How to Verify Consent Signals Are Being Received Correctly in GA4 for Modeling Eligibility and GDPR Compliance

If your website operates in a region governed by privacy laws such as GDPR, you’re required to ask for consent for tracking, and then track only according to the user’s choice. But even if you’re not legally required to, offering consent options can help build trust with your users.

That said, it’s not enough to just show a cookie banner. You need to ensure that GA4 is correctly understanding and taking action based on those consent signals.

This tutorial will walk you through how to test whether consent signals are being passed to GA4, what those signals look like, and what to do if they aren’t working properly.

Consent banners are becoming increasingly more common, but unfortunately they aren’t always set up to correctly communicate consent choices to GA4 and other marketing analytics and tracking platforms.

If this isn’t set up correctly, you’re opening up your organization to fines or other penalties. And this isn’t just limited to GA4 data—beyond what we cover here, you’ll want to check if your other analytics and ads platforms are respecting consent choices as well.

Let’s start by walking through how to verify that GA4 is actually receiving and understanding consent signals.

To start, install the Consent Mode Inspector Chrome extension from InfoTrust. Once you have it installed, pin it to your Chrome toolbar and on any website you can click on it to see what consent signals are present for that website (if any).

Next, let’s allow this extension to run in an incognito window. This makes it very easy to test consent choices since you simply need to close your incognito window to reset your consent choices for your next test.
To do this:

1. Right-click on the extension in your toolbar.
2. Select Manage Extension.
3. Make sure “Allow in incognito” is turned on.

Cookiebot is our consent management platform of choice and they’re also a great example of how consent signals should be configured and received.

Head to cookiebot.com in an incognito window.

Before interacting with the cookie banner, click the Consent Mode Inspector and check out the values for the Most Recent Payload as well as each Signal.

On the Cookiebot website, the Google Consent Signal (GCS) parameter is G100 and all Signals except for security_storage have a Default State of denied and all Update States are set to Unknown. This is the correct way to tell GA4 that the visitor hasn’t yet made a consent choice. The security_storage Signal needs to be set to granted so that your browser is able to store your consent choice for future visits.

The GCS value is specific to GA4 and it tells that platform if the data that it has received is consented or not. In this example, data with the GCS value of G100 has been sent off to GA4 which means that GA4 will treat this as cookieless data. Cookieless data means that every page view is treated as a brand new, separate visit since there isn’t a cookie to persist the GA4 session across multiple page views. Cookieless data is also what GA4 looks for when qualifying your property for modeled data, if you wish to use that.

There are 4 possible values for the Google Consent State (GCS):

• G100: Both ad storage and analytics storage are denied
• G101: Ad storage is denied, analytics storage is granted
• G110: Ad storage is granted, analytics storage is denied
• G111: Both ad storage and analytics storage are granted

If your GCS is showing anything other than G100 before any consent is given, your consent management platform is not communicating correctly with GA4.

If you don’t see a GCS value at all, like in the example below, your consent management platform is also not communicating correctly with GA4, or it’s possible that this website doesn’t use GA4 or has another method of capturing consent. For example, if you check this extension during a Google search, you’ll see that the GCS is none. That doesn’t mean that Google isn’t respecting consent choices, it simply means that Google is using another method to record consent and isn’t using GA4 to track search engine use.

Deny all

Still on the Cookiebot site, select Deny All in the consent dialog, then navigate to another page. If everything’s working correctly, your GCS value should still show G100. This means that your consent management platform is communicating your consent choice correctly to GA4.

Visit a second page

Let’s close this incognito window and open a new window and go back to Cookiebot as this will reset our consent choice.

Without making a selection, navigate to another page on the site. Check the extension and your GCS value should still show G100. A common mistake is assuming a visitor has granted consent to tracking because they visited a second page on the site—you can’t make that choice for them.

Accept only statistics

Again, we’ll close this incognito window and open a new window and go back to Cookiebot to reset our consent choice.

In the consent dialog, click Customize, then accept only Statistics, then click Allow selection.

The GCS value should now read G101, which means that ad storage was denied but statistics (analytics) storage was granted.

Other options

In addition to these basic checks, we recommend selecting all possible combinations of the tracking options that are available to you and note down what the GCS value is, to make sure that your choice lines up with what the GCS value reports.

In GA4 go to the Admin page and then select Consent settings. This is what this page should look like for a site that is correctly sending consent signals to GA4.

If you aren’t sending any consent signals at all or if your consent signals are not set up correctly, this is what you’ll see instead:

In this example (from Google’s Flood It demo GA4 property), there are no consent signals received, but less than 5% of their traffic is from the EEA (shown in the This Stream area towards the top of the page). In this case they’ve made a choice not to have consent signals, perhaps because they aren’t targeting the EEA directly with this property. However, you should still check with your privacy officer or equivalent before making this decision to not have a consent management platform on your site.

