Consent Management Platform Setup and Audit

A cookie banner that looks compliant and one that actually is are two different things.

Most websites have some version of a cookie banner. What most of them don't have is a banner that correctly transmits consent signals to Google, fires tags in the right sequence, passes the four consent parameters GA4 and Google Ads require, and stays compliant as regulations change.

The consequences are real and measurable. Without Consent Mode v2 correctly implemented, GA4 loses data on every EEA and UK user who declines tracking. Google Ads can't model conversions for non-consenting users. Remarketing audiences shrink. Reported ROAS gets worse. And if the legal implementation doesn't hold up, the compliance risk sits with the client.

A banner that pops up and has an accept button is not the same as a compliant CMP implementation. We audit what's actually there, fix what's broken, and build setups that work technically and legally.

Why this matters more than most agencies realize

Since early 2024, Google has required a certified CMP integrated with Consent Mode v2 for websites using GA4 or Google Ads to track users in the EEA and UK. Without it, Google assumes every visitor declined consent. That means no analytics data, no conversion tracking, and no remarketing for a significant portion of most clients' audiences.

Consent Mode v2 introduces four specific consent signals that need to pass between the CMP and Google's tags: ad_storage, analytics_storage, ad_user_data, and ad_personalization. When these signals aren't firing correctly, even a banner with a working accept button may be sending nothing useful to Google. The implementation has to be technically correct, not just visually present.

Beyond Google, GDPR requires that consent is freely given, specific, informed, and unambiguous. Legitimate interest can no longer be used as the legal basis for advertising and content personalization in the EU. These aren't edge cases. There are requirements that apply to the majority of clients running any kind of digital advertising in Europe.

What we do

CMP Audit

Before recommending or implementing anything, we audit what's already in place. We check whether the current banner is connected to a Google-certified CMP, whether Consent Mode v2 signals are firing correctly, whether the tag firing order in GTM is set up to respect consent before loading tracking scripts, whether consent is being stored and honored correctly across sessions, and whether the current setup covers the legal requirements for the regions the client operates in.

Many clients have a banner installed but Consent Mode isn't actually connected. Or it's connected in basic mode when advanced mode is needed. Or the GTM configuration is firing tags before consent is given. The audit surfaces these gaps with specific findings, not general recommendations.

Platform Selection and Setup

We work with the major Google-certified CMPs and recommend based on what fits the client's site, stack, and compliance requirements.

CookieYes is one of the most widely used Google Gold-tier certified CMPs. It's straightforward to set up, integrates cleanly with GTM, supports Consent Mode v2 and IAB TCF v2.2, and works well for small to mid-sized sites that need reliable compliance without enterprise pricing.

Cookiebot by Usercentrics is a Gold-tier certified CMP suited for more complex implementations. It includes automatic cookie scanning, multilingual banner support, and detailed consent logs. Usercentrics as the parent platform is one of the more robust options for clients with operations across multiple regions and regulatory frameworks.

OneTrust is the enterprise choice. It covers GDPR, CCPA, LGPD, and most other global privacy frameworks in a single platform. It's more configuration-heavy and more expensive, but for clients with global audiences and legal teams that need documented compliance controls, it's the right tool.

Didomi is a Gold-tier partner certified for web, mobile apps, and CTV. It's a strong choice for clients running campaigns across connected TV alongside digital, or for organizations that need multilingual banner support across more than 50 languages with region-specific regulation handling.

Termly is a Gold-tier partner that works well for clients who need a clean, straightforward setup with strong documentation and IAB TCF v2.2 support without enterprise overhead.

Concord is a Gold-tier certified CMP built specifically around ease of implementation. It enables advanced Consent Mode v2 by default for new projects and integrates directly with GTM through a managed template.

For clients without complex requirements or large budgets, we also implement CookieHub and CookieScript, both Google-certified and well-suited for smaller sites that need solid compliance without the overhead of enterprise platforms.

