Cookie Consent Explained from a Google Ads Perspective (Episode 470) - The Paid Search Podcast | A Weekly Podcast About Google Ads and Online Marketing

Summary7 min read

Summary of "Cookie Consent Explained from a Google Ads Perspective" (Episode 470)

Podcast Information:

Title: The Paid Search Podcast | A Weekly Podcast About Google Ads and Online Marketing
Host/Author: Chris Schaeffer, Certified Google Ads Specialist
Episode: Cookie Consent Explained from a Google Ads Perspective
Release Date: July 7, 2025

In Episode 470 of The Paid Search Podcast, guest host Joey Buidtner delves into the intricate topic of website tracking consent, commonly known as cookie consent. This comprehensive episode is particularly valuable for businesses advertising across different regions with varying privacy laws. Joey shares personal experiences, discusses legal implications, and provides actionable insights on managing cookie consent effectively from a Google Ads perspective.

Introduction to Cookie Consent

Joey opens the episode by emphasizing the critical nature of cookie consent in digital advertising, especially for businesses operating internationally. He highlights the mandatory requirements in regions like Europe and the complexities faced by companies in Canada and the U.S. that target European audiences or states with strict privacy laws, such as California.

"Cookie consent is an extremely important topic, not only because there are certain parts of the world like Europe that have it mandatory, but there's a lot of misunderstanding in other parts of the world..." [00:00]

Personal Experiences and Legal Implications

Joey shares compelling anecdotes illustrating the repercussions of improper cookie consent management. He recounts instances where poor consent practices led to the complete shutdown of conversion tracking and remarketing efforts. Notably, he discusses a case where a client faced a lawsuit demanding tens of thousands of dollars due to non-compliance with California's privacy laws.

"I have a client that recently got sued for tens of thousands of dollars for improperly or not collecting consent from users in California." [00:04]

Listener Question: New vs. Existing Customers in Google Ads

Before diving into the main topic, Joey addresses a listener question from Alex Sinniewski about how Google distinguishes between new and existing customers. He explains that Google cross-references data with customer lists and automated audiences like the "purchasers" audience.

"Google is not clear on the timeline at which they consider a new customer... maybe it's only two weeks, maybe a month." [00:15]

Joey expresses skepticism about using Google’s bidding options for targeting new or existing customers, citing limitations in Google's definitions and the potential negative impact on campaign strategies. He emphasizes the importance of holistic monitoring through tools like Shopify analytics to gauge the balance between new and returning visitors.

"I just measure it holistically. I will look at the back end of Shopify, the back end of my website analytics..." [00:23]

Main Topic: Website Tracking and Cookie Consent

Joey transitions to the main discussion on website tracking and cookie consent, noting the confusion he initially faced in advising clients on when to deploy consent banners and how to ensure data sharing with Google Ads remains effective.

Understanding Cookie Consent Mechanisms

He explains the basic functionality of cookie consent banners, which prompt users to opt in or opt out of tracking. Joey outlines the differing requirements based on geographic regions:

Europe: Strict laws mandate an opt-in system for tracking.

"Europe has a strict law that says by default everybody is opted out of tracking and we need to ask them to opt in." [00:30]
Canada and USA: Utilize an opt-out system where users are automatically opted in, but with options to opt out. A robust privacy policy is crucial instead of mandatory banners.

"If you don't advertise in Europe, you don't need to show the banner. Instead, ensure your privacy policy is comprehensive." [00:45]

Specifics on Google Analytics and Session Replay Tools

Joey discusses how tools like Google Analytics (GA4) and session replay software like Microsoft Clarity require consent in Europe. He explains the process of acknowledging data collection in GA4 to enable remarketing audiences in Google Ads.

"When you set up GA4, you need to click 'I acknowledge that I have the necessary privacy disclosures...' to enable data sharing with Google Ads." [00:52]

California Privacy Laws (CPRA)

A significant portion of the episode focuses on California's Consumer Privacy Rights Act (CPRA). Joey outlines the three criteria that necessitate cookie consent for businesses advertising in California:

Annual Gross Revenue: Over $25 million.
Data Handling: Buying, selling, or sharing personal information of 100,000+ California residents annually.
Revenue Source: Deriving 50%+ of annual revenue from selling or sharing personal information to California consumers.

