Google Ads Tags May Fire Without Consent

Google Consent Mode v2 added two ad-related consent signals: `ad_storage` (whether you can use cookies for ad measurement) and `ad_user_data` (whether you can send the user's identifiers to Google). Every Google Ads tag should read these signals before firing. If the tag has no Consent Settings in GTM, it ignores them entirely. When a tag ignores those signals, you ship data from users who explicitly said no. That's the regulatory exposure. The compounding problem is that Google's modelling pipeline (the one that backfills attribution for consent-denied users) assumes the consent-denied hits were tagged as such. Hits that fired without consent metadata can't be backfilled, so you also lose the measurement Google offers as the consolation prize for being compliant. And because the same tag behaves differently across geographies and banner timings, debugging is a moving target. The fix is not the consent banner. The banner records the user's choice; the GTM tag has to read it. If the tag isn't wired to check, the banner can be perfect and the leak continues.

Coloured rows show the configuration AdLint flags.

1. In GTM, open Admin → Container Settings → Consent and turn on "Enable consent overview." That adds a Consent column to the Tags list so you can see at a glance which tags have which requirements.
2. Open every Google Ads Conversion Tracking and Google Ads Remarketing tag. Expand Consent Settings. Tick "Require additional consent for tag to fire" and pick `ad_storage`. If the tag uses Enhanced Conversions, add `ad_user_data` too.
3. Confirm your consent banner sets default consent to denied before any tag loads, and updates consent only after the user picks. If you use a CMP (OneTrust, Cookiebot, etc.), that lives in the CMP config, not GTM.
4. In Preview mode, walk three flows: denied, granted, and "user changed their mind." Confirm Ads tags fire on the granted path and only the granted path.
5. Publish.

Green rows show the corrected state after the fix.