Google is on a tight deadline to have their advertising customers comply with the new consent regulations in the European Economic Area (EEA = EU plus Iceland, Liechtenstein and Norway). If you are not providing Google with the consent information that they want by the 6th of March 2024, which is when the new Digital Markets Act (DMA) (Google Article) comes into force, you will lose features like ad personalisation in those regions. This includes audience and remarketing-based ads as well as enhanced conversions.

Consent Mode V2 is Google’s new requirements to make advertisers compliant before Google will enable those advertising features in the EEA.

We’ve recently released our Google Consent Mode V2 solution for our Tag Rocket app on BigCommerce which supports both the built in BigCommerce consent banner as well as third party Consent Management Platforms (CMPs) like Cookiebot. I wrote an article on my research into Google Consent Mode V2.

Legal Disclaimer

I’m not a lawyer or a privacy expert. Please consult your legal counsel or Data Protection Officer (DPO) on what you must do to comply with your local privacy and consent laws.

Laws vary per country and even state. For example, the EEA uses GDPR and the ePrivacy Directive (EPD), which define an opt-in mechanism, meaning users from their countries have to explicitly give consent before you can use their personal data or track them (even if you are not from those countries). In contrast, some states in the US use an opt-out mechanism where you can use their personal data and track them unless they explicitly ask you not to.

Tag Rocket provides settings to let you configure your consent system and tracking code in a compliant way. If it does not provide an option you need, please don’t hesitate to contact us.

Tag Rocket mainly defaults to conservative settings to minimise the chance of legal issues. This incudes using the Basic implementation and not setting the new consent options that BigCommerce do not yet support. However, if you had previously enabled Consent Mode in Tag Rocket, then you will default to the Advanced implementation which is closer to how Consent Mode V1 worked. Please review the settings with your legal counsel to see if you can switch to less conservative options.

Google Consent Mode V2

The fundamental change with Google Consent Mode V2 is that Google is requiring you to explicitly tell Google about what consent the user has given. Before, it was optional with no signal meaning consent was granted. Now, no signal means consent is denied in the EEA.

They also added two new consent options for the users. Ad Personalization relates to Google letting you create audiences and remarketing ads. Ad User Data relates to using user information for things like enhanced conversions.

Google also document two ways to implement Consent Mode. Basic or Advanced:

  • Basic: No tracking happens until the appropriate consent is granted.
  • Advanced: Tracking always happens in a consent-aware way.

Not using a consent banner

This will be if you have the BigCommerce consent banner switched off and no third-party Consent Management Platform.

In this case, you will be tracking users without their consent! Please check with your legal counsel about this.

In Tag Rocket, leave the Consent Source at “BigCommerce consent banner if enabled”:

If there is no consent banner, Tag Rocket will not enable Consent Mode as it has no explicit information to tell Google. This means that Google will currently assume consent is denied in the EEA and the related features are disabled.

Using the built-in BigCommerce consent banner

Enabling the BigCommerce Cookie Consent Banner Setting

If you switch on the built-in consent banner, leave the consent source at “BigCommerce consent banner if enabled”.

In this case, you have the option to use the Basic or Advanced implementation, with Basic being the default. Advanced is a bit controversial as it still sends limited data (pings) to Google when consent is not granted, so please check with your legal counsel before switching to this implementation.

BigCommerce does not explicitly support the new consent options. Tag Rocket allows you to set them based on the users setting for “Targetting;Advertising”. Enabling these settings mean you will be indicating the user explicitely granted permission for the new consent options when they did not, so talk to your legal counsel before doing so.

If you go for the Advanced implementation, you have a few extra options:

Using a third-party Consent Management Platform (CMP)

If you have installed a CMP, we still recommend enabling the BigCommerce consent banner. That way Tag Rocket will pass on any consent changes to BigCommerce so its consent system can correctly control scripts. Tag Rocket hides the BigCommerce consent banner so it does not get in the way.

Enabling the BigCommerce Cookie Consent Banner Setting

In this scenario, you want to set the consent source to “Third-party Consent Management Platform”:

Tag Rocket then expects the CMP to tell it about the current consent status and any consent changes. If it does not, it considers no consent is granted.

Wait For Update Setting

CMPs can be a little slow to establish the correct consent state. Tag Rocket has a “Wait For Update” setting that makes it wait an amount of time for the CMP to updated consent, before processing consent related things. It defaults to 2 seconds.

There are three ways to trigger Tag Rocket to start processing:

  • The CMP uses Google Consent Mode to update the consent states
  • The “Wait For Update” time is reached
  • Tag Rocket already knows what the current consent is

Tag Rocket locally stores the latest consent states (a cache). If it has a copy when the page loads it will set the default consent to that, and start processing. This avoids the delays caused by CMPs and reduces the risk of data loss. Because of this, it is best to not have the CMP set defaults unless they are based on the true consent states.

Using Google Tag Manager (GTM)

If your CMP is implemented in Google Tag Manager (GTM), it most likely supports Google Consent Mode. e.g. Cookiebot can be GTM-based and has a Consent Mode option that you want enabled.

Directly adding the CMP to your store

Some CMP solutions let you add their scripts directly onto your pages.

Sometimes, like with Cookiebot and Cookie Script, the instructions include setting default consents of ‘denied’ before any other code. Tag Rocket can implement this for you via its “Set Default If No Cache” setting, which is off by default.