The right platform depends on where the client operates, what their tech stack looks like, what level of compliance documentation they need, and what their budget is. We advise on this before any implementation work starts.

Consent Mode v2 Implementation

Consent Mode v2 has two modes, and choosing between them matters.

Basic mode blocks all Google tags until the user makes a consent choice. No data is collected until consent is granted. This is the more conservative approach and appropriate for clients who want to minimize data collection risk, but it means losing all behavioral data from users who close the banner without deciding.

Advanced mode loads Google tags immediately but sends cookieless pings to Google for users who decline. Google uses these pings to model behavior for non-consenting users, which recovers a meaningful portion of the conversion and audience data that basic mode loses entirely. For most advertising clients, advanced mode is the right choice because it preserves modeling capability while still respecting consent.

We implement the appropriate mode through GTM, configure the consent signals correctly, and verify that all four parameters are transmitting as expected using Google's Tag Assistant.

GTM Integration and Tag Sequencing

The CMP needs to fire before any tracking tags load. This is where a lot of implementations go wrong. We configure GTM so the consent initialization happens at the right point in the tag firing sequence, tracking tags are blocked for users who decline the relevant consent categories, and tags fire immediately for users who accept without adding unnecessary page load delays.

We also set up consent-based triggers for every tag in the container so each tool only receives data for users who consented to the relevant category. Analytics tags fire for analytics consent. Advertising tags fire for ad storage consent. Tags that require both only fire when both are granted.

Cookie Scanning and Categorization

We run a full cookie scan across the client's site to identify every cookie being set, which scripts are setting them, and which consent category each one belongs to. This scan becomes the basis for the CMP's cookie declaration, which is a legal requirement under GDPR.

Cookies get categorized correctly: strictly necessary, functional, analytics, and marketing. Strictly necessary cookies fire without consent. Everything else requires the appropriate consent signal before loading. If a cookie is being set without a corresponding category or disclosure, we flag it and resolve it.

Consent Records and Audit Logs

GDPR requires that consent is documented and can be demonstrated. We configure the CMP to store consent records so the client can show when a user consented, what they consented to, and which version of the banner was shown at the time. For clients who need to respond to data subject access requests or regulatory inquiries, these records are what makes that possible.

Multi-Region Compliance

Different regulations apply in different regions. GDPR covers the EEA and UK. CCPA covers California. LGPD covers Brazil. Canada, Australia, and other jurisdictions have their own requirements. We configure the CMP to display the appropriate banner and apply the appropriate legal basis based on the visitor's location, so clients with international audiences aren't applying EEA-level consent requirements globally where they aren't needed, or missing requirements where they are.

Ongoing Monitoring and Updates

Privacy regulations change, Google updates its requirements, and CMP platforms release new versions. A setup that's compliant today may need adjustment in six months. We document everything we implement and can provide ongoing review to make sure the client's setup stays current as requirements evolve.

What a correct CMP setup actually protects

Done correctly, a CMP setup does three things at once. It keeps the client legally compliant with GDPR and similar regulations. It keeps GA4 and Google Ads data as complete as possible for the users who do consent. And it enables Google's conversion modeling for users who don't, which is the difference between losing that data entirely and having a reasonable statistical approximation of it.

Most clients don't realize how much their analytics and ad performance data is affected by a broken CMP implementation until someone checks. The audit usually finds something.

SmartMetrics handles CMP selection, implementation, GTM integration, and cookie scanning as part of broader analytics setups or as a standalone engagement. If you're already running GA4, server-side tracking, or Google Ads conversion tracking through us, CMP setup integrates directly into that work.

Ready to get started?

Hire an Expert to Grow Your Leads & Sales

Ongoing analytics, marketing, and conversion optimization - for less than one full-time salary.

  • Client/server-side tracking
  • Google Ads audit & builds
  • Premium Looker Studio dashboards
  • Weekly performance reviews
  • Ongoing CRO optimization
ClientClientClientClientClient

Trusted by AI, SaaS, e-commerce & B2B teams

https://