"If your annual gross revenue is above $25 million, or if you collect data on 100,000 California residents, you need to have a 'Do Not Share My Personal Information' option." [01:15]

Joey warns about predatory law firms exploiting non-compliance, emphasizing the importance of adhering to these laws to avoid costly settlements.

"Predatory law firms are looking for businesses that are not asking for the right consent..." [01:20]

Implementing Consent Banners Effectively

To ensure compliance and maintain data continuity with Google Ads, Joey stresses the importance of using consent management platforms (CMP) that support Google’s Consent Mode V2. He recommends platforms like Cookiebot for their compliance and integration capabilities.

"Consent Mode V2 allows Google to share non-identifying data even if users reject cookies, enabling continued remarketing and conversion tracking." [01:30]

Integration with Google Tag Manager

Joey explains that integrating CMPs with Google Tag Manager is essential for sending non-identifying data to Google Ads, ensuring that advertising efforts remain effective despite user consent choices.

"Using a compliant CMP like Cookiebot and integrating it through Google Tag Manager allows you to retain valuable data points." [01:35]

Best Practices for Consent Banners

Joey advises on the strategic placement and timing of consent banners to enhance user experience and maintain data integrity:

Avoid Simultaneous Pop-ups: Combining consent banners with promotional offers like a 5% discount can overwhelm users.

"Nothing's worse than a bunch of pop-ups when a visitor lands on your website..." [01:45]
Strategic Timing for Offers: Place promotional pop-ups later in the user journey, such as after adding items to the cart or after spending a few minutes on the site.

"Put that pop-up after they've added something to cart or after a few minutes on the site at least." [01:50]

Handling Legal Challenges

In the event of receiving a CPRA violation letter, Joey recommends contacting a privacy lawyer specialized in these matters rather than a general defense lawyer. He underscores the structured nature of such lawsuits and the potential high costs of litigation versus settlements.

"Contact a privacy lawyer, not necessarily a defense lawyer, because they are familiar with the structure of these lawsuits." [01:55]

Conclusion and Final Recommendations

Joey concludes by reiterating the necessity of proper cookie consent management for businesses advertising in Europe and California. He advocates for the use of verified CMPs like Cookiebot, integration with Google Tag Manager, and maintaining an up-to-date privacy policy. Additionally, he encourages ongoing monitoring and adaptation to any legal changes to ensure continued compliance.

"I implore you to use a verified consent mode platform like Cookiebot and integrate it through Google Tag Manager in consent mode version 2 so you can hang on to those data points." [02:00]

Notable Quotes

Joey Buidtner on Cookie Consent Importance:

"Cookie consent is an extremely important topic, not only because there are certain parts of the world like Europe that have it mandatory, but there's a lot of misunderstanding in other parts of the world..." [00:00]
On Google's Definition of New Customers:

"Google is not clear on the timeline at which they consider a new customer... maybe it's only two weeks, maybe a month." [00:15]
Regarding Predatory Lawsuits:

"Predatory law firms are looking for businesses that are not asking for the right consent..." [01:20]
On Effective Consent Management:

"Consent Mode V2 allows Google to share non-identifying data even if users reject cookies, enabling continued remarketing and conversion tracking." [01:30]

Recommendations for Listeners

Assess Your Advertising Regions: Determine if your business targets regions with strict privacy laws like Europe or California.
Implement a Compliant CMP: Use platforms like Cookiebot that support Consent Mode V2.
Integrate with Google Tag Manager: Ensure seamless data sharing with Google Ads while respecting user consent.
Enhance Your Privacy Policy: Clearly inform users about data collection and usage practices.
Monitor and Adapt: Regularly review your consent management setup to stay compliant with evolving laws.

By following these guidelines, businesses can effectively manage cookie consent, maintain robust tracking and remarketing efforts, and mitigate the risk of legal challenges.

