Consent Mode exposes named consent signals that a Google tag reads before it fires. Each signal is either granted or denied, and it decides whether the tag may set cookies and which identifiers ride with each ping.
Below: how each of the four signals works and why ad_storage and ad_user_data behave differently. Then the default and update commands, plus a real example of what changes when a visitor accepts or rejects.
How the Consent Mode Signals Work (The Short Answer)
The consent signals are states, either granted or denied, that a CMP or gtag call sets on the page. Each Google tag checks the relevant signals before it fires. That check decides two things: whether it stores a cookie, and what data it sends with its measurement ping.
A tag never assumes consent. If no default command has run, the tag treats the signal as unset and applies the most restrictive behavior. Once a visitor interacts with a consent banner, an update command changes the signal's value. Every subsequent tag call on the page reads that new state.
The Four Google Consent Mode Signals and What Each One Controls
Two signals gate storage on the visitor's browser, and two signals govern how Google is allowed to process data it already received. The table below lists Google's own definition for each.
| Signal | What it controls | When granted | When denied |
|---|---|---|---|
ad_storage | Storage, such as cookies, related to advertising | Advertising cookies may be read and written; google.com and doubleclick.net third-party cookies are used for ad measurement | No new advertising cookies may be written and no existing first-party advertising cookies may be read |
analytics_storage | Storage, such as cookies, related to analytics, for example visit duration | Analytics cookies are read and written; GA4 measures sessions normally | Cookieless pings are sent to Google Analytics for future measurement and modeling |
ad_user_data | Sending user data related to advertising to Google | User data may be sent to Google for advertising, including enhanced conversions | That user data is not sent to Google |
ad_personalization | Personalized advertising | Data may be used for personalized ads and remarketing | Data is not used for personalized ads or remarketing |
Three more storage types exist in the API: functionality_storage, personalization_storage, and security_storage. They are not part of the Consent Mode v2 advertising and analytics requirement; the section below covers what each one does.
ad_storage: Advertising Cookies
ad_storage gates cookies tied to advertising measurement. Google defines ad_storage as storage related to advertising. In practice, that covers the cookies Google Ads and Floodlight tags use to track ad clicks and conversions.
When ad_storage is granted, a Google tag can read and write advertising cookies, and third-party cookies on google.com and doubleclick.net stay active for ad measurement. When it is denied, no new advertising cookies get written, and no existing first-party advertising cookie gets read.
Prior google.com and doubleclick.net cookies do not disappear when a visitor denies consent later. They persist on disk but stop contributing to ad targeting or measurement.
Google's own documentation states those cookies "won't be used except for spam and fraud purposes."
analytics_storage: Analytics Cookies
analytics_storage gates the cookies GA4 uses to measure sessions, such as visit duration and repeat visits. Granting it lets Google Analytics set and read its standard first-party cookies.
Denying analytics_storage does not silence measurement. GA4 uses cookieless pings for statistical modeling instead of cookie-based session stitching.
Google's Tag Manager reference states plainly: "Cookieless pings will be sent to Google Analytics for future measurement."
A site can also enable URL passthrough for a denied analytics_storage signal. That setting carries event and session data across pages in the URL itself, without setting a cookie, which is a separate mechanism from cookieless pings. These cookieless pings are the same mechanism behind how cookieless tracking works more broadly.
ad_user_data: Sending User Data to Google
ad_user_data is a Consent Mode v2 addition. It controls whether a Google tag may send user data, such as a hashed email from an enhanced conversion, to Google for advertising purposes.
Granting ad_user_data allows that data transfer, which Google Ads needs for tag-based conversion tracking and enhanced conversions. Denying it stops the transfer entirely, independent of whether ad_storage is granted or denied.
ad_personalization: Personalized Advertising and Remarketing
ad_personalization is the second v2 addition. It governs whether Google may use the data it already has to build personalized ads or remarketing lists.
