Thanks for previewing Google's new tag documentation! This site is in public beta. (Feedback)

Manage consent settings (web)

Privacy regulations, such as the European Union's GDPR, restrict websites from gathering information about visitors without their consent. Users commonly provide consent by interacting with a consent banner. Depending on how your products are configured, Google uses mechanisms such as cookies or HTTP requests that include user data to support analytics, conversion measurement, and remarketing.

You can configure these mechanisms to be consent-aware. When consent-aware, tag functionality depends upon the level of consent. For example, you can configure Google tags to not write or read cookies until the user provides consent. When a visitor grants consent, it restores tag functionality, based on the behavior you configure.

If you need to manage consent settings yourself, we recommend using a template from the Community Template Gallery. If you prefer to use gtag commands, you should hard code them on each page rather than using GTM, to ensure that they fire before any other page tags.

You can adjust tags depending on user consent for the following products:

  • Google Ads
  • Floodlight
  • Google Analytics
  • Conversion Linker

Before you begin

You should take the following into consideration before implementing Consent Mode:

  • It is best practice to configure the default consent settings to be region specific rather than for all visitors. This helps avoid losing measurement of users from regions where consent banners are not required if your default consent mode is set to denied. See Region-specific behavior.

  • If you use a CMP, consent update commands must be configured to target visitors from the same regions specified in the default consent command. This will give users the opportunity to update their consent state if it is set to denied by default.

  • When writing your own templates or Custom HTML tags, any commands executed in callbacks or commands that use gtag() are not guaranteed to be available before the next trigger fires. To ensure that consent information is available as quickly as possible, use (or create) a tag template that uses the Tag Manager Consent APIs to set consent states.

If you choose to manage consent status yourself, you must implement consent- aware tag behavior on every page of your website. The consent status is either granted or denied and determines whether other tags that contain information about user identity will fire.

On each page, you need to set tag behavior depending on whether user consent is unknown or known:

  • When consent status is unknown: When a page loads, you should only use measurement capabilities that align with user expectations. The gtag('consent', 'default', ...) command sets the default status when users' wishes are not known.

  • After visitor provides consent status, or if consent status is known After the visitor provides consent status (or if it was persisted from a previous page load), enable the measurement features they have consented to (such as reading/writing cookies) with the gtag('consent', 'update', ...) command.

Configure default behavior

The default value for consent mode is granted. You can set a default consent mode value for each google measurement product you are using. If you don't explicitly set consent to denied for a product, consent will be granted.

gtag.js

To adjust the default measurement capabilities, call the gtag('consent', 'default', ...) command on every page of your site before any commands that send measurement data (such as config or event). For example, to deny ad_storage and analytics_storage by default, specify the settings in consent parameters:

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied'
});

Tag Manager

We recommend that you use a consent management platform or a template from the Community Template Gallery to manage consent. If you decide to use gtag commands, do not use them in a custom HTML tag with GTM, instead you will need to hard code them on each page.

Configure update behavior

When users specify consent or their consent status is known from a previous page load, update measurement behavior with the gtag('consent', 'update', ...) command. Call update as soon as possible on every page. After a user grants consent, persist their choice and call the update command accordingly on subsequent pages.

For example, the following code grants consent when user agrees to allow advertising cookies:

gtag('consent', 'update', {
  'ad_storage': 'granted'
});

Consent status will only be changed for fields that are provided to the update call. In the example, only the ad_storage value was changed. If analytics_storage was set to denied, it would still be denied after this call. It is up to you to ensure the correct values are set for all consent keys. For full details on supported keys, see consent in the API reference.

If your CMP loads asynchronously, it might not always run before your Google Tags. To handle such situations, specify wait_for_update along with a millisecond value to control how long to wait before data is sent.

For example, to deny ad_storage on a particular page by default, but to allow your CMP to update consent status, use wait_for_update. In the following code, ad_storage defaults to denied, and the consent tool is given 500 milliseconds to call gtag('consent', 'update', ...) before tags fire:

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'wait_for_update': 500
})

Implementation Example

The following example sets ad_storage to denied by default. After the user indicates they consent to the features behind ad_storage, it is updated to granted.

The order of the code here is vital. If your consent code is called out of order, consent defaults will not work. Depending on business requirements, specifics may vary, but in general, code should run in the following order:

  1. Load the global site tag. This is your default snippet code. The default snippet should be updated (see below) to include a call to gtag('consent', 'default', ...). If you don't set any defaults, all tagging functionality will be enabled.

  2. Load your consent solution. If your consent solution loads asynchronously, see Integrating with asynchronous consent management platforms for how to make sure this happens in the correct order.

  3. If not handled by your consent solution, call gtag('consent', 'update', ...) after the user indicates consent.

gtag.js

<script>
// Define dataLayer and the gtag function.
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}

// Default ad_storage to 'denied'.
gtag('consent', 'default', {
  'ad_storage': 'denied'
});
</script>
<!-- Global site tag (gtag.js) - Google Ads: CONVERSION_ID  -->
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-YYYYYY"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}

  gtag('js', new Date());
  gtag('config', 'AW-YYYYYY');
</script>

<!-- Update this section based on your business requirements. -->
<script>
  function consentGranted() {
    gtag('consent', 'update', {
      'ad_storage': 'granted'
    });
  }
</script>

<body>
  ...
  <button onclick="consentGranted">Yes</button>
  ...
</body>

Tag Manager

If you are not using a CMP to handle the update commands:

  1. Use a template tag from the Community Template Gallery that utilizes the Tag Manager Consent APIs to set the updated consent state.
  2. Set the tag to fire with the Consent Initialization trigger. See Consent configuration.

