An overview of Consent Mode V2, and how to comply

The Piwik Pro and CookieYes logos. A hint for the two CMPs I recommend.

(Please note, the following information is to the best of my knowledge. I have spent many hours implementing cookie banners and privacy compliance code for businesses, while liaising with experts and data controllers. However, I myself do not fully know the ins and outs of it’s implications)

What is consent mode v2?

Consent mode v2 is part of a policy framework that cookie banners need to comply with, if you use Google products on your website such as Google Analytics and Google Ads.

The original version of consent mode was introduced in 2020, with the v2 update released to be inline with the new Digital Markets Act, that came into effect in March 2024.

Cookie banners started out with good intentions to comply with user privacy, and they started getting a lot of attention when the Cambridge Analytica scandal came to light. However, in recent years, compliancy has become unwieldy. Where implementing it fully now takes expertise, or a monthly cost to use a CMP (content management platform). More on CMPs later…

Why is consent mode v2 required?

Contrary to popular belief, ‘consent mode v2’ is not a policy needed for everyone, like a cookie banner is. It is only necessary if your website uses a Google product, like Analytics or Google Ads. However, like the implementation of cookie banners, many businesses are ignoring consent mode v2 because of the cost or expertise required to implement it.

With cookie banners, there is the belief that it won’t affect them legally from a GDPR regulatory view. Which is largely true for smaller businesses. But like ‘fiddling the books’, it might catch up with you sooner or later. Depending on how big your company is, and if a customer reports their data being compromised. A typical example is when a user still gets a newsletter, despite unsubscribing, so they decide to report the business.

In regards to consent mode v2 specifically, it is not a compliance or privacy issue that will land you in hot water without implementation. But if you continue to use Google’s products without it, their usefulness is greatly reduced. Ad personalisation features are at risk for remarketing, and Analytics loses a portion of it’s ability to track conversions, via their conversion modelling algorithm.

However, consent mode v2 should not just be seen as a necessary evil. Like ‘privacy policy’ pages and ‘terms and conditions’, it can also act as a trust signal, reassuring users that you care about their online privacy and the use of their data.

Can I get away with not having consent mode v2, or even no cookie banner at all?!

If you do not use any Google products, consent mode v2 is not required and most of this article can be ignored! However, user privacy should still be respected with the use of a cookie banner, even if you use alternative traffic monitoring software, like Matamo or Plausible.

Unless you use cookies only for the absolute necessary operation of your website, such as logging into an admin area, a cookie banner is required. Even just embedding a Youtube video means creating third party cookies, therefore the need for a banner. And using first (instead of third) party cookies for any of these things won’t get you out of needing to be compliant either.

With this in mind, some companies are taking a leap of faith by getting rid of cookie tracking altogether, so they don’t carry the baggage of compliance at all. An interesting article about a company that did this, and how they adapted, can be read at https://blog.sentry.io/we-removed-advertising-cookies-heres-what-happened/

Removing all forms of tracking isn’t a terrible move, but it is something that can scare CEOs or shareholders. Because when big budgets are spent on online marketing, it requires a shift in mindset to put more trust and confidence in the quality and creativity of your marketing assets, rather than using metrics to justify their performance.

Even so, metrics are becoming more skewed over time, with an increasing amount of users taking privacy into their own hands with ad blockers. Over time, Internet browsers are also becoming more privatised, with Google Chrome going cookieless later on this year. On average, around 47% of user sessions are already private. And this is only going to increase, until most (if not all) user journey data is hidden.

This means that even the performance data that marketers use at the moment is only ever going to reveal part of the picture. Which can cause misleading insights, even for skilled individuals. Beyond pulling out top-level trends and broad insights, creating nuance out of the metrics data we already have is a foggy endeavour.

How do I implement consent mode v2?

I’ve spent many hours reviewing different CMPs (consent management platforms) over the last few weeks. Seeing how their plans differ, and what you get for their monthly costs. Because I work mostly with SMBs, implementing a CMP to manage their user privacy feels like being nickel and dimed. Because most of them charge £10 or more every month.