Loading summary

Transcript1 lines

[00:00]
Joey Buidtner
Foreign welcome to the paid Search Podcast. My name is Joey Buidtner and today I am your guest host. So so in today's episode we're going to be talking about website tracking consent, also known as cookie consent. Now I think this is a extremely important topic, not only because there are certain parts of the world like Europe that have it mandatory, but there's a lot of misunderstanding in other parts of the world, for example, for businesses that maybe reside in Canada and the U.S. but advertise in Europe and or companies that advertise in states with strict privacy laws like California. So I'm going to be talking about specifically from a Google Ads perspective, what we need to know in terms of advertising locally and abroad when it comes to cookie consent. And I'm going to be sharing some stories about how when not done right, I've had experiences where my conversion tracking and remarketing shut off completely. And more importantly, I have a client that recently got sued for tens of thousands of dollars for improperly or not collecting consent from users in California. So I'm going to be talking about what you should know if you advertise in California. And we're also going to cover a question from a listener. So before we get into the body of the episode, I want to mention our podcast sponsor and that is Opteo. That's opteo.com Now Opteo is a PPC management software and I wanted to share a quick use case of how I use Optio on a day to day basis. So if you manage multiple accounts, Opteo has this really great account dashboard where at a glance you get to see all your accounts and you get to observe your spend and KPI trending performance. So what this means is it could be mid month and you take a look at this dashboard and you get to see, okay, is my spend trending to spend completely or am I underspending? Am I tracking to underspend? Are my KPIs like conversions traffic trending towards coming close to the conversions I got last month or am I trending to complete the month with less conversions than last month? And this allows you to kind of catch problems in your account before the end of the month when you need to report the problem, you get to kind of knit something in the bud and like address the issue when you have some leading indicators to say that yeah, you are trending below your goals or targets. So I typically start each day, or at least at least a couple times a week looking at this dashboard and they make it really easy, you know, if it's trending low, it will be red. If it's on track, these KPIs will be green. So that overall dashboard, it's really worth its weight in gold. So I wanted to call that out. And remember, if you are a listener of the podcast, you get an extended 28 day free trial for Optio. So that's opteo.com PSP and just hop in the chat window, say you're a listener of the podcast and you will get that 28 day extended trial. So moving on to a question from a listener. So if you want to submit your question for us to answer, just email paid searchpodcastmail.com and I know Chris is diligent about reading every question and eventually addressing almost all of them. So feel free to write in your questions anytime. So thank you. Today's question is from Alex Sinniewski and Alex asks new versus existing customers. How does Google know who is who? So I'm assuming Alex is asking this question because of a specific campaign setting that's relatively new to Google Ads. And in your campaign settings, Google has a bidding option for bid higher for new customers or bid for new customers only. And the way Google measures if somebody is a new customer or an existing customer, it's pretty simple. They just cross reference the data to your your customer lists. And a lot of that data is held even in your purchasing actions. When you go to set it up, they will ask, they'll show you, you know, your Google Ads purchasers audience, which is data that's collected from your from your conversion action. So there is a Google like a Google hosted automated audiences called audience called purchasers. And you can also upload customer lists. Now if you've listened to me on this podcast, you know that I am all about tracking and monitoring new versus existing traffic and purchasers. I care less about having a really high roas if it means it's all existing customers, right? I am all about priming that pipeline of new customers to grow a business. So you might think that I love this setting and I will be honest, I do not, I do not use this setting. I have not really seen it work. And that's because Google is not clear on the timeline at which they consider a new customer. So you could have your customer list. But if it's only okay, we're only going to consider somebody an existing customer if they've purchased in the last two weeks. And I'm pretty sure that's what it is. I can't, you know, don't quote me on that, but I'm pretty sure it's only two weeks, maybe a month. And you know, most repurchase rates happen within a year. So I don't like it. I also definitely don't like bid only for new customers. I still believe that a percentage of your spend should be going towards, you know, nurturing your existing customer list. Repurchase rates are a good thing. The problem is when you have a campaign that is all just existing traffic. And that's the difference. There's one thing to be monitoring new customers, existing customers, and another thing to be monitoring new visitors and new traffic. Because often when, you know, one of the problems we get into with scaling accounts is especially if you use smart bidding, is if you set a really high return on ad spend or really low target cpa, the algorithm will basically start looking for easy bets, right? Things that it knows will get that return on ad spend or that cost per acquisition that you want. And