ConverlayConverlay
Back to Blog
Consent ModeGDPRShopify

Google Consent Mode v2 for Shopify: The Complete Guide to Staying Compliant

ConverlayFebruary 20, 202612 min read

What Is Google Consent Mode v2?

Google Consent Mode is a framework that controls how Google tags—including Google Ads, Google Analytics 4, and Floodlight—behave based on the consent choices made by each visitor. Rather than forcing a binary choice between full tracking and no tracking at all, Consent Mode introduces a middle ground: tags can still load and send limited, cookieless signals even when a user declines consent, allowing Google to model the data it cannot directly observe.

Version 2 of Consent Mode, which Google began requiring in March 2024 for advertisers targeting users in the European Economic Area (EEA), introduced two additional consent parameters that must be set alongside the original ones. These four parameters now form the complete consent signal that Google expects:

  • ad_storage — controls whether cookies related to advertising (such as conversion cookies) can be read or written.
  • analytics_storage — controls whether cookies related to analytics (such as Google Analytics cookies) can be read or written.
  • ad_user_data — controls whether user data can be sent to Google for advertising purposes, including hashed identifiers used for Enhanced Conversions and Customer Match.
  • ad_personalization — controls whether Google can use the collected data for ad personalization, including remarketing lists and similar audience targeting.

If you were running the original Consent Mode with only ad_storage and analytics_storage, you are on version 1. Google now considers this incomplete. Without the two new v2 parameters—ad_user_data and ad_personalization—your implementation does not meet the current requirements, and you lose access to critical advertising features for EEA traffic.

Why Google Consent Mode v2 Matters for Shopify Merchants

If you sell to customers in the European Economic Area and run Google Ads, Consent Mode v2 is not optional. Google enforced this requirement starting March 2024, and as of 2026, the consequences for non-compliance are concrete and measurable.

The March 2024 Enforcement Deadline

In late 2023, Google announced that advertisers targeting EEA users would need to implement Consent Mode v2 by March 6, 2024. After that date, any advertiser who had not implemented the required consent signals would lose access to audience building, remarketing, and conversion modeling for European traffic. This was not a soft recommendation. Google actively restricts features for accounts that do not pass the correct consent signals.

What You Lose Without Consent Mode v2

The impact on Shopify merchants who have not implemented Consent Mode v2 falls into several categories:

  • Complete loss of conversion data from non-consenting users: When a visitor declines cookies on your store and you do not have Consent Mode active, that visitor simply vanishes from your data. If they browse five product pages, add items to their cart, and complete a purchase, none of those events reach Google. Your Google Ads account never learns that the click converted. This is the single most damaging consequence—you are paying for clicks that generate revenue, but your ad platform cannot see the return.
  • No remarketing audiences from EEA traffic: Google cannot build remarketing lists or similar audiences from users whose consent status is unknown. Without Consent Mode v2, all EEA visitors fall into this category, effectively eliminating your ability to retarget European shoppers.
  • Degraded Smart Bidding performance: Google’s automated bidding strategies—Target ROAS, Target CPA, Maximize Conversions—depend on accurate conversion data to function. When a significant portion of your conversions from EEA traffic are invisible, the algorithm optimizes on incomplete data, leading to poor bid decisions and wasted ad spend.
  • GA4 reporting gaps: Google Analytics 4 cannot model user behavior for visitors who declined consent unless Consent Mode is properly active. Your European traffic reports will show significant undercounting of sessions, events, and conversions.

The Scale of the Problem

Consider the numbers. In most European markets, cookie consent acceptance rates hover between 50% and 70%, depending on the banner design and the store’s audience. That means 30% to 50% of your European visitors are declining cookies. Without Consent Mode v2, every single one of those visitors is a data blind spot. If your Shopify store generates 20% of its revenue from EEA countries, you could be losing visibility into 6% to 10% of your total conversions. For a store spending thousands per month on Google Ads, that missing signal translates directly into worse bidding, higher acquisition costs, and lower return on ad spend.

Basic vs. Advanced Consent Mode: Understanding the Difference

Google defines two implementation levels for Consent Mode v2, and the difference between them is significant. Choosing the right one determines how much data recovery you get from users who decline cookies.

Basic Consent Mode

With basic consent mode, Google tags are completely blocked from loading until the user makes a consent choice. If the user grants consent, tags load and operate normally. If the user declines, tags do not load at all and no data is sent to Google—not even anonymized or cookieless signals.

