How to set up Consent Mode v2 in GTM with Cookiebot or a custom cookie banner

Short Answer

You can set up Consent Mode v2 in GTM in two main ways. The first is through a CMP with a ready-made GTM template or native integration. The second is through a custom cookie banner, where you read the user's saved choice yourself and send default and update states through consent tags.

The same minimum applies in both variants: default consent state must run on Consent Initialization - All Pages, update must happen immediately after interaction with the banner, Google tags must have a clearly chosen behavior mode, and non-Google tags must have an additional consent requirement.

Setup does not end with publishing the GTM container. You must test a new user state, accept all, reject all, partial preferences, a saved choice on the next page, first page_view, conversion event, redirects with click IDs, and third-party tags.

Variant A: Consent Mode v2 Through a CMP / Cookiebot

If you use a CMP with a ready-made integration for Google Consent Mode v2, implementation is faster, but you still need to audit it. It is not just inserting one tag. You need to know exactly what the CMP sets as default, when it sends update, whether it enables Google Consent Mode v2, whether it supports regional rules, and how it handles non-Google tags.

In GTM, the CMP tag should run on Consent Initialization - All Pages. This is a special trigger intended for tags that set or update consent state. Do not use ordinary All Pages for it, and do not run regular measurement tags on Consent Initialization.

1. Create or insert the CMP tag in GTM. Use the official or verified GTM template from the CMP if available.
2. Set the trigger to Consent Initialization - All Pages. The CMP must finish before regular tags.
3. Enable Google Consent Mode v2 support. Watch all four main parameters: ad_storage, analytics_storage, ad_user_data, and ad_personalization.
4. Set default states. For European users, do not automatically assume granted for marketing or analytics without legal assessment.
5. Consider URL passthrough. Use it if you need to preserve Google click/session information when storage is denied and the website can handle it technically.
6. Consider ads_data_redaction. Use it according to privacy requirements, especially when ad_storage = denied.
7. Enable Consent Overview. In GTM Admin > Container Settings, activate the consent overview and review all tags.
8. Configure tags. Google tags according to the chosen basic/advanced mode; non-Google tags explicitly through additional consent checks.
9. Test saved consent. Delete cookies/localStorage, accept, reject, go to a second page, and watch the timeline in Tag Assistant.

Variant B: Consent Mode v2 With a Custom Cookie Banner

A custom cookie banner is not a problem if you can state three things technically and precisely: where it stores the decision, what the value looks like for individual categories, and when the value changes after the user clicks.

So you do not start with GTM tags, but with investigation. Open the website, delete existing cookies/localStorage, click accept all, reject all, and custom settings. In DevTools under Application, watch which cookie or localStorage item changes. Write down the exact name and exact values.

1. Find consent storage. In Chrome DevTools > Application, look under Cookies and Local Storage. Names are often cookie_consent, CookieConsent, consent_settings, and similar.
2. Record the values. For example marketing:true, analytics:false, or JSON with categories.
3. Create a GTM variable for reading the value. If it is a cookie, use a 1st Party Cookie variable. If it is localStorage, use a Custom JavaScript variable.
4. Translate the value to granted/denied. Use a RegEx Table or Custom JavaScript. The output must be exactly granted or denied.
5. Create a consent default tag. Trigger: Consent Initialization - All Pages. Default values according to your legal/regional strategy.
6. Create a consent update tag. It reads the variables and sends update. Ideally both during initialization for a saved choice and on a custom event after the user clicks.
7. After a banner click, send a custom dataLayer event. For example cookie_consent_update, so GTM knows to recalculate consent and release other tags.
8. Test on the same page. The update must arrive on the page where the user clicked, not only after a reload or navigation.

Example of Reading localStorage in GTM

function() {
  try {
    return window.localStorage.getItem('cookie_consent') || '';
  } catch (e) {
    return '';
  }
}

Example of Translating a Value Through a RegEx Table

The input variable may return text, for example analytics:true;marketing:false. The RegEx Table then translates the specific part to granted or denied. With regular expressions, check whether full matches only is enabled if you are working with only part of a longer string.

Default Tag vs. Update Tag

In GTM, default and update are often confused. Default is not "the user's consent". Default is the state that applies before a decision or until you read it. Update is the user's real choice or a saved choice from the past.

If you use a custom template or community consent template, stick to GTM Consent APIs. For custom GTM templates, Google recommends using the Tag Manager-specific API to manage consent states. Direct gtag consent commands can be processed in the queue later than you expect.

How to Send a Custom Event After Clicking the Banner

After saving the decision, a custom banner should send a clear event to the dataLayer. GTM can use it for consent update, explicit page_view, and launching other tags that were waiting for the decision.

window.dataLayer = window.dataLayer || [];
window.dataLayer.push({
  event: 'cookie_consent_update',
  consent_analytics: true,
  consent_marketing: false
});

This event must not arrive before the preference is saved. Otherwise, GTM reads the old value. The order should be: user clicks, banner saves the choice, banner sends a dataLayer event, GTM sends consent update, then linked measurement runs.

Testing Protocol After Publication

A Consent Mode implementation without a testing protocol is not finished. It is not enough to open the website and see that the banner appeared. You must simulate several states and see the correct sequence of events in Tag Assistant.

1. New visitor. Delete cookies/localStorage. Check that the first consent default is denied/granted according to the strategy and that it was created before measurement.
2. Accept all. Click accept all. In Tag Assistant, verify update to granted for the relevant types.
3. Reject all. Click reject all. Verify that non-Google marketing tags do not run and Google tags behave according to the chosen mode.
4. Partial preferences. Allow analytics, reject marketing. Verify that GA4 and advertising pixels respect the difference.
5. Second page. Go to the next page and verify that the saved consent state is set immediately, not only after another click.
6. Conversion. Submit a form, purchase, or other event and verify that the event does not run in the wrong consent state.
7. URL parameters. Arrive on a URL with gclid, wbraid, fbclid, li_fat_id, and UTM. Verify that the website or CMP does not delete them before you can work with them correctly.
8. Change decision. Click the footer link, change preferences, and verify a new update.
9. Embeds. Verify that YouTube/Instagram/maps are not loaded before the corresponding consent.
10. Speed. Measure whether the CMP or banner significantly slows LCP/INP and first interaction.

What to Look for in Tag Assistant

• Earliest Consent event. The default consent state must be visible first.
• Four main parameters. ad_storage, analytics_storage, ad_user_data, and ad_personalization must be set.
• Consent tab on tags. Verify that Google tags read the correct state and non-Google tags have required consent.
• Event order. Default before Google tag, update after click, page_view and conversions according to the strategy.
• Behavior after rejection. Meta/TikTok/LinkedIn must not run if you do not have the corresponding consent.
• Behavior after a change. When the user changes preferences, a new update must be created, not just a visual change in the banner.

When to Use a CMP and When to Use a Custom Banner

For one smaller website with a clear tag plan, a custom banner and manual Consent Mode setup can work well. But you need to know who will maintain the cookie policy, who will add new tags to the right category, and who will periodically check that no script is running outside GTM.

A CMP makes more sense when you have multiple languages, multiple domains, several web teams, legal requirements for detailed consent logs, or you frequently add new marketing tools. Even then, a CMP does not remove the need for a technical audit. It only moves part of management into a specialized tool.

FAQ

Frequently Asked Questions

Do I have to use Cookiebot or another CMP?

Can I just insert the CMP script and be done?

Should Google tags require additional consent?

How should I handle Meta, TikTok, or LinkedIn?

How do I know the update came late?