Granting it lets a visitor's activity feed audience-based advertising, such as remarketing. Denying it blocks that specific use even if the same visitor's data reached Google through a granted ad_user_data signal for a different, non-personalization purpose.
Upstream vs Downstream: Why ad_storage and ad_user_data Behave Differently
ad_storage and analytics_storage are upstream qualifiers: they control which identifiers and cookies ride along with a tag's ping before that ping ever leaves the browser. ad_user_data and ad_personalization are downstream instructions: they travel with the ping and tell Google how it may process the data once received.
This distinction has a concrete consequence in advanced Consent Mode. Even when a visitor denies ad_user_data and ad_personalization, the underlying ping still reaches Google as a cookieless ping if ad_storage is granted or the site runs advanced mode. The two downstream signals then restrict what Google is allowed to do with that ping, not whether it arrives.
Independent analysis of Google's tag behavior draws the same line. Upstream signals act on the browser to control tag behavior and restrict what gets collected. Downstream signals travel alongside the collected hit and tell Google's backend how it may process that data. The signals answer two different questions: can the browser store or send this, and can Google use what it already has.
How a Google Tag Reads the Signals: default vs update
Every page needs a starting consent state before the visitor makes a choice, and a way to change that state afterward. Consent Mode splits this into two gtag commands: default sets the starting state, and update changes it once the visitor responds.
The default Command (Before the Visitor Chooses)
A Google tag needs a default value for every consent type it uses, set before any command that sends measurement data. A page with no default command runs with an effectively unset state.
Google's own setup guide is explicit: "By default, no consent mode values are set."
The default command looks like this:
`` gtag('consent', 'default', { 'ad_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'analytics_storage': 'denied' }); ``
Defaults can also be scoped to a region using an ISO 3166-2 code. A site can deny by default in the EEA while granting elsewhere.
When two default commands cover overlapping regions, the most specific region wins. A default of granted for the US combined with a default of denied for US-CA means a California visitor gets denied.
The update Command (After the Visitor Chooses)
The update command changes the consent state as soon as a visitor interacts with the banner. Sites should then persist that choice and call update again on later pages.
Google's guide instructs sites to "update the consent status as soon as a user interacts with your consent management solution."
`` gtag('consent', 'update', { 'ad_user_data': 'granted', 'ad_personalization': 'granted', 'ad_storage': 'granted', 'analytics_storage': 'granted' }); ``
The update command is the only command that flips a signal from denied to granted. It also flips a signal back if a visitor later withdraws consent through a preferences panel.
wait_for_update and the 500ms Window
An asynchronous CMP banner does not always finish loading before a Google tag fires. The wait_for_update parameter tells the tag to pause for a set number of milliseconds so the CMP has time to call the update command first.
`` gtag('consent', 'default', { 'ad_storage': 'denied', 'wait_for_update': 500 }); ``
Google's documentation uses 500 milliseconds as its working example. The tag waits up to that window for an update call before it proceeds on the default state. Without this parameter, a slow-loading CMP can let a tag fire on a stale default it never gets to correct.
What Changes Between Granted and Denied: A Real Example
Consider an e-commerce store running GA4 for analytics and a Google Ads tag for remarketing. The store serves EU customers alongside US ones. Its CMP fires a default command on page load that sets all four signals to denied for every visitor.
A visitor from Germany lands on a product page and clicks "Reject" in the banner. No update command fires, so all four signals stay denied. The GA4 tag still loads and sends a cookieless ping, so the store keeps an aggregate, modeled view of that session without a session cookie. The Google Ads tag sets no advertising cookie, and since ad_user_data and ad_personalization stay denied, the visitor's activity never enters a remarketing audience.