Basic mode satisfies the compliance requirement. Google recognizes that you have Consent Mode v2 implemented, and you retain access to remarketing audiences and other features for users who do consent. However, you gain no behavioral modeling for users who decline. Their data is simply lost.

Advanced Consent Mode

Advanced consent mode is where the real benefit lies. With advanced mode, Google tags load immediately when the page loads, before the user interacts with the consent banner. The tags operate in a restricted, cookieless state by default: no advertising cookies are written, no analytics cookies are set, and no personally identifiable data is collected.

While in this restricted state, the tags send cookieless pings to Google. These pings contain limited, privacy-safe information—such as the fact that a page was viewed, a timestamp, a consent state indicator, and a random identifier that is not linked to any user profile. No cookies are stored on the visitor’s device.

When the user interacts with the consent banner, Consent Mode sends an update command. If the user grants consent, the tags switch to full operation with cookies and complete data collection. If the user declines, the tags remain in the restricted state for the duration of the session, continuing to send only cookieless pings.

The critical advantage of advanced mode is that Google uses those cookieless pings as input for behavioral modeling. Google’s machine learning algorithms analyze patterns in the cookieless data alongside the complete data from consenting users to estimate what the non-consenting users likely did. This includes modeled conversions—Google can estimate how many of the users who declined cookies actually completed a purchase, based on the behavior patterns it observes from users who did consent.

The Practical Impact of Behavioral Modeling

Without consent mode (or with basic mode only), if 40% of your EEA visitors decline cookies, you lose 40% of your European conversion data entirely. Google Ads has no idea those conversions happened, and your bidding algorithms are working with 60% of the real picture.

With advanced consent mode and behavioral modeling active, Google can recover a significant portion of those missing conversions through statistical estimation. While the modeled data is not a perfect one-to-one replacement, it gives Google’s algorithms enough signal to bid effectively and allocate budget toward the audiences and placements that actually drive revenue.

Google reports that behavioral modeling through advanced consent mode can recover a substantial share of conversions that would otherwise be lost, depending on the volume of consenting traffic available for model training. For Shopify merchants with meaningful EEA traffic, this recovery can translate directly into better ROAS and lower CPA.

How Google Consent Mode v2 Works Technically

Understanding the technical flow helps you verify that your implementation is correct and diagnose issues when something is not working.

The Default-Then-Update Pattern

Every Consent Mode v2 implementation follows a two-step pattern. First, a default command runs before any Google tags load, setting all consent parameters to their initial state. For EEA visitors, this should always be denied: 

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'wait_for_update': 500
});

The wait_for_update parameter tells Google tags to wait up to 500 milliseconds for a consent update before proceeding. This gives your consent banner time to load and check for previously stored consent preferences.

Second, an update command fires when the user interacts with the consent banner, changing the parameters based on their choice: 

gtag('consent', 'update', {
  'ad_storage': 'granted',
  'analytics_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted'
});

If the user declines, the update either does not fire or fires with all parameters remaining denied. The key point is that the default command must execute before any Google tags—this is what enables Google to properly categorize traffic and apply behavioral modeling.

Region-Specific Defaults

If your Shopify store serves both EEA and non-EEA customers, you can configure region-specific defaults. Google’s Consent Mode supports a region parameter that lets you set denied defaults only for specific countries while defaulting to granted for regions where GDPR does not apply: 

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'region': ['AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE',
    'FI', 'FR', 'DE', 'GR', 'HU', 'IE', 'IT', 'LV', 'LT',
    'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE',
    'IS', 'LI', 'NO']
});

This prevents unnecessary data loss from non-European visitors while maintaining full GDPR compliance for EEA traffic. However, some merchants prefer to apply consent requirements globally as a privacy best practice.

Implementing Consent Mode v2 on Your Shopify Store

There are several approaches to implementing Consent Mode v2 on Shopify, each with different levels of complexity and control.

Option 1: Shopify’s Customer Privacy API

Shopify provides a built-in Customer Privacy API that manages consent collection and integrates with Shopify’s native cookie banner. This API exposes JavaScript methods that apps and scripts can call to check whether a visitor has consented to analytics tracking, marketing tracking, and sale of personal data.

When combined with a compatible consent banner, the Customer Privacy API can communicate consent status to Google tags through Consent Mode. Shopify’s native cookie banner handles the consent UI, and the API broadcasts consent changes that your tracking scripts can listen for and pass to Google via the gtag consent update command.

This approach works well if you want to keep things within Shopify’s ecosystem without adding third-party consent management tools. However, the native banner offers limited customization options for the consent UI, and configuring the gtag integration still requires some technical work.

