Cookie banner vs Google Consent Mode v2: do you need both?

Cookie banner vs Google Consent Mode v2: do you need both?

TL;DR: Yes, you need both, and they're not the same thing. Your cookie banner asks for consent and blocks tracking until it gets it. Google Consent Mode v2 tells Google's tags what the visitor chose. One handles the user, the other handles Google. Neither replaces the other.

This mix-up comes up a lot, so here's the plain version.

What the cookie banner does

It's the part your visitors actually see. It asks for consent, records the choice, and (when it's set up with prior blocking) stops analytics and marketing scripts from running until they agree. Under the GDPR and the ePrivacy rules, this is the piece that keeps you aligned: asking first, and honoring a no.

What Google Consent Mode v2 does

Consent Mode has no banner and asks the visitor nothing. It's a bridge. It takes the consent choice your banner collected and passes it to Google's tags (Google Analytics, Google Ads) through four signals: ad_storage, analytics_storage, ad_user_data, and ad_personalization. When consent is denied, Google's tags load in a limited, cookieless mode rather than not firing at all, and Google can model some of the conversions you'd otherwise lose.

So why both?

- Consent Mode without a banner: you're not actually asking anyone or blocking anything, so you're not covered. Consent Mode has no interface of its own.

- Banner without Consent Mode: you're fine on the consent side, but your Google tags don't know the visitor's choice, you lose the modeled data, and since March 2024 Google requires Consent Mode v2 for advertisers using personalization or audience features with EEA/UK traffic.

Put simply: the banner gets the consent, Consent Mode delivers it to Google. Together they keep you asking properly and keep your measurement working.

How this looks with iubenda

Our Privacy Controls & Cookie Solution is the banner: it collects and records consent and blocks scripts until then. It also implements Consent Mode v2, so the choice is passed to Google automatically, without custom code.

Setup guide: https://www.iubenda.com/en/help/27137-google-consent-mode-2/

Were you under the impression one replaced the other? Curious how many people were told they only needed Consent Mode.

u/iubenda_team — 4 days ago
▲ 0 r/gdpr

What counts as valid consent under the GDPR (and what doesn't)

Under the GDPR, consent only counts if it's freely given, specific, informed, and unambiguous, given by a clear affirmative action. Pre-ticked boxes, "by using this site you agree," and bundled all-or-nothing consent don't count. You also have to make withdrawing as easy as giving it, and be able to prove you got it.

Consent is one of the most misunderstood parts of the General Data Protection Regulation (GDPR), so here's the plain version. It comes straight from Article 4(11) and Article 7 of the regulation, plus the EDPB Guidelines 05/2020 on consent.

The four things consent has to be

- Freely given. The person needs a real choice, with no penalty for saying no. If access to your service is conditional on consent you don't actually need, it isn't free.

- Specific. One purpose, one consent. You can't collect a single yes and apply it to analytics, advertising, and profiling all at once. Each purpose gets its own option.

- Informed. Before they decide, people need to know who you are, what data you're collecting, why, and that they can withdraw at any time. Plain language, not buried in legalese.

- Unambiguous. It has to be a clear, affirmative action: ticking an unchecked box, flipping a toggle, clicking "accept." Silence or a pre-filled setting isn't agreement.

What doesn't count as consent

- Pre-ticked boxes or default-on toggles. The CJEU settled this in the Planet49 ruling.

- "By continuing to browse, you agree." Scrolling and continued use aren't consent.

- Bundling everything into one accept button with no way to refuse the non-essential stuff.

- Consent hidden inside your terms and conditions.

- Silence, inactivity, or a box the user never interacted with.

Two things people forget

- Withdrawal has to be as easy as giving consent (Article 7(3)). If it took one click to accept, it shouldn't take an email and three business days to undo.

- You have to be able to prove it (Article 7(1)). If a regulator asks, you need a record of who consented, to what, and when. A banner that collects consent but logs nothing leaves you exposed.

This is general information, not legal advice. If you're working through a specific setup, your DPO or legal team is the right call.

