In recent years, we have witnessed a remarkable evolution in policies related to third-party cookies. From the implementation of the General Data Protection Regulation (GDPR) to the European Economic Area Cookie Law, there has been increasing scrutiny on the use of third-party cookies, especially in the digital advertising arena, which has affected giants such as Google and Facebook.

Against this ever-changing regulatory backdrop, Google launched its Google Consent Mode tool in 2020 in response to legal demands and the need to adapt to new restrictions on the use of third-party cookies. This tool, integrated with cookie banners, allows users to indicate their consent and adjusts the behaviour of Google tags, such as Google Tag Manager, Google Analytics, Google Marketing Platform and Google Ads, according to the user’s consent preferences.

With the entry into force of the Digital Markets Act (DMA) in March 2024, large companies such as Google face new responsibilities, being considered ‘gatekeepers’ of user consent under the legislation.

Now, Google has announced a new version of Consent Mode, known as Google Consent Mode V2, in anticipation of crucial changes that will affect data collection in the near future.

What is Google Consent Mode?

Google Consent Mode was launched in 2020 as a direct response to European regulations on the use of third-party cookies. This tool enables the connection to Google through cookie banners, facilitating the indication of consent by the user and adjusting the behaviour of Google tags accordingly.

What’s new in Google Consent Mode V2

With the new version of Consent Mode, Google is adapting to anticipated legislative and technological changes, including the projected phasing out of mobile device identifiers and third-party cookies by 2024. The main new feature of Consent Mode V2 is the introduction of two new consent states: ad_user_data and ad_personalization, which expand the options for how user data is used and shared.

How will it affect analytics?

The projected removal of third-party cookies and other regulatory changes are impacting the ability to obtain accurate data through analytics tools such as Google Analytics. With increasing obstacles to accurate data collection, the metrics provided by these tools are expected to be more estimates than accurate representations of reality.

In summary, Google Consent Mode V2 represents Google’s response to an ever-changing regulatory environment and emerging technology challenges. As we prepare for a future without third-party cookies, proper implementation of Consent Mode becomes crucial to ensure legal compliance and maintain the effectiveness of digital marketing strategies.

Plugin CookieYes: What does it do?

Privacy regulations such as GDPR in the EU and CCPA in the US require companies to obtain user consent before placing cookies on their browser. CookieYes will handle cookie consent management solution so you don’t have to worry about compliance and can mitigate any potential legal risk.

In addition to having the consent banner in different languages, CookieYes allows you to generate cookie and privacy policies, as well as scanning cookies to generate information on the different categorised cookies.

What information should the cookie consent banner contain?

Cookie consent banner is mandatory only if you use non-necessary (technical) cookies. In the case of not using non-technical cookies, it is not necessary to use an informative cookie consent banner, only to inform in our privacy policy which cookies we use.

According to the Spanish Data Protection Agency (AEPD), information on cookies, with respect to the consent banner, must follow the following requirements:

Information or communication should be concise, transparent and intelligible.
Clear and simple language should be used, avoiding the use of phrases that lead to confusion or detract from the clarity of the message.
The information must be easily accessible.

To comply with this, in a simple way, it is worth indicating in a paragraph that different types of cookies are being used, the possibility of a link to the cookies policy (in the second layer) and similar buttons (they do not need to be the same) to accept and reject non-technical cookies. In addition, having a button or link to be able to configure the consent of the different categories of cookies. All this is allowed by CookieYes. Here are some examples of possible cookie consent banners:

This first layer of user information must provide the information required by the AEPD:

Identification of the publisher responsible for the website. The company name is not necessary, provided that its full identifying details appear in other sections of the website and its identity can be clearly identified from the website itself.
Identification of the purposes of the cookies to be used.
Information on whether the cookies are own or third party cookies.
Generic information on the type of data to be collected and used in case of user profiling.
How the user can accept, configure and reject the use of cookies.
A clearly visible link to a second layer of information containing more detailed information.

In a second layer of information (on the cookie policy page), extended information about cookies should be provided:

Definition and generic function of cookies
Information on the type of cookies used and their purpose.
Identification of who uses the cookies.
Information on how to accept, refuse or revoke consent to the use of cookies.
Where applicable, information on transfers of data to third countries made by the publisher.
Other aspects required by Article 13 of the General Data Protection Regulation.

How to install CookieYes on WordPress?

CookieYes is a cookie consent plugin for WordPress websites. Installation can be done in several ways:

Installing the WordPress plugin, activating and configuring it in the website application.
Inserting the CookieYes configuration script on the website, without the need to install the plugin in WordPress.
Through a Google Tag Manager template.

It is important to choose only one of the three methods to avoid code redundancy errors.

Once you have chosen the installation method, you can proceed to enable the Google V2 consent mode in CookieYes.

How to enable Google Consent Mode in CookieYes?