Alternatively, you can update the code on your page as follows:

 <script>
   // Define dataLayer and the gtag function.
   window.dataLayer = window.dataLayer || [];
   function gtag(){dataLayer.push(arguments);}

   // Default ad_storage to 'denied'.
   gtag('consent', 'default', {
     'ad_storage': 'denied'
   });
 </script>

 <!-- Google Tag Manager -->
 <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
 new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
 j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
 })(window,document,'script','dataLayer','GTM-XXXXXX');</script>
 <!-- End Google Tag Manager -->

 <!-- Update this section based on your business requirements -->
 <script>
   function consentGranted() {
     gtag('consent', 'update', {
       'ad_storage': 'granted'
     });
   }
 </script>

 <body>
   ...
   <button onclick="consentGranted">Yes</button>
   ...
 </body>
 ```

Advanced consent features include the ability to:

  • Set behavior for a geographic region.
  • Pass ad click, client id, and session id information in URLs when users have not granted consent for cookies.
  • Fully redact (remove) ad information when users deny consent for ad cookies.

Region-specific behavior

To change the default behavior of your tags for users from certain regions, specify a region in your consent command. By providing a region value, you can fine tune defaults based on your users' geographic locations. For example, to set ad_storage to denied for users from Spain and Alaska, and to set analytics_storage to denied for all users:

gtag('consent', 'default', {
  'analytics_storage': 'denied',
  'region': ['ES', 'US-AK']
});
gtag('consent', 'default', {
  'ad_storage': 'denied'
});

Most specific takes precedence

If two default consent commands occur on the same page with values for a region and subregion, the one with a more specific region will take effect. For example, if you have ad_storage set to granted for the region US and ad_storage set to denied for the region US-CA, a visitor from California will have the more specific US-CA setting take effect. For this example, that would mean a visitor from US-CA would have ad_storage set to denied.

Region ad_storage Behavior
US 'granted' Applies to users in the US that are not in CA
US-CA 'denied' Applies to users US-CA
Unspecified 'granted' Uses the default value of 'granted'. Aplies to users that aren't in US or US-CA

Passing ad click, client ID, and session ID information in URLs

When a user lands on your website after clicking an ad, information about the ad may be appended to your landing page URLs as a query parameter. In order to improve conversion accuracy, Google tags usually store this information in first-party cookies on your domain.

However, if ad_storage is set to denied, Google tags will not save this information locally. To improve ad click measurement quality when ad_storage is denied, you can optionally elect to pass ad click information through URL parameters across pages using URL passthrough.

Similarly, if analytics_storage is set to denied, URL passthrough can be used to send event and session-based analytics (including conversions) without cookies across pages.

The following conditions must be met in order to use URL passthrough:

  • Consent-aware Google tags are present on the page.
  • The advertiser has opted in to using the URL passthrough feature.
  • Consent Mode is implemented on the page.
  • The outgoing link refers to the same domain as the current page's domain.
  • A gclid/dclid is present in the URL (Google Ads and Floodlight tags only)

gtag.js

To enable this capability, set the url_passthrough parameter to true:

gtag('set', 'url_passthrough', true);

Tag Manager

For Google Ads and Floodlight tags:

To enable this capability, create (or use an existing) conversion linker tag and ensure Enable linking on all page URLs is checked. See basic setup for instructions on how to create a conversion linker tag.

For Google Analytics tags:

  1. In Tag Manager, navigate to Fields to Set:
  2. When the Fields to Set section is expanded, click Add Row.
  3. For Field Name, enter the correct value:
    • For Google Analytics: GA4 Configuration tags, enter url_passthrough.
    • For Google Analytics: Universal Analytics tags using the Google Analytics settings variables, enter urlPassthrough.
  4. For Value, enter 'true'.
  5. Save the tag and publish.

Alternatively, you can set the url_passthrough parameter to true on every page of your site before the GTM install snippet.

window.dataLayer = window.dataLayer || [];
function gtag(){window.dataLayer.push(arguments);}
gtag('set', 'url_passthrough', true);

When using URL passthrough, a few query parameters may be appended to links as users navigate through pages on your website:

  • gclid
  • dclid
  • gclsrc
  • _gl
  • wbraid

For best results, ensure that:

  1. Redirects on your site pass all the above query parameters.
  2. Your analytics tools ignore these parameters in page URLs.
  3. These parameters do not interfere with your site behavior.

Redact ads data

When ad_storage is denied, new cookies will not be set for advertising purposes. Additionally, third-party cookies previously set on google.com and doubleclick.net will not be used except for spam and fraud purposes. Data sent to Google will still include the full page URL, including any ad click information in the URL parameters.

To further redact your ads data when ad_storage is denied, set ads_data_redaction to true.

gtag('set', 'ads_data_redaction', true);

When ads_data_redaction is true and ad_storage is denied, ad click identifiers sent in network requests by Google Ads and Floodlight tags will be redacted. Network requests will also be sent through a cookieless domain.

Tag Manager includes several features that work together to help you manage how tags behave in response to consent settings. Tag Manager features a consent initialization trigger, tag settings for consent management, and a Consent Overview page. Several third-party consent management providers have built integrations with Consent Mode into their products. Learn more about Tag Manager consent features.

Legacy tag controls

If you use legacy Google tags, such as ga.js, analytics.js, or conversion.js, you should update to gtag.js or Google Tag Manager.

To learn more about other legacy tag's privacy controls, see the following documentation: