If you run paid traffic to your Shopify store from Google Ads or rely on Google Analytics 4 for attribution, Google Consent Mode v2 is now mandatory for EU/EEA visitors. As of March 2024, Google requires advertisers to send consent signals through GCM v2 — without them, you stop accumulating audience data and your remarketing lists shrink.
This post walks through what GCM v2 actually is, the two flags that matter, and exactly how to wire it up on a Shopify store without writing custom code.
What is Google Consent Mode v2?
Google Consent Mode is a mechanism for telling Google's tags (GA4, Google Ads, Floodlight) whether the visitor has consented to tracking. The tag still loads, but its behavior changes based on the consent signals you send:
- If consent is granted, tags fire normally — full pageviews, conversions, and audience signals.
- If consent is denied, tags fire in a degraded mode that uses cookieless pings to enable Google's machine-learning models to estimate ("model") the conversions you would have seen.
Version 2 added two new required parameters:
| Parameter | Purpose |
|---|---|
| ad_user_data | Whether user data can be sent to Google for advertising purposes. |
| ad_personalization | Whether personalized advertising (remarketing) is allowed. |
These join the four existing v1 parameters: ad_storage, analytics_storage, functionality_storage, personalization_storage, and security_storage.
Why this matters for Shopify merchants
Three things change when you implement GCM v2 properly:
- Compliance: GCM v2 is the mechanism Google trusts to know whether you've collected consent. Without it, EU traffic is non-compliant from Google's perspective regardless of what your banner says.
- Revenue: Modeled conversions only work if Google receives the cookieless pings. A banner that blocks GA4 entirely (no Consent Mode) costs you the modeled-conversion fallback. Stores that switch from "block everything" to GCM v2 typically see 15–30% of "lost" conversions return as modeled.
- Audiences: If you're not sending GCM v2 signals, your Google Ads audiences degrade. Existing remarketing lists shrink as cookies expire and aren't replaced.
The "default deny" pattern
The compliant pattern Google describes — and the one Consentico implements out of the box — is:
- Before any tag loads, set GCM v2 defaults to denied for every signal except security_storage.
- Wait for the visitor to interact with your consent banner.
- Update the GCM signals based on their decision: granted for everything they accepted, denied for what they didn't.
The critical word is before. If GA4 fires before you set the defaults, the first pageview is sent with the implicit-grant assumption — which is exactly the leak GDPR Article 5(3) was written to stop.
This is why script blocking matters: even with GCM v2 set to denied, Google's tags still load. The ad_storage: denied signal stops them from setting cookies, but a misconfigured tag manager could still leak data through unrelated mechanisms. A proper consent banner blocks the script load entirely until consent, and sets GCM v2 signals as a belt-and-suspenders measure.
How Consentico wires it up
Consentico's storefront banner does three things in this exact order, before anything else loads:
```javascript
// 1. Set GCM v2 defaults — denied for everything trackable.
gtag('consent', 'default', {
  ad_storage: 'denied',
  analytics_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  functionality_storage: 'denied',
  personalization_storage: 'denied',
  security_storage: 'granted',
  wait_for_update: 500,
});
// 2. Block tracking scripts until consent (createElement override + MutationObserver).
// 3. Render the banner; on user choice, call gtag('consent', 'update', { ... }).
```
The wait_for_update: 500 tells Google to delay sending pings for 500ms while the banner decides. That's enough time for the visitor to either click Accept (in which case GA4 fires normally) or to time out and fall through to the cookieless modeled-conversion path.
Step-by-step setup
If you're using Consentico, this is already wired up — install the app, enable the theme app extension, and you're done. If you're rolling your own, here's the sequence:
- Add the gtag stub before any script tags.

  ```html
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
  </script>
  ```

- Set defaults to denied. Do this in the same inline script, before any GTM or GA4 snippet.
- Block third-party scripts until consent. The simplest approach is to override document.createElement to intercept <script> tag creation and inspect the src attribute. If it's on your blocklist (Google Tag Manager, Meta Pixel, etc.), don't insert it.
- Render the banner. When the visitor decides, call gtag('consent', 'update', { ... }) with the granted values, and unblock the previously blocked scripts.
- Persist the choice so the visitor doesn't see the banner on every page load. Use localStorage (essential category, doesn't require consent itself).
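One way to implement the script-blocking step and the unblock part of the banner step, as an added example that is not Consentico's code or part of the original post: the blocklist is matched against the parsed hostname rather than the raw src string, and blocked URLs are held until consent. The function names, the `state` object and the blocklist entries are assumptions made for illustration.

```javascript
// Added example (not Consentico's code); names and blocklist are illustrative.
const BLOCKED_HOSTS = ['googletagmanager.com', 'google-analytics.com', 'connect.facebook.net'];

// True when src resolves to a blocklisted host or a subdomain of one.
// Parsing the URL keeps a tracker name in a path or query from matching.
function isBlockedSrc(src, pageOrigin, blockedHosts = BLOCKED_HOSTS) {
  let host;
  try {
    host = new URL(String(src), pageOrigin).hostname.toLowerCase();
  } catch (err) {
    return true; // cannot classify the URL: fail closed until consent
  }
  return blockedHosts.some((h) => host === h || host.endsWith('.' + h));
}

// Wrap doc.createElement so every new <script> gets a guarded `src` property.
// state = { consented: boolean, held: string[] }
function installScriptGate(doc, pageOrigin, state) {
  const realCreate = doc.createElement.bind(doc);
  doc.createElement = function (tag, options) {
    const el = realCreate(tag, options);
    if (String(tag).toLowerCase() !== 'script') return el;
    Object.defineProperty(el, 'src', {
      configurable: true,
      get() { return ''; },
      set(value) {
        if (!state.consented && isBlockedSrc(value, pageOrigin)) {
          state.held.push(String(value)); // remember it, request nothing
          return;
        }
        delete el.src; // drop the guard and fall back to the native setter
        el.src = value;
      },
    });
    return el;
  };
}

// On "accept": mark consent, then load everything that was held back.
function releaseHeld(doc, state) {
  state.consented = true;
  const urls = state.held.splice(0);
  for (const url of urls) {
    const s = doc.createElement('script');
    s.src = url;
    doc.head.appendChild(s);
  }
  return urls;
}
```

This gate only sees scripts created through document.createElement and assigned via `.src`; tags already in the HTML or set with setAttribute need the MutationObserver layer mentioned earlier.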
Common mistakes
Setting defaults inside Google Tag Manager. GTM loads after your page, so by the time the GTM container fires the consent defaults, GA4 has already sent the first pageview. Set defaults inline in the page <head> before anything else.
Treating ad_user_data and ad_personalization as the same thing. They're not. ad_user_data is whether you can send data to Google for ads use; ad_personalization is whether Google can use that data for personalized ads. A visitor might consent to one but not the other.
Forgetting security_storage: granted. Setting this to denied breaks reCAPTCHA and other Google security widgets. There's no compliance reason to deny it.
Rebuilding the banner on every navigation. SPAs (Hydrogen, headless setups) sometimes re-mount the banner on route change, which can re-trigger the default-deny ping. Set GCM defaults once at app boot.
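The mistakes above, together with the persistence step, as an added example (not Consentico's code): separate toggles for ad_user_data and ad_personalization, a stored choice that is validated before it is replayed, and defaults that are pushed once per app boot. The `choice` toggle names, STORAGE_KEY and the `boot` flag are assumptions.

```javascript
// Added example, not Consentico's code; `choice` toggles and STORAGE_KEY are assumed.
const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data',
  'ad_personalization', 'functionality_storage', 'personalization_storage'];
const STORAGE_KEY = 'consent_signals'; // hypothetical localStorage key

// ad_user_data and ad_personalization come from separate toggles, so a
// visitor can grant one and refuse the other.
function signalsFromChoice(choice) {
  const g = (ok) => (ok === true ? 'granted' : 'denied');
  return {
    ad_storage: g(choice.advertising),
    analytics_storage: g(choice.analytics),
    ad_user_data: g(choice.adUserData),
    ad_personalization: g(choice.adPersonalization),
    functionality_storage: g(choice.preferences),
    personalization_storage: g(choice.preferences),
  };
}

// Stored values are untrusted input: keep only known signals and treat
// anything other than the exact string 'granted' as 'denied'.
function loadStoredSignals(storage) {
  let raw;
  try { raw = JSON.parse(storage.getItem(STORAGE_KEY)); } catch (err) { return null; }
  if (raw === null || typeof raw !== 'object') return null;
  const out = {};
  for (const name of SIGNALS) out[name] = raw[name] === 'granted' ? 'granted' : 'denied';
  return out;
}

// Run at app boot. `boot` is a shared { done } flag: a re-mounted banner
// cannot push the defaults a second time.
function bootConsent(gtag, storage, boot) {
  if (boot.done) return null;
  boot.done = true;
  const defaults = { security_storage: 'granted', wait_for_update: 500 };
  for (const name of SIGNALS) defaults[name] = 'denied';
  gtag('consent', 'default', defaults);
  const stored = loadStoredSignals(storage);
  if (stored) gtag('consent', 'update', stored);
  return stored;
}

// Banner callback: persist the decision, then send the update.
function recordChoice(gtag, storage, choice) {
  const signals = signalsFromChoice(choice);
  storage.setItem(STORAGE_KEY, JSON.stringify(signals));
  gtag('consent', 'update', signals);
  return signals;
}
```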
Summary
Google Consent Mode v2 is a non-negotiable requirement for any Shopify merchant running paid traffic in the EU/EEA. The pattern is:
- Default-deny everything trackable, before any tag loads.
- Block third-party scripts until consent.
- Update GCM signals when the visitor decides.
If you're using Consentico, this is wired up the moment you enable the app embed. If you're DIY-ing it, the order of operations is what matters — get the defaults in before GTM, and block scripts in addition to GCM signals.
Want a free GCM v2 audit of your store? Install Consentico and run a scan — it'll flag any unblocked tracking scripts and tell you whether your current banner is sending the right signals.