Thanks for previewing Google's new tag documentation! This site is in public beta. (Feedback)

Manage consent settings (web)

How you enable and use Consent Mode depends on your implementation for obtaining consent and which tagging platform (Google Tag Manager (GTM) or gtag.js) you use:

  • Content Management Platforms (CMPs) that support Google Consent Mode provide:
    • Tag Manager templates in the Community Template Gallery that you should use to create tags for managing consent.
    • JavaScript code for sites using gtag.js to manage consent.
  • For custom implementations and CMPs that do not support Consent Mode:
    • If you use GTM, we recommend creating your own template using Tag Manager Consent APIs.
    • If you use gtag.js, you will have to manually add consent code to each page of your site as direct commands or in a custom HTML snippet.

This article outlines best practices and provides API examples. For related information, see:

Before you begin

Take the following into consideration before implementing Consent Mode:

  • It is best practice to configure the default consent settings to be region specific rather than for all visitors. This helps avoid losing measurement of users from regions where consent banners are not required if your default consent mode is set to denied. See Region-specific behavior.

  • If you use a CMP, consent update commands must be configured to target visitors from the same regions specified in the default consent command. This will give users the opportunity to update their consent state if it is set to denied by default.

  • When writing your own templates or Custom HTML tags, any commands executed in callbacks or commands that use gtag() are not guaranteed to be available before the next trigger fires. To ensure that consent information is available as quickly as possible, use (or create) a tag template that uses the Tag Manager Consent APIs to set consent states.

The default consent state should immediately be set on page load according to the defaults your organization requires. The CMP or custom consent management solution should then prompt the visitor to grant or deny consent for the applicable consent types. Because Consent Mode does not store consent choices, it is also imperative that the consent management solution issue a Consent Mode update command based on the user's consent choices as early as possible on every page after consent is given.

The gtag('consent','update',...) method should not be used instead of updateConsentState because it would be queued after all other pending messages and may not be processed before the next event begins. For more information, please see How data layer information is processed.

The following sections provide examples of the gtag.js and Tag Manager APIs to:

The default value for consent state is granted if it is not explicitly set. We recommend setting a default value for each storage type you are using. The consent state values in this article are only examples. You are responsible for making sure that default consent mode is set for each of your measurement products to match your organization's policy.

gtag.js

To adjust the default measurement capabilities, call the gtag('consent', 'default', ...) command on every page of your site before any commands that send measurement data (such as config or event). For example, to deny ad_storage and analytics_storage by default, specify the settings in consent parameters:

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied'
});

Tag Manager

We recommend using a Consent Mode template from the Community Template Gallery to manage consent. See Configure consent in Tag Manager templates for information on creating your own with Tag Manager APIs. The following example shows how to use the Tag Manager API to set default consent states for all consent types.

const setDefaultConsentState = require('setDefaultConsentState');

setDefaultConsentState({
  'ad_storage': 'denied',
  'analytics_storage': 'granted'
});

When users specify consent, or change their consent choice, update measurement behavior.

gtag.js

Consent status will only be changed for fields that are provided to the update call. In the example below, only the ad_storage value was changed. If analytics_storage was set to denied, it would still be denied after this call. It is up to you to ensure the correct values are set for all consent types. For full details on supported types, see consent in the API reference.

Pass in updates as soon as possible on every page. After a user grants consent, persist their choice and call the update command accordingly on subsequent pages. Because Consent Mode does not store consent choices, it is also imperative that the consent management solution issue a Consent Mode update command based on the user's consent choices as early as possible on every page after consent is given.

The example uses hardcoded ‘granted’/’denied’ values, but in practice, these should be determined at runtime using the user’s actual consent collected by the consent management solution. The following code grants consent when user agrees to allow advertising cookies:

gtag('consent', 'update', {
  'ad_storage': 'granted'
});

Tag Manager

The following example shows the updateConsentState call for a visitor that indicated they consent to all types of storage.The example uses hardcoded values for granted, but in practice, these should be determined at runtime from the consent collected by the consent management solution.

const updateConsentState = require('updateConsentState');

updateConsentState({
  'ad_storage': 'granted',
  'analytics_storage': 'granted'
});

If your CMP loads asynchronously, it might not always run before your Google Tags. To handle such situations, specify wait_for_update along with a millisecond value to control how long to wait before data is sent.

For example, to deny ad_storage on a particular page by default, but to allow your CMP to update consent status, use wait_for_update. In the following code, ad_storage defaults to denied, and the consent tool is given 500 milliseconds to call gtag('consent', 'update', ...) before tags fire:

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'wait_for_update': 500
})

Implementation example

The following example sets ad_storage to denied by default. After the user indicates they consent to the features behind ad_storage, it is updated to granted.

gtag.js

The order of the code here is vital. If your consent code is called out of order, consent defaults will not work. Depending on business requirements, specifics may vary, but in general, code should run in the following order:

  1. Load the global site tag. This is your default snippet code. The default snippet should be updated (see below) to include a call to gtag('consent', 'default', ...). If you don't set any defaults, all tagging functionality will be enabled.

  2. Load your consent solution. If your consent solution loads asynchronously, see Integrating with asynchronous consent management platforms for how to make sure this happens in the correct order.

  3. If not handled by your consent solution, call gtag('consent', 'update', ...) after the user indicates consent.

<script>
// Define dataLayer and the gtag function.
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}

// Default ad_storage to 'denied' as a placeholder
// Determine actual values based on your own requirements
gtag('consent', 'default', {
  'ad_storage': 'denied'
});
</script>
<!-- Global site tag (gtag.js) - Google Ads: CONVERSION_ID -->
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-YYYYYY">
</script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}

  gtag('js', new Date());
  gtag('config', 'AW-YYYYYY');
</script>

<!-- Update this section based on your business requirements. -->
<script>
  function consentGranted() {
    gtag('consent', 'update', {
      'ad_storage': 'granted'
    });
  }
</script>

<body>
  ...
  <button onclick="consentGranted">Yes</button>
  ...
</body>

Tag Manager

For sites using Tag Manager, we recommend using a CMP to handle updates of visitor consent choice. CMPs provide templates in the Community Template Gallery to create a tag for managing Consent Mode. If you cannot use a provided template, you can create a template yourself to integrate your consent solution.

If using a template is not possible, you can instead update the code on your page as follows. The order of the code here is vital. If your consent code is called out of order, consent defaults will not work.

 <script>
   // Define dataLayer and the gtag function.
   window.dataLayer = window.dataLayer || [];
   function gtag(){dataLayer.push(arguments);}

   // Default ad_storage to 'denied'.
   gtag('consent', 'default', {
     'ad_storage': 'denied'
   });
 </script>

 <!-- Google Tag Manager -->
 <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
 new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
 j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
 })(window,document,'script','dataLayer','GTM-XXXXXX');</script>
 <!-- End Google Tag Manager -->

 <!-- Update this section based on your business requirements -->
 <script>
   function consentGranted() {
     gtag('consent', 'update', {
       'ad_storage': 'granted'
     });
   }
 </script>

