Google Consent Mode v2 for WooCommerce: A Practical Setup Guide (GDPR-Ready)
Since Google made Consent Mode v2 mandatory for EEA traffic, WooCommerce stores face a double bind: respect consent choices and keep enough measurement to run a business. Done right, Consent Mode does both — done wrong, it either leaks personal data (legal risk) or silently kills your conversion tracking (business risk). This guide is the practical middle path.
What Consent Mode v2 actually is
Consent Mode is a signalling layer between your cookie banner and Google’s tags. Instead of crudely blocking scripts, you tell Google’s tags the consent state of four signals, and the tags adapt their behavior:
analytics_storage— GA4 cookies and identifiersad_storage— advertising cookiesad_user_data— sending user data to Google for advertising (new in v2)ad_personalization— personalised ads / remarketing (new in v2)
The two v2 signals are the ones Google now requires for EEA users; without them, Google Ads remarketing audiences stop populating.
Default-denied is the only defensible default
Under GDPR, consent must precede processing. Your consent defaults for EEA visitors should be denied across all four signals, sent before any Google tag loads, then updated when the visitor makes a choice. In practice that means the consent default must be printed inline in the page head — not queued behind the very scripts it is supposed to govern. This ordering is where most hand-rolled setups fail.
Basic vs. advanced mode — an honest trade-off
In basic mode, Google tags do not load at all until consent; you lose all data from decliners. In advanced mode, tags load but send cookieless pings when consent is denied, letting GA4 model the missing conversions. Advanced mode preserves more measurement, but several EU data-protection authorities read the cookieless pings critically — many EU stores deliberately choose basic mode for that reason. Pick deliberately; both are legitimate choices with different risk profiles.
Step-by-step WooCommerce setup
- Install a CMP that speaks Consent Mode v2. Complianz, Cookiebot, CookieYes, Borlabs, iubenda and Real Cookie Banner all do. Verify the CMP publishes to the WP Consent API too — the WordPress-native consent layer other plugins can read.
- Print consent defaults first. Whatever loads your GA4/GTM (plugin or hand-rolled), the
gtag('consent','default',{...denied})call must render before the container snippet in the page source. View source and check the order. - Scope by region if you choose to. Consent Mode accepts region codes, so you can default-deny in the EEA and default-grant elsewhere. Just be aware of UK GDPR and other regimes before granting broadly.
- Wire the update call to your banner. Your CMP should emit
gtag('consent','update',{...})on choice. Test with GTM Preview: default → user accepts → update. If the update never appears, check the CMP’s “Google Consent Mode” toggle. - Turn on
ads_data_redactionandurl_passthrough. Redaction strips ad-click identifiers while consent is denied; URL passthrough preserves campaign attribution through page navigation without cookies. Together they recover attribution legally. - Test the full funnel with consent denied AND granted. A correct setup shows no GA4 cookies before consent, then normal ecommerce events after. An incorrect one either sets cookies immediately (violation) or stays silent after acceptance (lost data).
The purchase event needs special care
Consent state also gates what you may attach to conversions. Hashed customer data for Google Ads Enhanced Conversions, for example, is still personal data under GDPR — it may only ride along when marketing consent is granted, and your privacy policy must disclose it. Any plugin or snippet that sends customer data unconditionally is a liability.
Checklist
- Defaults denied (EEA at minimum), printed before any Google tag
- All four v2 signals declared, update wired to the banner
- Redaction + URL passthrough on
- Conversion user-data strictly consent-gated
- Verified in GTM Preview with both consent outcomes
TrackPilot handles everything in this guide automatically — a spec-compliant GA4 dataLayer for WooCommerce with Consent Mode v2, purchase deduplication and a built-in debugger. See TrackPilot →