Advertising marketing

Google Ads — consent fix

Google Ads scripts (pagead2.googlesyndication.com or googletagservices.com) load before consent. _gcl_au (Google Click ID, 90 days) and IDE (DoubleClick tracking, 13 months) are set. This is the highest-risk category for DPA enforcement.

Domains

  • googlesyndication.com
  • pagead2.googlesyndication.com
  • doubleclick.net
  • googleadservices.com
  • adservice.google.com

Cookies

  • IDE
  • _gcl_au
  • NID

Google Ads scripts (such as pagead2.googlesyndication.com or googletagservices.com) are frequently detected loading before user consent is granted. When this happens, Google sets tracking cookies like _gcl_au (Google Click ID, valid for 90 days) and IDE (DoubleClick tracking, valid for 13 months).

This is a critical GDPR violation. The Dutch DPA (Autoriteit Persoonsgegevens) and other European authorities actively enforce against unauthorized marketing tracking.

Why this happens

Most commonly, this issue occurs when a Google Ads conversion tag or remarketing tag is fired in Google Tag Manager (GTM) on the All Pages trigger, without verifying the user's consent state first. Alternatively, the tag might be hardcoded directly into the website's HTML source code.

Step-by-Step Fix Instructions

If the tag is installed via Google Tag Manager (Recommended)

  1. Enable Consent Mode v2 Ensure your website has Google Consent Mode v2 correctly configured. This means the default consent state must be set to denied for both ad_storage and ad_user_data before any tags fire.

  2. Check Built-in Consent Checks Google Ads tags in GTM have built-in consent checks. Open your Google Ads tag in GTM, go to Advanced Settings > Consent Settings. You should see that it requires ad_storage to be granted.

  3. Verify the Trigger If Consent Mode v2 is properly configured, you can leave the trigger as All Pages or Initialization - All Pages. The tag will fire, but it will only send cookieless (ping) data if consent is denied.

    Alternative approach (Hard block): If you don't use Advanced Consent Mode, add an exception to your trigger: "Consent State — ad_storage = denied".

  4. Verify the CMP Update Call Ensure that when a user accepts marketing cookies in your Cookie Banner (CMP), a gtag('consent', 'update', { ad_storage: 'granted', ... }) event is fired to GTM.

If the tag is hardcoded in the HTML

If you have a <script async src="https://www.googletagmanager.com/gtag/js?id=AW-XXXXX"></script> directly in your HTML:

  1. Move to GTM (Best Practice) Remove the hardcoded script from your website's header and implement it via Google Tag Manager using the official Google Ads tag template.

  2. Implement Consent Mode Default Command If you must keep it hardcoded, ensure the following code appears before the Google Ads script:

    <script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('consent', 'default', {
    'ad_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied',
    'analytics_storage': 'denied'
  });
</script>

Verification

Use the Google Tag Assistant or your browser's Network tab.

  1. Clear your cookies.
  2. Load your website without clicking anything on the cookie banner.
  3. Verify that no requests containing ad_storage: granted or gcs parameter indicating full consent are sent to googleadservices.com.

No CMP yet?

A Cookie Management Platform (CMP) handles consent automatically for Google Ads and other trackers — including the correct GTM integration.

Cookiebot → CookieYes → CookieFirst → Complianz → Borlabs Cookie → Enzuzo → ConsentOS →

Check your own site

Scan your website for free to see if Google Ads (or other trackers) loads before consent.

Start free scan →