Evidon Template Integration with Google Tag Manager, Google Consent Mode v2 and Google Tag Gateway (GTG)

Updated for the 2026 Google CMP Partner Program. This revision adds Google Tag Gateway (GTG) support, In‑CMP Signaling (ICS), the full set of six Consent Mode v2 signals, and the new Evidon configuration switches (enableGoogleConsentSupport, globalConsentDefaults). See the What's New in 2026 section for a summary of the changes.

Overview

Evidon CMP (Consent Management Platform) helps manage user consent preferences for cookies and data tracking to comply with regulations like GDPR, CCPA, and more. Google Tag Manager (GTM) is a tool for managing and deploying marketing tags on a website without modifying code. Integrating Evidon CMP with GTM ensures user consent preferences control tag behavior across your site.

Google Consent Mode is a framework that adjusts Google tags' behavior based on user consent for cookies, ensuring compliance with privacy regulations like GDPR and CCPA. It supports granular consent for functionalities such as analytics and ads while enabling anonymized data collection for users who deny consent. Google's Consent Mode v2 maintains alignment with privacy regulations while offering enhanced transparency and control to users. With Google Consent Mode v2 there is:

• Enhanced Control which provides more granular handling of tag behavior.
• Improved Privacy which expands data modeling capabilities without relying on cookies.
• Better integration to offer seamless compatibility with advanced consent management platforms (CMPs), such as Evidon.

With Google Consent Mode v2 there are two different modes, Basic and Advanced Consent Mode.

In 2026, Google extended its CMP Partner Program to also require certified CMPs to support Google Tag Gateway (GTG) and to declare all Consent Mode v2 signals before tags fire. Evidon CMP now meets these requirements out of the box — see the next section.

What's New in 2026 (GTG & CMP Partner Program)

To maintain Google CMP Partner certification, Evidon CMP has been updated as follows. Most changes are automatic and require no action from publishers already using the Evidon template; the new configuration switches are optional.

Basic Consent Mode

Purpose: Simplifies consent handling for essential functionalities like Analytics and Ads.

Key Features:

• Default consent state is set before user consent is provided.
• All Google tags are blocked using event triggers until users interact with the banner.
• Requires event trigger setup; refer to Google Tag Manager (GTM) implementation details for configuration.

Advanced Consent Mode

Purpose: Provides more granular control and customization for managing consent.

Key Features:

• Default consent state is set before loading Evidon scripts.
• Google Consent dynamically updates when the user provides consent via the Evidon UCP banner.
• Google tags send cookieless pings (e.g., conversion data) until consent is granted.

If you'd like more information on these two modes, you may visit Google's Consent Mode Overview page.

Google Tag Gateway (GTG)

What is GTG

Google Tag Gateway (GTG) is Google's mechanism for serving Google tags (such as gtm.js and gtag/js) from the publisher's own first‑party domain instead of from googletagmanager.com / google-analytics.com. Because the tags are served first‑party, they are more resilient to ad blockers and browser tracking restrictions, and they can participate in first‑party measurement.

As of the 2026 CMP Partner Program, certified CMPs must support GTG so that consent signals reach first‑party‑served Google tags reliably. Evidon CMP supports GTG automatically when Google consent support is enabled.

How GTG Is Deployed

One-Click CDN Injection (Cloudflare, Akamai, Fastly): The CDN provider injects Google tag scripts directly into the page’s <head> automatically via the CDN. This removes your control over the load order. The CDN decides when and how Google tag URLs are rewritten, and you cannot control the position of these scripts relative to your CMP snippet. Because GTG tags load as first-party scripts from your own domain, basic consent mode blocking that looks for scripts loading from Google’s domain becomes ineffective.

Manual GTG Setup: You add the first-party script path manually in the page source and control where it appears relative to other scripts. This gives full control over load order and is the recommended deployment when consent timing is critical.

For the official documentation, see Google Tag Gateway documentation.

Late Consent and Why GTG Matters

"Late consent" is the window between a Google tag loading on the page and the user actually making a consent decision in the banner. With traditional third‑party tags, the CMP declares a denied default before tags fire and then sends an update once the user decides — this is the standard Consent Mode v2 flow.

GTG changes the timing because tags are served first‑party and may evaluate consent state very early. To handle this correctly, Evidon writes an In‑CMP Signaling (ICS) object that GTG reads to re‑evaluate tags after the user decides, rather than relying solely on data layer ordering.

The CMP detects whether your page is using third‑party Google tags or GTG, and if a late‑consent window exists with third‑party tags and no GTG, it logs a warning recommending you route Google tags through GTG. See Debugging & Verifying GTG.

In-CMP Signaling (ICS)

On every consent update, Evidon populates:

window.google_tag_data.ics.entries

with an entry for each of the six Consent Mode v2 signals (ad_storage, analytics_storage, ad_user_data, ad_personalization, functionality_storage, security_storage). Each entry records the default state and the latest update value. GTG reads this object to re‑evaluate late consent without depending on the data layer alone.

This is handled automatically by the Evidon tag; no configuration is required beyond keeping enableGoogleConsentSupport enabled (the default).