What trips you up most with consent on your own sites? Happy to dig into specifics in the comments.

reddit.com
u/iubenda_team — 7 days ago

What counts as valid consent under the GDPR (and what doesn't)

Under the GDPR, consent only counts if it's freely given, specific, informed, and unambiguous, given by a clear affirmative action. Pre-ticked boxes, "by using this site you agree," and bundled all-or-nothing consent don't count. You also have to make withdrawing as easy as giving it, and be able to prove you got it.

Consent is one of the most misunderstood parts of the General Data Protection Regulation (GDPR), so here's the plain version. It comes straight from Article 4(11) and Article 7 of the regulation, plus the EDPB Guidelines 05/2020 on consent.

The four things consent has to be

- Freely given. The person needs a real choice, with no penalty for saying no. If access to your service is conditional on consent you don't actually need, it isn't free.

- Specific. One purpose, one consent. You can't collect a single yes and apply it to analytics, advertising, and profiling all at once. Each purpose gets its own option.

- Informed. Before they decide, people need to know who you are, what data you're collecting, why, and that they can withdraw at any time. Plain language, not buried in legalese.

- Unambiguous. It has to be a clear, affirmative action: ticking an unchecked box, flipping a toggle, clicking "accept." Silence or a pre-filled setting isn't agreement.

What doesn't count as consent

- Pre-ticked boxes or default-on toggles. The CJEU settled this in the Planet49 ruling.

- "By continuing to browse, you agree." Scrolling and continued use aren't consent.

- Bundling everything into one accept button with no way to refuse the non-essential stuff.

- Consent hidden inside your terms and conditions.

- Silence, inactivity, or a box the user never interacted with.

Two things people forget

- Withdrawal has to be as easy as giving consent (Article 7(3)). If it took one click to accept, it shouldn't take an email and three business days to undo.

- You have to be able to prove it (Article 7(1)). If a regulator asks, you need a record of who consented, to what, and when. A banner that collects consent but logs nothing leaves you exposed.

That last point is where a lot of otherwise-careful setups fall down. On the iubenda side, our Privacy Controls & Cookie Solution collects consent through the banner and keeps the timestamped record, so you can actually show what was agreed to. If you want to go deeper on what the cookie law and the GDPR actually require, this breaks it down: Cookies and the GDPR: what's really required. The principles above hold no matter what you use to implement them.

This is general information, not legal advice. If you're working through a specific setup, your DPO or legal team is the right call.

What trips you up most with consent on your own sites? Happy to dig into specifics in the comments.

reddit.com
u/iubenda_team — 8 days ago

Email open tracking feels like the next privacy fight

Most people know websites use cookies and trackers, but email tracking still feels less visible.

A lot of marketing emails include a tiny hidden image that loads when the email is opened. Depending on the setup, that can send back things like the open event, timestamp, IP address, device/client info, and a unique identifier tied to the recipient.

That makes “open rate” less harmless than it sounds.

The Italian Garante has now taken the position that if this kind of email tracking can be tied back to an individual recipient, it should be treated much more like cookie-style tracking and require prior consent.

From a privacy point of view, this raises a pretty basic question:

Should opening an email count as a trackable action unless the person has clearly agreed to it?

A more privacy-respecting setup would make email tracking clear and optional, with a way to receive the email without individualized open tracking.

reddit.com
u/iubenda_team — 12 days ago

Email open tracking feels like the next privacy fight

Most people know websites use cookies and trackers, but email tracking still feels less visible.

A lot of marketing emails include a tiny hidden image that loads when the email is opened. Depending on the setup, that can send back things like the open event, timestamp, IP address, device/client info, and a unique identifier tied to the recipient.

That makes “open rate” less harmless than it sounds.

The Italian Garante has now taken the position that if this kind of email tracking can be tied back to an individual recipient, it should be treated much more like cookie-style tracking and require prior consent.

From a privacy point of view, this raises a pretty basic question:

Should opening an email count as a trackable action unless the person has clearly agreed to it?

A more privacy-respecting setup would make email tracking clear and optional, with a way to receive the email without individualized open tracking.

reddit.com
u/iubenda_team — 12 days ago

WooCommerce stores: the EU online withdrawal function is now something to check

If you run a WooCommerce store selling to EU consumers, the online withdrawal function under EU Directive 2023/2673 is now something to check.

