
Google Consent Mode Fines: Requirements for UK & US
User consent is a huge topic for business right now. With data privacy laws such as GDPR, CCPA, and many others, organisations have been subjected to large fines for non-compliance. Consent Mode is a valuable tool for obtaining user consent and filling the data gap.
But how can businesses in the UK and the US avoid Consent Mode fines, and what are the requirements to ensure your business remains compliant?
What is Consent Mode?
Google Consent Mode is a tool that registers user consent through your cookie banner. It then adjusts tags so they behave in line with a user’s consent settings. It’s Google’s answer to legislation such as GDPR.
Before Google’s Consent Mode, there was no way to track users on Google products without collecting their data. This created a risk that the use of tools like Google Analytics or Google Tag Manager could result in data collection practices that failed to comply with privacy laws.
Thanks to Consent Mode modeling, this is no longer the case. Now, if a user rejects cookies, Consent Mode uses data from consenting users to upscale and fill the data gap.
If you’re unsure whether you have Consent Mode active, or want to identify compliance gaps, try our Consent Mode Monitor. This will analyse your GTM setup and provide a list of missing or incorrect consents.
Consent Mode V1 vs V2
Google’s latest version is Consent Mode V2, although it is largely the same as the original Google Consent Mode. It was introduced in response to the Digital Marketing Act, which stipulated that all cookie banners must include two new fields. These were:
- ad_personalization = allows downstream remarketing usage.
- ad_user_data = allows email or mobile numbers in downstream usage.
So, if you’re using Consent Mode, make sure to add these fields to your community templates.
Key requirements for avoiding Google Consent Mode fines
Non-compliance can be costly, whether it’s 4% of your global revenue or €20 million (whichever is higher). That’s why it’s so important to get consent right from the start. Even with Consent Mode, it’s still easy to make costly mistakes.
With that in mind, here are some key requirements to help avoid Google Consent Mode fines.
Familiarise yourself with GDPR, CCPA, and other legislation
The topic of user privacy isn’t going away. New privacy regulations are constantly emerging. Each will impact how you use Consent Mode and the sorts of data you collect.
Remember, it’s not just your own local laws you need to consider. You must also comply with your audience’s local legislation; a task that becomes more complicated when you have a global audience.
To avoid being caught out, make sure to keep up to date with the latest compliance legislation and guidelines. By creating a GDPR compliance checklist, and keeping it updated, you can easily review your compliance status.
If you have the budget, you might want to consider taking on a third-party expert who can share knowledge and guidance. There’s also software out there that can alert you to any changes in legislation, helping you keep up-to-date and compliant.
It’s important to remember that Consent Mode alone doesn’t guarantee compliance. You’ll also need a cookie banner to avoid Google Consent Mode fines.
There are two options for creating a cookie banner. You can set up a consent management platform (CMP) or you can create a custom cookie banner. Let’s look at the cookie consent considerations for both options.
Use A Consent Management Platform (CMP)
Using a CMP is one of the simplest ways of applying a cookie banner to your website. There are many options available, but we recommend Cookiebot and even have a 20% discount available for you if you’d like to use it.
When choosing a CMP, look for a platform that has been certified by Google and integrates with the IAB’s Transparency and Consent Framework (TCF). Otherwise, you won’t be able to use Google AdSense, Ad Manager, or AdMob to serve ads to users in the European Economic Area, the UK or Switzerland.
Alongside the above factors, consider the following points when looking for a CMP that guarantees compliance.
- User experience – Consent must be freely given. Choose a solution that enables a user to grant or withhold consent easily.
- Geolocation settings – It’s vital that your CMP caters to your compliance needs. If your audience is based in the European Union or the UK, you’ll need a tool that complies with GDPR. Equally, if you have users based in multiple regions, a tool should be able to accommodate local laws.
- Cross-device support – A user should be able to access consent options regardless of the device they’re using.
A custom banner offers the benefit of being fully tailored to your specific needs. However, this approach is significantly more challenging to implement. Failing to address any of the areas above could lead to fines.
If you’re considering a custom cookie banner, it’s important to make sure you have a skilled team that are able to ensure it’s fit for purpose.
Other basics of compliance
Compliance legislation can be a minefield. That’s why, to avoid Google Consent Mode fines, you should understand the basics of consent.
Ultimately, you must always request user permission before collecting their data. To be considered valid, consent must also meet the following criteria:
Users must be properly informed
Your users must know what they’re consenting to. That means providing a list of all the cookies used on your site. You will need to explain how you collect and process user data. You’ll also need to clarify if you share data with any third parties, and if so, list them. Be sure to link to privacy and cookie policies.
Consent must be freely given
Website users shouldn’t be coerced into providing consent. That means providing a clear ‘reject cookies’ option. The accept and reject buttons should look the same and be accessible on all devices.
You must receive explicit user consent
Consent cannot be gathered from user inaction. If a user hasn’t selected ‘reject’ or ‘accept’, the default is that they haven’t provided consent. The only way to confirm consent is when a user accepts cookies.
Users must be free to revoke consent
The consent state should be clear and the user’s consent preferences should be considered an ongoing issue. A user should be free to revoke (or allow) consent at any time. Provide easy access to consent options so a user can alter their choice.
Consent should be specific
Cookies should be listed by type: functional, analytical, or marketing. You must include an explanation of what each cookie does, and allow users to reject them individually.
Compliance should be demonstrated
It’s important to demonstrate how your organization is ensuring compliance. Keep a database of obtained consent status, listing dates, and the form of consent that was granted.
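As an added example (not code from this article or from Google), the following ties together the V2 fields, the rule that inaction is not consent, and the consent record described above. The four signal names and `wait_for_update` are Google's Consent Mode parameters; the banner categories, the category-to-signal mapping and the audit record shape are assumptions made for illustration.

```javascript
// Added example: Consent Mode v2 signals driven by an explicit banner choice.
// Signal names are Google's; categories and the record shape are assumptions.
const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Assumed mapping from banner categories to Consent Mode signals.
const CATEGORY_TO_SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

function createConsentLayer(dataLayer = []) {
  // Standard gtag() stub: commands are queued as arguments objects.
  function gtag() { dataLayer.push(arguments); }
  const auditLog = [];

  // Must run before any Google tag loads: everything denied until the user acts.
  const denied = Object.fromEntries(SIGNALS.map((s) => [s, 'denied']));
  gtag('consent', 'default', { ...denied, wait_for_update: 500 });

  // choice: { analytics: true|false, marketing: true|false } from an explicit click.
  // Calling it again later with different values is how a user revokes or grants.
  function applyChoice(choice, now = new Date()) {
    if (!choice || typeof choice !== 'object') return null; // inaction is not consent
    const state = { ...denied };
    for (const [category, signals] of Object.entries(CATEGORY_TO_SIGNALS)) {
      // Only a literal true grants; a missing category stays denied.
      if (choice[category] === true) signals.forEach((s) => { state[s] = 'granted'; });
    }
    gtag('consent', 'update', state);
    // Evidence of what was granted, when, and through which form of consent.
    const record = { timestamp: now.toISOString(), form: 'banner_click', state };
    auditLog.push(record);
    return record;
  }

  return { dataLayer, auditLog, applyChoice };
}
```

In a browser, pass `window.dataLayer` as the argument and persist `auditLog` entries server-side rather than in memory.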
The cost of non-compliance
The potential penalties for Consent Mode mistakes can be extremely costly for businesses. If you’re not on the right side of the law, it’s not just the financial cost you’ll need to consider. Non-compliance can also be extremely costly for your business’ reputation. Furthermore, you won’t be able to serve ads or collect marketing data properly.
It’s not just large corporations that are impacted by Google Consent Mode fines; smaller fines can also be issued to SMEs for non-compliance. Check the ICO’s recent enforcement actions to see some examples.
While there have been no widely reported cases of direct fines specifically for not using Google Consent Mode correctly (yet), there have been fines issued related to cookie consent and data collection. The use of Consent Mode is very likely considered a factor when assessing overall compliance with privacy laws.
Here are a few examples of companies that have received fines in recent years.
TikTok
TikTok was fined $5.4 million in January 2023 by CNIL for making it hard to reject cookies. Ultimately, it should be just as easy to reject cookies as it is to accept them. However, TikTok required several clicks to reject.
TikTok was also not clear about the purpose of the cookies they were collecting.
Google was fined for breaking GDPR rules back in 2019. The French data protection agency, CNIL, issued a fine of 50 million Euros, citing Google’s lack of transparency, inadequate information for users, and failure to obtain valid consent for personalised ads.
CNIL stated that Google lacked transparency, making it difficult for users to find information such as the data processing purposes, storage periods, and personal data used for Google Ads.
Facebook also received a large fine after breaching the French Data Protection Act, receiving a $65 million fine in 2021 from CNIL. The fine was imposed due to the challenges French users faced in rejecting cookies on Facebook.
CNIL noted that users were forced to ‘select cookies’ to reject them, resulting in confusion. Facebook was given a three-month deadline to fix the issue.
Make Consent Mode compliance a priority
Consent Mode is a very useful tool if used correctly. It takes you a step closer to compliance and helps fill the data gap from users who don’t consent. However, the tool is only useful if implemented correctly. To avoid Google Consent Mode fines, make sure you always follow the steps listed in this article.
Remember, Consent Mode isn’t a ‘one-stop shop’ for compliance. Businesses should either seek a custom-made consent banner or a consent management platform. Always keep up with relevant data privacy legislation and employ external help if needed.
Managing user consent can be tricky, but with the right approach to Consent Mode, the process can be made easier.
As people become more aware of data privacy and their rights, you could be the company to take this in your stride. Consider reading our article on making data privacy a unique selling point of your business.