ga4audits

TC-019: Consent Mode V2 ad_user_data Parameter Missing

Consent & Privacy8 min readIntermediate

What does missing ad_user_data mean?

A missing ad_user_data parameter in GA4 hits means Consent Mode V1 is implemented but not V2. Since March 2024, V2 has been required for EU/UK Google Ads measurement and remarketing. Without it, those features partially or fully break, EU/UK Google Ads conversion attribution is reduced and remarketing list eligibility is silently disabled for affected users.

Measured impact varies by EU/UK traffic share and consent rejection rate. The fix: add ad_user_data and ad_personalization to both your consent_default and consent_update commands. Verify in DevTools, requests to /collect should include &gcs= AND &gcd= with all four signals encoded.

This page documents the TC-019 audit check, what it means in business terms, and the step-by-step remediation.

What this check does

The TC-019 check runs against every page on your site and inspects the GA4 collect requests for the gcd parameter, the V2-specific consent encoding. It flags as Critical if:

  • Any GA4 collect request lacks the gcd parameter entirely
  • The gcd parameter is present but doesn't include all four consent signals
  • The consent_default command on the page only sets ad_storage and analytics_storage (V1 signals only)

The check runs both on the page-load state and after a simulated banner interaction, to catch implementations where defaults include the V2 signals but updates don't (or vice versa).

Why this happens

Three patterns produce this failure across the properties we audit:

1. Pre-March-2024 implementation never upgraded

Many sites implemented Consent Mode V1 in 2020–2023 and never upgraded when V2 became mandatory in March 2024. The original consent_default command only included ad_storage and analytics_storage:

The implementation continues to function, gcs is set correctly, hits fire, GA4 reports look normal. But Google Ads silently loses access to the V2 consent signals, and EU/UK conversion measurement degrades.

2. CMP supports V2 but isn't configured to send V2 signals

Most major CMPs (Cookiebot, OneTrust, Iubenda, Usercentrics, Termly) now support Consent Mode V2, but the V2 signals often need to be explicitly enabled in the CMP's Google integration settings. We see properties with V2-capable CMPs that ship with V2 toggled off because nobody enabled it during setup.

3. Custom CMP implementation forgot the new signals

Sites using a custom-built consent banner often implement only the original two signals because they followed older documentation. The fix is straightforward but needs deliberate developer time.

How we detect it

The detection method runs in the audit engine's tag layer (Module 02):

  1. Browser-based crawl of representative pages using Playwright with consent default state set to denied
  2. Network interception captures every request to *.google-analytics.com/g/collect and googleads.g.doubleclick.net
  3. Parameter check inspects each request for the presence and content of gcs and gcd
  4. Update simulation triggers the CMP's Accept All event programmatically and re-checks the parameters
  5. Severity classification, gcd missing or incomplete in either state → Critical; gcd present but with wrong signal values → Warning

The check completes in 30 to 90 seconds per page depending on tag-load speed.

How to fix it

The fix is in two places: the consent_default command and the consent_update command. Both must include all four signals.

For gtag.js implementations

For GTM implementations

Open your Consent Initialization tag (the one with priority 100) and update the Custom HTML or Consent Mode template fields to include all four signals in the default state. Then open your Consent Update tag and ensure the same four signals are set from your CMP's dataLayer values.

Need to validate whether consent timing is distorting your GA4 data?

Audit consent setup

If you're using a CMP-provided template (Cookiebot, OneTrust, etc.), the four signals are typically configured via the CMP's tag-template UI rather than custom HTML. Check your CMP's "Consent Mode V2" or "Google Consent Mode integration" settings, there's usually an explicit toggle for V2 signals.

For mobile apps (Firebase)

Android: Firebase Analytics SDK 21.5.0+. iOS: Firebase Apple SDK 10.17.0+. Use setConsent() with all four signals before the first event:

iOS additionally requires App Tracking Transparency (ATT) permission for ad_storage.

How to verify the fix

After deploying:

  1. Open Chrome DevTools on a fresh incognito session
  2. Network tab → filter for `collect`
  3. Inspect the first GA4 collect request
  4. Confirm both `gcs` AND `gcd` are present as URL parameters
  5. Inspect the gcd value, should be in format 11<x>1<y>1<z>1<w>5 where <x><y><z><w> are single characters representing each signal's state
  6. Click Accept All on the banner
  7. Inspect the next collect request, both gcs and gcd should now show granted states (G111 for gcs; gcd characters all changed to granted indicators)

Then verify in the GA4 admin:

  • GA4 Admin → Data Streams → your stream → Configure tag settings → Consent settings
  • Both indicators should show green: "Ads measurement consent signals active" and "Ads personalization consent signals active"

If the GA4 admin still shows red after 24 hours, the signals aren't reaching Google despite what DevTools shows, usually a server-side or sGTM transformation issue stripping them. Check sGTM client transformations.