If you’re using a consent management platform or some other consent dialog system, and you thought it was set up correctly but you’re not seeing what you should be seeing based on our tests above, here are some places to start troubleshooting.

GCS values do not change when consent is granted

If your GCS values exist but don’t change when consent is granted, you’ll need to check that there is an update state set by the consent dialog. If you view your site in Google Tag Manager preview mode, look for an event named cookie_consent_update. If you don’t have that, something is wrong with your consent dialog and it isn’t communicating choices.

Unfortunately since there are so many different consent platforms out there, it’s hard to say exactly what the issue is for each but we help out folks in our community regularly!

If you do see a cookie_consent_update event but nothing still changes, check your GA4 code. You may be using an old version of the code that predates the consent mode changes made in the past few years.

GCS values are not shown

If you have a consent dialog window but you don’t see any GCS values on your site no matter what you select, your consent dialog isn’t set up properly. We most often see this with the “free” consent dialog plugins that you can get for WordPress and other CMSs. You really do need to get a proper consent management platform. Yes, there is a cost but getting fined because your consent management is non-existent will be a much larger cost!

Page reloads after consent choice is made

When consent mode first came out, many developers chose to reload the page when consent was granted to make sure that they were capturing the session with consented data. This isn’t needed any longer as GA4 will backstitch the unconsented page view with the consented page view. Note that if a visitor goes to several pages before making a consent choice, the attribution will be lost as all the page views up until the consented page view are divorced from the page view where the consent choice occurred. This is why we typically recommend a large, obtrusive consent dialog—the visitor might say no to tracking but they at least made a choice.

GCS values are correct but the GA4 property doesn’t qualify for modeled data

Modeled data is an option in the Blended reporting identity in GA4 and if active, it will use machine learning to work cookieless data into your consented (“cookied”) GA4 data. Honestly, we aren’t fans and you’ll likely see far more Direct traffic than you should when you look at modeled data. We usually recommend the Observed identity and not the Blended one.

However, if you are sending properly consented data to GA4 and you’re not seeing modeled data as an option, you should check if you satisfy the requirements for modeled data:

1. At least 1,000 visitors a day who consent to tracking,
2. At least 1,000 visitors a day who do not consent to tracking,
3. In at least 7 out of the last 28 days.

If you do meet these requirements and still don’t see modeled data as an option after a few weeks, you should double-check that your consent signals are being sent off correctly to GA4.

Adding tracking tools into the functionality_storage or security_storage options

No, Google Tag Manager is neither functionality, nor security, nor required. You can use the consent mode options in Google Tag Manager to assign individual tags to fire based on consent settings, but GTM as a whole is never a functional, security, or required item.

Missing the ability to change your consent choices

Your site needs to offer a method for users to update their consent decisions after they’ve been made, for visitors located in regions where they are required to make a consent selection. For example, Cookiebot provides a floating widget, or you can link to a dedicated page in your footer.

Adding a consent dialog but not blocking cookies before a choice is made the associated cookies

Remember that consent mode isn’t just for GA4. You need to be sure that your consent management platform is able to control what cookies are delivered on your site based on what choices are made. Cookies should not be delivered to the visitor prior to a consent choice, unless consent was received by this visitor during a previous visit.

Adding a consent dialog but not categorizing the associated cookies

Just adding a consent dialog to your website isn’t enough. You need to also ensure that the cookies on your website are categorized so that the consent dialog knows what cookies can be delivered based on the consent choices made. This is something that’s typically done in the consent management platform software.

Setting up a consent management platform and then never looking at it again

While you may have done all the work to set up your platform and categorize the cookies, this work is never really done. You need to check your various platforms regularly to ensure there aren’t new cookies to be categorized, or if someone has implemented new tracking in a way that (usually accidentally) circumvents the consent management platform. Put time aside at least once a month to do a quick scan for any issues. Some platforms like Cookiebot also send automated emails as a useful reminder.

Getting consent signals set up correctly is usually more work then you think it’ll be but it’s worth it—not just to avoid any potential financial penalties but in respecting your visitors’ choices to be tracked or not tracked when they visit your site.

Remember to review this regularly:

1. Use the Consent Mode Inspector extension
2. Check that GCS values change based on consent choices
3. Check that the Consent Settings in the GA4 admin are showing that consent signals were received properly
4. Check that you see modeled data available to you in the GA4 Reporting Identity (assuming you meet the traffic requirements)
5. Review any new tags added and ensure they’re properly integrated with your consent management platform
6. Review for any new tags that might have been added outside of your consent management platform’s control and correct if needed
7. Make sure that users who are shown a consent dialog still have a way to change their consent choice

If you’re running into issues, post your questions in a comment on YouTube or get direct help in our private community when you enroll in our GA4 Audit course.