Understanding Consent Settings for GDPR and US Opt-Out
Important Note: This document is for informational purposes only and should not be considered legal advice.
Overview
Follow this guide to learn more about consent settings, the importance of proper configuration, and the key differences between GDPR and US opt-out consent settings.
Importance of Consent Settings
Ensuring that your business follows the correct legal practices for user consent is essential to staying compliant with data privacy laws. Different regions have different requirements, and configuring the wrong consent settings exposes you to legal risk and potential fines.
Beyond legal compliance, incorrect consent settings have a direct impact on marketing and analytics performance. If your website is configured with consent settings that are stricter than your region requires, you may inadvertently block data from being sent to platforms like Google Analytics 4, leading to inaccurate tracking and incomplete reports.
By understanding and properly configuring your consent settings, you can ensure both legal compliance and accurate data collection.
Elevar and Google Consent Mode Integration:
Elevar works with consent providers that integrate with Google Consent Mode (GCM) to make Google Tag Manager and server-side tracking consent-aware. When a user provides or denies consent, GCM adjusts data collection accordingly, ensuring compliance with privacy laws while preserving as much tracking data as allowed.
Elevar ensures that GTM and server-side tracking process data only when the relevant consent type is granted. If a user denies consent, GCM adjusts tracking behavior dynamically, collecting data in a cookieless or modeled form where Google supports it instead of dropping it entirely. Elevar's direct integration with Shopify sends order data to marketing platforms, but only when the user's consent state allows it. Read this article to learn more about Consent Mode and how to enable it.
Best Practices for Consent Configuration:
- Determine Compliance Requirements: Identify whether your business is subject to GDPR, US state laws like CCPA, or industry-specific regulations.
- Verify Current Consent Configuration: Check your consent management platform (e.g., OneTrust) to confirm whether you are using an opt-in (GDPR) or opt-out (US CCPA-style) model. Using the wrong setting can block valuable data from being collected.
- Adjust Settings for Accurate Tracking: If your business is primarily US-based, switching to the US Opt-Out model can prevent excessive data restrictions and improve marketing analytics while maintaining compliance.
- Regularly Monitor Consent Settings: Privacy regulations are evolving, so it’s important to periodically review and update your settings to align with the latest legal requirements.
Google Consent Mode (GCM)
Google Consent Mode supports different consent types to determine how data is collected and used across various marketing channels. Businesses must align these categories with their data collection policies to ensure compliance and optimize data collection.
Google Tag Manager Consent Types:
- ad_storage: Enables storage (such as cookies) related to advertising.
- ad_user_data: Sets consent for sending user data related to advertising to Google. The ad_user_data consent type is required for measurement use cases, such as enhanced conversions and tag-based conversion tracking.
- ad_personalization: Sets consent for personalized advertising.
- analytics_storage: Enables storage (such as cookies) related to analytics e.g. visit duration.
- functionality_storage: Enables storage that supports the functionality of the website or app e.g. language settings.
- personalization_storage: Enables storage related to personalization e.g. video recommendations.
- security_storage: Enables storage related to security such as authentication functionality, fraud prevention, and other user protection.
Learn More: GTM Consent Types
Read this article to learn more about Google Tag Manager Consent Types.
Europe (GDPR)
Understanding GDPR Consent Opt-In:
The General Data Protection Regulation (GDPR) applies to any business processing the personal data of individuals in the EU/EEA, regardless of where the business is located (it protects people in the Union, not only EU citizens). For marketing and analytics tracking, it requires explicit "opt-in" consent before non-essential cookies are set or personal data is processed for those purposes.
Key GDPR Requirements:
- Explicit opt-in required where users must actively agree to data collection. Pre-checked boxes or implied consent are not valid.
- Consent must be freely given, specific, informed, and unambiguous.
- Users must have the right to withdraw consent easily at any time.
GCM Default State for GDPR:
Since GDPR follows an opt-in model, the GCM default state must be set to denied for every consent type except strictly necessary storage, and it stays denied until the user explicitly grants it. This approach ensures compliance with EU privacy law but limits the scope of data collection until consent is given.
Learn More: GDPR Data Protection Law
Read this article to learn more about General Data Protection Regulation (GDPR).
United States
Understanding US Consent Opt-Out (Common Standard):
The United States does not have a comprehensive federal privacy law comparable to GDPR; instead it relies on state-specific regulations such as the California Consumer Privacy Act (CCPA). Most US state privacy laws operate under an opt-out model, meaning businesses can collect data by default unless a user actively opts out.
Key US Privacy Requirements:
- Opt-out is the default where data collection is permitted unless the user opts out.
- Some sensitive data (e.g., financial or healthcare data) may require opt-in under sector-specific laws (e.g., HIPAA, GLBA).
- Newer state privacy laws are moving closer to GDPR, for example by requiring opt-in consent for sensitive data and by requiring businesses to honor browser-level opt-out preference signals such as Global Privacy Control (GPC).
GCM Default State for the US:
Since the US follows an opt-out model, the GCM default state for US visitors is normally configured as granted, so data collection is unaffected unless the user actively opts out. This retains more data for marketing and analytics. Two caveats: the default must be scoped to US regions (otherwise EU visitors inherit a granted default), and an opt-out, whether clicked in the banner or signaled by GPC, must be applied to the ad-related consent types before further tags fire.
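The following is an added example, not Elevar's or Google's own code, that ties together the seven GTM consent types listed above with the two default states described for GDPR and the US. It uses the real gtag consent command shape (gtag('consent', 'default' | 'update', {...}) with a region array of ISO 3166 codes), but the resolver and audit functions are a small model written for illustration; the assumption is that you run exactly two models, a fail-closed opt-in default for everyone and a granted opt-out default for US visitors.

```javascript
'use strict';

// The seven consent types Google Tag Manager understands.
const CONSENT_TYPES = [
  'ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage',
  'functionality_storage', 'personalization_storage', 'security_storage',
];

// Standard gtag shim: every command is pushed onto the dataLayer array for GTM to read.
// `layer` is passed explicitly here so the example can be run against a fresh array.
function makeGtag(layer) {
  return function gtag() { layer.push(Array.from(arguments)); };
}

// Defaults must be pushed before the GTM container snippet loads, or tags fire first.
function installDefaults(layer) {
  const gtag = makeGtag(layer);
  const allDenied = Object.fromEntries(CONSENT_TYPES.map(t => [t, 'denied']));
  const allGranted = Object.fromEntries(CONSENT_TYPES.map(t => [t, 'granted']));
  // Unscoped fallback: GDPR-style opt-in, everything denied except strictly necessary
  // security storage. An unknown region therefore fails closed. wait_for_update gives the
  // consent banner 500 ms to push an update before tags run.
  gtag('consent', 'default', { ...allDenied, security_storage: 'granted', wait_for_update: 500 });
  // US opt-out model: granted until the user (or an opt-out signal) says otherwise.
  gtag('consent', 'default', { ...allGranted, region: ['US'] });
}

// Honor an opt-out signal (e.g. Global Privacy Control) under the US model: the visitor
// is treated as having opted out of ad-related processing; analytics stays as configured.
function applyOptOutSignal(layer, gpcEnabled) {
  if (!gpcEnabled) return;
  makeGtag(layer)('consent', 'update', {
    ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied',
  });
}

// Resolve the consent state GTM would see for a visitor in `region` ('DE', 'US', 'US-CA').
// Precedence modelled on Google's documentation: a region-scoped default beats the
// unscoped one, the most specific matching region wins, and 'update' overrides any default.
function effectiveConsent(layer, region) {
  const state = {};
  const specificity = {};
  for (const cmd of layer) {
    if (cmd[0] !== 'consent') continue;
    const action = cmd[1];
    const params = cmd[2] || {};
    const values = Object.fromEntries(
      Object.entries(params).filter(([k]) => CONSENT_TYPES.includes(k)));
    if (action === 'default') {
      const regions = params.region || [];
      let score = 0;
      if (regions.length) {
        const match = regions
          .filter(r => region === r || region.startsWith(r + '-'))
          .sort((a, b) => b.length - a.length)[0];
        if (!match) continue;          // default does not apply to this visitor
        score = match.length;           // 'US-CA' (5) is more specific than 'US' (2)
      }
      for (const [k, v] of Object.entries(values)) {
        const prev = specificity[k] === undefined ? -1 : specificity[k];
        if (prev <= score) { state[k] = v; specificity[k] = score; }
      }
    } else if (action === 'update') {
      for (const [k, v] of Object.entries(values)) {
        state[k] = v;
        specificity[k] = Infinity;      // a later default must never undo an update
      }
    }
  }
  return state;
}

// Sanity checks a practitioner wants before shipping: a default that omits a type lets
// tags fire as if it were granted, and an update before any default means tags may
// already have fired with no consent state at all.
function auditConsentLayer(layer) {
  const issues = [];
  let sawDefault = false;
  layer.forEach((cmd, i) => {
    if (cmd[0] !== 'consent') return;
    const action = cmd[1];
    const params = cmd[2] || {};
    if (action === 'default') {
      sawDefault = true;
      const missing = CONSENT_TYPES.filter(t => !(t in params));
      if (missing.length) issues.push(`dataLayer[${i}]: default omits ${missing.join(', ')}`);
    } else if (action === 'update' && !sawDefault) {
      issues.push(`dataLayer[${i}]: update pushed before any default`);
    }
  });
  return issues;
}

// Stand-alone run: show what a German and a Californian visitor get.
const demoLayer = [];
installDefaults(demoLayer);
applyOptOutSignal(demoLayer, true);
console.log('DE   ', effectiveConsent(demoLayer, 'DE'));
console.log('US-CA', effectiveConsent(demoLayer, 'US-CA'));
console.log('audit', auditConsentLayer(demoLayer));
```

In a real deployment the default commands go in the page head ahead of the GTM snippet, the consent management platform pushes the update when the banner is answered, and the GPC check reads navigator.globalPrivacyControl; the resolver above is only a way to verify, per region, which state your defaults actually produce.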
State-Specific Privacy Laws in the US:
While there is no unified federal privacy law in the US, several states have enacted their own privacy regulations such as:
- California (CCPA/CPRA): Grants consumers the right to opt out of the sale or sharing of their personal information (including for targeted advertising), to request deletion, and to know what data is being collected; businesses must honor opt-out preference signals such as GPC.
- Virginia (VCDPA): Requires businesses to obtain opt-in consent for sensitive data and provides consumers with rights to access, correct, and delete their personal information.
- Colorado (CPA): Includes opt-out rights, data protection assessments for businesses, and transparency requirements regarding data usage.
- Connecticut (CTDPA): Provides consumer rights similar to CCPA, including opt-out options for targeted advertising and data sales.
- Utah (UCPA): Has less stringent requirements but still mandates opt-out rights for targeted advertising and data sales.
Learn More: State Specific Privacy Laws in the US
Read this article to learn more about state-specific privacy laws in the US.