Option 2: Third-Party Consent Management Platforms

Tools like Cookiebot, OneTrust, Pandectes, and Consentmo offer dedicated consent management for Shopify stores with built-in Consent Mode v2 support. These platforms typically provide:

  • Customizable consent banner designs that match your store branding
  • Granular consent categories (necessary, analytics, marketing, preferences)
  • Automatic cookie scanning and categorization
  • Built-in Google Consent Mode v2 integration
  • Consent logging for compliance documentation
  • Geo-targeting to show consent banners only in regions where required

The advantage of a dedicated CMP is that it handles the entire consent flow end-to-end, including the Consent Mode default and update commands. The trade-off is an additional subscription cost and another third-party script loading on your store, which can affect page load performance.

Option 3: Manual Implementation

If you have developer resources, you can implement Consent Mode v2 manually by adding the consent default and update commands directly to your Shopify theme. This involves editing the theme.liquid file to inject the default consent command before the Google tag snippet, then writing JavaScript that listens for consent changes from your banner and fires the update command.

Manual implementation gives you full control but requires ongoing maintenance. Any changes to your consent banner, Google tag configuration, or Shopify theme updates need to be tested to ensure Consent Mode continues to work correctly.

How Converlay Handles Google Consent Mode v2 Natively

One of the challenges with Consent Mode v2 on Shopify is that it typically focuses on browser-side tags. But what about server-side tracking? If you are forwarding conversion events from Shopify’s backend to Google Ads or GA4 through server-side methods, those events also need to respect user consent.

Converlay is a Shopify app for server-side event forwarding. It sends conversion events—purchases, add-to-carts, page views, checkout initiations—directly from Shopify’s backend to ad platforms like Google Ads, bypassing the browser entirely. This eliminates data loss from ad blockers, browser crashes, and cross-domain checkout redirects.

Critically, Converlay supports Google Consent Mode v2 natively. It integrates directly with Shopify’s Customer Privacy API to detect each visitor’s consent status in real time. When a user interacts with your cookie consent banner—whether it is Shopify’s native banner or a third-party CMP—Converlay reads the consent state through the Customer Privacy API and adjusts the data it sends to Google accordingly.

How This Works in Practice

  • User grants consent: Converlay sends the full server-side event to Google with all available customer data, including hashed identifiers for Enhanced Conversions matching. The consent parameters are set to granted in the event payload.
  • User declines consent: Converlay sends a restricted event with consent parameters set to denied. No personally identifiable data is included. Google receives the cookieless signal and uses it for behavioral modeling, just as it would with an advanced Consent Mode implementation on the browser side.
  • No consent choice yet: Before the user interacts with the consent banner, Converlay treats the session as denied by default, matching the required default-then-update pattern.

This means you do not need to configure Consent Mode separately for your server-side tracking. Converlay handles it automatically. If you are already using Shopify’s native cookie banner, there is no additional consent setup required—the integration works out of the box.

Why Server-Side Consent Mode Matters

Many Shopify merchants implement Consent Mode v2 on their browser-side Google tags but forget about server-side events. This creates a compliance gap: your browser tracking respects consent, but your server-side tracking sends data regardless of the user’s choice. At best, this leads to inflated conversion numbers from double-counting. At worst, it is a GDPR violation.

With Converlay, both your browser-side and server-side tracking respect the same consent state. There is no gap, no mismatch, and no compliance risk. The consent status flows consistently from the user’s choice through every data pipeline that touches their information.

Best Practices for Google Consent Mode v2 on Shopify

Getting Consent Mode v2 right requires attention to several details beyond the basic implementation. These best practices will help you maximize both compliance and data recovery.

1. Always Use Advanced Mode When Possible

Basic consent mode meets the compliance requirement but leaves significant data recovery on the table. Advanced mode lets Google collect cookieless pings that feed behavioral modeling, which recovers a meaningful portion of the conversion data you would otherwise lose from non-consenting users. Unless you have a specific legal reason to use basic mode, advanced is always the better choice for ad performance.

2. Ensure the Default Command Fires Before Tags Load

The most common implementation mistake is loading Google tags before the consent default command executes. If gtag.js initializes before the consent default is set, Google treats the initial page load as if no consent framework exists. This breaks behavioral modeling and can cause compliance issues. Always verify in Google Tag Assistant that the consent default fires first in the tag execution sequence.

3. Include All Four v2 Parameters

Setting only ad_storage and analytics_storage without ad_user_data and ad_personalization means you are running Consent Mode v1, not v2. Google requires all four parameters to grant access to EEA remarketing, audience building, and conversion modeling features. Check your implementation to confirm all four parameters appear in both the default and update commands.

