VakteyeVakteye
VAKTEYE
SolutionsPlansAboutContactInsightsCareers
Sign In
Vakteye audit

Google Consent Mode v2: is it actually wired up?

Consent Mode v2 is a signaling protocol, not an enforcement mechanism. Google's tags read the analytics_storage and ad_storage flags, but if a tag or a third-party script ignores those signals, tracking still happens — the site just believes it's compliant. Vakteye reads the live dataLayer values and cross-checks them against what actually fires on the network.

Who it's for

  • Sites using Google Tag Manager with Consent Mode v2 configured
  • Marketing teams who assume "we enabled Consent Mode" means tracking is compliant
  • Companies running Google Ads or Analytics who need EEA-traffic consent signals verified end to end

What Vakteye tests

  • Whether analytics_storage and ad_storage actually reflect the visitor's consent choice in the dataLayer
  • Whether tags that should be gated by "denied" signals still send network requests
  • Whether default consent state before interaction is set to denied, as required for EEA traffic
  • Whether the gap between declared signal state and observed network behavior constitutes a Consent Mode Bypass

Legal basis

ePrivacy Directive Article 5(3)

A consent signal that is set but not actually honored by the tag does not satisfy the underlying prior-consent requirement.

GDPR Article 6(1)(a)

The signal is meant to represent valid consent — if the underlying tracking ignores it, the legal basis claimed by the configuration does not match what's happening.

GDPR Article 5

Transparency requires that the consent state a visitor sees on screen matches what's actually happening on the network — Consent Mode misconfiguration breaks that link.

Example finding

ad_storage signal denied but ad tag still fires

What we observed

The dataLayer correctly reports ad_storage as 'denied' after a visitor rejects marketing cookies, but a network trace shows the advertising conversion tag firing a request seconds later.

Why it matters

This is the specific signature of a Consent Mode Bypass — the signal infrastructure is correctly configured, but a specific tag was never wired to respect it. It typically requires a tag-configuration fix, not a banner redesign.

FAQ

Enabling the signaling framework is a necessary first step, but each individual tag must also be configured to respect it. Vakteye's scan is the check that confirms the second half actually happened.

The dataLayer signal check is specific to Consent Mode, but Vakteye's broader tracker monitoring covers non-Google trackers on the same page independently of the Consent Mode signals.

Basic mode blocks tags entirely until consent; Advanced mode sends cookieless pings even when consent is denied. Vakteye's scan reports which mode is observed in practice and whether its behavior matches what the site's configuration claims.

Ready to see what your website actually does?

Book a full behavioral audit — the same methodology described above, run against your entire site with a complete evidence package.

Book a full audit
VakteyeVakteye
VAKTEYE

Website compliance checks for consent, policy, tracking and security. Vakteye shows what happened, what needs fixing and the evidence behind it.

Book demo
VakteyeVakteye
Privacy MonitoredContinuously monitored by Vakteye

PRODUCT

  • Plans
  • Trust center
  • Scanner identity
  • Security policy

COMPANY

  • About us
  • Contact
  • Insights
  • FAQ

LEGAL

  • Privacy Policy
  • Terms of Service
  • Cookies Policy
  • Sub-processors
  • Data Rights (GDPR)
  • For visitors

Contact

  • info@vakteye.com
  • LinkedIn

© 2026 Vakteye. All rights reserved.