Adjust tag behavior based on consent

Depending on the products and features configured, Google measurement products use mechanisms such as reading and writing cookies or sending HTTP requests to support analytics, conversion measurement, and remarketing.

These mechanisms can be configured to only be used in a consent-aware way. For example, you can configure your Google tags to not read or write cookies until consent is provided from the user. When consent-aware, tags will work in a limited capacity until user consent is provided. After consent, functionality is restored based on how you choose to update behavior.

Adjusting tag behavior to based on user consent status is supported by the following:

  • Google Ads
  • Floodlight
  • Google Analytics
  • Conversion Linker

Adjusting tag behavior

Consent-aware tag behavior must be configured on every page of your website. On each page, there are usually two points where this is configured:

  1. On page load

    When the page loads, you should only use measurement capabilities that align with your users expectations. This is configured through the gtag('consent', 'default', ...) command.

  2. After visitor provides a consent status, or if consent status is known

    After the visitor provides their consent status (or if it was persisisted from a previous page load), enable the measurement features they have consented to (such as reading/writing cookies) through the gtag('consent', 'update', ...) command.

Configure default behavior

To adjust the default measurement capabilities, call the gtag('consent', 'default', ...) command on every page of your site before any commands that send measurement data (such as config or event). For example, to deny ad_storage and analytics_storage by default:

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied'

This will set the default values for 'ad_storage' and 'analytics_storage' to 'denied'. For full details on supported keys, see consent in the API reference.

This command must be called on every page on your site.

Update behavior

When your users provide consent, commonly through interacting with a consent banner, or their consent status is known from a previous page load, update your tags behavior with the gtag('consent', 'update', ...) command. For example, for a user that has granted consent to use advertising cookies:

gtag('consent', 'update', {
  'ad_storage': 'granted'

Only fields that are provided to the update call will be changed. Above, only the 'ad_storage' value was changed. If 'analytics_storage' was set to 'denied' (like in configure default behavior), it would still be denied after this call. It is up to you to ensure the correct values are set for all consent keys. For full details on supported keys, see consent in the API reference.

This command should be called as soon as possible on every page. After the user indicates their consent, you should persist their choice and call the update command accordingly on subsequent pages.

Implementation Example

The following example sets 'ad_storage' to 'denied' by default. After the user indicates they consent to the features behind 'ad_storage', it is updated to 'granted'.

The order of the code here is vital. If your consent code is called out of order your consent defaults will not work. Depending on your business requirements, the specifics may vary, but broadly speaking your code should run in the following order:

  1. Load the global site tag. This is your default snippet code. The default snippet should be updated (see below) to include a call to gtag('consent', 'default', ...). If you don't set any defaults all tagging functionality will be enabled.
  2. Load your consent solution. If your consent solution loads asynchronously, see asynchronous tools for how to make sure this happens in the correct order.
  3. If not handled by your consent solution, call gtag('consent', 'update', ...) after the user indicates consent.
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src=""></script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}

  // Default ad_storage to 'denied'.
  gtag('consent', 'default', {
    'ad_storage': 'denied'

  gtag('js', new Date());
  gtag('config', 'GA_MEASUREMENT_ID');

<!-- TODO this section should be updated based on your business requirements. -->
  function consentGranted() {
    gtag('consent', 'update', {
      'ad_storage': 'granted'

  <button onclick="consentGranted">Yes</button>

asynchronous tools

Region-specific behavior

To change the default behavior of your tags for users from certain regions, specify an ISO 3166-2 region in your consent command. By providing this value, you can fine tune defaults based on your users geographic locations. For example, to set ad_storage to 'denied' for users from Spain and Alaska, and to set analytics_storage to 'denied' for all users:

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'region': ['ES', 'US-AK']
gtag('consent', 'default', {
  'analytics_storage': 'denied'

Most specific takes precedence

If two default consent commands occur on the same page with values for a region and subregion, the one with a more specific region will take effect. For example, if you have ad_storage set to 'granted' for the region US and ad_storage set to 'denied' for the region US-CA, a visitor from California will have the more specific US-CA setting take effect. For this example, that would mean a visitor from US-CA would have ad_storage set to 'denied'.

Region ad_storage Behavior
US 'granted' Applies to users in the US that are not in CA
US-CA 'denied' Applies to users US-CA
Unspecified 'granted' Uses the default value of 'granted'. Applies to users that aren't in US or US-CA

URL passthrough

When ad_storage is set to 'denied', Google Ads, Floodlight, and Google Analytics tags will not create or save cookies for advertising purposes. When analytics_storage is denied, Google analytics tags will not create or save cookies. However, you can optionally elect to pass information through URL parameters across pages in order to improve measurement quality.

To enable this capability, set the url_passthrough parameter to true through the following command:

gtag('set', 'url_passthrough', true);

To only enable url_passthrough for Google Ads, set the url_passthrough parameter within one or more Google Ads config commands on your page:

gtag('config', 'AW-XXXXXX', {'url_passthrough': true});

Added Parameters

When using URL passthrough, a few query parameters may be appended to links on your website:

  • gclid
  • dclid
  • gclsrc
  • _gl
  • wbraid

For best results, ensure that:

  1. Redirects on your site pass all the above query parameters.
  2. Your analytics tools ignore these parameters in page URLs.
  3. These parameters do not interfere with your site behavior.

Redact ads data

When 'ad_storage' is 'denied', new cookies will not be set for advertising purposes. Data sent to Google will still include the full page URL, including any ad click information in the URL parameters.

To further redact your ads data when 'ad_storage' is 'denied', set 'ads_data_redaction' to true.

gtag('set', 'ads_data_redaction', true);

When 'ads_data_redaction' is true and 'ad_storage' is 'denied', ad click identifiers sent in network requests by Google Ads and Floodlight tags will be redacted. Network requests will also be sent through a cookieless domain.

Asynchronous tools

If your consent tool loads asynchronously, it might not always run before your Google Tags. To account for this, specify 'wait_for_update' along with a millisecond value to control how long to wait before sending data.

In the following example, 'ad_storage' is defaulted to 'denied' and the consent tool is given 500 milliseconds to call gtag('consent', 'update', ...) before tags fire:

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'wait_for_update': 500

Legacy tag controls

If you use legacy Google tags, such as ga.js, analytics.js, or conversion.js, you should update to gtag.js or Google Tag Manager.

To learn more about other legacy tag's privacy controls, see the following documentation: