Consent mode v2: basic vs advanced — which one do you actually need?

I’ve had the same conversation with at least fifteen different clients in the past six months. They read Google’s documentation about consent mode v2, got confused, called their legal team, got more confused, and then called me.

The confusion is understandable. Google’s docs mix technical implementation details with compliance language in a way that makes it genuinely hard to figure out what you actually need. And the stakes feel high: get it wrong and you either lose your Google Ads remarketing audiences in the EEA, or you expose yourself to GDPR fines.

Let me cut through the noise.

Why there are two modes in the first place

Google introduced consent mode in 2021 as a way to adjust tag behavior based on user consent choices. The original version was simple: if a user denied consent, tags didn’t fire.

Then regulators got stricter. The Digital Markets Act (DMA) forced Google to prove it was respecting consent signals. Google responded with consent mode v2 in late 2023, adding new parameters and splitting the implementation into two approaches: basic and advanced.

The split exists because Google wanted to satisfy two conflicting demands. Privacy regulators wanted less data collection. Google’s advertising business needed enough signal to keep its models running. Basic mode serves the regulators. Advanced mode serves the ad business. That tension is the source of all the confusion.

Basic consent mode: what it actually does

When you implement basic consent mode, here’s what happens:

User grants consent: Tags fire normally. Cookies are set. Data flows to GA4, Google Ads, and other Google services. No difference from a standard implementation.

User denies consent: Tags are completely blocked. No HTTP requests to Google’s servers. No cookies set. No data collected whatsoever. From Google’s perspective, that user doesn’t exist.

That’s it. Basic mode is a binary switch. Consent granted means full tracking. Consent denied means zero tracking.

The implementation in GTM is straightforward. Your consent management platform (CMP) communicates the user’s choice to GTM through the consent API. Tags configured with consent checks (which all Google tags now have by default) either fire or don’t fire based on the consent state for analytics_storage and ad_storage.

// Basic consent mode - default state (before user interaction)
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied'
});

// After user grants consent
gtag('consent', 'update', {
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted',
  'analytics_storage': 'granted'
});

// After user denies consent: nothing changes, defaults remain

The ad_user_data and ad_personalization parameters are the v2 additions. They give more granular control over what Google does with the data. With basic mode, all four are denied by default and only flip to granted when the user explicitly opts in.

Advanced consent mode: what it actually does

Advanced mode behaves identically to basic mode when a user grants consent. The difference is what happens when a user denies consent.

User denies consent with advanced mode: Google tags still send requests to Google’s servers. But these requests are modified. They contain no cookies, no user identifiers, and no personally identifiable information. Google calls these “cookieless pings.”

What these pings include:

• Timestamp
• User agent (browser, OS)
• Referrer information
• Page URL
• Consent state metadata
• A randomly generated identifier that resets each page view (not persistent)

What these pings do NOT include:

• First-party cookies
• Client ID or User ID
• gclid (Google click ID)
• Any form of cross-session identification

Google takes these cookieless pings and feeds them into its behavioral modeling system. The models estimate how many of those unconsented users probably would have converted, based on patterns observed from consented users with similar characteristics. Google then fills in the gaps in your reports and your Google Ads conversion data with these modeled numbers.

I wrote a full analysis of the compliance implications of consent mode v2 when it first rolled out. The modeling aspect remains the most debated part.

The trade-off, plainly stated

Basic mode: You lose all data from users who deny consent. In the EEA, where consent rates for advertising typically run between 30-50%, that means you’re blind to a huge portion of your audience. No remarketing, no conversion modeling, no audience building for those users.

Advanced mode: You recover some of that data through modeling. Google reports that behavioral modeling can recover 50-70% of the data gap. You get modeled conversions in Google Ads, modeled user counts in GA4, and your remarketing audiences include modeled users.

The privacy trade-off is that you’re still sending requests to Google’s servers when a user has denied consent. Those requests don’t contain identifying information. But you are sending something. That “something” is what splits legal opinions.

When to use basic consent mode

Use basic mode if any of these apply:

Your Data Protection Authority (DPA) has a strict interpretation. Some European DPAs (notably Austria’s DSB and France’s CNIL in certain rulings) have signaled that any data transmission after consent denial could be problematic. If your primary market falls under a strict DPA, basic mode is the safer choice.

Your legal team has a low risk tolerance. Some companies, especially those in regulated industries like healthcare and financial services, default to the strictest possible interpretation of GDPR. If your legal team says “no data transmission without consent, period,” use basic mode and don’t fight them.

You don’t rely on Google Ads for remarketing. If you’re not running remarketing campaigns in the EEA, or your Google Ads strategy doesn’t depend on audience signals from your website, you’re not giving up much by choosing basic mode. The data recovery from advanced mode is most valuable for Google Ads optimization.

You operate primarily outside the EEA. If your EEA traffic is a small percentage of your total, the data you’d recover with advanced mode isn’t significant enough to justify the compliance discussion.

