How does Google’s Consent Mode work?
Legal notice: This article explains how Google’s Consent Mode technologically operates. We recommend obtaining authorization from your legal department before using this feature.
Technical note: This article focuses on the process of how Google tags are triggered in systems such as Google Analytics 4, Google Ads or Floodlight (DoubleClick) via Google Tag Manager.
Since the EU’s vote on the General Data Protection Regulation (GDPR) in 2016, users (including web and mobile site visitors and customers) have become increasingly aware that their online activities are being tracked. They therefore expect greater privacy protection, which means companies need to change their practices.
Whether in Europe, California, other American states, Canada or Quebec, legislators are protecting users by safeguarding their privacy.
As a major player in online advertising, Google needed to offer a data collection solution that would let them obtain users’ consent while minimizing any potential damage to advertising activities. Google’s solution to this problem is called Consent Mode (official documentation).
Both timely and relevant, this solution has landed at the right moment: stages 2 and 3 of Law 25 (Quebec’s equivalent to Europe’s GDPR) came into effect on Friday, September 22, 2023.
Let’s take a closer look!
Profiling involves collecting and using personal information (PI) to determine certain characteristics of a physical person.
PI types include:
- Personally identifiable information, or PII, such as an email address. These identifiers are sometimes collected by web technologies, but not by Google Analytics.
- Depersonalized (pseudonymous) data, which don’t allow anyone to directly identify the person behind the pseudonym without correlation with other systems. Web cookies and user identifiers generally fall into this category.
- Anonymized data are, as the name indicates, anonymous. This type of personal information is impossible to connect with the user who supplied it. With Consent Mode, Google Analytics can collect this type of information.
Consent Mode organizes user consent based on purpose. A purpose is the way the data were intended to be used. For example, the advertising purpose covers all use cases related to targeting and ad performance (conversion, remarketing, etc.).
What Consent Mode does
In a general sense, Consent Mode allows developers to inform Google of the purposes for which consent was given by a user, which permits compatible tools to automatically adapt the type of data collection based on the consent given.
As of October 2023, this mode mainly applies to the Google Ads, Floodlight and Google Analytics platforms.
In practice, Consent Mode simply informs Google’s marketing script (the Google tag) of the purposes for which the user gave consent. The script then adapts its behaviour automatically so that the events it sends respect that consent. Google’s Consent Mode supports the analytics purpose and the advertising purpose.
There are other purposes that are compatible with Google Tag Manager, such as those involving security, features or personalization. However, these are not used by Google Analytics at this time.
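How a site passes the user’s choices to the Google tag, as an added example that is not from the original article. It assumes the site calls `gtag` directly rather than through a Google Tag Manager consent template; the purpose names on the left of the mapping are hypothetical values from a consent banner.

```javascript
// Added example. gtag('consent', ...) and the *_storage keys are Google's
// documented Consent Mode interface; the CMP purpose names are assumptions.
const root = typeof window !== 'undefined' ? window : globalThis;
root.dataLayer = root.dataLayer || [];
function gtag() { root.dataLayer.push(arguments); }

// Hypothetical banner purpose -> Consent Mode key(s) it controls.
const PURPOSE_TO_KEYS = {
  analytics: ['analytics_storage'],
  advertising: ['ad_storage'],
  personalization: ['personalization_storage'],
  functionality: ['functionality_storage'],
  security: ['security_storage'],
};

// Build a complete consent state. Only an explicit boolean true grants a
// purpose; missing, false or malformed values are all treated as denied.
function toConsentState(choices) {
  const state = {};
  for (const [purpose, keys] of Object.entries(PURPOSE_TO_KEYS)) {
    const value = choices[purpose] === true ? 'granted' : 'denied';
    for (const key of keys) state[key] = value;
  }
  return state;
}

// Call before any Google tag fires: everything denied until the user chooses.
function setDefaultConsent() {
  const state = toConsentState({});
  gtag('consent', 'default', state);
  return state;
}

// Call from the consent banner's callback once the user has chosen.
function applyUserChoice(choices) {
  const state = toConsentState(choices);
  gtag('consent', 'update', state);
  return state;
}
```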
With Consent Mode, 100% of the data collected can be reflected in the Google Marketing Platform suite of tools (Analytics, Ads, Campaign Manager, DV360 and SA360), even if the consent rate is less than 100%.
For Google Analytics
In short, Consent Mode in Google Analytics (GA) allows information about anonymous events to be sent.
In practice, when Consent Mode is activated for data collection in Google Analytics and the user has not given their consent for the related purposes, Google Analytics generates a random fake GA client identifier before collecting any data. This identifier is not stored as a cookie and is refreshed every time the page is loaded.
This means every page view (excluding cases specific to single page applications) will be attributed to a new user identifier and a new session, which makes users, sessions and page views totally independent. Additional events are identified with the same identifier as that of the page on which they took place.
💡 Note that in the case of single page application sites, pages are not refreshed as the user browses. This means the user identifier will not be erased if the page isn’t manually refreshed or if new tabs are not opened.
For Google Ads or Floodlight
In the case of a media performance indicator tool, two types of events will be sent to servers by Google scripts:
- information about the user’s level of consent;
- conversion events that don’t contain any user identifier created by the library.
Take note: Whether for Google Analytics or Google Ads, URLs containing GCLID- or DCLID-type information can be collected. However, Google promises not to use it except to generate estimations of traffic on your website’s acquisition channels.
[Figure: Without Consent Mode]
[Figure: With Consent Mode]
For a full understanding of how Consent Mode operates, we recommend you take a look at Google’s official documentation, available here. The documentation includes practical examples of what happens based on the type of consent provided by the user.
What Consent Mode doesn’t do
It does not prevent the collection of:
- event parameters containing personally identifiable information (PII) or de-identified data (user_id, transaction_id, URL parameters or other event parameters);
- parameters required by the HTTP protocol, which facilitates communication between a range of online entities (clients and servers), such as the IP address and User Agent.
How to fill the gap
As specialists in Google Tag Manager configuration, it’s our job to condition the data that may contain personally identifiable or de-identified information to reflect user consent.
In other words, if the user has not given their consent, values identified as being personally identifiable or de-identified must be deleted or replaced.
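One way to condition event data on consent before it leaves the page, as an added example that is not from the original article or from Google Tag Manager. `user_id` and `transaction_id` are the parameters named above; the query-key list, the event shape and the helper names are assumptions.

```javascript
// Added example: hypothetical helpers, not part of Google Tag Manager.
// user_id and transaction_id are named in the article; the query-key list,
// the event shape and the sample event are assumptions.
const ID_PARAMS = ['user_id', 'transaction_id'];
const URL_PARAMS = ['page_location', 'page_referrer'];
const ID_QUERY_KEYS = new Set(['email', 'phone', 'customer_id']);
const EMAIL_LIKE = /[^\s@\/]+@[^\s@\/]+\.[^\s@\/]+/;

// Strip identifying query parameters; return undefined if the URL cannot
// be parsed, so the caller drops it instead of sending it unchecked.
function scrubUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return undefined;
  }
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (ID_QUERY_KEYS.has(key.toLowerCase()) || EMAIL_LIKE.test(value)) {
      url.searchParams.delete(key);
    }
  }
  return url.toString();
}

// Return a copy of the event that is safe to send for this consent state.
// Anything other than an explicit 'granted' is treated as a refusal.
function redactEvent(event, consent) {
  const out = { ...event, params: { ...event.params } };
  if (consent.analytics_storage === 'granted') return out;
  for (const name of ID_PARAMS) delete out.params[name];
  for (const name of URL_PARAMS) {
    if (!(name in out.params)) continue;
    const cleaned = scrubUrl(out.params[name]);
    if (cleaned === undefined) delete out.params[name];
    else out.params[name] = cleaned;
  }
  return out;
}

// Constructed sample event.
const sampleEvent = {
  name: 'purchase',
  params: {
    user_id: 'u-1029', transaction_id: 'T-88231', value: 59.9,
    page_location: 'https://shop.example/checkout?email=jane%40example.com&step=2&gclid=abc123',
  },
};
```

Calling `redactEvent(sampleEvent, { analytics_storage: 'denied' })` removes both identifiers and the `email` query parameter while leaving `value`, `step` and `gclid` in place.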
The parameters of the HTTP protocol also need to be looked at, with particular concern for the following:
- Google Analytics 4 never keeps IP addresses. These are only used during data collection to determine the geographical location of the user down to the specific city (see the official documentation).
- Google Ads and Floodlight don’t store IP addresses unless the user has given their consent. In case of refusal, these tools behave the same way as Google Analytics 4 and never save IP addresses beyond the purposes of geolocation during collection.
- In the overwhelming majority of cases, User Agent does not permit identification of a user, since these elements are too common to too many users (device, operating system, browser and their versions).
- Collection of device and geolocation data can be deactivated by region if needed. However, deactivation affects the modelling of conversions (see the official documentation).
If this isn’t enough, there is one final defence, for Google Analytics only: server-side tagging (Google Tag Manager - Server-Side).
The process is simple: All trackable events must pass through a server you control, which lets you change these events, including the IP address or User Agent, as you see fit before finally sending them on to Google Analytics 4 (see this article by Simo Ahava).
Will these configurations guarantee tracking without PII or de-identified data? Yes. But for how long?
Data collection is constantly developing, so you should expect that you may sometimes collect personal information you shouldn’t have by mistake. To identify these cases, you can establish two processes:
- monitoring and detection of PII or de-identified data that lack consent;
- a procedure for deleting personal data collected by mistake.
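A sketch of the monitoring step, as an added example that is not from the original article: it scans already-collected events and reports parameters that look identifying on events recorded without consent. The event shape, the `consent` field, the rule names and the sample events are all constructed for illustration.

```javascript
// Added example: constructed events and hypothetical rule names.
const EMAIL_IN_VALUE = /[^\s@\/?&=]+@[^\s@\/?&=]+\.[a-z]{2,}/i;

// Emails often arrive percent-encoded inside URLs; decode before matching,
// and fall back to the raw value when the encoding is malformed.
function decodeSafe(value) {
  try {
    return decodeURIComponent(value);
  } catch (err) {
    return value;
  }
}

const PII_RULES = [
  { rule: 'identifier_param',
    hit: (key) => key === 'user_id' || key === 'transaction_id' },
  { rule: 'email_value',
    hit: (key, value) => typeof value === 'string' && EMAIL_IN_VALUE.test(decodeSafe(value)) },
];

// Return one finding per (event, parameter, rule) for events that were
// collected without an explicit 'granted' consent.
function findUnconsentedPii(events) {
  const findings = [];
  events.forEach((event, index) => {
    if (event.consent === 'granted') return;
    for (const [key, value] of Object.entries(event.params || {})) {
      for (const { rule, hit } of PII_RULES) {
        if (hit(key, value)) findings.push({ index, event: event.name, param: key, rule });
      }
    }
  });
  return findings;
}

// Constructed sample of collected events.
const collectedEvents = [
  { name: 'page_view', consent: 'granted',
    params: { user_id: 'u-1029', page_location: 'https://shop.example/' } },
  { name: 'page_view', consent: 'denied',
    params: { page_location: 'https://shop.example/reset?email=jane%40example.com' } },
  { name: 'purchase', consent: 'denied', params: { transaction_id: 'T-88231', value: 59.9 } },
  { name: 'scroll', consent: 'denied', params: { percent_scrolled: 90 } },
];
```

The findings list identifies which events and parameters the deletion procedure needs to act on.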
What will my data look like after collection?
In the Google Analytics 4 interface (estimation of users, sessions and conversions)
In the Google Analytics 4 interface, Google promises to set up statistical inference to provide credible estimations. Data from consenting users are used as a set of training data for machine learning algorithms in order to model the data of non-consenting users. Their volume and the opt-in rate will have a big impact on the quality of the final modelled result.
You can find more information on how Google will model data by consulting the official documentation.
Google Analytics 4 event data are crucial for setting up advanced use cases based on behavioural data, such as personalized attribution models or the prediction of consumer purchase behaviour based on their profile and actions. However, BigQuery data will be as raw as when they are collected. So the promise of modelling doesn’t apply to the exporting of data in their native format with BigQuery.
For events without consent, almost the entirety of these data will be available, but without session or user identifiers. This means it will be impossible to calculate all the metrics without establishing statistical inference techniques.
You should therefore develop your own model to obtain precise estimations on the actual number of sessions and users or their traffic sources.
To obtain statistics modelled by Google for your data warehouse, you can also retrieve the aggregated statistics via the Google Analytics 4 API.
Above all, Consent Mode enables analysts to effortlessly take advantage of modelling of their actual marketing performance based on Google’s years of experience in this industry.
In addition, Google’s Consent Mode greatly facilitates the establishment of rules for triggering tags and scripts. It provides developers with:
- a significant gain in productivity;
- optimization of limited warehouse space for configurations;
- much simpler maintenance over time;
- standardization in managing Consent Mode across the industry.
Basically, it leaves it up to platforms to determine which features correspond to which purposes and to adapt their data collection and features based on the consent granted.
In this article, Brian Clifton claims that Google’s Consent Mode does not respect the GDPR. However, by combining Consent Mode with an appropriate data collection configuration, it is possible to not collect information that would enable the identification of a user.
Does collecting completely anonymized data, which is data that is impossible to identify with a user, for the purposes of aggregated statistical estimation comply with privacy legislation? We’ll leave that up to you to decide, along with your legal experts.
Acknowledgements
This article was conceived and written in collaboration with Guillaume Wagner. It is also based on pre-existing content and expertise belonging to Axel Queffeulou and Victor Meyer.