4. Optimize Your Consent Banner for Acceptance Rates

While respecting GDPR requirements, there are legitimate design choices that influence consent acceptance rates. Clear, plain-language explanations of why cookies are used tend to increase acceptance. Offering a prominent “Accept All” button alongside a “Manage Preferences” option (rather than an equally prominent “Reject All”) is common practice across major European retailers. The higher your consent acceptance rate, the more directly observed conversion data Google receives, which improves the accuracy of behavioral modeling for non-consenting users as well.

5. Verify Modeled Conversions Are Appearing

After implementing advanced Consent Mode v2, allow 48 to 72 hours for Google to begin generating modeled conversions. In Google Ads, navigate to your conversion actions and check whether modeled conversions are being reported alongside observed conversions. If your account meets the minimum data thresholds (typically requiring sufficient daily conversion volume), you should see modeled data filling the gaps left by non-consenting users. If modeled conversions are not appearing after a week, review your implementation for errors in the consent signal flow.

6. Test Across Scenarios

Verify your implementation across all consent scenarios: user accepts all cookies, user declines all cookies, user accepts analytics but declines marketing, user never interacts with the banner, and returning user with previously stored consent. Each scenario should produce the correct consent parameter values in both your browser-side tags and server-side events.

7. Do Not Forget Server-Side Tracking Compliance

If you use server-side tracking alongside browser-side tags, ensure that your server-side events also respect the user’s consent choice. As discussed above, Converlay handles this automatically through its integration with Shopify’s Customer Privacy API, but if you have built a custom server-side integration, you need to implement consent checking in your server-side event pipeline separately.

How to Verify Your Consent Mode v2 Implementation

Once everything is configured, run through these verification steps to confirm that Consent Mode v2 is working correctly on your Shopify store:

  1. Google Tag Assistant: Open your store in Chrome and launch Google Tag Assistant (or the Tag Assistant Companion extension). Check that the consent default command fires before your Google tags initialize. Verify that all four v2 parameters are present and set to denied for EEA traffic.
  2. Consent update verification: Interact with your consent banner—accept cookies, then reload and decline cookies. In Tag Assistant, confirm that the consent update command fires with the correct parameter values for each choice.
  3. Google Ads consent status: In your Google Ads account, go to Tools and Settings, then Conversions. Each conversion action should display a consent mode indicator showing that consent signals are being received from your site.
  4. GA4 consent reporting: In GA4, navigate to Admin, then Data Streams, and check the consent settings for your property. GA4 should confirm that consent signals are active.
  5. Modeled conversion check: After 48 to 72 hours of live traffic, check your Google Ads conversion reports for modeled conversions. If advanced Consent Mode is functioning and your account meets minimum volume thresholds, modeled data should appear alongside observed conversions.

Common Mistakes to Avoid

  • Missing the default command entirely: Without a consent default, Google has no way to know that your site uses a consent framework. Tags fire as if consent is irrelevant, and no behavioral modeling is applied.
  • Setting EEA defaults to granted: Defaulting to granted before collecting consent violates GDPR. EEA visitors must have all parameters denied by default until they actively opt in.
  • Only implementing v1 parameters: Using ad_storage and analytics_storage without ad_user_data and ad_personalization means Google does not recognize your setup as Consent Mode v2. You will still lose access to EEA remarketing and modeling.
  • Forgetting to test the decline flow: Many merchants test the acceptance flow but never verify what happens when a user declines. Test both paths to ensure declined users generate cookieless pings (advanced mode) or trigger no tag loading (basic mode), as expected.
  • Ignoring server-side consent: If you run server-side tracking and do not check consent status before sending events, you create a compliance gap. Server-side events must respect the same consent choices as browser-side tags.

Start Protecting Your Conversion Data Today

Every day without Consent Mode v2 is a day where your EEA traffic is invisible to Google’s optimization algorithms. You are losing remarketing audiences, conversion modeling, and bidding signals that directly impact your ad performance and revenue. For Shopify merchants who depend on Google Ads, this is not a compliance checkbox—it is a competitive disadvantage.

Getting both consent compliance and complete conversion data should not require weeks of development work. Converlay gives you server-side event forwarding with native Google Consent Mode v2 support, integrated directly with Shopify’s Customer Privacy API. Install the app, connect your Google Ads account, and your server-side tracking automatically respects every visitor’s consent choice—no extra configuration needed.

Get started with Converlay on the Shopify App Store →