What is Google Consent Mode (CoMo)?
Google Consent Mode (CoMo) is a new way for Google to collect consent for its services.
The Digital Markets Act, an EU regulation that aims to make the digital economy fairer, has come into play. In response, Google has created a new set of tools to ensure customers' choices are honoured.
Google Consent Mode applies only to four of Google's services:
- Google Analytics (includes Google Analytics for Firebase SDK)
- Google Ads (includes Google Ads Conversion Tracking and Remarketing)
- Floodlight
- Conversion Linker
Note that Google Ads support for Phone Call conversions is pending. You can find more in-depth information about the consent mode here.
Google Consent Mode has added two new settings:
- Is personal data sent to Google Services?
- Can Google Services use personal data sent to them for personalising ads (e.g. remarketing)?
Do I need to enable Google Consent Mode?
If you have traffic from the European Economic Area (EEA) and use the Google Services above, you do need to enable Google Consent Mode. Those who don’t adopt it by March 2024 may see the quality of their services' data (including conversion modelling) drop.
How can I comply with Google Consent Mode?
Google consent mode can be implemented manually or through a Consent Management Platform (CMP) such as Privasee’s Consent Management Platform (CMP).
Privasee’s Consent Management Platform is very easy to use and Google Consent Mode can be turned on by toggling a checkbox. However, if you want to manually implement Google Consent Mode, you can follow this guide.
What are the Basic and Advanced modes?
Google has created two ways to implement Google Consent Mode. In short:
- The Basic mode won’t send any information to the Services if a user hasn’t given consent.
- The Advanced mode won’t send any information to the Services if a user hasn’t given consent, except for cookieless pings.
The main question to ask ourselves is whether these options are compliant with cookie laws (such as the ePrivacy Directive and PECR) and data protection laws such as the GDPR.
Is Basic Consent Mode compliant?
Yes, as information is not sent to Google without the consent of the user.
Is Advanced Consent Mode compliant?
Google is sending cookieless pings. This is deliberate, as the cookie laws state that, except for strictly necessary cookies, consent is always required for cookies. Google Services don’t fall under the definition of strictly necessary cookies.
Following this rule, if pings weren’t cookieless we would need consent and therefore Advanced Mode would make no sense. However, the question that remains is whether the information sent in those cookieless pings is personal data.
Note that Google says that cookieless pings are sent to the Services and when we go to the definition of pings we see:
In all cases, pings may include:
- Functional information (such as headers added passively by the browser):
  - Timestamp
  - User agent (web only)
  - Referrer
- Aggregate/non-identifying information:
  - An indication of whether or not the current page or a prior page in the user's navigation on the site included ad-click information in the URL (e.g. GCLID / DCLID)
  - Boolean information about the consent state
  - Random number generated on each page load
  - Information about the consent platform used by the site owner (e.g. Developer ID)
There’s currently a debate as to whether the attributes above are personal data or not (especially GCLID, DCLID). While Google may be making advances to ensure anonymised cookieless analytics are possible (as some other vendors do), it’s still unclear if such attributes identify an individual.
Our stance is that Advanced Consent Mode is not compliant because:
- Information about a user is being sent without their consent for non-strictly necessary purposes.
- Google acts as a black box regarding what it does with the information sent to them.
- It’s not clear that the attributes above aren’t personal data.
However, we will continue to monitor the changes in regulation, guidance by the regulators, court decisions and fines to inform our decision.
Is URL Passthrough compliant?
URL Passthrough will send the Google Click Identifier (GCLID), which is a unique identifier for a Google Ads Campaign. The question here is similar to the one in the section above on whether Advanced Mode is compliant.
Our stance is that URL Passthrough is not compliant as it’s collecting information when the user has not yet given consent and you intend to offer the choice.
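As an added illustration (not code from Privasee or from Google's documentation), the sketch below shows Basic-mode gating with the gtag consent API, plus an audit of a recorded dataLayer for the two problems discussed above: a tag command firing before a denied default, and URL passthrough being switched on. The banner category names (`analytics`, `marketing`) and the `loadGoogleTag` callback are assumptions, and `dataLayer` is a plain array standing in for `window.dataLayer`.

```javascript
// Added example, not from the page. `dataLayer` is a plain array standing in
// for window.dataLayer; banner categories and loadGoogleTag are assumptions.
const dataLayer = [];
function gtag(...args) { dataLayer.push(args); }

const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Every signal starts as denied, before any Google tag is configured.
function setDefaultDenied() {
  gtag('consent', 'default', Object.fromEntries(SIGNALS.map(s => [s, 'denied'])));
}

// Map the visitor's banner choices onto the four consent signals.
function toConsentState(choice) {
  const g = ok => (ok ? 'granted' : 'denied');
  return {
    analytics_storage: g(choice.analytics),
    ad_storage: g(choice.marketing),
    ad_user_data: g(choice.marketing),          // personal data sent to Google?
    ad_personalization: g(choice.marketing),    // may it be used to personalise ads?
  };
}

// Basic mode: the Google tag is loaded only after the visitor grants something.
function applyChoice(choice, loadGoogleTag) {
  const state = toConsentState(choice);
  gtag('consent', 'update', state);
  const anyGranted = Object.values(state).includes('granted');
  if (anyGranted) loadGoogleTag();
  return anyGranted;
}

// Audit a recorded dataLayer and return the problems found.
function auditDataLayer(entries) {
  const problems = [];
  const firstTag = entries.findIndex(e => e[0] === 'config' || e[0] === 'event');
  const def = entries.findIndex(e => e[0] === 'consent' && e[1] === 'default');
  if (def === -1) {
    problems.push('no consent default set');
  } else {
    const open = SIGNALS.filter(s => entries[def][2][s] !== 'denied');
    if (open.length) problems.push('default not denied: ' + open.join(','));
    if (firstTag !== -1 && firstTag < def) problems.push('tag command before consent default');
  }
  if (entries.some(e => e[0] === 'set' && e[1] === 'url_passthrough' && e[2] === true))
    problems.push('url_passthrough enabled');
  return problems;
}
```

Running `auditDataLayer` over a dataLayer captured from a real page load gives a quick check that the deployed configuration matches the stance taken here.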
How can I comply with Google Consent Mode?
At Privasee we've partnered with the industry-leading cookie banner provider Usercentrics to offer our customers a complete Cookie Banner solution that can help you enable Google Consent Mode to ensure you're following Google's guidance. Feel free to start with a Free GDPR Audit here to learn more.