When to use advanced consent mode

Use advanced mode if:

You need remarketing audiences in the EEA. Google has been clear: without advanced consent mode (or a “certified” CMP with advanced consent mode), your Google Ads remarketing audiences for EEA users will shrink significantly. For advertisers who depend on remarketing for a meaningful share of their revenue, this is the deciding factor.

You want behavioral modeling in GA4 and Google Ads. The modeled data fills gaps in your reports. If you’re making budget decisions based on GA4 data and half your users deny consent, your reports are showing a skewed picture. Modeling corrects some of that skew.

You’re using Smart Bidding and need maximum signal. Smart Bidding works better with more conversion data. The modeled conversions from advanced consent mode give the algorithm a more complete picture. For high-spend accounts, this can directly impact CPA and ROAS.

Your legal team is comfortable with cookieless pings. Some legal interpretations view the cookieless pings as compliant because they don’t contain personal data under GDPR’s definition. No name, no email, no persistent identifier, no cookie. The argument is that anonymous, non-identifying telemetry isn’t “processing personal data.” This position is defensible but not universally accepted.

Implementation differences in GTM

The actual implementation difference is minimal, which is part of why the decision feels more legal than technical.

Basic mode implementation

In your web GTM container, the default consent state blocks all tags:

// Set in your CMP template or custom HTML tag
// Fires before any other tags
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied',
  'wait_for_update': 500  // ms to wait for CMP
});

Google tags check the consent state before firing. With basic mode, tags configured to require ad_storage simply won’t fire if it’s denied. No pings, no data, nothing.

In GTM, make sure your Google tags have the built-in consent checks enabled (they are by default in new tag templates). Under tag settings > consent configuration, you’ll see the required consent types listed.

Advanced mode implementation

The consent default looks similar, but you add one configuration change:

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied',
  'wait_for_update': 500
});

The difference is that in advanced mode, you do not use the “Require additional consent” setting that blocks tag loading entirely. Instead, you allow Google tags to load and let them handle the consent state internally. The tags recognize the denied state and switch to sending cookieless pings instead of full tracking hits.

In GTM terms: with basic mode, you configure triggers to prevent tags from firing at all when consent is denied. With advanced mode, you let tags fire regardless, but they adjust their behavior based on the consent signals.

The practical difference in your container is often just one setting: whether your Google tags use “require additional consent” (basic) or “additional consent checks not required” (advanced).

The compliance question: my honest assessment

Is advanced consent mode GDPR-compliant? Here’s my position: it’s defensible but not bulletproof.

Arguments in favor of compliance:

• Cookieless pings don’t contain personal data as defined by GDPR
• No persistent identifiers are set or transmitted
• The data cannot be used to identify an individual
• Google’s modeling happens on Google’s side using aggregated data
• The ePrivacy Directive targets “storing information on user devices” (cookies), and advanced mode doesn’t do that when consent is denied

Arguments against:

• The user said “no” and data was still transmitted to a third party
• IP addresses are transmitted (though Google truncates them)
• The combination of user agent, referrer, and timestamp could theoretically be used for fingerprinting (even if Google says it doesn’t)
• GDPR’s “spirit of the law” arguably covers any data processing after a denial, not just personal data

I’ve seen legal opinions going both ways. My practical advice: if you implement advanced consent mode, document your reasoning. Have your DPO or legal counsel sign off explicitly. Keep a record of Google’s documentation about what data the cookieless pings contain. And consider whether implementing server-side tagging gives you more control over what data leaves the browser, since sGTM lets you inspect and filter outbound requests.

No regulator has explicitly ruled that advanced consent mode violates GDPR as of today. But the regulatory environment is still evolving. Austria’s DSB and Italy’s Garante have been the most aggressive on tracking after consent denial, especially on iOS, and either one could issue guidance that changes the picture.

Making the decision

Here’s my framework, which I use with every client:

1. Where are your users? If less than 20% EEA traffic, go basic and stop worrying.
2. Do you run Google Ads remarketing in the EEA? If no, go basic.
3. What’s your consent rate? If above 60%, the data gap is small. Basic is fine.
4. What does your legal team say? If they say basic, go basic. Fighting legal over a modeling feature isn’t worth it.
5. How much do you spend on Google Ads? If under $5K/month in the EEA, the data recovery from advanced mode won’t meaningfully change your performance. Go basic.

If you answered “yes, significant EEA traffic, yes remarketing, low consent rates, legal is flexible, and high ad spend,” then advanced mode makes sense. For everyone else, basic mode is simpler, safer, and costs you less data than you think.

The reality is that most businesses outside the top tier of ad spend are overthinking this. Pick one, implement it correctly, document your reasoning, and move on. The bigger risk isn’t choosing the wrong mode. It’s spending three months debating it while your tracking setup stays broken.