№ 26 Data Privacy

When 'Denied' Still Means Data: The GA4 Consent Mode v2 Loophole

GA4 Consent Mode v2 promises a clean answer to consent—but cookieless pings keep flowing to Google after a visitor clicks reject, and regulators are paying attention.

Tyler Schroeder · 14 min read · 10 footnotes

Google Analytics 4 (GA4) Consent Mode v2 looks like a clean answer to a hard regulatory problem—a single switch that tells Google whether the visitor agreed to be tracked, with the comfortable assumption that “denied” means data stops at the browser. It doesn’t. Even when a visitor revokes consent, Google’s tags keep firing—stripped-down “cookieless pings” that still carry the page URL, the referrer, the timestamp, the user agent, and the consent state itself. Google calls these signals “anonymous.” Regulators across the EU—increasingly—do not.

The pitch from Google is that these pings power “conversion modeling” and “behavioral modeling”—features designed to keep marketing dashboards full of traffic that organizations are no longer allowed to measure directly. The pitch most organizations hear is that Consent Mode v2 is the box-check that keeps analytics reports full and General Data Protection Regulation (GDPR) auditors quiet. Both pitches sidestep the same uncomfortable fact—a visitor who clicks “reject” is still being described to a US ad-tech vendor, in real time, every time they load a page. That gap between what consent appears to do and what it actually does—at scale, every day, on every page load—is where this post lives.

What “No” Actually Sends

The cookieless ping is not a bug or a workaround—it’s the product. Consent Mode v2 was designed from day one to keep data flowing to Google in both states, with the denied state quietly relabeled as “anonymous” so it could keep flowing. Understanding why that framing is the loophole—and why it matters even when the data really is stripped of cookies and IDs—starts with what’s actually inside the request a denied visitor’s browser sends, and ends with the legal frameworks that care about the request itself, not just its payload.

When a visitor clicks “reject all,” the consent banner does its job—at least visibly. The Interactive Advertising Bureau (IAB) Transparency and Consent Framework (TCF) string updates, the Consent Management Platform (CMP)’s API reports the new state, and the user moves on. Underneath, Google Tag Manager (GTM) is still listening. Consent Mode v2 doesn’t tell tags to stop firing—it tells them to fire differently. The denied-state request that goes out is what Google calls the cookieless ping: a payload stripped of the analytics cookie and the user ID, but still carrying the page URL, the document referrer, the user agent string, the visitor’s IP address, the timestamp, the screen resolution, the language header, and the consent state itself encoded as a parameter.[1]

That’s a lot of “anonymous.” A determined adversary doesn’t need much more to fingerprint a session—and Google itself doesn’t bother pretending the data is useless—it’s the training corpus for behavioral modeling, the machine-learning estimate of what a denied-state visitor would have done if they’d consented, and conversion modeling, the same thing applied to ad-click outcomes. If you’re running paid search, the Google Click ID (GCLID) appended to ad-click landing URLs travels with the ping too—which is how Google reconciles a “denied” session back to the campaign that paid for the click.[2]

The technical claim Google makes—and that most CMP vendors repeat in their compliance copy—is that the cookieless ping is not personal data because no persistent identifier is attached. That claim is doing all the work in the legal argument, and it’s the part regulators are least convinced by. The next two sections are about why.

The Article 5(3) Problem: Storage and Access

The European framework that governs all of this isn’t GDPR. It’s the ePrivacy Directive—Directive 2002/58/EC, the same law most people know as “the cookie law.” The crucial provision is Article 5(3), which says any storage of information on, or access to information already stored on, a visitor’s terminal equipment requires informed consent. The phrase “terminal equipment” means the device—browser, phone, tablet—that the visitor is using.[3]

Here’s why that wording matters: Article 5(3) is not about whether the data leaving the device is personal. It’s about whether the device was touched. Setting a cookie touches it. Reading a stored value touches it. Accessing browser-fingerprinting signals like screen resolution, font lists, or installed plugins touches it—and the European Data Protection Board (EDPB)’s 2024 guidelines on the technical scope of Article 5(3) are explicit on this point—the protection attaches to the act of access, regardless of what’s accessed or whether the accessed value is personal data on its own.

Consent Mode v2’s denied state still accesses the user agent, the screen dimensions, the language preferences, and the referrer header from the device. The cookieless ping still fires JavaScript that reads from the window object. Google’s argument is that the ping doesn’t store anything when consent is denied—but Article 5(3) is a two-part rule, and “access”—not storage—is the part the cookieless ping fails. The Court of Justice of the European Union (CJEU)’s reasoning in Breyer (2016) is the reinforcement—even a dynamic IP address can be personal data when combined with the means a controller has to identify the visitor.[4] Once the IP is in the request, the ping is processing personal data—full stop.

The practical effect: if the EDPB guidelines are read at face value, Consent Mode v2 in its denied state is performing an Article 5(3) operation on every visitor who clicks “reject”—without the consent the directive requires.
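The “access” half of Article 5(3) is easy to demonstrate from the defender’s side: wrap the device properties the post names in logging getters, click “reject,” and see which of them a tag still reads. The block below is an added example and not code from the original post or from Google; the fakeWindow object is a constructed stand-in for the browser globals, and simulatedDeniedStateTag is a constructed mimic of a tag assembling a cookieless ping (no cookie set, no ID carried, but every listed device signal read). In a browser you would pass the real window to instrumentTerminalAccess instead.

```javascript
// Added example, not code from the original post: log which terminal-equipment
// signals get read after the visitor has clicked "reject". makeFakeWindow() is a
// constructed stand-in for the browser globals the post names; in a browser you
// would call instrumentTerminalAccess(window, log) and let the real tag run.

function instrumentTerminalAccess(win, log) {
  // Accessors the post lists as still read in the denied state.
  const targets = [
    [win.navigator, "userAgent", "navigator.userAgent"],
    [win.navigator, "language", "navigator.language"],
    [win.screen, "width", "screen.width"],
    [win.screen, "height", "screen.height"],
    [win.document, "referrer", "document.referrer"],
  ];
  for (const [obj, prop, label] of targets) {
    const original = obj[prop]; // read once, before the logging getter exists
    // Shadow the property on the instance with a logging getter; the original
    // value is still returned so page scripts keep working unchanged.
    Object.defineProperty(obj, prop, {
      configurable: true,
      enumerable: true,
      get() {
        log.push({ signal: label, at: Date.now() });
        return original;
      },
    });
  }
}

// Constructed mimic of a tag building a cookieless ping: it sets no cookie and
// carries no ID, yet still reads the device signals it sends along. The user
// agent is not read here because the browser attaches it as a request header
// regardless of what the script does.
function simulatedDeniedStateTag(win) {
  return {
    ul: win.navigator.language,
    sr: `${win.screen.width}x${win.screen.height}`,
    dr: win.document.referrer,
    dl: win.location.href,
    gcs: "G100", // constructed: both ad_storage and analytics_storage denied
  };
}

function summarizeAccess(log) {
  const counts = {};
  for (const entry of log) counts[entry.signal] = (counts[entry.signal] || 0) + 1;
  return { reads: log.length, signals: Object.keys(counts).sort(), counts };
}

function makeFakeWindow() {
  return {
    navigator: { userAgent: "Mozilla/5.0 (constructed UA)", language: "en-US" },
    screen: { width: 1920, height: 1080 },
    document: { referrer: "https://www.google.com/" },
    location: { href: "https://example.com/pricing" },
  };
}

// Instrument, let the "denied" tag build its payload, then inspect the log.
function auditDeniedStateAccess() {
  const win = makeFakeWindow();
  const log = [];
  instrumentTerminalAccess(win, log);
  const payload = simulatedDeniedStateTag(win);
  return { payload, access: summarizeAccess(log) };
}

console.log(JSON.stringify(auditDeniedStateAccess(), null, 2));
```

Every entry in the access log is an Article 5(3) “access to information stored on terminal equipment” event that happened after the visitor said no, whether or not the value read is personal data on its own; that is the point the EDPB guidelines make and the reason the storage-only reading of the rule does not help.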

The Cross-Border Problem: Schrems II Hasn’t Disappeared

Layer two of the legal exposure—and the one that’s already produced binding decisions—is data transfer. The cookieless ping doesn’t stay in Europe. It goes to Google’s servers, which have a US legal nexus. Even after the EU-US Data Privacy Framework (DPF) adequacy decision was finalized in July 2023, Google’s transfer mechanism still sits inside GDPR Chapter V—and Chapter V applies to any transfer of personal data to a third country, including the data inside a “denied” ping.[5]

Between January 2022 and July 2022—well before the DPF, but the precedent is what matters—four data protection authorities (DPAs) ruled that the standard GA4 deployment violated Chapter V. Austria’s DSB went first in January.[6] France’s CNIL followed in February. Italy’s Garante ruled the same way in June. Norway’s Datatilsynet—which isn’t an EU regulator but applies the same framework through the European Economic Area agreement—issued a parallel finding shortly after.[7] The reasoning was the same in each case: the Standard Contractual Clauses (SCCs) Google relied on did not, in the regulators’ view, neutralize the surveillance risk that Schrems II identified in 2020 when the CJEU invalidated Privacy Shield.

The DPF was supposed to settle that. It hasn’t, exactly. The DPF restored a transfer mechanism between the EU and US-certified organizations, but it did not retroactively cure the underlying complaint, and it has not stopped noyb from filing fresh challenges.[8] More importantly for the Consent Mode v2 question: the DPF authorizes the transfer—it does not authorize the collection. If Article 5(3) is being violated upstream of the transfer, the DPF doesn’t help—you can have a perfectly valid transfer mechanism for data you weren’t allowed to collect in the first place.

“Anonymous” Is Doing a Lot of Work

The remaining argument Google makes is the most interesting one—and the one regulators have not yet ruled on directly. Google calls behavioral and conversion modeling outputs “aggregate, anonymous estimates” because the dashboard a marketer sees is bucketed at the segment level, not the user level. The implicit claim is that what flows out of the model is no longer personal data—even if the inputs were.[9]

The problem is that the inputs are not separable from the model’s predictions about a specific session. Behavioral modeling does not just describe denied-state traffic in aggregate—it imputes session-level conversion probability for the specific visitor whose ping arrived a moment ago. That visitor’s IP address, referrer, and timestamp are inputs to a machine-learning system that produces an output describing them, even if the output is rolled into a segment for reporting. Calling the rolled-up dashboard “anonymous” is a category error—the processing that produced it was not.

There’s a parallel here to Google’s broader Privacy Sandbox framing, where “Topics” and “interest cohorts” get described as group-level signals while still being computed from individual browsing histories. noyb has been blunt about this pattern—the “anonymous” label is a marketing claim, not a legal conclusion.[10] Whether the Article 29 Working Party’s older anonymization standard or the EDPB’s newer guidance applies, the same test holds—if a single individual’s data went into the system and a description of that individual came out, the operation was processing personal data.

The aggregate output does not launder the individual input.

What I Tell Clients to Do Instead

The honest version of the recommendation list is short, because the technical fixes are not the hard part. The hard part is the strategy decision behind them—do you want analytics, or do you want adtech-flavored analytics? Once that’s settled, the implementation is mostly arithmetic.

Audit what your tags actually send in the denied state. Open the network tab, click “reject all,” reload the page, and read every outbound request that fires. Most teams have never done this—and the first time they do, the conversation about Consent Mode v2 changes immediately—because the gap between “we are compliant” and “we are sending the page URL, the referrer, and the IP to a US ad-tech vendor on every denied page view”—the literal contents of the request—is impossible to unsee once you’ve seen it.
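The audit step above, and the request contents described in “What ‘No’ Actually Sends,” reduce to one question per captured request: where does it go, what consent state does it declare, and which page, device and attribution fields does it still carry? The block below turns that into a repeatable check over the URLs you copy out of the network tab. It is an added example, not code from the original post or from Google. The parameter names (dl, dr, ul, sr, cid, uid, gcs, en) and the gcs encoding follow the GA4 /g/collect request format as described in the Simo Ahava write-ups the post cites; the host list is a non-exhaustive assumption to extend for your own deployment, and the sample URLs, measurement ID and GCLID value are constructed.

```javascript
// Added example, not code from the original post or from Google: classify the
// requests captured during a "reject all" audit and report what each Google
// collect request still carries in the denied state.
// Parameter names and the gcs encoding follow the GA4 /g/collect request format
// described in Simo Ahava's write-ups; the host list is a non-exhaustive
// assumption; sample URLs, measurement ID and GCLID value are constructed.

const GOOGLE_COLLECT_HOSTS = new Set([
  "www.google-analytics.com",
  "region1.google-analytics.com",
  "analytics.google.com",
  "stats.g.doubleclick.net",
]);

// What each query parameter reveals about the visitor or the device.
const PARAM_MEANING = {
  dl: "page URL (document location)",
  dr: "document referrer",
  ul: "language",
  sr: "screen resolution",
  cid: "client ID (cookie-derived identifier)",
  uid: "user ID",
  gcs: "consent state",
  en: "event name",
};

// gcs is "G1" followed by one digit each for ad_storage and analytics_storage,
// 1 = granted, 0 = denied (G100 is the fully denied state).
function parseConsentState(gcs) {
  const m = /^G1([01])([01])$/.exec(gcs || "");
  if (!m) return null;
  const flag = (d) => (d === "1" ? "granted" : "denied");
  return { ad_storage: flag(m[1]), analytics_storage: flag(m[2]) };
}

function classifyRequest(rawUrl) {
  const url = new URL(rawUrl);
  const params = Object.fromEntries(url.searchParams);
  const consent = parseConsentState(params.gcs);
  const toGoogle = GOOGLE_COLLECT_HOSTS.has(url.hostname);

  // The GCLID normally rides inside the page URL (dl) rather than as its own
  // key, which is how a denied session stays attributable to the paid click.
  let gclid = params.gclid || null;
  if (!gclid && params.dl) {
    try {
      gclid = new URL(params.dl).searchParams.get("gclid");
    } catch {
      gclid = null;
    }
  }

  return {
    host: url.hostname,
    toGoogle,
    consent,
    carried: Object.keys(PARAM_MEANING)
      .filter((k) => k in params)
      .map((k) => `${k}: ${PARAM_MEANING[k]}`),
    hasIdentifier: "cid" in params || "uid" in params,
    gclid,
    // A request to a Google host with analytics_storage denied is the
    // cookieless ping. IP address and User-Agent are not query parameters:
    // they travel at the transport/header level with every request, so any
    // request to a Google host exposes them regardless of the payload.
    deniedStatePing: toGoogle && consent !== null && consent.analytics_storage === "denied",
  };
}

function auditRequests(urls) {
  const findings = urls.map(classifyRequest).filter((f) => f.toGoogle);
  return {
    totalRequests: urls.length,
    googleRequests: findings.length,
    deniedStatePings: findings.filter((f) => f.deniedStatePing).length,
    findings,
  };
}

// Constructed sample: what the network tab might list after "reject all",
// plus one granted-state request for comparison (illustrative, not captured).
const SAMPLE_REQUESTS = [
  "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE123&en=page_view" +
    "&dl=https%3A%2F%2Fexample.com%2Fpricing%3Fgclid%3DTEST_GCLID" +
    "&dr=https%3A%2F%2Fwww.google.com%2F&ul=en-us&sr=1920x1080&gcs=G100",
  "https://example.com/api/session",
  "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE123&en=page_view" +
    "&cid=1234567890.1700000000&dl=https%3A%2F%2Fexample.com%2F&ul=en-us&sr=1920x1080&gcs=G111",
];

console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS), null, 2));
```

Run it against the real list (export the HAR, or copy each request URL from the network tab) and the report is the literal answer to “what do we send on a denied page view”: the first finding in the constructed sample is a request to a Google host declaring gcs=G100, with no client ID but with the page URL, referrer, language, screen size and a GCLID still on board.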

Treat the cookieless ping as in-scope. If your privacy notice does not disclose the existence of denied-state pings—the URL parameters they carry, and the modeling Google performs on them—your notice is incomplete. The same applies to your records of processing under GDPR Article 30. “Denied” is not the same as “no processing”—and disclosure—of all places—is the cheapest part of compliance.

Consider a server-side, EU-region-only analytics path. If you need attribution but want to lower the cross-border exposure, server-side GTM hosted in the EU—or a non-Google analytics product like Plausible, Fathom, or Matomo on EU infrastructure—takes the third-country transfer question off the table entirely. This is what most of the regulators in the GA4 cases pointed to as the path forward.

Don’t treat Consent Mode v2 as a defense in depth. It’s a reporting-continuity feature for organizations that have already accepted the underlying processing. It is not a compliance control—and several DPAs—not just commentators—have already said so explicitly. Treating it as one is the same category mistake as treating GTM as a privacy strategy—a confusion I wrote about in detail in Google Tag Manager Is Not a Privacy Strategy.
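What an actual control looks like, by contrast, is a consent decision that decides whether the tag exists on the page at all, which is the pattern the guide in footnote 9 calls basic consent mode: nothing Google-hosted is loaded until the visitor grants, so the denied state produces no request, cookieless or otherwise. The block below is an added example, not code from the original post or from Google. loadScript and send are injected so the logic runs outside a browser; in production they would wrap a document.createElement("script") insert of gtag.js and the gtag() call respectively. The measurement ID is a constructed placeholder.

```javascript
// Added example, not code from the original post or from Google: a loader that
// keeps the Google tag off the page until consent is explicitly granted, so the
// denied state produces no request at all. `loadScript` and `send` are
// injected dependencies (assumed interface, not a Google API); in production
// they would insert the gtag.js script tag and call gtag("event", ...).
// The measurement ID below is a constructed placeholder.

function createConsentGate({ measurementId, loadScript, send }) {
  let state = "unknown"; // "unknown" | "granted" | "denied"
  let tagLoaded = false;
  let pending = []; // events seen before a decision; held in memory only
  const dropped = []; // events discarded because consent was denied

  return {
    // Called by the consent banner with the visitor's choice.
    decide(choice) {
      if (choice !== "granted" && choice !== "denied") {
        throw new Error(`unknown consent choice: ${choice}`);
      }
      state = choice;
      if (choice === "granted") {
        if (!tagLoaded) {
          loadScript(`https://www.googletagmanager.com/gtag/js?id=${measurementId}`);
          tagLoaded = true;
        }
        for (const ev of pending) send(ev);
      } else {
        // A script already on the page cannot be unloaded, so a later
        // revocation can only stop the events this gate controls; the value of
        // gating is that nothing was loaded before the choice was made.
        dropped.push(...pending);
      }
      pending = [];
    },
    // Called by page code wherever it would otherwise call gtag("event", ...).
    track(event) {
      if (state === "granted") send(event);
      else if (state === "unknown") pending.push(event);
      else dropped.push(event);
    },
    status() {
      return { state, tagLoaded, pending: pending.length, dropped: dropped.length };
    },
  };
}

// Exercise the gate with a constructed page lifecycle: one event fires before
// the visitor chooses, one after. Returns what reached the network layer.
function runScenario(choice) {
  const loads = [];
  const sent = [];
  const gate = createConsentGate({
    measurementId: "G-EXAMPLE123",
    loadScript: (url) => loads.push(url),
    send: (event) => sent.push(event),
  });
  gate.track({ name: "page_view" });
  gate.decide(choice);
  gate.track({ name: "scroll" });
  return { loads, sent, status: gate.status() };
}

console.log("denied:", JSON.stringify(runScenario("denied")));
console.log("granted:", JSON.stringify(runScenario("granted")));
```

The contrast with Consent Mode v2 is the first line of each scenario’s output: in the denied run the loads array is empty, because the decision was made before gtag.js ever reached the page, whereas Consent Mode v2 loads the tag first and lets “denied” change only the shape of what it sends. The cost is the one the post names, that there is no modeled denied-state traffic to report on, which is the strategy decision, not a tagging detail.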

Pair the technical work with a real strategic review. The deeper question—whether the value your organization gets from modeled denied-state traffic justifies the regulatory exposure of collecting it in the first place—is one most teams have never sat with. That’s a board-level question—not a tagging question—and it’s the kind of question I argued for treating as a priority in Why Data Privacy Must Be a Strategic Priority.

The Gap Stays Open

A consent banner that says “reject” while the site keeps sending the user’s URL, referrer, IP, and consent state to a US ad-tech vendor is not a mechanism failure—it’s the design. Consent Mode v2 was built to keep the data flowing, with a relabeling layer that the legal frameworks are still working through. The regulators are catching up. The DPF will keep getting challenged. And “we use Consent Mode v2” is going to age the same way “we use GTM” is already aging—as evidence that the team confused a tool with a strategy, and that the audit will be uncomfortable.

The strategic position I keep finding myself recommending across compliance regimes is the same one—accept that the regulatory floor is rising, build for the strictest applicable standard, and treat any tool that promises to make the floor go away as the warning sign it almost always is. The teams that have done that—with the MCDPA, with the European Accessibility Act, and with the broader privacy posture I covered in Why Data Privacy Must Be a Strategic Priority—are not the ones scrambling when each new ruling lands. They’re the ones who anticipated it—and that anticipation, not the tooling, is the actual moat.

The gap between what consent appears to do and what Consent Mode v2 actually does is not closing on its own. The work is figuring out which side of that gap your organization wants to live on—and being honest about what it costs to live on each side.

This post draws on the EDPB’s published guidelines on Article 5(3), CJEU rulings in Breyer and Schrems II, public decisions from the Austrian DSB, CNIL, Garante, and Datatilsynet, and Simo Ahava’s technical write-ups of Consent Mode v2.

Appendix · A

Glossary

Acronyms and terms-of-art used above, with the working definitions I rely on in 2026. Where the field disagrees, I have noted it.

Acronym: Google Analytics 4 (GA4)
Google’s current web analytics product, launched in 2020 and made the default in July 2023.
Term: Consent Mode v2
Google’s tag-side framework for adjusting which signals its tags send based on visitor consent state. Required for European Economic Area traffic since March 2024.
Term: Cookieless ping
A request fired by a Google tag in the consent-denied state. Omits analytics cookies but still carries URL, referrer, IP, user agent, and consent state.
Term: Behavioral modeling
Google’s machine-learning estimate of denied-state session behavior, trained on consented sessions and applied to denied ones.
Term: Conversion modeling
Google’s machine-learning estimate of conversions Google can no longer measure directly because consent was denied.
Term: ePrivacy Directive
EU Directive 2002/58/EC, often called “the cookie law.” Article 5(3) gates storage and access on a visitor’s terminal equipment behind consent.
Term: Terminal equipment
The device a visitor uses to access a site—browser, phone, tablet. The term comes from EU telecommunications law; ePrivacy Directive Article 5(3) gates any storage on or access to it behind consent.
Acronym: European Data Protection Board (EDPB)
The EU body that coordinates national data protection authorities and publishes binding interpretive guidelines.
Acronym: Court of Justice of the European Union (CJEU)
The EU’s highest court. Ruled in Breyer (2016) that dynamic IPs can be personal data, and in Schrems II (2020) that Privacy Shield was invalid.
Term: Schrems II
The CJEU’s 2020 ruling (Case C-311/18) that invalidated the EU-US Privacy Shield framework. The court held that US surveillance law did not provide essentially equivalent data protection to EU law—and the gap stayed open until the DPF restored a transfer mechanism in July 2023.
Acronym: EU-US Data Privacy Framework (DPF)
The post-Schrems II adequacy decision (July 2023) that restored a transfer mechanism between the EU and US-certified organizations.
Acronym: Data Protection Authority (DPA)
A national regulator empowered to enforce GDPR. The four cited here: Austria’s DSB, France’s CNIL, Italy’s Garante, and Norway’s Datatilsynet.
Acronym: Google Click ID (GCLID)
The URL parameter Google appends to ad-click destinations. Travels with the request even when analytics cookies are blocked.
Acronym: noyb
“None Of Your Business,” the privacy nonprofit founded by Max Schrems. Files complaints across EU DPAs.
  1. Simo Ahava, “Consent Mode V2 For Google Tags,” https://www.simoahava.com/analytics/consent-mode-v2-google-tags/

  2. Google Tag Manager Help, “Updates to consent mode for traffic in European Economic Area (EEA),” https://support.google.com/tagmanager/answer/13695607

  3. EDPB, Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive (final version, October 2024), https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_v2_en_0.pdf

  4. CJEU, Breyer v Bundesrepublik Deutschland, C-582/14 (October 19, 2016), https://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN; IAPP analysis at https://iapp.org/news/a/in-breyer-decision-today-europes-highest-court-rules-on-definition-of-personal-data

  5. European Commission, EU-US Data Privacy Framework adequacy decision (July 10, 2023), program overview at https://www.dataprivacyframework.gov/Program-Overview

  6. DLA Piper Privacy Matters, “ITALY: the Garante aligns with CNIL and DSB,” https://privacymatters.dlapiper.com/2022/06/italy-the-garante-aligns-with-cnil-and-dsb-holding-that-the-use-of-google-analytics-leads-to-unlawful-transfer-of-personal-data/

  7. noyb, “UPDATE: Further EU DPA orders stop of Google Analytics,” https://noyb.eu/en/update-further-eu-dpa-orders-stop-google-analytics

  8. Usercentrics, country-by-country summary of GA4 GDPR rulings, https://usercentrics.com/knowledge-hub/google-analytics-and-gdpr-compliance-rulings/

  9. Simo Ahava, “Basic Consent Mode: The Guide,” https://www.simoahava.com/analytics/basic-consent-mode-the-guide/

  10. noyb, “Google Sandbox: Online tracking instead of privacy,” https://noyb.eu/en/google-sandbox-online-tracking-instead-privacy

Written by

Tyler Schroeder

Senior Principal Strategist with 15+ years in the industry, focused on data privacy, accessibility, AI governance, and transformation planning for organizations building durable digital programs.

All opinions are my own and do not necessarily reflect those of my employer.