 <body>
   ...
   <button onclick="consentGranted">Yes</button>
   ...
 </body>
 ```

Advanced consent features include the ability to:

  • Set behavior for a geographic region.
  • Pass ad click, client id, and session id information in URLs when users have not granted consent for cookies.
  • Fully redact (remove) ad information when users deny consent for ad cookies.

Region-specific behavior

To change the default behavior of your tags for users from certain regions, specify a region in your consent command. By providing a region value, you can fine tune defaults based on your users' geographic locations. See Geographical IDs for more information on identifying regions.

The following example sets analytics_storage to denied for users from Spain and Alaska, and to set ad_storage to denied for all users.

gtag.js

gtag('consent', 'default', {
  'analytics_storage': 'denied',
  'region': ['ES', 'US-AK']
});

gtag('consent', 'default', {
  'ad_storage': 'denied'
});

Tag Manager

If you are using a template to create your tag as recommended above, it likely has the controls to set region-specific defaults. If you are building a template tag on your own, the following code shows an example of setting region-specific consent state defaults.

const setDefaultConsentState = require('setDefaultConsentState');

setDefaultConsentState({
  'analytics_storage': 'denied',
  'region': ['ES', 'US-AK']
});
setDefaultConsentState({
  'ad_storage': 'denied'
});

Most specific takes precedence

If two default consent commands occur on the same page with values for a region and subregion, the one with a more specific region will take effect. For example, if you have ad_storage set to 'granted' for the region US and ad_storage set to 'denied' for the region US-CA, a visitor from California will have the more specific US-CA setting take effect. For this example, that would mean a visitor from US-CA would have ad_storage set to 'denied'.

Region ad_storage Behavior
US 'granted' Applies to users in the US that are not in CA
US-CA 'denied' Applies to users US-CA
Unspecified 'granted' Uses the default value of 'granted'. In the example, applies to visitors that aren't in the US or in US-CA

Passing ad click, client ID, and session ID information in URLs

When a user lands on your website after clicking an ad, information about the ad may be appended to your landing page URLs as a query parameter. In order to improve conversion accuracy, Google tags usually store this information in first-party cookies on your domain.

However, if ad_storage is set to denied, Google tags will not save this information locally. To improve ad click measurement quality when ad_storage is denied, you can optionally elect to pass ad click information through URL parameters across pages using URL passthrough.

Similarly, if analytics_storage is set to denied, URL passthrough can be used to send event and session-based analytics (including conversions) without cookies across pages.

The following conditions must be met in order to use URL passthrough:

  • Consent-aware Google tags are present on the page.
  • The advertiser has opted in to using the URL passthrough feature.
  • Consent Mode is implemented on the page.
  • The outgoing link refers to the same domain as the current page's domain.
  • A gclid/dclid is present in the URL (Google Ads and Floodlight tags only)

gtag.js

To enable this capability, set the url_passthrough parameter to true:

gtag('set', 'url_passthrough', true);

Tag Manager

If you use a template tag that sets consent state, it may have an option to set url passthrough using the gtagSet custom template API. Or, you can use the following options to set it in Conversion Linker and/or analytics tags.

For Google Ads and Floodlight tags:

To enable this capability, create (or use an existing) conversion linker tag and ensure Enable linking on all page URLs is checked. See basic setup for instructions on how to create a conversion linker tag.

For Google Analytics tags:

  1. In Tag Manager, navigate to Fields to Set:
  2. When the Fields to Set section is expanded, click Add Row.
  3. For Field Name, enter the correct value:
    • For Google Analytics: GA4 Configuration tags, enter url_passthrough.
    • For Google Analytics: Universal Analytics tags using the Google Analytics settings variables, enter urlPassthrough.
  4. For Value, enter 'true'.
  5. Save the tag and publish.

Alternatively, you can set the url_passthrough parameter to true on every page of your site before the GTM install snippet.

window.dataLayer = window.dataLayer || [];
function gtag(){window.dataLayer.push(arguments);}
gtag('set', 'url_passthrough', true);

When using URL passthrough, a few query parameters may be appended to links as users navigate through pages on your website:

  • gclid
  • dclid
  • gclsrc
  • _gl
  • wbraid

For best results, ensure that:

  1. Redirects on your site pass all the above query parameters.
  2. Your analytics tools ignore these parameters in page URLs.
  3. These parameters do not interfere with your site behavior.

Redact ads data

When ad_storage is denied, new cookies will not be set for advertising purposes. Additionally, third-party cookies previously set on google.com and doubleclick.net will not be used except for spam and fraud purposes. Data sent to Google will still include the full page URL, including any ad click information in the URL parameters.

To further redact your ads data when ad_storage is denied, if you are using gtag, set ads_data_redaction to true.

gtag('set', 'ads_data_redaction', true);

When ads_data_redaction is true and ad_storage is denied, ad click identifiers sent in network requests by Google Ads and Floodlight tags will be redacted. Network requests will also be sent through a cookieless domain.

Tag Manager includes several features that work together to help you manage how tags behave in response to consent settings. Tag Manager features a consent initialization trigger, tag settings for consent management, and a Consent Overview page. Several third-party consent management providers have built integrations with Consent Mode into their products. Learn more about Tag Manager consent features.

For more information on verifying and debugging your Consent Mode configuration, see Tag Assistant Consent Mode debugging.

Legacy tag controls

If you use legacy Google tags, such as ga.js, analytics.js, or conversion.js, you should update to gtag.js or Google Tag Manager.

To learn more about other legacy tag's privacy controls, see the following documentation: