose is not absolutely necessary (voluntary). Since Google services can also be used in a less personalized form without consent to the purposes according to Google Consent Mode, each purpose must be optional.
Therefore, in our legal opinion, it is essential to display further information and checkboxes in the cookie banner in order to obtain effective consent. Other cookie banners may not offer such a possibility, as Google itself does not prescribe this for cookie banner developers, but leaves the legal assessment to the website operators and developers of cookie banners.
In which case should you use Google Consent Mode?
It is recommended to use Google Consent Mode in the following cases:
- Google Ads: Advertising campaigns are placed on Google Ads with conversion tracking and/or remarketing campaigns.
- Google Analytics: Audiences are actively evaluated in Google Analytics and/or modeled data in Google Analytics is particularly relevant for business decisions.
- Google Tag Manager: As “Additional consents”, consents to all services can be transferred to Google Tag Manager via Google Consent Mode in order to fire tags only if consent has been given. We have provided details on the configuration of Google Tag Manager with Google Consent Mode in a separate article.
- Use of Google services without consent: When integrating Google services, e.g. on the legal basis of a legitimate interest, data processing can be restricted and extended data processing can only be performed with consent. Please note the data protection issues described above!
If none of the cases mentioned apply to you, we advise you not to use Google Consent Mode to keep your cookie banner as slim as possible.
You can use Real Cookie Banner to set up Google Consent Mode for your WordPress website. The following steps are required:
- In your WordPress backend, navigate to Cookies > Settings > Google Consent Mode and activate Google Consent Mode.
- You must then decide whether you want to activate or deactivate the “Google Tag Manager Integration” option. You must activate this option if you already use or intend to use Google Tag Manager on your website.
- All other Google Consent Mode options are configured by default to be as privacy-friendly as possible. Please check whether you want to reconfigure them for your individual case! You can find more detailed explanations below in this article.
- After saving the settings it is possible that Real Cookie Banner will ask you to adjust settings in the configurations of individual services (if fields have not yet been pre-filled). For services primarily used by Google, you must define which types of consent you request according to Google Consent Mode. You will find a new section for this purpose in the form for editing/adding services.
And that’s it 🥳 Google Consent Mode is now active on your WordPress website and the collected consents are automatically transferred to the respective services for you via the Google Tag.
Options for Google Consent Mode
The data transfer and compliance with information obligations can be configured for Google Consent Mode depending on the objective. All options are explained in more detail below.
Google Tag Manager integration
In addition to the standard consent types (purposes of data processing primarily for Google services), Google Consent Mode can transfer so-called “additional consent types” to Google Tag Manager. Real Cookie Banner uses this option to transfer the collected consents and legitimate interests for all services disclosed in your cookie banner to Google Tag Manager.
You can use these “additional consent types” in Google Tag Manager to fire tags only if there is a legal basis for doing so. Therefore, activate this option if you use Google Tag Manager!
We have written a separate article with detailed explanations on configuring Google Tag Manager with Google Consent Mode.
Show recommendations for using Google services without consent
As explained in the section “Data protection criticism of Google Consent Mode” earlier in this article, in simple terms, Google Consent Mode only takes care of the setting/reading of cookies (primarily Google’s responsibility), but not the transfer of personal data such as the IP address (primarily your responsibility as the website operator). Google therefore communicates that Google Consent Mode allows data to be collected in Google services without consent. However, the prerequisite for this is that Google services are loaded without consent, which necessarily leads to the transmission of the IP address to Google servers without consent.
If the IP address is considered personal data (ECJ ruling dated 19 October 2016, Case C‑582/14), this requires a legal basis in accordance with Art. 6 GDPR. In addition to consent, only the legitimate interest comes into question, which in this case must be viewed critically in terms of data protection law.
Real Cookie Banner therefore recommends by default not to load Google services before consent. The only possible legal basis under the GDPR would be legitimate interest (Art. 6 para. 1 lit. f GDPR), although it should be clear at this point that Google Analytics and Co. cannot be used on the basis of legitimate interest.
If you would still prefer to see recommendations on your liability risk, how you need to configure services in order to use Google Consent Mode as advantageously as possible and at the same time commit data protection violations, activate this option.