What this fixes in practice

The business impact of fixing TC-019 is measurable in Google Ads, not GA4:

  • Restored Google Ads conversion attribution for EU/UK traffic. Recovery varies materially by EU/UK traffic share and consent rejection rate, measure your own pre/post-fix delta in Google Ads rather than assuming a fixed range. Holding click volume constant, the fix typically becomes visible within 7 to 14 days.
  • Restored remarketing list eligibility. Users with ad_personalization=granted become eligible for remarketing audiences. Audience growth depends on EU/UK traffic share and CMP design and should be measured directly in Audience Manager.
  • Restored eligibility for conversion modelling. Combined with the other thresholds (1,000 daily ad clicks, Advanced mode, Blended identity, 7-day denied data window), V2 unlocks the modelled-conversion data that fills the consent-denied population gap.
  • Compliance posture. Demonstrates active compliance with Google's V2 requirement, which matters for EU/UK regulator-facing audit trails.

The Google Ads recovery is the easiest to demonstrate to stakeholders. Pull the conversion delta in Google Ads from the 30 days before the fix vs the 30 days after, holding click volume roughly constant. The lift is your TC-019 ROI.

Related checks

These checks frequently fail together, fixing TC-019 often surfaces or fixes them too:

  • TC-018: ad_personalization parameter missing (the other V2 signal, usually missing in the same implementations)
  • TC-005: Uninitialised dataLayer (a precondition that breaks all consent commands)
  • TC-044: GA4 cookies firing before consent (often co-occurs with V1-only implementations)
  • PC-019: Smart Bidding insufficient conversions (downstream effect of broken EU/UK Google Ads measurement)
  • TC-061: PII patterns detected in GA4 requests (often surfaces during V2 audits)

How to use this in a GA4 audit

Use this topic to support a consent audit and privacy-aware measurement review. This article focuses on how consent choices affect measurement, reporting quality, and downstream activation. Treat implementation guidance as measurement support, not legal advice. Where possible, separate API-verified findings, browser-verified findings, and findings that depend on access to linked platforms.

What to verify

  • Verify the default consent state is set before analytics and advertising tags evaluate storage permissions.
  • Verify browser behavior with real banner interactions rather than assuming the CMP template is wired correctly.
  • Separate browser-verified findings from access-dependent checks in GA4, GTM, or ad platform settings.
  • Document where modeled or cookieless behavior may create expected reporting differences.

Known limitations

  • Consent behavior can vary by region, tag setup, and product configuration.
  • Google product behavior and regional requirements can change; confirm the current vendor documentation before rollout.

Before acting on the result

Use the visible evidence behind the finding before changing reporting, bidding, privacy controls, or executive dashboards. GA4 Audits findings should be reviewed by a qualified analyst before major business decisions are made.

Audit findings should be reviewed by a qualified analyst before they are used for major reporting, media, or implementation decisions. Review your findings

GA4 Audits Team

GA4 Audits Team

Analytics Engineering

Specialising in GA4 architecture, consent mode implementation, and multi-layer audit frameworks.

Share

Keep reading

More guides in Consent & Privacy

Internal links should help the reader move deeper into the topic, not just pad the page. These are the next three most relevant reads from the library.

Consent & PrivacyHow to Test Consent Mode V2 in 5 Minutes: A DevTools WalkthroughOpen Chrome DevTools → Network tab → filter for collect → reject all on the cookie banner → confirm GA4 hits still fire with gcs=G100 (denied) and ad_user_data=denied. Then accept all → confirm gcs=G111 (granted). If hits don't fire at all in either state, Consent Mode is misconfigured. If gcs is missing entirely.9 min readConsent & PrivacyGCS Parameter Decoded: What G100, G110, G111 Mean in GA4 HitsThe gcs parameter in GA4 network requests encodes the user's consent state for two of the four Consent Mode signals. Format: G1xy where G1 is constant, x is ad_storage (0=denied, 1=granted), y is analytics_storage (0=denied, 1=granted).7 min readConsent & Privacy'consent_default' vs 'consent_update': Which Comes First in GTMThe consent_default command must fire before any tag, typically as the first script in <head> or as a Consent Initialization tag in GTM with priority 100. The consent_update command fires after the user interacts with the cookie banner.10 min read