A second visitor from Texas lands on the same page and clicks "Accept all." The banner calls the update command, flipping all four signals to granted. GA4 now sets its standard first-party cookies and measures the session directly. The Google Ads tag writes an advertising cookie, sends the visitor's hashed email for enhanced conversions through ad_user_data, and the visitor becomes eligible for remarketing through ad_personalization.
| Visitor | Signals | GA4 behavior | Google Ads behavior |
|---|---|---|---|
| Rejected | All four denied | Cookieless ping, no cookie | No ad cookie, no remarketing eligibility |
| Accepted | All four granted | Standard cookie-based session | Ad cookie set, enhanced conversions sent, remarketing eligible |
How Basic and Advanced Consent Mode Change What the Signals Do
In basic Consent Mode, a denied signal blocks the Google tag from loading at all until the visitor grants consent. In advanced Consent Mode, the tag loads and fires regardless of the signal state. The signals then govern what the tag stores and sends, rather than whether it runs.
That difference is why the same denied ad_storage value produces silence in basic mode but a cookieless ping in advanced mode. Choosing between the two modes affects measurement completeness and conversion modeling well beyond signal behavior alone. The basic versus advanced Consent Mode comparison covers that full decision.
The Other Storage Types (functionality, personalization, security)
Three more storage types exist in the Consent Mode API but sit outside the v2 advertising and analytics requirement: functionality_storage, personalization_storage, and security_storage. Most CMPs leave all three granted by default because they support the site's own operation rather than third-party advertising.
functionality_storage: storage that supports the functionality of the website or app, such as language settingspersonalization_storage: storage related to personalization, such as video recommendationssecurity_storage: storage related to security, such as authentication, fraud prevention, and other user protection
None of the three appears in Google's Consent Mode v2 advertising requirement. A CMP that only maps the four advertising and analytics signals has still met the v2 requirement in full.
FAQs
Is ad_storage the same as analytics_storage?
No. ad_storage gates advertising cookies and analytics_storage gates analytics cookies. A CMP sets them independently, so a visitor can grant one and deny the other.
What does ad_storage denied actually block?
It blocks new advertising cookies from being written and stops existing first-party advertising cookies from being read. Prior google.com and doubleclick.net cookies stay on disk but are used only for spam and fraud prevention.
Do I have to set all four signals?
Consent Mode v2 requires all four signals for any site running Google advertising measurement. An analytics-only site without Google Ads still needs analytics_storage, but can omit the two advertising-only signals if it truly runs no ad tags.
What are the default values if I never set a signal?
Nothing is granted by default. Google's own guide states plainly that no consent mode values are set until a default command runs. An unset signal behaves as the most restrictive state a tag recognizes.
Why is ad_storage still denied after the visitor accepted?
The update command either never fired or ran after the tag already loaded on the default state. The step-by-step Consent Mode v2 setup guide covers the exact command order that avoids this failure.
Which signal does a Google Ads tag need versus a GA4 tag?
A Google Ads tag needs ad_storage for ad cookies, plus ad_user_data and ad_personalization for conversion measurement and remarketing. A GA4 tag needs analytics_storage for session cookies.
What is the GCD parameter in Google Consent Mode?
The GCD parameter is a status code Google tags append to a ping to report the consent state of all four signals at once. Common values are G100 (no consent granted), G110 (Google Ads only), G101 (Google Analytics only), and G111 (both advertising and analytics granted).
When did ad_user_data and ad_personalization become required?
Google added both parameters as part of Consent Mode v2 in 2023. Enforcement for EEA and UK traffic used in Google advertising audiences and remarketing began in March 2024.
Do these signals replace a cookie banner?
No. A CMP or banner still has to collect the visitor's actual choice. The signals are only the mechanism a Google tag reads to act on that choice. See what Google Consent Mode is for how the signals fit into the wider framework.
A certified CMP maps all four signals for you and fires the update command the moment a visitor responds. No team has to hand-write gtag('consent', ...) calls or debug command ordering. Consently's Google Consent Mode v2 support sets these defaults automatically on every plan. A 14-day free trial lets you see the mapped signals live on your own site.

