Cookie consent in 2026: what changed and what site owners need to do
Google Consent Mode v2, IAB TCF v2.2, and the EU's Digital Markets Act all hit production in the last 18 months. Here's what site operators actually need to ship to stay compliant — and keep AdSense revenue.
If you operate a website that shows ads, runs analytics, or serves users in the EEA, the ground shifted in 2024–2025 and a lot of small operators never got the memo. This post is the practical TL;DR: what changed, why it matters, and what to actually deploy.
We just shipped this stack on stax.tools, so the examples are concrete, not theoretical.
What changed (the short version)
Three rules took effect at roughly the same time:
Google Consent Mode v2 (mandatory March 2024). Google now requires advertisers and publishers using AdSense, Google Ads, or Google Analytics to send four explicit consent signals — ad_storage, ad_user_data, ad_personalization, analytics_storage — before personalised ads or full analytics fire for users in EEA, the UK, or Switzerland.
IAB TCF v2.2 (mandatory May 2024). The IAB's Transparency and Consent Framework moved to v2.2, which removed "legitimate interest" as a basis for advertising for most purposes and tightened the "withdraw consent" UX requirement. If you're using a CMP (Consent Management Platform) that broadcasts a TCF string, it must be v2.2-certified.
Google's certified-CMP requirement (mandatory January 16, 2024). Sites running Google Ads/AdSense for EEA traffic must integrate a Google-certified CMP — either Google's own (free, built into AdSense as Funding Choices), or one of the certified third parties (Cookiebot, OneTrust, CookieYes, Iubenda, etc.).
Miss any of these and the consequences range from "AdSense quietly serves only non-personalised ads" (revenue cut by 40–60%) to "AdSense application gets rejected" to "GDPR enforcement action with a fine up to 4% of global revenue."
What you actually need to ship
Six pieces, in priority order:
1. A CMP that fires before any tracking script
Whether you use Google's free CMP or a third-party one, the banner must appear on first visit, before GA, AdSense, Pixel, or anything else gets a chance to set cookies. The classic mistake is loading GA in <head> and the banner in <body> — by the time the user clicks Decline, GA has already set _ga cookies.
The fix is the next item.
2. Consent Mode v2 defaults set BEFORE GA loads
This is the technical kernel of compliance. Before any analytics or ad library loads, you push consent defaults to dataLayer:
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag() { dataLayer.push(arguments); }
  gtag('consent', 'default', {
    'ad_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied',
    'analytics_storage': 'denied',
    'functionality_storage': 'granted',
    'personalization_storage': 'granted',
    'security_storage': 'granted',
    'wait_for_update': 500
  });
</script>
wait_for_update: 500 tells GA to hold sending data for 500ms so the user's Accept click can upgrade signals before the first measurement ping. This is the critical detail most tutorials miss.
When the user accepts, your CMP (or your custom code) calls:
gtag('consent', 'update', {
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted',
  'analytics_storage': 'granted'
});
GA, AdSense, and DV360 all listen for these signals and adjust behaviour. With denied, GA sends a privacy-safe "cookieless ping" (URL, country, time) that lets it model the missing data without setting any cookies — you don't lose all your data, you lose the personally-identifying parts.
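One way to check the ordering described above is to audit a dataLayer snapshot for measurement commands that ran before the consent default. This is an added example, not code from stax.tools; the function names, the sample layers and the G-EXAMPLE ID are constructed for illustration.

```javascript
const REQUIRED_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];
const MEASUREMENT_COMMANDS = new Set(['js', 'config', 'event']);

// Returns { ok, findings } for a dataLayer array of gtag() entries.
function auditConsentOrder(dataLayer) {
  const findings = [];
  let defaultIndex = -1;
  Array.from(dataLayer).forEach((entry, index) => {
    // gtag() pushes its `arguments` object, so normalise array-likes to arrays.
    const [command, action, params] = Array.from(entry ?? []);
    if (defaultIndex !== -1) return; // only entries before the first default matter
    if (command === 'consent' && action === 'default') {
      defaultIndex = index;
      for (const signal of REQUIRED_SIGNALS) {
        const value = (params || {})[signal];
        if (value !== 'denied') {
          findings.push(`default: ${signal} is ${value ?? 'missing'}, expected denied`);
        }
      }
    } else if (command === 'consent' && action === 'update') {
      findings.push(`entry ${index}: consent update pushed before any default`);
    } else if (MEASUREMENT_COMMANDS.has(command)) {
      findings.push(`entry ${index}: '${command}' pushed before consent default`);
    }
  });
  if (defaultIndex === -1) findings.push('no consent default found');
  return { ok: findings.length === 0, findings };
}

// Constructed samples: gtag() calls recorded the way gtag.js stores them.
function recordCalls(...calls) {
  const layer = [];
  function gtag() { layer.push(arguments); }
  calls.forEach((args) => gtag(...args));
  return layer;
}
const allDenied = Object.fromEntries(REQUIRED_SIGNALS.map((s) => [s, 'denied']));
const GOOD_LAYER = recordCalls(
  ['consent', 'default', allDenied], ['js', new Date()], ['config', 'G-EXAMPLE']);
// Library loaded first, and the default omits ad_user_data.
const BAD_LAYER = recordCalls(
  ['js', new Date()], ['config', 'G-EXAMPLE'],
  ['consent', 'default', { ad_storage: 'denied', ad_personalization: 'denied', analytics_storage: 'denied' }]);
```

On a live page, run `auditConsentOrder(window.dataLayer)` in the browser console right after load and before interacting with the banner.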
3. A Reject-all button at the same level as Accept
The CNIL (France's data authority) fined Google €150 million in 2022 specifically because rejecting cookies took more clicks than accepting them. This pattern — Accept big and visible, Reject buried under "Manage options" — is now treated as a dark pattern under GDPR.
If you're using Google's CMP, choose the 3-button variant (Consent / Do not consent / Manage options), not the 2-button. Most third-party CMPs default to the 3-button layout already.
4. A privacy policy that actually names what you do
AdSense reviewers literally check that your privacy page mentions:
- "Google AdSense" by name
- Third-party vendor cookies for personalised advertising
- A link to Google Ad Settings for opt-out
- A link to aboutads.info (US) or youronlinechoices.com (EU)
- A description of Consent Mode behaviour at each consent state
A vague "we use cookies for analytics" isn't enough anymore.
5. A cookie table (helpful but not strictly required)
GDPR's transparency principle means listing the cookies you set, what they do, and how long they live. Plugins like AIOSEO and Cookiebot generate this automatically. If you write your own privacy page, a small HTML table covering _ga, _clck, __gads, your consent storage cookie, and your locale cookie is enough.
6. A way to withdraw consent
Once consent is given, users have the right to revoke it. Practically, this means either:
- Re-showing the CMP banner if the user clicks a "Manage cookies" link, OR
- Letting them clear browser storage for your site (which makes consent default back to denied next visit).
Option 2 is what most CMP-free sites do; if you've adopted Google's CMP, it provides the manage-link UX automatically.
What this looks like in production
On stax.tools, the wiring is:
- Consent default script in the HTML head with strategy="beforeInteractive" so Consent Mode v2 signals are denied before any GA library loads.
- Cookie banner component updates the gtag signals to granted on Accept, and writes the choice to localStorage so returning visitors don't see the banner again.
- ClarityInit component reads the same localStorage flag and calls clarity.consent(boolean) so Microsoft Clarity also respects the choice.
- Google's CMP layered on top for EEA visitors, providing the certified TCF v2.2 integration AdSense requires.
- Privacy page with the full disclosure block (AdSense by name, opt-out links, cookie table, Consent Mode description).
Total code added: roughly 80 lines of JavaScript and a 200-line privacy page. Total third-party SaaS bills: $0 (Google's CMP is free).
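A sketch of the banner-side logic in the wiring above, covering the stored choice, returning visitors and withdrawal. This is an added example, not the stax.tools code; the storage key, function names and listener hook are hypothetical, and any stored value other than an exact 'granted' or 'denied' is treated as no choice.

```javascript
const STORAGE_KEY = 'consent_choice'; // hypothetical key name
const CONSENT_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Map a choice to the four Consent Mode v2 signals; anything but 'granted' is denied.
function signalsFor(choice) {
  const value = choice === 'granted' ? 'granted' : 'denied';
  return Object.fromEntries(CONSENT_SIGNALS.map((signal) => [signal, value]));
}

// storage: localStorage-like object; gtag: the page's gtag function;
// listeners: callbacks that receive true/false (e.g. a session-replay consent hook).
function createConsentManager({ storage, gtag, listeners = [] }) {
  function apply(choice) {
    gtag('consent', 'update', signalsFor(choice));
    listeners.forEach((notify) => notify(choice === 'granted'));
  }
  function record(choice) {
    storage.setItem(STORAGE_KEY, choice);
    apply(choice);
  }
  return {
    // Run on each page load after the consent default script. Returns null when the
    // banner must be shown: no stored choice, or a value that is not exactly valid.
    restore() {
      const saved = storage.getItem(STORAGE_KEY);
      if (saved !== 'granted' && saved !== 'denied') return null;
      apply(saved);
      return saved;
    },
    accept: () => record('granted'),
    reject: () => record('denied'),
    // "Manage cookies" link: forget the choice and downgrade every signal immediately.
    withdraw() {
      storage.removeItem(STORAGE_KEY);
      apply('denied');
    },
  };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function createMemoryStorage() {
  const items = new Map();
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => items.set(key, String(value)),
    removeItem: (key) => items.delete(key),
  };
}
```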
Compliance is a moving target
The rules will change again. The EU's Digital Markets Act tightened in 2025; the UK is finalising post-Brexit cookie rules; California passed CPRA enforcement that broadens "sensitive personal information." The good news: Consent Mode v2 + a certified CMP gets you ~90% of the way to whatever the next iteration looks like, because all of these regimes converge on the same primitives: explicit signals, named purposes, easy revocation, no dark patterns.
Ship the six items above and you're in good shape for both the regulator's auditor and Google's reviewer.
— Want a tool to test the cookies on your site? Try our cookie consent inspector (third-party), or check our consent banner code on stax.tools (open source forthcoming).