However, there is flexibility with some of the CMPs I discovered. A list of the main ones available are listed on Google, at https://support.google.com/tagmanager/answer/14009343

From the dozen or so I reviewed, I found https://www.cookieyes.com/ the most appropriate for the small businesses I work with, who have a brochure style website. Their free plan scans up to 100 pages, to review what cookies you use, and the level of compliance needed for them. Also, as long as your monthly page views are under 25,000, it’s an easy and free way to stay compliant. With no coding experience required, beyond a few moments to copy and paste a snippet of code into your sites template file. The only downside is that their cookie banner shows their logo in the bottom corner of your site.

For clients that have 1,000s of pages, or more than 25k users a month, I’ve been recommending Piwik Pro. They’re a platform for setting up traffic analytics, tags for conversion tracking, and managing user consent. They offer a free plan, as long as your site stays under 500k user actions a month. And they have no limit on the amount of pages they scan to review the cookies you use.

Using Piwik Pro for a basic cookie banner is easy enough, by copying and pasting some code, or installing a WordPress plugin. However, if you want your cookie banner to be consent mode v2 compliant, it will take someone with coding knowledge and a familiarity of the Piwik platform to set it up.

In a nutshell, CookieYes is the easiest way to implement compliancy that considers consent mode v2, as long as your site is small. And Piwik Pro, is the more comprehensive CMP for bigger websites. Using Piwik Pro is fine as long as you have a background in programming, or are willing to hire someone for a few hours to integrate ‘consent mode v2’ for you. To get an idea of the documentation that needs to be followed to implement consent mode v2 with Piwik, check out https://help.piwik.pro/support/integrations/google-consent-mode-v2-integration/. If such documentation looks bewildering though, best to get a helping hand!

Choosing either of the above two options avoids having to pay a monthly fee for a CMP plan. Only if you are an international company, or a corporate, do I suggest paying for a CMP like OneTrust (which KFC use) or Didomi (which Decathlon use). This is because having a paid plan ensures that all your pages are scanned regularly, so you know all the cookies your site has to offer consent for. A paid plan also has the advantage of keeping privacy compliance up to date for users in different countries, and auto-generating documents for evidence each time a user grants consent. Which may be a requirement in the future if you get audited. What a faff!

What are others doing in response to respecting user privacy and consent mode v2?

As I’ve mentioned with examples like KFC and Decathlon, if you check any big brand websites, you’ll notice that they all use a different CMP, so there is no real consensus. For now, going fully cookieless feels like a brave or overzealous approach, considering the little time it takes to be compliant. But in the future, if more businesses become cookieless, it may be worth doing the same to stay inline with what’s considered friendly to the latest privacy standards.

If you haven’t already noticed, my site uses Piwik Pro to be compliant. So you get an idea of what the banner looks like and the options available.

What is the future for consent mode v2?

‘consent mode v2’ is starting to become an unwieldy beast, causing the need for businesses to hire developers to get it implemented, or to pay a monthly fee for a CMP plan. Which no one asked for!

However, there might be some good news that comes out of this in the future. As users become more informed about how the Internet uses their data, we may be able to start relying on people to manage privacy in their own Internet browsers, without every site needing a banner. Banners which are forcing us to make extra, annoying clicks during our browsing experience. As mentioned earlier, Google Chrome will be going totally private by the end of the year, so it might not be a pipe dream (Update: They’ve put this on hold now, as of July 2024).

In regards to how marketers will adapt, they’ll have to be more traditional in their approach. In the sense that they’ll need to focus on writing good copy, drawing distinctive creative, and responding to customer feedback and trends. Instead of going down data rabbit holes, and pulling out misleading stats to please upper management. All the while using metrics that only show half the picture. And this picture is only going to get smaller over time.

On a final note, for a bit of fun

If you want to check if a competitor website is already consent mode v2 compliant, follow point 2 in the guide at https://www.cookieinfo.net/en/knowledge-base/check-if-google-consent-mode-v2-is-implemented/. It has some JavaScript code you can copy and paste into the developer window of your Internet browser, to see if they’re managing user consent correctly.