In 2026, complying with consent rules is no longer just about ticking a GDPR box. For website publishers and marketers alike, it has become a strategic priority that impacts legal compliance, marketing performance, and the quality of the user experience.
With new obligations under the Digital Markets Act, the widespread rollout of Google Consent Mode v2, and the rise of certified CMPs, the consent-management landscape has changed dramatically. What still worked in 2023 is no longer enough. Preference granularity, consent processing times, and data shared with marketing tools—everything is under close scrutiny, including by browsers and regulators.
This article summarises the key changes to know and the best practices to adopt in 2026, to:
- Understand how Google’s Consent Mode v2 works and its concrete benefits;
- Choose a certified CMP compatible with TCF 2.3 (and soon GPC);
- Efficiently manage user preferences, consent duration, and the tools to connect in your stack (GTM, CRM, Analytics…);
- Anticipate risk areas (such as the GTM case in Germany) and optimise compliance without sacrificing performance.
Whether you’re in acquisition, a CRM project lead, a media publisher or an e-commerce merchant, this guide will help you get your stack in order so you can keep measuring, activating, and personalising within a 100% compliant framework.
The European regulatory framework is evolving fast, pushing publishers and marketers to review their consent-collection tools. The Digital Markets Act (DMA), which came into force in March 2024, requires “gatekeepers” (Google, Facebook, etc.) to be more transparent about user data collection. In response, Google announced in late 2023 that all advertisers must comply with its EU user consent policy to continue using ad personalisation.
Practically speaking, since 16 January 2024, any site serving personalised ads in the EEA or the UK must use a Google-certified CMP integrated with the IAB’s TCF. In Switzerland, this requirement has applied since 31 July 2024. In practice, only sites where a certified CMP (OneTrust, Usercentrics, Cookiebot, Quantcast, Didomi, Axeptio…—Google keeps the official list updated) manages consent can serve personalised ads; the others can only offer “limited” or non-personalised ads.
Google Consent Mode v2: how it works and what’s required
To align with these requirements, Google launched Consent Mode version 2 in late November 2023. This version requires sites using Google Analytics or Google Ads to inform Google of the user’s consent status when pages load. Google requires all sites that serve ads to users in the EU/EEA to implement Consent Mode v2. Without it, GA4 and Google Ads will collect almost no conversion data for European users, which severely impacts marketing campaigns.
Technically, Consent Mode v2 adds two new signals to Google’s API (gtag('consent', ...)) alongside ad_storage and analytics_storage (already in v1). The new parameters are: ad_personalization (consent for personalised advertising) and ad_user_data (consent for advertising user data). A site must send all four consent states on load (via gtag or configured Google Tag Manager). There are two implementation modes: the basic mode, where Google tags are blocked until the user interacts with the cookie banner and their choice (opt-in/opt-out) is applied; and the advanced mode, where tags load before the banner is seen and send “cookieless pings” if consent is refused. This advanced mode captures aggregated signals to model lost conversions when consent is absent (see below).
Concretely: two campaigns A and B with 100 clicks each and 10 recorded conversions (10%) without consent signals (“Unknown consent”). With Consent Mode v2, Google can model the missing data and estimate non-consented conversions—potentially up to 65% of otherwise lost conversions dogdigital.com.
Indeed, Google highlights the value of conversion modelling built into Consent Mode v2. Without Consent Mode, conversions occurring without consent remain invisible in reporting (as above, both campaigns look identical at 10%). With Consent Mode v2, Google models those missing conversions based on behaviour observed among consenting users. According to Google, this modelling can recover around 65% of conversions lost due to missing direct consent. In other words, correctly implementing Consent Mode v2 (with a CMP that notifies Google quickly) helps limit performance loss while respecting privacy.