often the low hanging fruit is existing traffic or existing customers. So usually what I do to keep my new versus returning visitors or customers in check is I just measure it holistically. I will look at the back end of Shopify, the back end of my website analytics and when I make a big change in an account, let's say launch a new campaign or increase my budgets, I will monitor, okay from that date, if my conversions went up or my visitors went up, what percentage of those were new visitors versus existing customers or new visitors versus existing visitors. Or if my conversions went up, what percentage of those were new customers versus existing customers. And often if you see that become imbalanced where you increase your spend and it's all just existing customers or existing traffic, it often comes down. If you're using smart bidding, you've set too much of an aggressive target. If you put a 600% return on ad spend or a really low cost target cpa, the algorithm has nowhere to really move to experiment and try to go after new visitors or new customers. You have to give it that wiggle room. So in all honesty, like I very rarely in my accounts have really aggressive high target ROAS or really low target CPAs. I'll often have them as flexible as possible to encourage the algorithm to go after that new traffic. And often the success, the success doesn't necessarily come from the bidding strategy. The success comes from your keywords, your search term reports, making sure you're not showing up for bogus search terms, you're making sure your ad copy resonates and all the audiences within that you know, if you're on shopping, the Success often comes from your account structure, your strategy and your product feed data, not necessarily what you set your target return on ad spend. So sorry for unpacking that Alex, but you know, being that you're asking about new versus existing customers, I wanted to, yeah, I wanted to kind of just explain where that applies in the strategy of an account. So that said, I think it is good that Google is putting these controls in because it means that that's where they're focus is. And just like when smart bidding first came out it was trash. Now it's a lot better. Maybe this will get better too. So I absolutely will be continuing to test this and I'll let you know one day when you know, I get surprised by it. So it's not to say shut the door on it completely, but I wanted to share my experience with it. So now moving on to the main portion of the show, we're going to talk about website tracking and cookie consent. And I really wanted to focus on this just because over the last year personally I was really confused by it. I found it to be extremely difficult in advising my clients when they should or when they should not run a consent banner as well as what it means to share that data with Google Ads so we can hang on to as much data as possible. And, and this really became real when I had a client that fell into a class action lawsuit. They had to pay tens of thousands of dollars simply because they didn't ask for the right consent in the right place in the world because of their qualifications. And that's what we're going to talk about today. I do want to preface and say though this is not legal advice, everybody should do their own research in this. But I wanted to share my experience and share everything I've, I've learned up until now and at least be a good starting point because again, as soon as I started diving into the topic, the topic got so deep that it was really outside of just a PPC perspective. It was like, you know, website consent can be such a deep nerdy topic. I found it really hard to just get to the brass tacks of if I'm doing this, if I'm doing remarketing, if I'm got analytics tools, what's the basics of what I need to ask? Because one thing I will mention as well is if you ask for too much consent, that's not required. You could be really cutting off one of your feet and missing out on some data points. I think it's important to know when you do and when you don't need to ask for consent. Now if you don't know what I'm talking about in terms of website tracking consent, you've probably come across this before. So if you've been to a website and at the bottom of the screen you get that little pop up that says do you accept or reject cookie consent? And tracking, the language can be different sometimes, but it's immediately when you hop on the account. That's what this is, that is asking you if you opt in or do you opt out of being tracked. Now the rules on when you need to ask this changed depending on different parts in the world. And that's where the first misconception comes because Europe has a strict law that says by default everybody is opted out of tracking and we need to ask them to opt in. Right? And the first misconception that comes up is people in the States or in Canada will say, well I'm not a European company so I don't need to ask that. And, and I will correct you in that and say if you're advertising in Europe, you need to ask for consent, you need to ask for users to opt in to tracking. And I'll I guess first mention in what cases do you need to ask? Because it's not just if you advertise. Advertising is obviously the first one if you do remarketing or conversion tracking. The other though is analytics tools. Google Analytics kind of has it buried in their privacy settings, but they even say it in these words like we sell your data. So if you have GA4, you need to have consent in Europe and also if you do session replay. So session replay is, you might have heard of a pretty popular free software called Microsoft Clarity where you can heat map users, you can see what they click on, you can see where, where user cursors are on the screen. On average. Heat mapping is a really good tool for website conversion rate optimization. So if you do