People sometimes call it the “EU withdrawal button,” but it’s not only about adding a button. Where the right of withdrawal applies, customers need a clear online way to submit a withdrawal request.

For WooCommerce, the practical checks are:

can customers find the withdrawal option easily?
does the request reach the right support/refund/order workflow?
does the customer receive confirmation, usually by email?
do your Terms and Conditions explain the process correctly?
are exceptions handled clearly for custom goods, digital products, subscriptions, or services?

So the check is pretty simple: can a customer submit the withdrawal request online, get confirmation, and have that request handled properly by the store?

reddit.com
u/iubenda_team — 13 days ago

Online withdrawal function: what EU Directive 2023/2673 means for e-commerce, SaaS, and online B2C contracts

As of 19 June 2026, EU Directive 2023/2673 introduces a new requirement for many businesses selling to consumers online in the EU: an easy-to-find online withdrawal function.

In practice, this is often called the EU withdrawal button.

The idea is simple: if a consumer can enter into a contract online, they should also have a clear digital way to withdraw from it during the withdrawal period.

This can matter for:

e-commerce stores
SaaS products
hosting and domain services
website builders
digital products or services
mixed B2B/B2C platforms
online subscriptions

A few things businesses should check:

  • Does the right of withdrawal apply to the contract?

Some products or services may be exempt, but many B2C distance contracts are in scope.

  • Is the withdrawal function clearly accessible?

It should not be hidden in a PDF, buried in support pages, or dependent on the user keeping an old email.

  • Does the flow include confirmation?

The user should be able to submit the withdrawal request and receive an acknowledgment on a durable medium, such as email.

  • Are the Terms and Conditions updated?

Your T&Cs should explain that the online withdrawal function exists and how users can access it.

  • Is the process connected to operations?

The withdrawal flow should connect with your order, subscription, refund, or customer support process.

At iubenda, we’ve updated our Terms and Conditions Generator with wording for the new online withdrawal function requirement, including the right of withdrawal, the model withdrawal form, electronic submission, and the dedicated online withdrawal function.

Full guide here:
https://www.iubenda.com/en/blog/online-withdrawal-function-eu-directive-2023-2673/

Are you adding a dedicated withdrawal button, adapting an existing cancellation flow, or waiting for your e-commerce/SaaS platform to provide a built-in solution?

u/iubenda_team — 13 days ago

How to check if your cookie banner is actually blocking scripts before consent

A cookie banner can look fine on the surface and still fail at the technical level.

This is one of the biggest gaps with many cookie consent popup examples: the banner appears, the buttons work, the design looks compliant, but analytics, pixels, or third-party scripts are already firing before the user makes a choice.

The quick test:

1. Open the site in a fresh incognito/private window

Don’t click the cookie banner yet.

2. Open DevTools

Check both:

  • Application / Storage / Cookies
  • Network tab

3. Look for non-essential cookies or requests before consent

Common things to check:

  • Google Analytics / GA4
  • Meta Pixel
  • TikTok Pixel
  • LinkedIn Insight Tag
  • Hotjar
  • embedded videos or maps
  • chat widgets
  • ad scripts
  • GTM-triggered tags

4. Click “Reject” and test again

Rejecting should not trigger marketing or analytics scripts.

5. Click “Accept” and confirm behavior changes

Only after consent should non-essential scripts start loading.

The important point: a cookie consent popup is not enough by itself. The real test is whether scripts are blocked before consent and released only after the right choice.

Useful reference on prior blocking / automatic blocking: Prior Blocking of Cookies: Automatic Blocking (auto-blocking)

Curious how others test this. Do you usually check cookies only, or do you also inspect network requests and tag behavior?

u/iubenda_team — 21 days ago
▲ 9 r/MarketingAutomation+1 crossposts

Italian Garante guidance on email tracking pixels: what should email teams review now?

The Italian Garante has published guidance on the use of tracking pixels in emails, and it’s worth paying attention to if you rely on open tracking or behavioral email data.

The key practical point: when a tracking pixel can be linked to an individual recipient, it should not be treated as simple anonymous analytics.

