datascale

Consent Mode, four weeks in: three findings from DACH audits

Four weeks after the June 15, 2026 change: Google Signals is gone as a fallback, silent consent gaps are emptying remarketing lists, and Swiss traffic gets its own CMP rules.

Four weeks after the Consent Mode change of June 15, 2026, DACH audits show a clear pattern: the Google Signals toggle has disappeared as a second line of defence, and ad_storage alone controls Google Ads data collection. Setups wired in the 2024 compliance sprint have been leaking data silently ever since. And Swiss traffic deserves its own CMP rules, because the revFADP works differently from the GDPR.

Finding 1: the safety net is gone

For years, many German and Austrian setups carried a quiet insurance policy. Teams that did not trust their own Consent Mode wiring switched off Google Signals in GA4. That cut the data flow to Google Ads regardless of what the CMP let through. Legal teams liked it, marketing teams accepted it. A toggle as a firewall.

That insurance no longer exists. Since June 15, 2026, Google Signals only governs GA4 behavioural reporting, not Google Ads data collection. The sole gatekeeper is now the Consent Mode signal ad_storage. Full stop.

In practice this means the entire legal and technical burden sits with the CMP and the GTM configuration. A setup that relied on the disabled Signals toggle has, since mid-June, either been sending data it should not send, or blocking data it is allowed to send. Neither shows up without an audit. The seven audit layers live in the June article; the audit checklist turns them into a test plan.

Finding 2: silent gaps instead of error messages

When Consent Mode V2 became mandatory in early 2024, many teams shipped the implementation in a sprint and never touched it again. Set and forget. For two years that went fine, because mistakes were cushioned by the old dual control.

Not anymore. The most common pattern in our audits: the default state correctly sits on denied, but the gtag('consent', 'update') call after the "Accept" click does not fire reliably. A race condition, a wrong trigger, or the CMP version got updated and the event mapping broke. At consent rates that typically sit between 30 and 40% in Germany and Austria, the difference between "update fires" and "update doesn't" is the difference between a working remarketing pool and an empty one.

The treacherous part: Google raises no loud errors. If ad_user_data or ad_personalization is missing, the system degrades quietly. Remarketing lists shrink, Smart Bidding runs on fewer signals, campaign performance sags over weeks. No alert, no red banner. Teams notice it in the media results, not in the tag manager.

Two quick self-tests before commissioning an audit: the Consent Mode check against your own URL, and the consent mapping worksheet that assigns every data flow to a signal.

Finding 3: Switzerland is not the EEA, and your setup should know it

Switzerland's revised Federal Act on Data Protection (revFADP) has no general prior opt-in requirement for standard analytics and functional cookies. It is built around transparency and objection, so opt-out. Google's consent requirements still apply to Swiss traffic the moment Google Ads is involved.

Many sites have solved this pragmatically so far: one EU banner for everyone, strict prior-consent logic from Lisbon to Zurich. That is legally comfortable, and it throws away Swiss data without need. For a shop with 15% CH share, that is not a rounding error.

What has been piling up since June: geo-targeted CMP rules. Swiss visitors get an opt-out configuration that follows FDPIC guidance, EEA visitors get the strict prior-consent variant with full Consent Mode V2. Usercentrics, Cookiebot and OneTrust can model this through geo rules; the wiring behind it has to hand both states cleanly to GTM and the server container. What that looks like with Usercentrics is in the server-side GTM guide.

What to do now

Three steps, in this order:

  1. Check your Signals dependency. Was Google Signals ever used as a compliance filter? Then audit the ad_storage chain immediately, it now carries sole responsibility.
  2. Verify the update call. Default denied is half the job. The consent update after the banner click has to arrive in every browser, on every CMP version, before the first tag. The QA template tests all four signals systematically.
  3. Segment CH traffic. Check what share of your traffic comes from Switzerland and decide whether a geo-targeted banner configuration justifies ending the data loss.

Prefer to price the gap before closing it? The consent loss calculator converts consent rate into lost conversions in euros.


Disclaimer: this article is technical and operational orientation only, not legal advice. The findings come from consent audits in DACH projects in June and July 2026; product behaviour can change and should be verified against Google's official documentation.

Need help with your setup?

Audit Sprint in two weeks, prioritised report, concrete action steps.

Request an audit →

Read next