
How to audit Consent Mode & cookie consent

A cookie banner makes a promise to visitors. A consent audit checks whether your tags keep it. This is the highest-stakes part of any tracking audit: the difference between compliant and exposed, and where the most setups fail. Eight checks, the failures they find, and how to run them by hand or automatically.

Consent is 30% of a Tracking Auditor score, the highest-weighted dimension. See how yours holds up: your first audit is free.


The eight consent checks

  1. Watch a fresh session before touching the banner

    Private window, DevTools → Network, filtered to google-analytics.com, googletagmanager.com, doubleclick.net and your other tag domains. Load the site and do nothing. Any collect or conversion request that fires before you've interacted with the banner is unconsented tracking. This is the most common failure, and the one regulators and enterprise procurement check first.

  2. Verify the consent default is set before anything else

    In the console, inspect window.dataLayer. There must be a consent default entry, denying analytics_storage and ad_storage, that appears above any config or event call. Consent Mode set after tags load protects nothing: the tags have already fired by the time the denial arrives.

  3. Confirm it's Consent Mode v2, not v1

    V2 added ad_user_data and ad_personalization, and Google requires both for EEA ad features. If the consent default only sets ad_storage and analytics_storage, the setup predates March 2024 and Google Ads audience and measurement features are degraded without any warning shown.

  4. Test all three consent paths, not just acceptance

    Accept, reject, and ignore. After rejecting: no analytics cookies (_ga, _gid), no collect requests carrying full identifiers. After ignoring: same as rejecting. Most broken setups pass the accept path and fail the other two, because accept is the only path anyone ever tested.

  5. Check every tag's consent configuration in GTM

    In GTM, each tag has consent settings (Advanced → Consent Settings). Google tags handle Consent Mode natively. Third-party tags (Meta, TikTok, LinkedIn, Hotjar) do not, and need explicit additional consent checks or blocking triggers. A container where only the Google tags respect consent is a container that leaks.

  6. Confirm the CMP tag is live and publishing signals

    A paused CMP tag, or one broken by a template update, means no consent signals reach anything, while the banner itself may still render from cache. The banner showing proves nothing; the dataLayer consent update event is what matters.

  7. Compare actual cookies against the banner's declared list

    DevTools → Application → Cookies, after each consent path. Every cookie set should appear in the banner's declaration, in the right category. Ad cookies classified as 'strictly necessary' and cookies that predate consent contradict the compliance story in writing.

  8. Check the consent state is respected across subdomains and SPAs

    Consent granted on www must carry to shop. and app. if they share tags, and single-page apps must re-check consent on virtual pageviews, not just the first load. Cross-domain setups are where otherwise-correct implementations fall apart.
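Checks 2, 3 and 6 can be scripted against a snapshot of window.dataLayer. The following is an added example, not code from this guide or from Tracking Auditor: the function name, finding strings and sample snapshots are constructed for illustration, and it inspects only gtag-style command entries.

```javascript
// Added example: audit a window.dataLayer snapshot for consent ordering and v2 keys.
const MUST_BE_DENIED = ['ad_storage', 'analytics_storage'];
const V2_KEYS = ['ad_user_data', 'ad_personalization'];

function auditConsentDefault(dataLayer) {
  // gtag() pushes array-like Arguments objects; normalise those to real arrays.
  // Plain objects (e.g. { event: 'gtm.js' }) have no length and pass through untouched.
  const entries = Array.from(dataLayer, (e) =>
    e && typeof e === 'object' && typeof e.length === 'number' ? Array.from(e) : e);
  const isCmd = (e, name) => Array.isArray(e) && e[0] === name;

  const defaultIdx = entries.findIndex((e) => isCmd(e, 'consent') && e[1] === 'default');
  const firstTagIdx = entries.findIndex((e) => isCmd(e, 'config') || isCmd(e, 'event'));
  // Check 6: a rendered banner proves nothing; look for a published consent update.
  const updateSeen = entries.some((e) => isCmd(e, 'consent') && e[1] === 'update');

  const findings = [];
  if (defaultIdx === -1) {
    findings.push('no consent default entry');
    return { pass: false, updateSeen, findings };
  }
  // Check 2: the default must sit above the first config or event call.
  if (firstTagIdx !== -1 && firstTagIdx < defaultIdx) {
    findings.push(`consent default (index ${defaultIdx}) arrives after a tag call (index ${firstTagIdx})`);
  }
  const state = entries[defaultIdx][2] || {};
  for (const key of MUST_BE_DENIED) {
    if (state[key] !== 'denied') findings.push(`${key} is not denied by default`);
  }
  // Check 3: a default without the two v2 keys is a v1-era setup.
  const missingV2 = V2_KEYS.filter((key) => !(key in state));
  if (missingV2.length) findings.push(`Consent Mode v1 only, missing: ${missingV2.join(', ')}`);
  return { pass: findings.length === 0, updateSeen, findings };
}

// Constructed sample snapshots (not captured from a real site).
const GOOD = [
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied',
    ad_user_data: 'denied', ad_personalization: 'denied' }],
  ['js', new Date(0)],
  ['config', 'G-EXAMPLE'],
  ['consent', 'update', { analytics_storage: 'granted' }],
];
const LATE_V1 = [
  ['js', new Date(0)],
  ['config', 'G-EXAMPLE'],
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied' }],
];
```

In the browser console, run `auditConsentDefault(window.dataLayer)` once before touching the banner and again after each consent path.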

What consent audits find

The same six failures come up again and again, usually in setups whose owners believed they were compliant because a banner was showing.

Where consent fits in the full audit

Consent is one of five dimensions in a complete tracking audit. The full process is in the Google Analytics audit guide. The container-side review lives in the GTM audit guide, and the revenue side in the conversion tracking audit guide. For the condensed to-do-list version, use the GA4 audit checklist.

Consent audit FAQs

What is a consent mode audit?

A consent mode audit verifies that a website's tags actually respect visitor consent: that Consent Mode v2 defaults are set before any tag fires, that accepting, rejecting and ignoring the banner each produce the correct behaviour, and that the cookies really set match what the consent banner declares.

How do I check if Consent Mode v2 is working?

Open the site in a private window with DevTools. Inspect window.dataLayer for a consent default entry (including ad_user_data and ad_personalization) appearing before any config calls. Then test all three paths (accept, reject, ignore) and confirm network requests and cookies behave differently in each.

Does Consent Mode make my site GDPR compliant?

No. Consent Mode is a signalling mechanism for Google's own tags: it tells them what the visitor chose. Compliance depends on the choice being collected properly, enforced across all tags including non-Google ones, and reflected accurately in your cookie declarations. Many sites with Consent Mode installed still fail a consent audit.

What's the difference between GDPR and US-state consent requirements?

GDPR markets require opt-in: analytics and ad tags must not fire until the visitor consents. Most US state laws (CCPA and successors) allow tracking by default but require a working opt-out. An audit checks the setup against the regimes that actually apply to your traffic.

Can a consent audit be automated?

Yes. Tracking Auditor reads your GTM container and GA4 property and checks consent configuration across every tag (Consent Mode defaults, per-tag consent settings, CMP presence, cookie classification) as the highest-weighted dimension of a full scored audit, worth 30% of the grade.

Audit your consent setup in two minutes

Tracking Auditor checks Consent Mode configuration, per-tag consent settings, CMP presence and cookie classification across your live GTM and GA4: scored, explained, and prioritised. Your first audit is free, no card required.
