March 24, 2026

GTM Consent Mode: Most Setups Are Wrong and Here's Why

You have a cookie consent banner. It looks professional. Users can accept or decline. You checked the compliance box.

But open GTM Preview mode, decline all cookies, and watch what happens. In most setups we audit, every single tag fires anyway. The banner is decorative.

Google Consent Mode v2 has two states:

  • consent: 'default' — set when the page loads, before the user interacts with the banner. Typically denies analytics_storage and ad_storage.
  • consent: 'update' — sent when the user makes a choice. Grants or continues denying each storage type.

When properly configured:

  1. Page loads → consent defaults to denied
  2. Tags that require consent don’t fire
  3. User clicks “Accept” → consent updates to granted
  4. Tags fire with full functionality

When improperly configured (the common case):

  1. Page loads → consent is never set (or defaults to granted)
  2. All tags fire immediately
  3. User clicks “Decline” → nothing changes because the tags already fired

The three most common mistakes

The cookie banner handles cookies (setting/deleting them) but has no integration with GTM’s Consent Mode API. The banner is a standalone UI element — GTM doesn’t know it exists.

How to check: In GTM Preview mode, look for consent events in the dataLayer timeline. If there are none, Consent Mode isn’t implemented.

Mistake 2: Defaults set to granted

Some implementations set the consent defaults to granted for everything — then update to denied only if the user explicitly declines. This means the window between page load and user interaction has full tracking enabled.

In the EU, this is backwards. The legal requirement is denial by default, not grant by default.

How to check: Look at the first consent event in the dataLayer. If analytics_storage: 'granted' appears before the user interacts with the banner, the defaults are wrong.

Even with Consent Mode properly sending signals, individual GTM tags need to be configured with Built-in Consent settings. A Google Analytics tag should require analytics_storage. A Google Ads tag should require ad_storage.

If a tag’s consent settings are blank, it fires regardless of consent state.

How to check: In GTM, open each tag and look for “Consent Settings” in the Advanced section. If it says “Not set,” the tag ignores consent.

What a correct implementation looks like

  1. Before the banner loads: gtag('consent', 'default', { analytics_storage: 'denied', ad_storage: 'denied' }) — this must be the very first thing in your GTM container, before any other tags.

  2. CMP integration: Your cookie management platform (OneTrust, Cookiebot, Iubenda, etc.) pushes a consent: 'update' to the dataLayer when the user makes a choice.

  3. Tag consent settings: Every GA4, Google Ads, Meta, and third-party tag has its appropriate consent requirements configured in GTM.

  4. Testing: In Preview mode, decline consent and verify that no measurement tags fire. Grant consent and verify they fire. Revoke consent and verify they stop.

Why this matters beyond compliance

Consent Mode affects your data quality, not just your legal risk. Tags firing without proper consent can result in:

  • Inflated user counts — the same user gets counted before and after consent
  • Attribution errors — ad platforms see events they shouldn’t, skewing optimization
  • Google Ads policy violations — Google requires Consent Mode v2 for EU traffic. Without it, your ads can be flagged

The 5-minute test

  1. Open your site in an incognito window
  2. Open browser DevTools → Console
  3. Before interacting with the consent banner, type: dataLayer.filter(e => e[0] === 'consent')
  4. If this returns nothing, Consent Mode isn’t implemented
  5. If it returns a default event, check if storage types are denied
  6. Decline cookies via the banner
  7. Run the filter again — you should see an update event maintaining denied
  8. Open GTM Preview mode and check which tags fired before you interacted with the banner

If any measurement tag fired before consent was granted, your implementation is broken.

Consent Mode configuration is included in every GTM setup and audit. It’s one of the first things we check because it affects everything downstream.

Is your GTM container costing you money?

Find out in 3 minutes with the free GTM Health Scorecard.

Get Your Free GTM Health Score

← All posts