How to set Google Consent Mode v2 defaults to denied (KVKK/GDPR)
Google Consent Mode v2 tells every Google tag — Analytics, Ads, DoubleClick — whether it may use storage. If you never set the defaults to "denied", Google tags behave as if consent were granted the moment the page loads.
Why it matters
Consent Mode is the mechanism that makes Google’s tags respect the visitor’s choice. Getting the defaults wrong is the same risk as having no consent at all: analytics and ad storage are used before opt-in (KVKK Art. 5 / GDPR Art. 6 / ePrivacy Art. 5(3)). The defaults must be denied and must run before any Google tag initialises, then be updated only when the visitor accepts.
How to fix it
Push a "default" consent state with everything non-essential set to denied, as the very first thing on the page — before gtag.js, GTM or any Google tag loads. Then, from your consent banner’s accept callback, push an "update" that grants exactly the categories the visitor chose. Re-scan to confirm nothing Google-related uses storage before the update fires.
<!-- FIRST script on the page, before gtag.js / GTM -->
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
ad_storage: 'denied',
ad_user_data: 'denied',
ad_personalization: 'denied',
analytics_storage: 'denied',
wait_for_update: 500
});
</script>
<!-- In the banner's Accept handler, grant what the visitor chose -->
gtag('consent', 'update', {
ad_storage: 'granted',
ad_user_data: 'granted',
ad_personalization: 'granted',
analytics_storage: 'granted'
});
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.
Related guides
- Stop Google Analytics from loading before consent (KVKK/GDPR) KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Gate Google Tag Manager behind consent KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Load the Meta (Facebook) Pixel only after consent KVKK m.5 · GDPR Art. 6 · Art. 26 (joint controller)
- Session recording (Hotjar, Clarity, Yandex) needs explicit consent KVKK m.5 · GDPR Art. 6 · Art. 9 risk
These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.