--- title: "Set per-category consent defaults" date: 2026-05-04 author: "GTM Kit" --- # Set per-category consent defaults This guide explains the seven Consent Mode v2 categories, the four control parameters, and how to choose values for each. Before reading this, turn on the master toggle as described in [Turn on Google Consent Mode v2 defaults](https://gtmkit.com/documentation/turn-on-google-consent-mode-v2-defaults/). ## The seven categories Each category controls what Google’s tags can do until consent is updated. CategoryGranted state allows`ad_storage`Cookies for advertising (Google Ads remarketing IDs, conversion tracking with cookies).`ad_user_data`Sending user-identifying data to Google’s ad platforms (hashed emails, phone numbers for Enhanced Conversions).`ad_personalization`Using behavioral data for personalized ads. Required for remarketing audiences.`analytics_storage`Cookies and identifiers for Google Analytics (the `_ga` cookie, the GA4 client ID).`functionality_storage`Non-essential functional cookies (e.g. language preference, video player position).`security_storage`Security-related cookies (fraud prevention, abuse detection). Most regulators consider these essential and they are often granted by default.`personalization_storage`Cookies for content personalization not covered by analytics or ad personalization (e.g. recommended articles).Default in GTM Kit for new installs: every category is **denied**. This is the GDPR baseline: assume you do not have consent, then upgrade once consent is given. ## The four control parameters ParameterWhat it doesRecommended value`wait_for_update`How long Google’s tags wait (in ms) for a `gtag('consent','update',...)` call before assuming the defaults are final.`500` for fast CMPs, up to `2000` for CMPs that load the consent banner asynchronously. Default in GTM Kit 2.9+ is `500`.`url_passthrough`When `analytics_storage` is denied, Google adds query params to outbound links so analytics IDs survive cross-domain navigation. Off by default.Turn on if you have a multi-domain analytics setup. Off otherwise.`ads_data_redaction`When `ad_storage` is denied, Google sends ad clicks without identifiers (cookieless conversion modeling instead of full tracking). Off by default.Turn on for stricter EU markets (Germany, France, Italy) to comply with national DPA guidance.`region`Restricts the default state to specific countries or subdivisions. Empty means “apply everywhere”.Empty unless you have international visitors. See [Scope Consent Mode to regions](https://gtmkit.com/documentation/scope-consent-mode-to-specific-countries-or-regions/).## Steps ### 1. Open General settings Go to **GTM Kit, General**, scroll to **Google Consent Mode**. ### 2. Confirm the master toggle is on If **Default Consent State** is off, the per-category options have no effect. See [Turn on Google Consent Mode v2 defaults](https://gtmkit.com/documentation/turn-on-google-consent-mode-v2-defaults/). ### 3. Pick a default state for each category For most EU sites, leave all seven categories **denied**. Your CMP’s consent banner is what flips them to granted after the visitor clicks Accept. For sites that intentionally launch with everything granted (rare and only legal in non-EU markets where opt-out applies), you can flip categories to granted. A common middle-ground configuration: - `security_storage` → granted. These cookies are essential under most legal frameworks. - All others → denied. Wait for the CMP to update. ### 4. Set wait\_for\_update Pick how long Google should wait before assuming the defaults are final: - **500 ms** if your CMP loads synchronously and shows the banner immediately. - **1000-2000 ms** if your CMP banner is rendered after a delay or after a third-party script loads. Setting this too low can cause Google’s tags to fire with denied defaults even though the user clicked Accept. Setting it too high delays measurement on every page. ### 5. Decide on ads\_data\_redaction and url\_passthrough Most sites should leave both off. Turn `ads_data_redaction` on if: - You serve German, French, or Italian visitors and want stricter privacy posture per the local DPA. - You explicitly want cookieless ad tracking instead of full attribution when consent is denied. Turn `url_passthrough` on if you run cross-domain campaigns and want analytics IDs to survive the domain hop. ### 6. Save The change takes effect on the next page load. ## Verify it worked View source on your public site. The Consent Mode default block should reflect your settings: ``` ``` In GTM Preview mode, the **Consent** column on each tag’s row shows whether the consent check passed. Tags requiring `analytics_storage` will show “Not fired” with the consent reason until update. ## Filter hooks For developers who want to override consent state programmatically: - `gtmkit_consent_default_state` — filter the entire array of category defaults. - `gtmkit_consent_default_settings_enabled` — turn the whole consent default block on or off based on conditions (e.g. only on production). Example: only emit Consent Mode defaults for EU traffic: ``` add_filter( 'gtmkit_consent_default_settings_enabled', function ( $enabled ) { return $enabled && is_visitor_in_eu(); } ); ``` ## Related articles - [Turn on Google Consent Mode v2 defaults](https://gtmkit.com/documentation/turn-on-google-consent-mode-v2-defaults/) - [Scope Consent Mode to specific countries or regions](https://gtmkit.com/documentation/scope-consent-mode-to-specific-countries-or-regions/) - [Push consent updates from custom code](https://gtmkit.com/documentation/push-consent-updates-from-custom-code/)