Bajorat Media

Cookie Banner, Consent Mode v2 and GA4: Setting Up Compliant, Measurable Tracking

How businesses connect cookie banners, Consent Mode v2, Google Tag Manager and GA4 so privacy, measurement and operations work together.

Many websites have a cookie banner, but not a reliable consent setup. The banner looks acceptable, Google Analytics 4 is somehow running, the Google Tag Manager container contains old triggers and nobody can say with confidence which tags fire before or after consent. As soon as Google Ads, GA4, retargeting, server-side tagging or a privacy audit enter the picture, this becomes an operational problem.

Cookie banners, Consent Mode v2 and GA4 have to be planned as one technical system. The goal is not to collect as much data as possible despite rejection. The goal is a setup that respects consent, prepares privacy review and keeps marketing measurement as stable as possible. This article is not legal advice. It is a technical and operational guide for businesses that want to set up tracking in a controlled way.

A cookie banner is only the visible layer. What matters is what happens afterwards: Are services categorized correctly? Are non-essential services blocked before consent? Are consent signals passed to Google? Are logs or at least traceable consent states available? Are new marketing tags added to the same process later?

A Consent Management Platform should therefore do more than display text. It should manage services, categories, scripts, consent states and publications. If the website uses several domains, landing pages or campaigns, central management becomes especially important.

Illustration of a consent workflow from cookie banner through CMP to GA4 and Google Tag Manager

Typical weaknesses in existing setups include:

  • Tags already fire before consent while the banner is still visible.
  • GA4 is blocked completely, but Consent Mode v2 is not configured correctly.
  • Google Ads does not receive suitable signals for ad_user_data and ad_personalization.
  • The CMP does not know all third-party services that actually load on the page.
  • Changes are made directly in Tag Manager but not documented in the consent inventory.
  • Test, staging and live environments differ without anyone noticing.
  • Privacy policy, CMP categories and real network requests do not match.
  • The banner itself is not accessible, for example because keyboard focus, screen reader labels or contrasts are weak.

This is especially critical in online marketing, because faulty tracking leads to poor decisions. Campaigns are then evaluated based on incomplete conversions, while privacy risks may still remain.

Google Consent Mode is not a cookie banner and does not replace a CMP. Consent Mode is the interface that passes the user’s consent decision to Google tags. Google tags then adapt their behavior to the consent state. For the legal interpretation of consent under GDPR, the European Data Protection Board guidelines on consent remain an important official reference.

Consent Mode v2 works with these signals in particular:

| Signal | Meaning in the setup |
|---|---|
| analytics_storage | Controls whether analytics cookies may be set or read. |
| ad_storage | Controls whether advertising cookies may be set or read. |
| ad_user_data | Signals whether user data may be sent to Google for advertising purposes. |
| ad_personalization | Signals whether personalized advertising is allowed. |

For businesses in the EEA context, Consent Mode v2 is especially relevant when Google Ads, remarketing, GA4 conversions or audiences are used. A misconfigured setup can reduce measurement quality or become difficult to explain from a privacy perspective. A correctly configured setup creates a traceable data flow: the CMP records the decision, Consent Mode translates it into Google signals and GA4 or Ads process only what matches the consent state.

Google distinguishes broadly between Basic and Advanced Consent Mode. With Basic, Google tags are blocked before consent. With Advanced, tags may load even without consent and send cookieless signals depending on the status, if that has been assessed as appropriate from a legal and technical perspective. Which option fits depends on privacy evaluation, marketing requirements, CMP, tagging architecture and risk profile.

This distinction is crucial because many setups are technically functional but not operationally explainable. “We use Consent Mode v2” is not enough. What matters is which mode is active, which signals are set when, which tags load before consent and whether marketing, privacy and development would describe the same configuration.

| Variant | Technical logic | When it often fits | What needs special attention |
|---|---|---|---|
| Basic Consent Mode | Google tags load or fire only after suitable consent. | Conservative setups, clear blocking before consent, easy traceability | Consent default must be set early; tags must not fire beforehand. |
| Advanced Consent Mode | Google tags may load before consent and send cookieless signals depending on the state. | More performance- and modeling-oriented setups with reviewed privacy assessment | Data flows must be understood, documented and approved in detail. |
| Hybrid model | Some services are strictly blocked, others run consent-aware. | More complex websites with several tag types, campaigns and third-party providers | Without a clear inventory, the setup quickly becomes hard to audit. |

Many businesses are better served by starting with a traceable Basic setup and then reviewing whether selected areas should be extended. Advanced Consent Mode is not a quality label. It is a technical operating mode that only makes sense when it is deliberately chosen, documented and tested.

Connecting GA4, Google Tag Manager and the CMP

A reliable setup starts with clear responsibilities:

  • The CMP manages services, categories, texts and consent states.
  • Google Tag Manager orchestrates tags, triggers, variables and consent checks.
  • GA4 processes events, parameters and conversions.
  • Google Ads uses conversion and consent signals for campaign measurement.
  • The privacy policy describes the services and purposes used.

The most common source of errors is not one wrong switch. It is unclear ownership between CMP, Tag Manager and Analytics. If marketing, development and privacy work separately but nobody reviews the whole flow, gaps appear.

A useful process looks like this:

  1. Inventory all services, such as analytics, ads, maps, videos, chat, A/B testing, CRM, fonts or pixels.
  2. Review purpose, category, provider, data flow and consent requirement for each service.
  3. Derive CMP categories and texts from that inventory.
  4. Set the Consent Mode default before Google tags run, usually to denied at first.
  5. Translate the CMP decision into consent updates.
  6. Assign suitable consent requirements to GTM tags.
  7. Review GA4 events and conversions: which events are truly decision-relevant?
  8. Debug in Tag Assistant, GA4 DebugView and browser DevTools.
  9. Document the result and repeat the same process when new tags are added.

On existing WordPress or WooCommerce websites, teams also need to check whether plugins load their own scripts. The WordPress GDPR and privacy service is relevant here because many privacy issues do not start in the banner, but in theme, plugin and embed logic.

The Correct Order in Google Tag Manager

In implementation, Consent Mode v2 often fails because of timing. The consent default must be set before Google tags or dependent tags operate. Then the CMP updates the status once the user makes a decision. Tags should not only react to page view events, but also to consent requirements and events.

A robust GTM setup therefore follows this logic:

  1. Initialize consent default: at the earliest possible point, relevant consent signals are set to denied or to the agreed default.
  2. Load CMP and display the interface: the user can make a decision.
  3. Send consent update: after the selection, the CMP passes the actual states to the data layer or Google Consent API.
  4. Check tag consent requirements: GA4, Ads and other services fire only when the necessary requirements are met.
  5. Evaluate events separately: a page view, form submission or purchase must not be measured twice or in the wrong consent state.
  6. Document debugging: Tag Assistant, browser DevTools and GA4 DebugView show whether the flow really works.
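The ordering rules in this list can be checked mechanically during debugging. The following is an added example, not code from the original article: it replays a recorded list of gtag-style commands and reports a tag command that ran before the consent default, a default that lacks one of the four v2 signals, and an update sent twice. It assumes the commands were exported as plain arrays; the recordings and the `G-EXAMPLE` measurement ID are constructed placeholders.

```javascript
// Added example: replay recorded gtag()/dataLayer commands in order and report
// consent-timing problems. All recordings below are constructed sample data.
const V2_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

function auditConsentOrder(commands) {
  const findings = [];
  const hits = [];        // every config/event command with the consent state it ran under
  let state = null;       // stays null until a consent default has been seen
  let lastUpdate = null;  // serialized previous update, to spot duplicates

  commands.forEach(([name, arg1, arg2], i) => {
    if (name === 'consent' && arg1 === 'default') {
      const missing = V2_SIGNALS.filter((signal) => !(signal in arg2));
      if (missing.length) findings.push(`#${i}: default lacks ${missing.join(', ')}`);
      if (hits.length) findings.push(`#${i}: default set after ${hits.length} tag command(s)`);
      state = { ...state, ...arg2 };
    } else if (name === 'consent' && arg1 === 'update') {
      if (state === null) findings.push(`#${i}: update sent before any default`);
      const serialized = JSON.stringify(arg2);
      if (serialized === lastUpdate) findings.push(`#${i}: identical update sent twice`);
      lastUpdate = serialized;
      state = { ...state, ...arg2 };
    } else if (name === 'config' || name === 'event') {
      if (state === null) findings.push(`#${i}: ${name} '${arg1}' ran before consent default`);
      hits.push({ index: i, name, target: arg1, state: state && { ...state } });
    }
  });
  if (state === null) findings.push('no consent default found');
  return { findings, hits };
}

const DENIED = Object.fromEntries(V2_SIGNALS.map((signal) => [signal, 'denied']));

// Constructed recording: default first, tag afterwards, update after the user's choice.
const goodRun = [
  ['consent', 'default', DENIED],
  ['config', 'G-EXAMPLE'], // placeholder measurement ID
  ['consent', 'update', { analytics_storage: 'granted' }],
  ['event', 'generate_lead'],
];

// Constructed recording: tag before default, incomplete default, duplicated update.
const badRun = [
  ['config', 'G-EXAMPLE'],
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied' }],
  ['consent', 'update', { analytics_storage: 'granted' }],
  ['consent', 'update', { analytics_storage: 'granted' }],
];

console.log(auditConsentOrder(goodRun).findings);
console.log(auditConsentOrder(badRun).findings);
```

The `hits` array records the consent state each tag command ran under, which is the evidence a QA note needs for step 5.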

Illustration of a Consent Mode test plan with GTM order, CMP update and GA4 debugging

Hard-coded embeds outside Tag Manager are especially critical. If a theme, plugin or template writes a tracking script directly into the source code, the best Tag Manager plan can be bypassed. That is why a technical review must always include network requests, source code, plugin output and embedded third-party providers.

Illustration of a technical privacy scan showing cookies and third-party requests before launch

Bajorat Media | Cockpit connects analysis, consent management and project workflow. For cookie banners and tracking, two areas are especially important.

The Consent Manager helps configure cookie banners, services, consent logs and publishing workflows per domain centrally. This is particularly useful when several websites, landing pages or campaign domains are maintained. Changes to services, texts or categories do not remain isolated manual adjustments in different systems.

The GDPR Scanner checks cookies, third-party requests and suspicious data flows. It does not replace legal assessment, but it provides technical indicators for privacy review, CMP service inventory and launch QA. Before relaunches, campaign launches or analytics changes, this is valuable because teams can see what actually loads.

Together, they create a practical workflow:

  • scan the page or landing page
  • review third-party requests and cookies
  • add missing services to the CMP
  • adjust consent categories and tagging rules
  • test Google Tag Manager and GA4 with debugging tools
  • document findings and turn them into project tasks where needed

Bajorat Media | Cockpit is therefore not only a set of tools, but a working environment for recurring quality assurance. When teams reach their limits, findings can be turned directly into a project inquiry with Bajorat Media.

For ongoing operations, the combination of Consent Manager and GDPR Scanner is valuable because it connects two questions: What is supposed to happen according to the setup, and what technically happens on the website? The Consent Manager describes services, categories, texts and publications. The scanner shows whether cookies, requests and third-party providers match. This counter-check matters because websites change constantly: new campaign landing pages, embedded tools, form providers, video players or plugin updates can change tracking behavior.

A useful monthly control process can look like this:

  1. Check important page types and landing pages with the GDPR Scanner.
  2. Evaluate new or unexpected third-party requests.
  3. Compare the CMP service inventory with the scan.
  4. Update consent texts and privacy notices where required.
  5. Review the GTM container for new tags added without approval.
  6. Compare GA4 and Google Ads conversions against real leads or sales for plausibility.
  7. Document changes so the reason for each active service remains understandable later.

This turns privacy review from a one-time launch task into part of website operations.
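Steps 2 and 3 of the monthly process lend themselves to a scripted comparison. The following is an added example, not part of the original article and not the Cockpit scanner's own format: it compares requests seen during a scan with a CMP service inventory and reports hosts missing from the inventory and services requested without their category's consent. The inventory, the hostnames, the scan records and the rule that the `essential` category needs no consent are all assumptions made for illustration.

```javascript
// Added example: compare requests seen in a scan with the CMP service inventory.
// Inventory, hostnames and scan records are constructed; real scanner exports differ.
const inventory = [
  { service: 'Web fonts CDN', category: 'essential', hosts: ['fonts.cdn.example'] },
  { service: 'Analytics', category: 'analytics', hosts: ['analytics.example'] },
  { service: 'Ads conversion', category: 'marketing', hosts: ['ads.example'] },
];

// Each record: requested URL plus the consent categories granted when it was sent.
const scan = [
  { url: 'https://www.shop.example/', granted: [] },
  { url: 'https://fonts.cdn.example/a.woff2', granted: [] },
  { url: 'https://collect.analytics.example/hit?v=2', granted: [] },
  { url: 'https://collect.analytics.example/hit?v=2', granted: ['analytics'] },
  { url: 'https://px.retarget.example/p.gif', granted: ['analytics'] },
  { url: 'https://ads.example/conv', granted: ['analytics', 'marketing'] },
];

// True when host equals the pattern or is a subdomain of it.
const hostMatches = (host, pattern) => host === pattern || host.endsWith('.' + pattern);

function compareScanToInventory(services, firstPartyDomain, requests) {
  const findings = new Map(); // keyed by host + issue so repeated requests report once
  for (const { url, granted } of requests) {
    const host = new URL(url).hostname;
    if (hostMatches(host, firstPartyDomain)) continue; // first-party traffic is out of scope
    const service = services.find((s) => s.hosts.some((h) => hostMatches(host, h)));
    let issue = null;
    if (!service) {
      issue = 'host not in CMP inventory';
    } else if (service.category !== 'essential' && !granted.includes(service.category)) {
      // Assumption of this sketch: only the 'essential' category may load without consent.
      issue = `${service.service} requested without '${service.category}' consent`;
    }
    if (issue) findings.set(`${host}|${issue}`, { host, issue });
  }
  return [...findings.values()];
}

console.log(compareScanToInventory(inventory, 'shop.example', scan));
```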

GA4 Measurement Plan: Fewer Events, More Meaning

Many GA4 setups are overloaded. Every scroll depth, button and interaction is collected as an event, but nobody knows which metrics actually support decisions. Consent Mode v2 does not solve this problem. It makes the issue more visible, because data gaps and modeling only make sense when the measurement plan is clear.

For a business website, a small number of clearly defined events is often enough:

| Event group | Examples | Purpose |
|---|---|---|
| Lead | Form submitted, callback requested, appointment booked | Campaign and channel evaluation |
| Engagement | Download, video interaction, important clicks | Content and offer evaluation |
| Commerce | Add to cart, checkout, purchase, inquiry | Revenue and funnel analysis |
| Quality | Errors, form abandonment, 404, consent rejection | Technical and operational optimization |

If you want to measure more deeply, first separate conversion tracking, Google Tag Manager and server-side tagging conceptually. Server-side tagging can improve control and data quality, but it is not permission for tracking without consent.

Illustration of a GA4 tagging plan with consent signals, events and campaign measurement

A good GA4 measurement plan does not only describe which events are sent. It also defines which events count as conversions, which parameters are required and which reports are reviewed regularly. Without these decisions, companies collect data but do not gain a basis for decision-making.

For many business websites, these questions matter more than the number of events:

  • Which three to five actions represent real business value?
  • Which events are only engagement signals and should not count as conversions?
  • Which parameters does the team need to distinguish campaigns, services or forms?
  • Which forms or funnels run across several domains or subdomains?
  • How are internal visits, test conversions and spam inquiries excluded?
  • Which reports are reviewed monthly, and which data remains unused?

For lead websites, a lean setup with generate_lead, form_submit, contact_click, file_download and a few qualifying parameters may be sufficient. Shops need cart, checkout and purchase events. For complex B2B offers, downloads, appointment bookings and qualified project inquiries are often more important than superficial clicks.

UTM parameters also belong in the measurement plan. If campaigns are tagged inconsistently, GA4 cannot provide reliable attribution even when the consent setup is technically correct. Businesses should therefore define naming conventions for source, medium, campaign, content and term. This sounds small, but it determines whether future reporting is readable.

Test Plan Before Going Live

A consent and tracking setup should not be tested for the first time during an active campaign. Before launch, teams need several clear scenarios. Each scenario checks a different combination of user decision, tags, cookies and events.

| Test scenario | What is checked | Typical error |
|---|---|---|
| First visit without selection | Consent default, blocked tags, no non-essential cookies | Tags fire before a decision. |
| Rejection of all non-essential services | Consent update, no analytics or ads cookies, no disallowed events | GA4 still sends full events. |
| Consent to analytics | GA4 tag, analytics cookies, DebugView, events | Consent signal arrives too late or twice. |
| Consent to marketing | Ads signals, conversion linker, remarketing state | ad_user_data or ad_personalization is missing. |
| Withdrawal or change | CMP state, cookie deletion, tag behavior after change | Old cookies remain or tags keep running. |
| Form conversion | Event, parameters, conversion marking, consent state | Event fires twice or without consent. |

The review should be repeated in a fresh browser profile or incognito window. Browser DevTools, Google Tag Assistant, GA4 DebugView and cookie inspection are helpful. For important campaigns, the tests should be recorded as short QA documentation: date, tested URL, consent state, expected behavior, actual behavior and result.

Checklist for a Controllable Tracking Setup

Before launch, relaunch or campaign start, the setup should be reviewed systematically. This checklist is deliberately technical and organizational:

  1. Is there a complete service inventory for all cookies, scripts and third-party requests?
  2. Do CMP categories, privacy notices and actual services match?
  3. Are non-essential tracking services inactive before consent when Basic Mode is intended?
  4. Are Consent Mode v2 signals mapped completely?
  5. Is the consent default set before Google tags?
  6. Does the CMP send a correct consent update after selection?
  7. Do GTM tags have suitable consent requirements?
  8. Are GA4 conversions meaningful and not counted twice?
  9. Do UTM parameters, referral exclusions and cross-domain measurement work?
  10. Have rejection, partial consent and full consent been tested?
  11. Are consent logs or operational evidence available in the system?
  12. Is there a process for new marketing tags?
  13. Have staging and live websites been tested comparably?
  14. Is it documented who approves changes?

This review should not happen only once. New plugins, embedded videos, chat tools, campaign pixels or form solutions can change the setup at any time.

After major changes, it should also be checked whether privacy policy, CMP configuration and real technology still match. This applies particularly after relaunches, theme changes, new consent texts, GA4 container changes, Google Ads updates or the introduction of new CRM and form systems.

A modern cookie banner is not cosmetic. It is part of a consent architecture that connects website, marketing, privacy and analytics. Consent Mode v2 ensures that Google tags understand the consent state. GA4 turns this into measurable events. The CMP keeps services, categories and decisions together.

For businesses, the most important step is to stop treating tracking as a one-time technical setup. It needs an inventory, responsibilities, tests and ongoing control. With Consent Manager and GDPR Scanner in Bajorat Media | Cockpit and a clear GA4 measurement plan, companies can build a workflow that does not play privacy and marketing measurement off against each other, but makes both manageable.