If the CMP correctly supports Consent Mode, then Tag Rocket will automatically respond to consent changes. If not, you will have to implement Consent Mode for the CMP. Find out how you can listen to their consent changes. When consent changes, add code like this to enable Consent Mode. Ensure the settings for each parameter is correctly set to ‘denied’ or ‘granted’ based on information from the CMP:

gtag("consent", "update", {
   "ad_storage": "granted",
   "ad_user_data": "granted",
   "ad_personalization": "granted",
   "analytics_storage": "granted",
   "functionality_storage": "granted",
   "personalization_storage": "granted",
   "security_storage": "granted"
});

Iubenda inline solution

In some scenarios the Iubenda inline implementation does not support Consent Mode. If Consent Mode is not working, we have developed an onPreferenceExpressedOrNotNeeded script that you can add to your embed code, which enables Consent Mode. In your Iubenda admin:

  1. Dashboard
  2. Select site
  3. Scroll down a little to “Privacy Controls and Cookie Solution”
  4. EDIT
  5. Scroll down on the left
  6. Advanced settings
  7. Find “onPreferenceExpressedOrNotNeeded”
  8. Insert the code
  9. Save and go to embedding
  10. Copy embedding
  11. Replace it on the site (I’d use the BigCommerce Script Manager and place it in the Footer)

The Google Tag Manager (GTM) Consent System

We often see tags implemented in GTM that do not honour consent. i.e. they still run even when consent is not granted.

Setting Consent States via Consent Mode also informs GTM of those consent states. This means your tags in GTM can also be set up to comply with consent. e.g. if you want to restrict a tag to only fire when ad_storage is granted, add this advanced setting to your tag:

Tag Rocket sends a ‘bc_consent_update’ to GTM whenever the user updates their BigCommerce consent. If you want to make your tags respond when the user changes their consent options, you can trigger off that event. Third-party CMPs also tend to fire events like that.

Adding Scripts to The Themes Template Files

Any script you directly add into the theme will not be consent aware. If they need to be consent aware, please add them via the Script Manager where you can specify their Script category. If BigCommerce Consent is active, it will use the Script category to decide if a script should be loaded based on the related consent state.

Other privacy related settings worth reviewing

Enhanced Conversions (In the Global Tag Values settings)

If enabled, this sends user data such as their email to GA4 and Google Ads. If the user has granted ad_storage and ad_user_data permission, this can be used to find their related Google account and with that help Google track them. e.g. It may help connect their ad clicks to conversions.

Tag Rocket gathers user data if they are logged in, or checkout as a guest, or contacts you, or subscribe.

Google Ads Data Redacted (In the Global Tag Values settings)

If using advanced mode and consent is required, this will further redact your ads data until consent is given (documentation).

Google Url Pass Through (In the Global Tag Values settings)

In advanced mode, if consent mode is enabled and consent has not been granted yet, this feature allows Google to pass ads information through URL parameters across pages in order to improve measurement quality (documentation).

Allow Ad Personalization Signals (GA4, Google Ads)

The default of this parameter is set to true. When you set the parameter’s value to false, it will disable the usage of the data for personalised ads. This parameter does not disable conversion tracking.

We now recommend you control these settings in the GA4 admin.

Conversion Linker Cookie (Google Ads)

When enabled, the tag uses a first-party cookie to link ads with conversions. Switch it off if you don’t want Google Ads to set first-party cookies on your site (documentation).

Microsoft Consent Mode (Microsoft/Bing)

This lets the tag work in a consent aware way. With this disabled, lack of relevant consent causes tracking to be completely removed (documentation).

Limited Data Use (Meta/Facebook)

This does not work when using a third-party Consent Management Platform (CMP). Apply Limited Data Use for people in US states that require it, unless the user has specifically consented (documentation).

Meta Consent Mode (Meta/Facebook)

Use Meta’s consent revoke/grant mechanism to control the pixel. If this is off and consent is required, the pixel is not added to the page until consent is granted. If on and consent is required, the pixel is added but consent is revoked until consent is given.

Meta Advanced Matching (Meta/Facebook)

Send customer data (email, name) to help Meta work out who they are (documentation).

Pinterest Enhanced Matching (Pinterest)

Use enhanced match to get improved visibility into your conversion data – passing back email data on a conversion lets us attribute it better to an event on Pinterest. Note that this must be enabled for back end events to work (documentation).

Pinterest Data Use (Pinterest)

This does not work when using a third-party Consent Management Platform (CMP). It apply Limited Data Use (LDU) unless users have specifically consented using the BigCommerce consent banner (documentation).

X User Parameters (X/Twitter)

Send users email and phone number in events to improve measurement coverage (documentation).

TikTok Advanced Matching (TikTok)

Send customer data (email, name) to help TikTok work out who they are (documentation).

Yahoo Enhanced Matching (Yahoo/Verizon)

If enabled, and a customer is logged in, their email is sent to Yahoo to help them match the customer (documentation).

Testing

The Google Tag Assistant is the easiest tool to test if the correct consent signals are being sent.

First, select the destination you’d like to check. Either Google Ads or GA4. Only data related to the selected tag is shown.

On the left, it lists all the events that happened within the tag. If you select an event, it will show you what messages were sent to Google in that event in the “Hits Sent” tab. Often, events send no data because they relate to a different destination than the one you selected. The “History Changed” events are where page views are sent.

The Consent tab will tell you the consent status when the message was sent to Google. In this case, consent was granted when the page view was sent:

Consent events are when the consent status is updated. A good initial test is to check the consent status in these Consent events to see if it matches the actual current consent. The “On-page Update” column shows the current consent status.

If you’re using the Advanced Implementation, you should see all hits sent with the appropriate consent settings.

If you’re using the Basic implementation, you should not see hits being sent until the appropriate consent has been granted.

Leave a Reply

Your email address will not be published. Required fields are marked *