Consent Mode v2 and server-side GTM: GDPR in practice

Consent Mode v2 sounds like more bureaucracy, but it's really a simple idea: tell Google and Meta whether the visitor gave consent to be tracked — and adjust what data is sent accordingly. Here's how it works with server-side GTM and what you actually need to set up.

What Consent Mode v2 is

Consent Mode is how your site tells Google's advertising and analytics tools what consent the visitor gave. Since March 2024, version v2 is mandatory for anyone targeting users in the EEA who wants to use remarketing or audiences in Google Ads.

Version v2 added two new signals to the original two. There are four in total:

• ad_storage — consent to store cookies for advertising;
• analytics_storage — consent to analytics cookies (GA4);
• ad_user_data — consent to send user data to Google for advertising purposes;
• ad_personalization — consent to personalized advertising and remarketing.

Basic vs. Advanced mode

Consent Mode has two modes, and it matters which one you use:

• Basic mode: until the visitor consents, no tags fire and nothing is sent to Google at all. After consent, measurement runs normally. Simpler, but you lose all data from people who decline.
• Advanced mode: even without consent, a cookieless ping is sent — an anonymous signal with no cookies and no identifiers. From those pings, plus the behavior of people who did consent, Google computes modeled conversions. That gives you an estimate even where you'd otherwise have a zero.

Where server-side fits in

One common misconception is worth clearing up: server-side tracking does not bypass consent. Consent signals are still evaluated — server-side only changes where the data is processed.

But server-side gives you two practical advantages:

• One place for the rules. The server-side GTM container is a central point where you decide what gets forwarded based on consent state and what gets dropped. You don't have to handle it tag by tag.
• Less data leaves the browser. Instead of dozens of calls to third-party domains, the browser makes a single request to your domain. The server then respects consent signals when forwarding.

How to set it up

The process in short:

• 1. Deploy a certified consent management platform (CMP) — the banner that collects consent and passes it via gtag('consent', ...).
• 2. Set the default state of all four signals to denied before tags load.
• 3. After the visitor interacts with the banner, send an update with the real values.
• 4. In the server-side GTM container, read the consent state from the incoming event and decide whether to forward it to GA4, Meta CAPI and others.

You'll find a detailed walkthrough in the docs: Google Consent Mode V2 with server-side GTM.

What happens when a visitor declines

In Advanced mode, a cookieless ping is still sent after a decline and Google computes modeled conversions from it. In Basic mode, nothing is sent. For most stores that rely on conversion accuracy for Google Ads, Advanced mode is the better choice — provided you pair it with a correct banner and default state.

Common mistakes

• Missing default state. If you don't set the default to denied before tags, Google treats Consent Mode as not implemented.
• Forgetting the new signals. Without ad_user_data and ad_personalization you lose remarketing audiences in the EEA.
• Assuming server-side "handles consent." It doesn't — you still need a banner and a CMP.

Summary

Consent Mode v2 isn't optional — it's mandatory for targeting the EEA. Server-side GTM doesn't bypass it, but it gives you a single central place to enforce consent rules cleanly and consistently. A correctly configured banner, Advanced mode and server-side forwarding is the best way today to measure accurately while respecting GDPR. Try DataNostro for free.