Modern headless commerce sites have the freedom to design bespoke shopping experiences, but that freedom comes with a challenge: there is no native cookie banner or consent framework. When you decouple the front end from Shopify or WordPress and render pages with frameworks such as Hydrogen, Next.js or Nuxt, you also break the built‑in integrations that collect marketing consent and send it to Google’s tags. Meanwhile, new regulations in the European Union/EEA and updated policies from Google mean you must start sending consent signals by March 2024 to keep using Google Ads. Failing to implement the Google Consent Mode v2 specification on your headless store will cause conversion tracking and remarketing to stop working.
This guide explains why standard cookie banner apps fail on headless builds, how Google Consent Mode v2 works, and how to push consent signals from a front‑end Consent Management Platform (CMP) through server‑side Google Tag Manager (GTM). By implementing Consent Mode v2 and server‑side tracking, you can recover lost ad data, stay GDPR compliant and ensure that Google’s modelling features continue working.
Why headless stores need a consent strategy
On a traditional Shopify or WordPress site the platform includes a built‑in cookie banner that collects marketing and analytics consent, writes the status into a cookie, and automatically passes it to the Google tag or Facebook Pixel. In headless architectures the front end is rendered by JavaScript frameworks, and the only connection to Shopify/WooCommerce is via APIs. Without a built‑in cookie banner, merchants often drop in a generic overlay or rely on third‑party scripts. However, these banners typically set cookies only in the client and do not propagate consent signals to Google’s tag or server‑side GTM container. Consequently, Google interprets the absence of a consent signal as a denial and stops storing advertising cookies.
Shopify’s headless framework Hydrogen acknowledges this problem and instructs developers to remove the built‑in Shopify cookie banner and load the Customer Privacy API manually. The documentation recommends wrapping the Hydrogen app in an <Analytics.Provider> component and using hooks such as useCustomerPrivacy to update marketing, analytics and preference consent when the third‑party CMP status changes. Only after you call customerPrivacy.setTrackingConsent() does Shopify send consent states down to its backend. Without this integration, signals from your CMP never reach Shopify or Google and your store remains out of compliance.
What’s new in Google Consent Mode v2?
Google introduced Consent Mode in 2020 as a way to adjust tags based on the user’s consent choices. Version 1 used two signals – ad_storage and analytics_storage – to control whether advertising and analytics cookies could be stored. Consent Mode v2 adds two additional parameters: ad_user_data and ad_personalization. The ad_user_data flag controls whether Google can use user data for remarketing and conversion reporting; the ad_personalization flag controls whether ads can be personalised. Advertisers in the EU and EEA must implement v2 by March 2024 to continue using Google Ads tracking.
Consent Mode operates in two modes:
Basic mode: If the user declines a consent category, tags for that category will not fire at all. This mode provides the highest level of privacy and is required in strictly regulated jurisdictions.
Advanced mode: Tags fire regardless of consent status but adjust their behaviour. When consent is denied they send cookieless pings, which include non‑identifiable data such as timestamp, device type and country. Google uses this aggregated data to model conversions and fill in the measurement gap. Advanced mode is allowed only if local laws permit the collection of anonymised signals, and you must still display a compliant cookie banner.
Merchants need to decide which mode to use based on their markets and risk appetite. Basic mode eliminates data when users decline consent, while advanced mode preserves some measurement at the cost of sending limited data.
How consent mode works with server‑side GTM
When you use server‑side tagging the measurement logic runs inside a GTM server container rather than in the browser. According to Google’s server‑side tagging guide, the flow works as follows: the web container loads a cookie banner and collects consent from the user. The Google tag in the web container forwards the consent parameters (gcs=…) along with event data to the server container. The server container reads the consent parameters and adjusts tag behaviour before sending data to Google products or other endpoints. You only need to set up consent mode in the web container; server‑side tags automatically respect the consent state. This means that when consent is denied in advanced mode, the server container can still send cookieless pings but will not set or read advertising cookies.
Implementing Consent Mode v2 in a headless architecture therefore involves two components:
Client‑side (web container) – A CMP collects the user’s consent and calls
gtag('consent', 'update', { ad_storage: ..., analytics_storage: ..., ad_user_data: ..., ad_personalization: ... }). In Hydrogen you accomplish this via the Customer Privacy API; in headless WordPress you might hook into a plugin like CookieYes to dispatch the consent update on the front end.Server‑side (server container) – The server container receives the event data along with the
gcsstring that encodes consent status. Google tags automatically adapt, but custom tags must read the consent state and decide whether to fire.
This two‑layer setup ensures compliance while preserving as much data as possible. When consent changes in the browser, the updated gcs value is included in subsequent hits and the server container updates its behaviour accordingly.
Why combine consent mode with server‑side tracking?
Running Consent Mode through a server container provides several advantages:
First‑party cookies – Server‑side GTM uses your own domain to set cookies, making them first‑party and more resilient against browser restrictions.
Improved measurement – By sending cookieless pings in advanced mode, you retain aggregated signals that feed Google’s conversion modelling. Taggrs notes that Google’s machine learning models use non‑personal signals such as device type, conversion type and country to estimate conversions when consent is denied. However, Google requires at least 700 ad clicks per week per region to build reliable models.