conversion tracking, session replay or use Google Analytics, if you're advertising in Europe or if you have people in Europe clicking on your website, you need to have that banner asking users to opt in in Europe. Now the second confusing part is for Canada and the USA because we don't have an opt in system, we have an opt out system where users are, are automatically opted in and we give, we can give them options to opt out. Now you don't necessarily need to have that banner show up giving everybody the option to opt out. A big part of it is actually just having a robust process privacy policy. You need to more inform users of Cookies inform users of what you're doing. And to give you an example of this, like right now that you may have seen is if you're in GA4 and you use GA4 remarketing lists, when you first set up a GA4 account, you may have noticed the remarketing lists are not automatically set sent to Google Ads even after you do the integration. In order for that connection to be made, you need to go to your Data Collection modifications tab, then go to Data Collection. And then there's this thing called user data collection acknowledgement. And in order to get your GA4 remarketing audiences sent to Google Ads for you to use, you need to click I acknowledge that I have the necessary privacy disclosures, blah, blah, blah, blah, blah, blah, blah. And that's all it is, right? And it's Google Analytics basically putting it on you to say, I have in my privacy policy let my users know that we are tracking them and we use Google Analytics and we use remarketing. And by clicking Acknowledge, it puts the blame on you. So I always advise clients, like before we click that acknowledge button and get our audiences in Google Ads, make sure your privacy policy is ironclad. Now, yes, you know, going to a privacy lawyer is probably the safest, but you can get away with a lot with ChatGPT. So I would say experiment with ChatGPT. Say everything that you're doing, you're doing remarking you're doing Google Ads using GA4, you're doing this and ask for a good privacy policy. And that's a good starting point. Okay, so we've talked a little bit about, you know, Europe opting, giving users the option to opt in. We've talked about Canada and USA about having privacy policy disclosures. Now we need to talk about California. So California is where things get particularly, particularly confusing because they have their own laws called the cpra. I forget what the algorithm stands for, but that is this law about similar to what Europe has for privacy tracking. And they have this explicit law that states based off of these three criteria that I'm going to share. If you advertise in California, you don't have to be from California. Your business can be anywhere, anywhere in America, in Canada, whatever. But if you advertise in California and you follow these three criteria that I'll mention in a second, you need to have a. It can be in the form of a button on your. It can be like a specific page and a link on your footer that is do not share or sell my information. And it is that opt out and you can, again, it can be a pop up like we were talking about in Europe. Or again, it can be a button on the footer that goes to a specific page that gives users the option to opt out. Now, when you need to do this again, this is not like a blanket thing like Europe that everybody needs to. They have three criteria. So if your annual gross revenue is above 25 million, you have to do this. This is the really confusing one. If you buy, sell or share personal information of 100,000 or more California residents, households or devices annually, you need to do this. Now. What does that mean? This is where it gets confusing because you could say, oh, I'm, I just, you know, sell bath soap. I don't buy, sell or share personal information. Buy, sell or share personal information means do you use GA4? So to decipher that, if you use GA4 and you collect data on over 100,000 California residents within a year, so you could measure just traffic from California, if you get more than a hundred thousand unique visitors in California and you use GA4, you need to have this do not share my personal information for California. Then the third criteria is, I'll just read it out. It's derives 50% or more of annual revenue from selling or sharing personal information to California consumers. I kind of struggled to really understand what this one meant, but I think that the first two are the important ones. If your annual GROSS is over 25 million, or if you collect data on 100,000 California residents or not. So if you follow, if those criteria fit your business, again, you need to have this. Do not sell or share my personal information. Opt out. And this is where one of my clients fell victim to. And there are these predatory law firms that are looking for businesses that are not asking for the right consent. This is not, you know, when you say, oh, who would sue me? It's not like, you know, somebody sitting in their basement visiting your website, suing you because you collected information of them. No, no, no. This is a for profit situation by predatory law firms building these class action lawsuits. And you can choose to settle or litigate. Most cases, like in my client situation, they had to settle because these laws are in place. And if you don't comply by them, litigating will probably end up costing you more money. So, yeah, this is a pretty serious cautionary tale. But I want to also mention how to do this effectively. What does it mean to set up a consent banner? Because there are some nuances, right? The important thing when setting up a consent banner is it needs to be done in a way that will allow you to share this data with Google Ads. Because Google has made this new thing called consent mode V2. And you might have remembered, I think about eight months ago