Consent Mode v2 & GDPR Compliance

Tags that fire before consent are a regulatory problem. Tags that stop firing entirely after consent are an analytics problem. The job is solving both at once.

If your tracking is firing before users have made a choice, you’ve got a compliance issue. If it stops firing entirely when they decline, you’ve got an analytics blackout. Consent Mode v2, when properly set up, bridges the two. Most setups I see are missing pieces, misclassified, or quietly non-compliant.

I do two things here: full audits of your tracking and consent compliance, and Consent Mode v2 implementations across major CMPs.

Two ways to work with me.

1. Consent & GDPR Compliance Audit

A thorough audit of your tracking and consent setup against UK GDPR, EU GDPR and PECR:

  • CMP review - Cookiebot, OneTrust, CookieYes, Iubenda, others

  • Cookie classification - whether categories are correct, whether anything’s unclassified or dropping silently

  • Tag-by-tag review of what fires before consent vs after, including the order things fire in

  • Privacy policy review against what’s actually being tracked

  • Third-party services inventory - what’s loading, what data it collects, where it goes

  • Data subject request readiness

  • A prioritised report covering immediate/short-term/medium-term actions

Inquire

2. Consent Mode v2 Setup

Full Consent Mode v2 implementation in GTM, integrated with your CMP:

  • CMP installation (I recommend Cookiebot - but I work with whatever you’ve already got)

  • Per-tag consent gating in GTM, including built-in and additional consent checks

  • Consent state signals correctly passed to GA4, Google Ads, Meta and other platforms

  • Default consent states and update mechanics configured properly

  • Cookieless modelling configured so GA4 still reports usefully when consent is declined

  • Testing in every consent state - granted, denied, partial, undecided

What "compliant" actually means.

  • Tags don’t fire before consent is given (the most common issue I find)

  • "Reject all" is available on the first layer, not buried two clicks deep — a known regulator focus

  • All cookies are correctly classified: strictly necessary, preferences, statistics, marketing

  • No unclassified cookies dropping silently

  • Privacy policy describes what’s actually tracked, not a generic template

  • Users can withdraw consent as easily as they gave it

  • A clear, defensible record of consent is kept

Inquire

How it Works.

1. Scope

Quick call to understand what you’ve got — CMP, tracking stack, regions you operate in. From there I’ll suggest whether you need an audit first, a setup project, or both.

2. Audit 0r build

Audit: I go through tracking, CMP and consent behaviour systematically and produce a written report with prioritised actions. Build: I configure CMP, Consent Mode v2, per-tag gating and testing across consent states.

3. Validation

Every consent state tested - granted, denied, partial, undecided. Tag firing checked against consent signals. Cookieless modelling confirmed where applicable.

4. Document & hand over

You get a clear record of what’s in place, why, and what to do when something changes - a new third-party service, a new region, a new platform.

Regions and regulations I cover.

  • UK GDPR and PECR

  • EU GDPR

  • US state laws — California (CCPA / CPRA), Virginia (VCDPA), Colorado, Connecticut and others as needed

  • Cookie consent rules for any jurisdiction where you’ve got significant traffic

This is for you if…

  • You honestly don’t know whether your tracking is firing before consent

  • A compliance or legal review has flagged your cookie banner as a risk

  • You’re moving into new regions and aren’t sure what changes you need to make

  • You’ve just installed a CMP and aren’t confident it’s wired up properly

  • Your CMP is in place but your GTM tags aren’t actually gated by it

  • You want to set up Consent Mode v2 but don’t know where to start

  • You’ve heard about cookieless modelling and want to know if it applies to you

  • You’re losing analytics signal because of how consent is configured — and want it back without breaking compliance

Recent work.

  • A full consent and GDPR compliance audit for a London chambers — surfaced tags firing before consent, a "Reject all" buried on a second layer, and a partially unclassified cookie inventory. Delivered with prioritised immediate / 30-day / 90-day actions

  • Consent Mode v2 setup with Cookiebot for a UK ecommerce brand, integrated with their existing GTM container and tested across consent states

  • CMP and consent review for a multi-region B2B business covering UK, EU and US - including jurisdictional differences in default behaviour

Get compliant, without losing your analytics.

Whether you need an audit, a setup project, or both, get in touch and I’ll point you towards whichever actually applies.