Consent is one of the most misunderstood and incorrectly implemented aspects of modern web tracking. Cookie banners, CMPs, Consent Mode v2, GDPR, and the ePrivacy Directive are often discussed, but rarely explained in a way that connects legal requirements with real-world implementation.
In this webinar, we focus on consent in practice. You’ll learn how consent works in principle, why it matters for analytics and advertising, and how to implement it correctly across both web and server-side environments. We’ll break down common misconceptions, explain what is actually required, and demonstrate a setup you can replicate in your own projects.
Speaker: Dan Murov, Data Tracking Lead @ Stape
1. Consent fundamentals
a. How consent works in principle
b. Why consent is critical for analytics, advertising, and business decisions
2. Consent regulations overview
a. GDPR vs. ePrivacy Directive: key differences and why they matter
b. Cookie banners vs. CMPs: understanding the distinction
3. Consent in modern tracking
a. Consent Mode v2 explained. Impact on GA4 and Google Ads modeling
b. When deeper, per-platform consent is required
c. Why server-side tracking does not bypass consent requirements
d. How to apply consent correctly in Google Tag Manager
4. Live demo
a. Installing consent on a website
b. Applying consent to web and server-side tags
5. Bonus
a. The Hannover court case about GTM and consent: what went wrong and how to avoid similar violations
6. Q&A session
Click on the button below to get the presentation from the webinar and discover a script that prevents GTM loading without consent.
1. Are there any CMPs you recommend for Shopify? (We’ve worked with Pandectes, PieEye.)
We often use Pandectes or Consentmo, but any CMP that meets your legal and functional requirements can work.
2. Can Shopify’s native consent feature be used with server-side tracking?
In our experience, Shopify’s native consent management is limited for advanced setups —especially server-side — so we typically recommend a dedicated CMP if you need robust control and auditing.
3. How reliable are out-of-the-box consent banners supplied by platforms like Shopify?
There are many options. Some work without issues, while others don’t. Overall, the choice is broad — test and choose the one that best matches your requirements.
4. For small businesses without dedicated legal teams, what’s the minimum “correct” setup you recommend starting with?
It depends on how risk-averse you are. If you can support the subscription cost, start with a reputable CMP (for example, Iubenda). That’s a solid baseline.
5. With privacy regulations evolving, how can we implement consent today in a way that won’t require a full rebuild in a year or two?
Use Google Consent Mode as the unifying layer. It’s broadly supported by CMPs and is the most future-proof way to manage tag behavior without rebuilding everything.
6. If we need to deploy the consent banner script on the website (not via GTM), why do we still need a CMP?
If you follow strict interpretations, the banner/CMP must load on the page before GTM, because GTM shouldn’t load until a consent decision exists. A CMP is still needed to manage consent logic, store user choices, handle vendor frameworks (e.g., TCF for publishers), and enforce which technologies can run under each consent state.
7. How will Consent Mode be impacted by Google Tag Gateway?
If you use Google Consent Mode, gtag will automatically respect the consent state and adjust how Google tags behave.
8. If GA4 config loads first and the consent update comes after that — if the user later consents, how late is data sent to Google?
GA4 can handle late consent. If a page view is sent without consent and the user later grants consent, GA4 can attribute subsequent events appropriately. In practice though, we recommend configuring GTM so tags fire only after a consent state exists, to avoid double-firing and ambiguity.
9. For Shopify checkouts, how can we confirm that the consent signals from the banner are still present and aligned with Shopify Customer Privacy in the checkout?
You can use Server Preview (with published changes in the web container) to inspect requests in the sGTM preview and verify the consent status being passed through checkout flows.
10. If we use webhooks via a Stape app, how do we trigger them based on consent?
With the app-based webhook approach, you generally can’t conditionally trigger webhooks based on consent. But you can stitch the webhook with previously stored consent (Stape Store, Firestore, maybe Google Sheets) so long as your webhook contains something identifiable like email.
11. If we use webhooks via a Stape app, does that mean sending offline events wouldn’t be possible?
Stape's Shopify app will send purchase/refunds related to “Online Store” channel. If you find those lacking, you can always (and in parallel) send native webhooks from your Shopify to sGTM.
12. How can we prove to regulators that server-side events were not processed before consent when using Stape?
In a consentless environment, you shouldn’t process server-side events for non-consented purposes. The only exception is Google’s Consent Mode behavior on Google’s side. If “cookieless/consentless” events reach your server container, they should not trigger downstream vendor calls (other than Google’s consent-mode handling), otherwise you risk a compliance violation.
13. Can you explain (without referencing a specific CMP) how to respect consent when you use GTM and also have some scripts implemented directly on the site?
Most CMPs work by assigning IDs/attributes to scripts and mapping those scripts to consent categories. You ensure each script is gated by the correct consent state so it only loads/runs when allowed. The key is consistent script tagging and an agreed consent taxonomy (analytics, marketing, etc.).
14. When using server-side tracking, how does Stape handle consent across subdomains and cross-domain tracking without accidentally re-identifying users?
Stape doesn’t do this automatically — it depends on your implementation. For subdomains, consent usually carries if it’s the same site/organization. For true cross-domain tracking (different top-level domains), you typically need separate consent on each domain; otherwise it can be non-compliant.