when it first got announced. We mentioned it on the podcast briefly. I was just learning about it then too. We didn't talk too much about it because I wasn't as deep in the rabbit hole as I am now. But what consent mode version 2 basically is it's pretty great if somebody ops in or ops out of cookie collection when you integrate it with consent mode version 2, even if someone rejects the cookies, Google can still share what they call non identifying data points and it won't shut down your remarketing and or your conversion tracking. It will kind of model conversions and it will allow you to hang on to pieces of data. So it's really important to have that connection point. And what it means to have a connection with consent mode version 2 is you need to use a consent management platform. The platform that actually physically serves that pop up needs to be compliant with consent mode version 2. And Google has a pretty long list of the platforms that are compliant. I personally recommend Cookiebot to my clients. It's by a company called User Centrics and it's, you know, it's a, it's an app for most platforms. They have a good support system. It's, it's pretty straightforward. You can have all kinds of customizations on where you want banners to show or not. So you could have, okay, I want my banners showing up in Europe, I want my banners showing up in California, I don't want them showing up elsewhere. So it gives you that control. But most importantly it will have that connection through Google Tag Manager that will allow you to send that data and those non identifying pieces of data to Google Ads. And where I find this, there's often a hiccup here is advertisers or some of my clients will first go to the free option which is the Shopify Consent banner. And the Shopify Consent manner is not compliant with consent mode version 2. So we're going to share a link in the show notes that has the Consent mode, sorry that has the consent management platforms that are approved by Google for this data sharing. And yeah, recommend using one of those. They aren't free but they're cheap. You know, I think it depends on the size of your site but it's between 30 to $60 a month. And once you have this set up, once you have, you know, consent mode version 2 integrated like then you don't really have to think about it unless some law changes. So keep an eye on it. But once it's set up, it runs itself in the background, so I can't recommend that enough. Pay attention to the platform you use. And I should also mention Consent mode is a thing for Microsoft ads as well. You want to hang on to those data points. So before I get into one more point that I want to make, I want to mention our podcast sponsor once more. That's Opteo Opteo.com PSP like I said at the top of the show, I personally use it on a day to day basis just to observe when my accounts are slipping behind my my KPI goals or soaring past them. It's important to catch those before they become a problem. So that's where where I find Optios really helpful. So get that 28 day free trial by going to opteo.com PSP and asking in the chat window for the trial because you are a listener of the podcast. So a couple things I want to mention with these consent banners. So one of the things that I see after a client launches a consent banner is it will be timed at the same time as those pop ups for 5% off to join our newsletter, which I personally hate by the way. I usually ask clients to offer that 5% off later in the journey in someone's experience on your website. When someone lands on your website, even if it's from an ad click, they've shown intent to purchase something. When you show them a discount right in the first five seconds, it's too early. They don't even know what you offer yet. They don't know if you are if you're in their consideration yet. I say put that pop up after they've added something to cart or after a few minutes on the site at least. But now that we have this consent pop up, I can give more reason for customers to for clients to push that back. Because nothing's worse than a bunch of pop ups, right? When you land on a website, you're giving people too many things to click on before they've even considered your website as a viable option for their purchase or sign up. You know you're asking them for consent and a 5% off offer. No, no, too much, right? Take that 5% discount and put it later in their journey. Because your consent banner needs to show up at the beginning, right? So I want to mention that. And then lastly, what do you do if you get one of these lawsuits? It basically comes in the form of a letter you get this, like, letter that says, I think it's called a C CPPA letter. It's basically that you violated this law. That's part of the cpra, blah, blah. And from what I understand, the best thing to do is to contact a privacy lawyer, not just a typical defense lawyer, because these lawsuits are pretty cut and dry these days because they're becoming so. They're becoming so, so much more common. So contact a privacy lawyer, not necessarily a defense lawyer, because the privacy lawyer will know exactly what to do because they are familiar with the structure of these lawsuits. So, again, I hope I didn't just scare all of you. Keep in mind, you know, especially for California, you only need to have, have that. Do not share my personal info. Opt out if you qualify for those three criteria. But I will say if you advertise in Europe, you must set this up. And I implore you to use a verified consent mode platform like Cookiebot and integrate it through Google Tag Manager in consent mode version 2 so you can hang on to those data points. So I hope this is helpful and feel free to send in questions if you. If you have more of them. I'd be happy to follow up on this topic as I know it's a confusing one. So, yeah, I'll talk to you guys later. See you next time.