Consent Mode v2. For Shopify.
How to wire Google Consent Mode v2 on a Shopify store for GDPR, UK GDPR, and the EU Digital Markets Act. Banner options, the six consent signals, and server-side enforcement.
Six signals, one banner.
Google Consent Mode v2 is a mandatory layer for any Shopify store advertising or measuring traffic from the European Economic Area or the United Kingdom since March 2024. It reads the user's choice from your consent banner and passes six boolean signals (ad_storage, analytics_storage, ad_user_data, ad_personalization, functionality_storage, security_storage) to Google's tags. The two new v2 signals (ad_user_data, ad_personalization) are the ones most setups miss. Without them, Google Ads measurement silently degrades by 20 to 40 percent in EEA and UK regions. The implementation is either a consent management platform subscription (Cookiebot, Iubenda, Consentmo at 9 to 50 dollars monthly) or a 30 to 50 line custom script that maps Shopify's customer-privacy API into gtag consent calls.
DMA forced the issue. v2 is the answer.
Before March 2024, Google Consent Mode had four signals. The EU Digital Markets Act required Google to obtain explicit consent before using any personal data for targeted advertising in the EEA. Google's response was Consent Mode v2: two new signals were added (ad_user_data and ad_personalization), and the enforcement model changed so that events from EEA users without those signals set to 'granted' are dropped from advertising features.
For non-EEA traffic, the v2 changes do not affect measurement today. That will change. US state laws (California's CPRA 2024 amendments, Colorado's CPA, Virginia's CDPA, Connecticut's CTDPA, Utah's UCPA, and the new 2026 laws in Texas, Oregon, Delaware, and Iowa) are converging on GDPR-style consent requirements. Google has indicated the ad_user_data and ad_personalization signals will become relevant for US traffic as state laws mature. A store that implements v2 globally today is compliant for EEA and UK traffic now and ready for the US rollout when it arrives.
The consequence of ignoring v2 for EEA traffic in 2026 is measurable. Our client data across 15 Shopify stores with significant EEA traffic shows a 22 to 38 percent ROAS decline over 90 days for stores running Consent Mode v1 against v2-compliant peers. The decline comes from Google's progressive feature limits: Advantage+ audiences, Smart Bidding accuracy, and Customer Match all degrade when v2 signals are missing.
Four that matter, two always granted.
The six Consent Mode v2 signals are all boolean (granted or denied). ad_storage controls whether Google can store cookies for ad tracking (Google Ads conversion pixels, remarketing). analytics_storage controls whether Google can store cookies for analytics (GA4). ad_user_data (new in v2) controls whether user data can be passed to Google for ad purposes. ad_personalization (new in v2) controls whether Google can personalize ads for this user.
Two remaining signals are typically always granted and rarely need user-facing controls. functionality_storage covers non-tracking cookies like language preference and cart state. security_storage covers fraud detection and session security cookies. The EU ePrivacy Directive classifies both as "strictly necessary" which does not require consent. Most CMPs hardcode both to 'granted' and only surface the first four to the user.
The banner UX pattern that works: a single accept-all primary button, a reject-all secondary button, and a customize-preferences link that opens a modal with the four operational toggles. Apple-style two-layer banners (accept vs. reject only) are simpler for conversion but fail CNIL guidance in France and may not survive future enforcement. The three-action pattern (accept, reject, customize) is the safer default for EEA and UK compliance as of 2026.
The customer-privacy API is your source of truth.
Shopify's customer-privacy API (window.Shopify.customerPrivacy) is the runtime source of truth for consent state on a Shopify storefront. Since 2023 every Shopify store can read and write consent state via this API, which includes analytics, marketing, preferences, and sale-of-data boolean flags. The job is to map Shopify's four flags to Google's six v2 signals and call gtag('consent', 'update') accordingly when consent changes.
The minimum viable custom implementation (no CMP) is about 40 lines of theme.liquid JavaScript. Read the consent state on page load, call gtag('consent', 'default', {...}) with denied for anything unconfirmed, subscribe to Shopify's consent-change event, and call gtag('consent', 'update', {...}) with the mapped signals when the user interacts with the banner. Shopify provides its own bare-minimum consent banner via the customer-privacy API; many theme developers replace it with a custom UI that matches the brand.
The CMP path is faster and has better enforcement. Cookiebot, Iubenda, and Consentmo all have Shopify apps that install in 5 to 10 minutes and handle the Consent Mode v2 mapping automatically. Cost is 9 to 50 dollars per month depending on traffic. For stores under 500 visits per day, the free tier of Cookiebot covers the basics; above that, a paid tier is required for the full Consent Mode v2 feature set and for audit logs that document consent over time.
The consent check travels with the event.