15. Have you seen data on what percentage of users block GTM from loading (ad blockers/extensions), especially for standard client-side GTM?
It varies a lot by region, demographics, and industry. We’ve seen examples as high as ~70% on some audiences, but a rough “typical” figure we hear is around ~20% (not a universal benchmark).
16. Do we need to implement both Google Tag Gateway and server-side tagging? If yes, should we use the GTG feature or the web container setting from the server-side GTM container?
Google Tag Gateway mainly helps with script delivery (serving GTM/gtag from your own domain). It doesn’t extend cookies by itself. If you already use server-side GTM, Tag Gateway is often redundant because server-side GTM can cover similar routing/delivery patterns — but not the other way around.
17. How would this work in the US with implied consent? Could you load GTM first?
Yes. In implied/opt-out consent models, you can typically load GTM first. The strict “load GTM only after consent” approach discussed is more relevant to certain EU interpretations (e.g., Germany).
18. Should we implement both client-side and server-side tracking, or choose one?
It depends on the platform. Some platforms benefit from (or require) both (for example, Meta/Facebook often needs client-side plus server-side). For Google Analytics 4 and Google Ads, you normally choose one or the other.
19. If default consent states aren’t received and the GA4 config tag fires before consent is configured — can that cause “(not set)” traffic in GA4 acquisition reports?
Yes, it can. If default consent states aren’t set or aren’t received in time, GA4 may not populate certain dimensions correctly, which can contribute to “(not set)” reporting.
20. Why is it better to fire page_view on cookie_consent_update rather than relying on GA4 config initialization?
We prefer firing page_view explicitly when you intend it, instead of relying on config auto-dispatch. Historically, there have also been edge cases/bugs with auto page_view behavior, so an explicit event tends to be more predictable, moreover this way we attempt it only after consent decision is done, avoid sequencing issues.
21. With a consent banner in place, do we have to use server-side tagging, or can we can continue using client-side tracking?
You can absolutely stick to client-side tracking. Server-side was shown as an example; consent requirements apply either way. You can start using server-side tracking if you're interested in its benefits.
22. Is there a way to have a click database that records consent for each user?
Yes. Store it in a system you control (for example, a database). The exact storage depends on your architecture.
23. When we send data from the web container to the server container using a Data Tag, we can pass consent settings as a feature. But if we send data from the web container to the server using GA4, how can we use the Stape tag’s cookie feature? Does the GA4 tag send the consent object from the web container to the server container? If yes, how can we send the consent object from web to server?
Stape’s tag execution settings will parse both Data Tags’s object structure and native GA4 parameters (that don’t need to be sent explicitly) in order to infer consent states in any given request.
24. In most CMP implementations we’ve seen, traffic drops suddenly after launch. Is there any way to prevent that drop once a CMP is integrated into the website?
The traffic drop you’re experiencing is likely an "organic" drop, as introducing the consent management platform causes users to opt out, which in turn reduces your baseline traffic. While it is possible to optimize the consent banner for better user engagement (while remaining compliant with regulations), it’s important to understand that limited data may be an inevitable consequence of respecting user privacy preferences.
25. What is the point of Advanced Consent Mode if GTM is blocked until analytics/marketing consent? If consent is given before GTM loads, Google tags will always send non-anonymous pings — right?
Yes, that’s correct. However, it’s important to note that consent for analytics and marketing can be managed separately, which impacts the behavior of GA4 and Google Ads differently. Additionally, some non-Google tags do not have built-in consent checks, which means they might not adhere to the same consent-based restrictions.
26. Can a Stape server-side container serve multiple websites with different CMP implementations?
Yes. The key is that the server-side setup must respect the consent provided on each website. As long as the consent mechanisms are properly configured and compliant, the server container will process consented and non-consented hits accordingly from each site, without issue.
27. If I visit a US subdomain (opt-out / consent granted) and then go to an EU subdomain, does that consent still apply on the EU subdomain?
Consent behavior is typically determined by the visitor’s location rather than the location of the subdomain. However, if the subdomains share the same top-level domain (TLD), a single consent decision is usually applied across both. It’s important to ensure that you’re handling consent in compliance with relevant regulations, so consulting a legal or data protection professional is highly recommended to confirm your specific setup.
28. Stape, consent, and iframe functionality — how do you set it up correctly?
This is a broad question, but generally, iframes require their own consent, especially if they involve third-party content. If you're referring to the complexity of handling consent between the parent window and the iframe, you can often manage this by reading the associated cookies on the client side. However, the specific setup will depend on the functionality of the iframe and the type of data it handles. It's essential to ensure that both the parent window and the iframe comply with consent regulations.
29. We had a situation where cookie_consent_update didn’t fire on every page view (confirmed in Stape logs). Do you test cookie_consent_update reliability before using it?
It’s always best practice to thoroughly test all aspects of your setup, including the reliability of cookie_consent_update. In general, most well-designed consent banners will trigger the update on every page view, regardless of the event name. If you encounter a situation where the update isn’t firing consistently, you can simulate the push on every page yourself to ensure reliable behavior.
Comments