Changing privacy regulations and what to do with Google Tags - Consent Mode

What Is Google Consent Mode and Do You Need It?

Consent Mode, developed by Google, offers a framework aimed at assisting businesses in managing the interaction between Google's services on their website and users' consent preferences regarding cookies and data gathering. This becomes particularly relevant in light of privacy regulations such as the GDPR (General Data Protection Regulation) in the European Union and the CCPA (The California Consumer Privacy Act) in the United States.

With Consent Mode, websites can modify the behavior of Google tags, including Google Ads and Google Analytics, based on users' consent status. This allows websites to honor user decisions regarding data collection while still facilitating some level of analytics and personalized advertising in compliance with privacy standards.

Benefits? It ensures adherence to privacy regulations while retaining data measurement accuracy. Allows for conversion modeling, enabling you to reclaim insights from non-consenting users. Enhances data versatility, empowering personalization across multiple platforms.

How Consent Mode works

• A customer visits your website and makes their consent selection for the use of cookies on your consent banner
• Consent Mode adjust how your Google tag behaves, based on the customer's consent choices
• If consent is granted, the conversion is reported normally. If not, Consent Mode recovers the conversion using modeling

Only when Advanced Consent Mode is implemented will the modeling function work. When Basic Consent Mode is implemented modeling will not work.

What aspects of the website are affected, and how - AirHelp case

The website

• First, the push consent default is fired, which passes on the status of specific categories as denied. When the user accepts consents or adjusts them in some way (e.g. accepts analytics, rejects marketing), a later push consent update is fired, similar to the default, except that if a category has been agreed to by the user, a 'granted' value is transferred.

{
  0: "consent,
  1: "default",
  2: {
    ad_storage: "denied",
    analytics_storage: "denied",
    ad_personalization: "denied",
    ad_user_data: "denied",
    wait_for_update: 500
  }
}

• Request to the GTM is fired, by a code embedded on the website: https://gtm.airhelp.com/g/collect?v=2&tid=G-xxx&gtm=xxx&_p=xxx&gcs=G100(...)
• gcs param is changing depending on user consent choices
• gcd param transmits the status of ad_personalization and ad_user_data consents

OneTrust

OneTrust CMP is a Consent Management Platform designed to assist businesses in adhering to global privacy regulations such as GDPR. It enables website owners to effectively manage user consent for data processing activities. By facilitating transparent collection, documentation, and management of consent, it ensures compliance and enhances user trust in data handling practices.

• The popup appears with marketing, analytics, ad_personalization i ad_user data consent set to denied. If the user picks cookies settings, a new call is pushed to the GTM, for example https://gtm.airhelp.com/g/collect?v=2&tid=G-xxx&gtm=xxx&_p=xxx&gcs=G111(...). This new push updates the user’s previous pushed data.
• OnetrustActiveGroups data layer variable is created with C0001 value (strictly necessary consent mode state). Values change depending on user consent choices.

GTM

HTML - OneTrustGroupsUpdated tag is fired, which adds OneTrustGroupsUpdated event to the data layer.

The OneTrust tool itself issues the OneTrustGroupsUpdated push, which also passes on information about which consents have been accepted by the user and is issued on page views. Tag from GTM: OneTrustGroupsUpdated was added manually so that the OneTrustGroupsUpdated push is also issued on SPA (Single Page Application) pages, i.e. where the history change flies.

In GTM, we have some tags (e.g. GA4, Google Ads) that have consents built-in:

Cookies, analytics & conversion

Cookies

Only strictly necessary cookies are created before any interactions with the consent banner.

Even if users refuse to give consent for cookies, it still allows the sending of anonymous pings to Google without cookies for modeling purposes. This enables websites to retrieve certain data for Google Ads and GA4, even if user consent is not given.