The first and most important step in implementation is to enable the Google Consent Mode feature in the CookieYes platform. To enable this, follow the steps below:

1. ILog in to your CookieYes web application account.

2. Navigate to the CookieYes Control Panel > ‘Advanced Settings’.

In ‘Google consent mode (GCM)’, activate the button (to the right) labelled ‘Support GCM’.

CookieYes Consent Mode Integration

If you use the Consent Mode with CookieYes, each time website users grant their choice of consent, CookieYes will signal Google to modify the behaviour of the tags based on the user’s choice. Therefore, the website will no longer collect or use any personally identifiable information and will use aggregate information for its services.

There are two methods to integrate Consent Mode with CookieYes: with and without the use of the Google Tag Manager Template.

Method 1: Using Google Tag Manager

Google Tag Manager (GTM) is a free tool that allows you to install, store and manage tags without modifying the code of your website. GTM tags are small snippets of code that track user actions and collect data.

The first thing is to have a Google Tag Manager account and enable it through its scripts on the web. To do this, follow these steps:

In Tag Manager, click the Accounts tab > Create Account.

Assign a name to the account and select a country.

Enter a descriptive container name and select the container type.

To create the container, click Create and accept the Terms of Service.

The container must then be installed on the website:

At the top of the window, find your Container ID, which is in the format ‘GTM-XXXXXXXX’. Click on your Container ID to open the Tag Manager installation dialog box.

Copy the code snippets and paste them into your website as indicated in the Tag Manager installation dialog box.

Place the <script> code snippet in the <head> header of your web page’s HTML, preferably as close as possible to the opening <head> tag, but below any dataLayer declarations.

Place the <noscript> code snippet immediately after the <body> tag in the HTML of your website.

Once the Tag Manager is available on our website, we can create tags, specifically the CookieYes tag, which will also include the consent mode.

Follow these steps:

Step 1. In your Google Tag Manager account, create a new tag. Click Tags in the left sidebar, then click New.

Step 2. Click on Tag Settings > Discover more tag types in the community template gallery and search for CookieYes CMP.

Step 3. Choose the CookieYes CMP template and click on Choose template.

Step 4. Insert the CookieYes website key, set other fields to the appropriate values, and save the tag after naming it.

Tag configuration:

Log in to your CookieYes account and go to ‘Advanced settings’, then go to ‘Advanced settings’.
Get Installation Code > Copy Code.
Copy the website key from the src attribute (e.g. src=‘https://cdn-cookieyes.com/client_data/TU_CLAVE_DE_SITIO_WEB/script.js’) to ‘Website Key’ in the tag settings.

To add Default Consent Configuration:

Click on ‘Default Consent Setting’.
Select Enabled/Disabled from the drop-down menu for each category of cookies according to your needs.
Set the region by entering the standardized codes.
Click on Add (‘Add Setting’).
Select Trigger: Choose the ‘Consent Initialization – All Pages’ as the trigger for the label.
Enter the name of the tag and click Save to complete the integration of CookieYes with Google Consent Mode.

Method 2: Implementation using custom script

To integrate CookieYes with the Consent Mode without using the CookieYes GTM template we must follow the following steps:

Step1. Copy the custom script:

<script>

    window.dataLayer = window.dataLayer || [];

    function gtag() {

        dataLayer.push(arguments);

    }

    gtag("consent", "default", {
        ad_storage: "denied",
        ad_user_data: "denied", 
        ad_personalization: "denied",
        analytics_storage: "denied",
        functionality_storage: "denied",
        personalization_storage: "denied",
        security_storage: "granted",
        wait_for_update: 2000,
    });

    gtag("set", "ads_data_redaction", true);
    gtag("set", "url_passthrough", true);

</script>

The values in the code are modifiable according to your needs. For example:

gtag("set", "ads_data_redaction",false);
gtag("set", "url_passthrough",false);

Step 2. Paste the custom script above the CookieYes script and the Google Analytics or GTM script.

Make sure the order of the scripts is as follows:

Script de Consentimiento Personalizado
Script de gtag / GTM
Script de CookieYes

The script must load in this order for it to work.

If you have the CookieYes plugin active, the CookieYes script is inserted by the plugin itself, so you will have to check that the scripts are loaded in the order indicated if you use method 2.

In the latter case, if the scripts are entered via the ‘wp_head’ hook, the Consent and Google scripts should be prioritised so that they are loaded before the CookieYes script.

Considerations and risks when using cookies on unsecured HTTP pages

On an unsecured HTTP website, cookies are transmitted unencrypted between the user’s browser and the site’s server. This means that any information contained in cookies, including sensitive data such as usernames and passwords, could be intercepted by malicious third parties.

In the case of cookies with the ‘secure’ attribute, these will be rejected by the website or application if a secure HTTPS connection is not being used. In this case, migration to HTTPS should be considered to adequately protect data transmission and cookie setting. This is the case of the cookie called ‘cookieyes-consent’, which is rejected by the browser on a non-secure HTTP site, and makes it impossible for the site to remember the consent rules.