Centralised consent logic – The server container ensures all tags receive the same consent state. For example, your Google Ads, Google Analytics 4 and Google Tag Manager conversions API all respond consistently, reducing errors and misconfiguration.
Legal compliance – Consent Mode automatically blocks advertising cookies when consent is denied and records the consent denial, which helps demonstrate compliance under GDPR and the Digital Markets Act.
Implementation guide
Below is a high‑level workflow for implementing Google Consent Mode v2 on a custom headless Shopify or WordPress store using server‑side GTM.
1. Choose a consent management platform
Select a CMP that supports Google Consent Mode v2 and can export consent status programmatically. Examples include Cookiebot, Usercentrics and OneTrust. The CMP must run on the client (browser) and expose the user’s choices via JavaScript variables or a callback. In headless Shopify (Hydrogen), remove the built‑in cookie banner and keep consent regions active. Then load the Customer Privacy API with <Analytics.Provider> and call customerPrivacy.setTrackingConsent() whenever the CMP status changes. In headless WordPress you can dispatch gtag('consent', 'update', ...) directly when the CMP resolves.
2. Configure Consent Mode in your web container
In your web GTM container (client side), set up default consent settings. For example:
When the user grants consent via the CMP, call gtag('consent', 'update', ...) with appropriate values (granted or denied) for each parameter. In Hydrogen, use customerPrivacy.setTrackingConsent({ marketing: true, analytics: true, preferences: true }) to update the Shopify privacy API and propagate consent states. The Google tag will automatically include these values in the gcs parameter when sending events to the server container.
3. Send consent state to the server container
To make custom tags aware of consent, create a Consent State variable in your server GTM container that reads the gcs parameter from the incoming request. According to Taggrs, you should configure each server container tag to include the consent state as a parameter and to respect it before firing. For example, if the ad_user_data flag is denied, your server‑side Google Ads tag should avoid sending user identifiers such as gclid or IP address. For non‑Google tags (e.g., Facebook CAPI), you will need to set conditions manually, as they do not automatically integrate with Google Consent Mode.
4. Configure Google tags for basic or advanced mode
In the server container, update your Google Analytics and Ads tags to adopt either basic or advanced consent mode. In basic mode the tag should not fire at all if ad_storage or analytics_storage is denied. In advanced mode it should send cookieless pings by leaving certain fields empty but still recording the event. Stape.io’s guide explains that advanced mode is recommended when local laws allow anonymised signals and when you want to maintain measurement continuity. However, for strictly regulated markets you must use basic mode.
5. Validate and monitor
After implementing, test your setup thoroughly:
Use the Consent Mode debugger (via Chrome DevTools) to verify that the
gcsparameter is included in network requests and reflects the user’s choices.Check the server container logs to ensure tags fire only when appropriate. In advanced mode confirm that events still send non‑identifiable data when consent is denied.
Monitor conversion tracking in Google Ads and GA4. Taggrs notes that Google’s modelling requires a threshold of around 700 ad clicks per seven days, so small stores may not see benefits from advanced mode.
Ensure your cookie banner displays correctly and explains what each consent category covers. Even with server‑side tracking, you must present a compliant banner to the user.
Additional considerations
CMP integration and legal compliance: Consent Mode does not eliminate the need for a proper CMP. You must still display a banner that meets local legal requirements, and you must ensure that user preferences are respected across all tags. MeasureMinds Group warns that collecting data without user consent is illegal in the EU; advanced mode may be used only in non‑regulated markets.
Server‑side data enrichment: While server‑side GTM improves data quality, you should avoid sending personally identifiable information when consent is denied. Only non‑personal signals (device type, time, country, conversion type) should be used for modelling Ensure your implementation does not inadvertently forward user IDs when ad_user_data is denied.
Headless WordPress specifics: For WordPress headless setups, consider using a plugin like WP Consent API to standardise consent states. Use WPGraphQL (if your front end relies on GraphQL) to query the server for marketing consent and trigger gtag updates. When running WPGraphQL behind a caching layer, ensure that consent decisions are not cached across users.
Shopify headless specifics: Shopify’s Customer Privacy API is essential; hook your CMP into useCustomerPrivacy and call setTrackingConsent() accordingly. The API will handle writing ShopifyConsent cookies and passing states to Shopify’s servers, which will then forward them to the Google tag in the web container.
Conclusion
Google’s Consent Mode v2 introduces stricter consent requirements and new parameters (ad_user_data and ad_personalization) that must be implemented by March 2024. For headless Shopify and WordPress stores, off‑the‑shelf cookie banners and client‑side scripts are insufficient; you need to integrate your CMP with the Customer Privacy API or custom gtag calls and implement a server‑side GTM container. By collecting consent in the browser, sending it via the Google tag to the server container, and configuring tags to adapt to the consent state, you protect your marketing data and stay compliant. Combining Consent Mode with server‑side tracking lets you continue measuring conversions through anonymised signals even when users deny consent, provided you respect local laws and implement a compliant cookie banner.
If you’re unsure whether your headless setup meets these requirements, consider auditing your tag implementation. Our team specialises in custom integrations for Shopify and WordPress and can help you implement Consent Mode v2 and server‑side tracking without losing data or breaching regulations.
