This guide explains the seven Consent Mode v2 categories, the four control parameters, and how to choose values for each. Before reading this, turn on the master toggle as described in Turn on Google Consent Mode v2 defaults.
The seven categories
Each category controls what Google’s tags can do until consent is updated.
| Category | Granted state allows |
|---|---|
ad_storage | Cookies for advertising (Google Ads remarketing IDs, conversion tracking with cookies). |
ad_user_data | Sending user-identifying data to Google’s ad platforms (hashed emails, phone numbers for Enhanced Conversions). |
ad_personalization | Using behavioral data for personalized ads. Required for remarketing audiences. |
analytics_storage | Cookies and identifiers for Google Analytics (the _ga cookie, the GA4 client ID). |
functionality_storage | Non-essential functional cookies (e.g. language preference, video player position). |
security_storage | Security-related cookies (fraud prevention, abuse detection). Most regulators consider these essential and they are often granted by default. |
personalization_storage | Cookies for content personalization not covered by analytics or ad personalization (e.g. recommended articles). |
Default in GTM Kit for new installs: every category is denied. This is the GDPR baseline: assume you do not have consent, then upgrade once consent is given.
The four control parameters
| Parameter | What it does | Recommended value |
|---|---|---|
wait_for_update | How long Google’s tags wait (in ms) for a gtag('consent','update',...) call before assuming the defaults are final. | 500 for fast CMPs, up to 2000 for CMPs that load the consent banner asynchronously. Default in GTM Kit 2.9+ is 500. |
url_passthrough | When analytics_storage is denied, Google adds query params to outbound links so analytics IDs survive cross-domain navigation. Off by default. | Turn on if you have a multi-domain analytics setup. Off otherwise. |
ads_data_redaction | When ad_storage is denied, Google sends ad clicks without identifiers (cookieless conversion modeling instead of full tracking). Off by default. | Turn on for stricter EU markets (Germany, France, Italy) to comply with national DPA guidance. |
region | Restricts the default state to specific countries or subdivisions. Empty means “apply everywhere”. | Empty unless you have international visitors. See Scope Consent Mode to regions. |
Steps
1. Open General settings
Go to GTM Kit, General, scroll to Google Consent Mode.
2. Confirm the master toggle is on
If Default Consent State is off, the per-category options have no effect. See Turn on Google Consent Mode v2 defaults.
3. Pick a default state for each category
For most EU sites, leave all seven categories denied. Your CMP’s consent banner is what flips them to granted after the visitor clicks Accept.
For sites that intentionally launch with everything granted (rare and only legal in non-EU markets where opt-out applies), you can flip categories to granted.
A common middle-ground configuration:
security_storage→ granted. These cookies are essential under most legal frameworks.- All others → denied. Wait for the CMP to update.
4. Set wait_for_update
Pick how long Google should wait before assuming the defaults are final:
- 500 ms if your CMP loads synchronously and shows the banner immediately.
- 1000-2000 ms if your CMP banner is rendered after a delay or after a third-party script loads.
Setting this too low can cause Google’s tags to fire with denied defaults even though the user clicked Accept. Setting it too high delays measurement on every page.
5. Decide on ads_data_redaction and url_passthrough
Most sites should leave both off. Turn ads_data_redaction on if:
- You serve German, French, or Italian visitors and want stricter privacy posture per the local DPA.
- You explicitly want cookieless ad tracking instead of full attribution when consent is denied.
Turn url_passthrough on if you run cross-domain campaigns and want analytics IDs to survive the domain hop.
6. Save
The change takes effect on the next page load.
Verify it worked
View source on your public site. The Consent Mode default block should reflect your settings:
<script>
gtag('consent', 'default', {
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'analytics_storage': 'denied',
'functionality_storage': 'denied',
'security_storage': 'granted',
'personalization_storage': 'denied',
'wait_for_update': 1000,
'ads_data_redaction': true
});
</script>In GTM Preview mode, the Consent column on each tag’s row shows whether the consent check passed. Tags requiring analytics_storage will show “Not fired” with the consent reason until update.
Filter hooks
For developers who want to override consent state programmatically:
gtmkit_consent_default_state— filter the entire array of category defaults.gtmkit_consent_default_settings_enabled— turn the whole consent default block on or off based on conditions (e.g. only on production).
Example: only emit Consent Mode defaults for EU traffic:
add_filter( 'gtmkit_consent_default_settings_enabled', function ( $enabled ) {
return $enabled && is_visitor_in_eu();
} );