Collect additional data via URL parameters
If consent is not granted for the consent types (purposes) ad_storage and/or analytics_storage of Google Consent Mode, this option can be used to transfer data that is typically stored in cookies as GET parameters in internal links. This is particularly relevant if you place advertisements in Google Ads and conversion tracking should also work without consent. Please note that data can only be collected if you download the respective Google services before obtaining consent. As client IDs can be transmitted, among other things, which can be regarded as personal data, we consider this data transmission to be questionable in terms of data protection law.
Practical example: A website visitor is searching on Google and accesses the landing page of your website via an advert that you have placed using Google Ads. In this case, there is a gcid in the URL, e.g. https://example.com/landing-page/?gcid=123456, which can clearly assign the click to the ad, e.g. for conversion tracking. If the website visitor now switches from the landing page to a contact form page (e.g. https://example.com/contact/), the gcid would be lost (may not be saved in cookies without consent). This option now ensures that Google manipulates all internal links on your landing page so that the gcid is appended to the links and the website visitor does not switch to https://example.com/contact/, but to https://example.com/contact/?gcid=123456. This means that a conversion is still possible when the contact form is sent.
Redact ads data without consent
If consent is not given for the ad_storage purpose of Google Consent Mode, no new cookies will be set for advertising purposes, except to fight fraud and spam. In addition, this option allows measurements for clicks on advertising to be routed through the domain googleadsyndication.com instead of doubleclick.net or google.com, on which no cookies are set for advertising, and identifiers for clicks and page URLs are removed from advertising links. This enables more data protection-friendly conversion tracking with the simultaneous loss of detailed information on the attribution of target achievement.
Unfortunately, Google itself does not explain which data is not tracked in which case. As an advertiser, this option means you make the greatest effort to do everything right, but without being able to assess the consequences for your advertising success.
Naming of requested consent types in first view
As a website operator, you have information obligations under the GDPR. In most national implementations of the ePrivacy Directive (e.g. the TTDSG in Germany), the legislator also bases the requirements for setting cookies and similar technologies on the principle of the GDPR.
This includes, among other things, that according to Art. 13 para. 1 lit. c GDPR “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing” must be specified before consent is given. If you offer an “Accept all” button in your cookie banner, you must therefore also explain in the first view of the cookie banner the purposes for which consent is collected according to Google Consent Mode.
If you have a different legal opinion, you can hide the information about Google Consent Mode in the first view of your cookie banner. The Google Consent Mode is always shown in the individual privacy settings, as your website visitors must be able to consent to the individual consent types (purposes) voluntary consent according to GDPR.
Standard consent types according to Google Consent Mode
Google Consent Mode comes with so-called standard consent types. These are purposes for which Google primarily wants to use cookies and cookie-like technologies and process personal data. Data is only processed for these purposes if consent has been given by the website visitor.
Google provides the following standard consent types in Google Consent Mode v2. Which Google services request which types of consent in order to process as much of your website visitors’ data as possible can be found in the documentation of the individual Google service. Therefore, in Real Cookie Banner in the service templates, this information has already been researched and pre-filled by us for you for all relevant services.
ad_storage: Storing and reading of data such as cookies (web) or device identifiers (apps) related to advertising.ad_user_data: Sending user data to Google for online advertising purposes.ad_personalization: Evaluation and display of personalized advertising.analytics_storage: Storing and reading of data such as cookies (web) or device identifiers (apps), related to analytics (e.g. visit duration).functionality_storage: Storing and reading of data that supports the functionality of the website or app (e.g. language settings).personalization_storage: Storing and reading of data related to personalization (e.g. video recommendations).security_storage: Storing and reading of data related to security (e.g. authentication functionality, fraud prevention, and other user protection).
Region-dependent consents in Google Consent Mode
In Real Cookie Banner, you can use the geo-restriction feature to specify that only website visitors from certain countries should see the cookie banner. For all website visitors who live in a country without strict privacy laws do not necessarily have to see a cookie banner and implicit consent can be granted.
At the same time, Google Consent Mode expects to be informed of the type of treatment when the website is loaded – in other words, before the cookie banner is displayed – if the treatment of website visitors differs from region to region. As a result, website visitors who have given implicit consent can e.g. be tracked especially well.
If you have the geo-restriction feature and Google Consent Mode active at the same time, Real Cookie Banner therefore automatically transmits to Google Consent Mode how website visitors should be treated per country. You youself do not need to send any manual settings or advanced instructions via the gtag.