For email teams, I’d be reviewing things like:

  1. which newsletters or automations include tracking pixels
  2. whether open tracking is connected to individual profiles or segmentation
  3. whether users are clearly informed about email tracking
  4. whether consent is collected in a specific enough way
  5. whether users can refuse tracking without unsubscribing completely
  6. whether consent records are stored and easy to prove later
  7. whether there’s a no-tracking version for users who don’t consent

There are narrower cases where pixels may be used for technical or service-related purposes, but marketing, profiling, and behavioral tracking deserve a closer look.

Curious how email teams are preparing for this.

Are you changing consent flows, disabling open tracking, waiting for ESP updates, or treating this as an Italy-specific issue for now?

reddit.com
u/iubenda_team — 27 days ago
▲ 3 r/iubenda+1 crossposts

Does your website need a cookie banner? The answer depends on these 3 things

A question that comes up a lot around cookie banner requirements: does every website need a cookie banner?

Not always. If your site only uses cookies that are strictly necessary for the service to work, you usually don’t need consent just for those.

But the answer depends on 3 things:

1. What cookies or scripts are actually running

Login/session cookies, security cookies, or cart cookies are different from analytics, ads, pixels, embedded videos, maps, chat widgets, or other third-party tools.

2. Whether anything non-essential loads before consent

A banner is not very useful if analytics or marketing scripts are already firing before the user makes a choice.

3. Whether users are clearly informed

Even when consent is not required for strictly necessary cookies, it’s still good practice to explain what is used in your Cookie Policy or Privacy/Cookie Policy.

The practical first step is simple: check what your site actually loads before deciding what banner or consent setup you need.

🎥 Here’s a quick video on how to check cookies on your site: How to identify the Cookies installed on your website (Video Guide)

Useful reference: Which data can be safely stored in cookies without having to request consent?

Do you add a banner anyway for transparency, or only when non-essential cookies/scripts are involved?

u/iubenda_team — 27 days ago

How do you test if a cookie banner is actually blocking scripts before consent?

A cookie banner can look fine on the surface, but that doesn't always mean consent is working properly underneath.

One quick check we usually recommend:

  1. Open the site in an incognito/private window
  2. Don't click the cookie banner
  3. Open DevTools and check the Network tab
  4. Look for analytics, ads, pixels, embeds, or third-party scripts firing before consent
  5. Then accept or reject and check whether tag behavior actually changes

The important part isn't just whether the banner appears. It's whether non-essential scripts are blocked before consent, and whether consent choices are reflected in tools like GTM or Google Consent Mode.

Curious how others are testing this in practice.

Are you using DevTools, GTM Preview, GA4 DebugView, a scanner, or something else?

reddit.com
u/iubenda_team — 1 month ago

Welcome to r/iubenda: privacy, consent, and compliance in practice

Hey everyone! We’re u/iubenda_team, the team behind r/iubenda and one of the founding moderators here.

Welcome to r/iubenda, a community for practical conversations around data privacy, cookie consent, consent management, and compliance implementation.

This is a place to discuss topics like:

  • GDPR, CCPA/CPRA, LGPD and other privacy laws
  • cookie banners and consent management platforms
  • Google Consent Mode v2
  • GTM, WordPress, Shopify, Webflow and app integrations
  • privacy policies, cookie policies and Terms & Conditions
  • Complianz by iubenda
  • real-world privacy and consent challenges

What to post

Share questions, experiences, ideas, implementation tips, interesting privacy news, or things you’re seeing in the market.

A few examples of topics that fit well here:

Google Consent Mode v2 setups, cookie banner implementation, WordPress/GTM consent workflows, privacy policy questions, and real-world GDPR or CCPA compliance challenges.

A quick note on support

This community is not meant to replace official iubenda support.

If you have an account-specific issue, billing question, private configuration problem, or urgent product support request, the fastest and safest path is still to contact iubenda support directly.

That said, general questions, implementation discussions, and shared learnings are very welcome here.

Community vibe

Helpful, practical, constructive.

We want this to be a useful space for developers, marketers, founders, agencies, privacy teams, and anyone working on consent and privacy compliance.

Introduce yourself, share what you’re working on, or post a question. Even a small implementation detail can start a useful discussion.

Thanks for being here, and welcome to r/iubenda.

reddit.com
u/iubenda_team — 2 months ago