Google Consent Changes and Best Practices: Understanding Website Data Privacy

Businesses that use audience and user data tracking in services such as Google Ads and Google Analytics are now mandated by Google’s data privacy policies and Terms of Use Agreement to collect user consent before tracking personalized data.

In this article, we’ll explore the specifics of what’s allowed under the new system (and what isn’t) and cover the basic steps your organization should follow to remain compliant.

What changed with Google's consent policies and why should my firm care?

Understanding Google’s changes to collecting consent requires a basic understanding of the current data privacy environment.

A look at the current privacy landscape

Over the past several years, countries around the world have passed legislation that regulates how data can be collected, stored, and used. Specifically, the European Union’s (EU) General Data Protection Regulation (GDPR) went into effect in May of 2018, sparking the current debate about privacy by giving residents more control over how companies can interact with user data.

The GDPR was unique in that it imposed restrictions not only on how data was collected from EU residents but also on how it was stored and how it could be transferred outside the European Economic Area.

This legislation also imposed heavy fines and penalties on organizations that break these rules, with Meta recently being fined $1.3 billion for not sufficiently protecting user data transferred from the EU to servers based in the United States (US).

In the United States, legislatures across the country began to follow suit, culminating in California passing the California Consumer Privacy Act (CCPA) in 2020 and other states soon following with similar legislation.

As of the publication of this article, 15 states have passed consumer data privacy laws, with additional legislation making its way down pipelines nationwide.

The 15 states whose consumer data privacy laws have changed.

Changes to Google’s policies

In response to this heightened awareness of data privacy, companies that collect user data have regularly updated their privacy policies and terms of service to avoid fines and reduce their exposure to risky data practices.

As a global leader in the booming data service sphere, Google has found itself especially exposed to changing privacy laws and has increasingly taken steps to reduce its liability.

For example, the change from Universal Analytics to Google Analytics 4 in 2023 coincided with their move to depreciate 3rd-party cookies across the web, giving users more control over what types of data businesses can collect. Similarly, the recent release of Google Consent Mode v2 aims to reduce the risk of liability when it comes to collecting, storing, and using information gained from residents of the European Union.

How might your business be impacted?

Failing to properly account for the new consent tagging structure means that some Google services, such as Google Ads and Google Analytics 4, will either no longer work for your business or become limited in their ability to function as they should.

Marketers and business leaders need to understand that these changes from Google are happening in response to changing privacy legislation, meaning that organizations should follow suit to ensure they’re adhering to industry data privacy protection best practices.

Best practices for using Google Consent Mode in 2024

Examples of a consent cookie pop-up window and a consent cookie management page.

The best practice for managing consent on your websites is generally to trigger a pop-up when a user first lands on your site, asking whether they consent to any tracking scripts on the website.

If the user accepts this form of tracking, your scripts will function normally. If they deny tracking (or only allow necessary scripts), some platforms, such as Google Analytics 4, will use behavioral modeling and other related technology to model and predict the behavior of users who decline analytics cookies based on the behavior of similar users who accept cookies.

In this situation, modeled data allows you to gain valuable insights from your Analytics reports while respecting your users’ privacy.

Google has partnered with several industry leaders to create the Google Consent Mode Partner Program, which lists numerous data privacy solutions that can help you quickly get up to speed on handling user consent.

The best practice moving forward is to install and configure a solution from one of these trusted partners on your website (or another solution that integrates with Google Consent Mode v2) to begin collecting user consent before firing tags on your website.

Frequently asked questions (FAQs)

Below, we’ll answer several questions the organizations commonly have about the data privacy debate.

How much will setting up cookie consent cost for my organization’s website?

While there’s no way to provide a specific number without knowledge of your website setup, we can offer some thoughts on what you should expect.

In general, there are three steps to setting up cookie consent where you may incur costs, with the final total depending greatly on your strategy, current setup, and chosen level of implementation:

1. Choose a Cookie Consent Management Platform (CCMP) or a plugin that serves the same purpose (or ask your developer for their recommendations) — This step involves choosing the platform you intend to use to manage cookie consent. In general, you should expect to spend somewhere in the double digits per month for a basic implementation of the most common cookie consent platforms (OneTrust, CookieYes, etc.). If your website is hosted on WordPress, you may also be able to install a cookie management plugin at a lower cost than more managed solutions.
2. Install your chosen platform or solution on your site—This step involves designing the look and functionality of your consent banner and then installing it on your site. Often, this means paying a fee for the developer’s time to set up and test your chosen solution.
3. Have legal counsel review and update your privacy policy — The final step in the process is to have legal counsel review and update your existing privacy policy to ensure it complies with all applicable laws and is coordinated with your chosen cookie consent management platform. The time it takes for the attorney to perform this action (whether in-house or billed) will be the final resource cost of the project.

We only use GA4 to track essential user traffic and engagement data, do we need to use consent mode?

The answer to this question is a bit of a gray area and is currently a subject of ongoing legal battles in the EU and across the United States.

Recent case law generally says that GA4’s default configuration is not GDPR compliant and, depending on your usage, is also not compliant with the CCPA or other state-specific privacy laws.

For this reason, it’s highly recommended that sites implement a banner to collect user consent, even if they’re only using GA4 for basic analytics data, to ensure a stronger level of compliance and legal protections.

Can we just block traffic from the EU?

Technically, yes. However, as noted above, legislation in the United States may also apply, including the CCPA and numerous other state-specific laws. This means that your organization would have to take a reactive position should a claim arise, rather than proactively solving the problem with a cookie consent banner or another solution.

Additionally, tracking users by geolocation isn’t an effective way to ensure ongoing compliance because of how imprecise current solutions are at accurate location identification, meaning that some users may still fall through the cracks.

What if we’re running Google Ads?

Using any form of targeting or analytics for your ads that collect data from visitors to your website  (such as retargeting, remarketing, or conversion tracking) means you must actively collect user cookie consent.

What happens if we collect data from users without their consent or don’t follow current privacy laws?

In most cases, the individual whose data you’ve collected will be able to bring a civil lawsuit against your firm relating to the collection, storage, and use of their data if they choose. These cases often settle through steep fines paid to the plaintiff and requirements that the business change its data policies.

What’s the easiest way to deal with Google’s policies and the new data privacy laws?

Install a cookie consent solution on your website, such as one found in Google’s Consent Management Platform (CMP) Partner Program. Alternatively, if you have a WordPress site, you can install a cookie consent plugin with the help of a developer.

Both are relatively easy lifts you can complete in a short amount of time.

Finding the next steps for your organization

Staying up to date on recent privacy laws can be challenging, which is why it’s wise to rely on a partner who understands the nuances of the privacy space and can help you take action when the landscape shifts.

For most organizations, the next step will be installing a privacy banner on your website. For businesses that already leverage a consent banner, you should confirm your privacy policy is updated and your solution is configured properly for the recent switch to Consent Mode v2.

Whatever your case may be, the most important takeaway is that data privacy is an increasingly important part of operating and managing a website, and your business will benefit from taking strategic, proactive steps to ensure you’re safeguarding your users’ data.

Further Reading & Resources

From Google:

1. List of Google Consent Management Program (CMP) Certified Partners
2. Updates to consent mode for traffic in European Economic Area (EEA)
3. Learn More About Consent Mode
4. Set Up Consent Mode on Websites

From industry sources:

1. Consent Mode V2: Google Shares Shares Key Details For Advertisers (Search Engine Journal)