Certified CMPs and the evolution of the TCF
Beyond Consent Mode, the IAB TCF remains the market standard for synchronising consent between CMPs and the ad ecosystem. Google requires that CMPs used are not only integrated with the TCF but also “Google-certified” (this programme only verifies technical compatibility with the TCF and Google’s Additional Consent spec). Only transmitting the TC string via a certified CMP guarantees eligibility for personalised ads. In addition, TCF v2.3—adopted by the IAB Tech Lab—will replace v2.2. Publishers and CMP vendors have until 28 February 2026 to migrate to TCF v2.3. After that date, any new TC string must comply with v2.3 (older v2.2 strings generated before 28/02/26 will continue to be accepted). Google has already announced it accepts v2.3 since October 2025 and encourages publishers to start migrating ahead of the deadline. The new version will, among other things, clarify vendor declarations and introduce a “Disclosed Vendors” segment to strengthen transparency and user control.
Examples of CMP tools (non-exhaustive): Didomi, OneTrust, Usercentrics, Cookiebot, Quantcast, Sourcepoint, Priduct, and the French provider Axeptio, among others. These solutions offer multilingual cookie banners and, in most cases, a preference centre where users can adjust choices at any time (cookie categories, email campaigns, etc.). Any CMP used for personalised ads must be listed as “certified” by Google (for France, you’ll find Didomi, Axeptio, Cookiebot, Commanders Act, etc.).
User preferences and best practices
Regulation also requires responsible consent management beyond a simple “Accept” click. For example, the GDPR states that consent is valid only as long as it is “freely given, specific, informed and unambiguous.” The CNIL also recommends a short validity period for meaningful consents: “in general, storing choices for 6 months constitutes good practice.” After this period, it’s advisable to ask for consent again—especially if data uses change or new third-party cookies are added. Users must also be able to withdraw consent easily. That’s why modern CMPs usually include a dashboard (“preferences”) allowing users to modify their choices at any time, not just on their first visit.
From a technical perspective, make sure these preferences are properly synchronised across the entire marketing stack: Google Analytics, CRM tools, and ad platforms. For example, if a user refuses advertising cookies, your site’s code must update the relevant tags (ad_storage='denied', etc.) across all tools. To make this robust, it’s often recommended to load the CMP first, wait for its signal, then initialise (or block) tags via Google Tag Manager or by conditionally loading scripts. Note also that Europe is working on initiatives like Global Privacy Control (GPC), a browser-level opt-out signal; while not mandatory in France for now, some CMPs (Didomi, OneTrust…) support it in anticipation.
Special case: Google Tag Manager and German compliance
A final key point to “get your stack in order”: a recent German court decision (March 2025) held that Google Tag Manager requires prior explicit consent. The Administrative Court of Hanover ruled that merely loading GTM (gtm.js) sends technical data (IP address, etc.) to Google before any user consent, which violates German law (TTDSG) and the GDPR. In other words, deploying GTM without prior opt-in is risky in Germany (and potentially across the EU). The solution is to “gate” GTM: only load GTM after the user has given marketing consent via the CMP. Concretely, load the CMP first, and upon the user’s click inject the GTM container dynamically. This ensures gtm.js does not run (and send data) if the user refuses. Note that this approach will block all GTM-managed tags when consent is refused—hence the need to test thoroughly. Some advanced solutions (such as Didomi’s “Addingwell” container) offer server-side architectures to avoid client-side data leakage, but the core takeaway is that GTM + Consent Mode is not enough: you must prevent any ping to Google before explicit consent.
In short, by early 2026 a publisher should have:
- Implemented a Google-certified CMP compliant with TCF 2.3 (and GPC where relevant);
- Configured Google Consent Mode v2 (basic or advanced as needed) via that CMP;
- Checked the technical integration in GTM and other tags to ensure no third-party service is activated without consent;
- Ensured user preferences (duration, access/modification) follow recommendations (e.g., CNIL).
This will ensure compliance with GDPR/ePrivacy and help you get the most from Google tools (Analytics, Ads, etc.) while limiting the loss of marketing data.