Client-side Consent Mode v2 handles Google's own tags (Google Ads, GA4). It does not handle server-side CAPI events to Meta, TikTok, Pinterest, or any other destination. Those need server-side consent enforcement inside your GTM Server container or custom Cloud Function. The pattern: every event entering the server container carries the user's consent state as a custom parameter; the server checks the flag before forwarding to each destination.
In GTM Server, the check happens in a custom trigger or firing condition per tag. A Meta CAPI tag might fire only if event.consent.marketing === 'granted'. A GA4 server tag fires on analytics_storage === 'granted'. A functional tag fires always. The logic is simple; the discipline is making sure every new tag added to the server container gets the consent check, because forgetting it on one destination is a full compliance gap.
For stores in France, Italy, Germany, and Spain where Data Protection Authority enforcement has been active since 2023, the server-side check is not optional. Client-side alone has been ruled insufficient in multiple rulings against large retailers; the authority's logic is that a client-side check can be bypassed by any misconfigured tag and therefore does not constitute "organizational measures" under GDPR Article 32. Server-side enforcement inside your own infrastructure does, because you control the code path. For the technical layer beneath this, see the server-side tracking setup guide.
Six answers.
What is Google Consent Mode v2 and why is it required in 2026?
Google Consent Mode v2 is Google's mechanism for how their advertising and analytics tags should behave based on a user's consent choices. Version 2 added two new signals, ad_user_data and ad_personalization, that are required if you advertise to users in the European Economic Area or the UK. Without them, Google Ads stops collecting attribution data from those regions and Google's consent enforcement defaults to the strictest behavior, which silently kills measurement. The requirement kicked in March 2024 and has been enforced via Google Ads account warnings since. Any Shopify store running Google Ads or GA4 with EEA or UK traffic must have Consent Mode v2 wired.
What are the six Consent Mode v2 signals?
Six boolean signals, each either 'granted' or 'denied'. One, ad_storage: can Google store a cookie for ad tracking. Two, analytics_storage: can Google store a cookie for analytics (GA4). Three, ad_user_data (new in v2): can user data be passed to Google for ad purposes. Four, ad_personalization (new in v2): can Google personalize ads based on this user. Five, functionality_storage: can the site store non-analytics cookies like language preference. Six, security_storage: can the site store security-related cookies like fraud detection. For most Shopify stores, the first four are the operational set and the last two are always granted.
Does Shopify's native consent banner support Consent Mode v2?
Partially. Shopify's customer-privacy API has included consent-state tracking since 2023 and is deeper in 2026, but it does not automatically translate Shopify's consent state into the four Google signals out of the box. You need either a third-party consent management platform that integrates with Shopify's customer-privacy API (Cookiebot, Osano, Iubenda, OneTrust, Consentmo all support this), or a custom script that reads Shopify's consent state and calls gtag('consent', 'update') with the mapped signals. The custom script is 30 to 50 lines of code and works for stores that do not want a CMP subscription.
Can I just deny-all by default and avoid the whole thing?
You can, but it damages measurement. Consent Mode v2 supports a 'default denied' mode where all signals start at denied and only flip to granted after the user accepts. This is maximally conservative from a compliance angle and is actually Google's recommended default for EEA traffic. The tradeoff is that until the user interacts with the banner, Google's tags run in modeled-conversion mode, which estimates conversions instead of measuring them. Modeled conversions are usable but less accurate. Most DTC stores accept the tradeoff; the alternative (defaulting to granted) is not defensible under GDPR and was the practice Google's DMA compliance changes were designed to end.
What happens if I do not implement Consent Mode v2?
For stores with EEA or UK traffic: Google Ads account warnings within 30 days of first flagged traffic, followed by progressive feature limits. First, Advantage+ audiences stop collecting on those regions. Then, Smart Bidding accuracy drops because the conversion signal degrades. Then Customer Match upload features limit. Google has not publicly suspended accounts for Consent Mode v2 non-compliance as of early 2026, but the measurement degradation is severe enough that ROAS in EEA and UK can drop 20 to 40 percent over 90 days of non-compliance. For stores with US-only traffic, Consent Mode v2 is currently optional but increasingly expected as US state laws converge toward EEA-level consent requirements.
Which CMP should I use if I want a managed solution?
Three CMPs cover the 95 percent case for Shopify stores. Cookiebot is the established leader at 15 to 50 dollars per month based on traffic, with deep Shopify integration and clean Consent Mode v2 mapping. Iubenda is the European alternative at 15 to 40 dollars per month, with strong GDPR compliance posture and a broader multilingual base. Consentmo is the Shopify-app-store native option, priced 9 to 49 dollars per month, pre-integrated with Shopify's customer-privacy API. For stores under 100K monthly visits, any of the three works. Above that, Cookiebot's performance and reporting tend to justify the higher tier.
Consent is infrastructure.
Our growth-strategy engagements include a full Consent Mode v2 deployment, CMP selection, and a server-side enforcement review. Scoped quote in 48 hours.