Analytics

When you implement a consent banner for your website or app, Analytics will be missing data for users who decline consent. Data will be sent to the GA4 but anonymized and used in a behavioral modeling approach. Behavioral modeling for consent mode uses machine learning to model the behavior of users who decline analytics cookies based on the behavior of similar users who accept analytics cookies. Modeled data allows you to gain useful insights from your Analytics reports while respecting your users’ privacy.

To see modeled data in your reports, choose the Blended reporting identity.

The following features don't support using modeled behavioral data:

• Audiences
• User explorer, cohort, and user lifetime explorations
• Segments with a sequence
• Retention reports
• Predictive Metrics
• Data export (e.g., BigQuery export).

Conversion

If a user consents, conversion measurement reporting continues normally. If a user does not consent, the relevant Google tags will adjust accordingly and not use ads cookies, instead measuring conversions at a more aggregate level.

Q&A

• What if the user does not consent to marketing (ads) cookies?

The setting of advertising cookies is prevented and cookies that have already been set are not read. Individual 3rd party cookies, which are used to identify spammers and click fraudsters, will continue to be used.

The (anonymized) IP address is sent to collect the location of the visitor but is deleted immediately afterward.

• What if the user does not consent to analytics cookies?

Without Analytics consent, page views and events are recorded, but completely anonymized and purely on an aggregated basis.

Conversions or other interactions cannot be assigned to any session or user, but the information that the interaction has taken place is available in Google Analytics.

A client ID is not assigned and, if it already exists, not read. In terms of attribution, it can be used to measure where visitors come from overall. So it can be measured how many users came to the website, for example from a Facebook post, but not what they then did on the website.

For example, if a user does not consent to ad cookies (and therefore ad tracking is disabled), but still gives consent to analytics cookies, advertisers can measure website behavior and conversions in Analytics because the “analytics_storage” setting is enabled.

Server-side tags

Server-side tags are strictly related to the client-side-based. If the user does not consent to the ads tracking, it needs to be reflected in the server-side-based tags by checking the gcs parameter. The tag trigger needs to have a proper exception added.

Example for Facebook Conversion API:

Passing the consent data from the client-side to server-side GTM

To pass any data to the server-side container related to user consent (or any other), both containers need to be connected.

• Add server_container_url param to the client-side GA4 client configuration
• Set a trigger to the GA4 client in the server-side container

All the data passed from the client is accessible in the Event Data GTM variable, on the server-side.

Using the GTM preview mode, the x-ga-gcs value can be seen in the Event Data tab for a page_view event.

Glossary of terms

GCS param

When Consent Mode is active, there are additional parameters sent with each analytics and advertising request to Google’s services.

You can use the Network tab of your browser’s developer tools.

For the original version of consent mode, if you’re looking at the network requests, the parameter you’re looking for is called &gcs, and it has a value in the following format: G1xy.

x stands for consent to Google Ads cookies and is either 1 (granted) or 0 (denied).

y stands for consent to Google Analytics cookies and is either 1 (granted) or 0 (denied).

Possible values:

• G100 No consent for analytical and marketing cookies.
• G110 Consent only for marketing cookies.
• G101 Consent for analytical cookies only.
• G111 Consent for analytical and marketing cookies.

GCD param

OnetrustActiveGroups

The OneTrust data layer variable stores users' consent preferences which repopulates on every page load once the script is executed and when the user updates their consent preferences. The possible values:

• C0001 – strictly necessary
• C0002 – analytics_storage
• C0004 – marketing_storage

Conclusion

Implementing Google Consent Mode presents challenges such as navigating technical intricacies during integration and potentially experiencing a revenue impact due to restricted data gathering.

Ensuring precise configuration of parameters holds significant importance.

Adhering to best practices involves transparently communicating data collection procedures to users, providing clear consent choices, and offering user-friendly interfaces for preference management.

Regular monitoring and updates are vital to maintain compliance with evolving privacy regulations. Striking a balance between safeguarding user privacy and leveraging data effectively is crucial. This requires thoughtful consideration of data collection and usage practices, with a commitment to continuous improvement over time.