Key Terms

Key Terms in Consent Management (Purposes)

• Strictly Necessary: Essential for basic website functionality (e.g., session cookies).
• Performance/Analytics: Used for website analytics (e.g., Google Analytics).
• Targeting/Advertising: Enables ad personalization and tracking (e.g., Google Ads).
• Functional: Supports additional features like chatbots or enhanced UI.

GTM-Specific Terms

• Tags: Code snippets that send data to third‑party tools (e.g., GA4, Facebook Pixel).
• Triggers: Define when a tag should fire (e.g., page load, click event).
• Variables: Store dynamic data (e.g., user consent status).

Google Consent / GTG-Specific Terms

• Consent Mode v2 signals: The six consent types Google tags read — ad_storage, analytics_storage, ad_user_data, ad_personalization, functionality_storage, security_storage.
• `gtag('consent','default')`: The declaration of the initial (pre‑decision) consent state. Honored only on its first call per page.
• `gtag('consent','update')`: Sent after the user decides, carrying the actual consent values.
• `url_passthrough`: Enables GTG/Consent Mode cross‑domain measurement when cookies are denied.
• `wait_for_update`: Tells Google tags to wait a number of milliseconds for the CMP's update before acting on the default state.
• Google Tag Gateway (GTG): First‑party serving of Google tags from the publisher's own domain.
• In‑CMP Signaling (ICS): The window.google_tag_data.ics.entries object GTG reads to handle late consent.

Evidon CMP-Specific Terms

• Categories: Groupings of user preferences (e.g., analytics, advertising).
• Vendors: Another name for companies who perform advertising and tracking functionality.

Consent Levels Supported by Evidon CMP

Evidon CMP maps user consent preferences to categories that control data processing. The levels typically supported are:

Consent Mode v2 Signals

Evidon CMP now declares and updates all six Consent Mode v2 signals on every consent path. This is required by the 2026 CMP Partner Program.

In addition, Evidon sets ads_data_redaction to false when advertising consent is granted and true when it is denied, and sets url_passthrough to true once per page to support GTG cross‑domain measurement.

Region scoping: For flows where the banner has not yet appeared, the denied default is scoped to EU/EEA/UK/CH regions so that Consent Mode applies denied defaults only in jurisdictions where opt‑in applies. A short wait_for_update is included so the actual consent update is delivered before Google tags act on the default.

Data Layer Call Details

The data layer is a key GTM component that stores and transmits structured data between the website and various Google services. Evidon CMP uses the data layer to send consent information, and additionally writes the GTG ICS object (see In‑CMP Signaling).

Typical Data Layer Format

dataLayer.push('evidonConsentGiven', consentCategories:'', consentVendors:'');

• eventName: evidonConsentGiven
• consentCategories: comma‑separated list of category names
• consentVendors: comma‑separated list of vendor names

The category names in the consentCategories parameter correspond to the names assigned to your category buckets within the privacy application during configuration.

The vendor names in the consentVendors parameter represent the permanent string identifiers assigned to vendors by the Evidon system.

The event pushed to the data layer when user consent is provided is evidonConsentGiven. Your event triggers must monitor for this event and validate the vendors and categories listed in the consentCategories and consentVendors variables.

In addition to the data layer event, Evidon now performs the Consent Mode v2 calls (gtag('consent','default') and gtag('consent','update')) and writes window.google_tag_data.ics.entries so that both standard Consent Mode and GTG receive consent signals.

Evidon Configuration Switches

These optional properties on the global window.evidon object control the new Google / GTG behavior. They can be set before the Evidon tag loads (for example, via a small inline script or a GTM Custom HTML tag that runs first).

Granting Consent When the Banner Does Not Appear

In regions or on pages where the Evidon consent banner does not appear — such as outside EU/EEA/UK/CH jurisdictions, on DTC (direct-to-consumer) properties, or on pages exempt from consent requirements — you must explicitly grant consent so that Google tags can collect data and measurement is maintained. Without this, the global denied default will apply and Google tags will operate in a restricted, cookieless-only mode even though no legal requirement to obtain consent exists.

Use window.evidon.globalConsentDefaults with adConsent: true and analyticsConsent: true to pre-grant all six Consent Mode v2 signals before any Google tag fires. Set waitForUpdate: 0 so tags do not wait unnecessarily for a banner interaction that will never occur. This configuration takes precedence over flow-level defaults because gtag(‘consent’,‘default’) only honours its first call per page load.

Example — pre‑granted defaults for a DTC region:

window.evidon = window.evidon || {};
window.evidon.globalConsentDefaults = {
  adConsent: true,
  analyticsConsent: true,
  waitForUpdate: 0
};

Example — disable all Google signals (e.g., for a property that does not use Google tags):

window.evidon = window.evidon || {};
window.evidon.enableGoogleConsentSupport = false;

Callbacks

The Evidon Consent Management Platform (CMP) provides pre‑defined callbacks that allow developers to customize their websites or applications based on user consent actions. These callbacks offer hooks to dynamically load, block, or manage technologies in alignment with user preferences, helping facilitate compliance with privacy regulations.

While the CMP provides the tools, developers are responsible for ensuring proper integration and adherence to applicable laws.

priorConsentCallback

Description: Executed whenever a consent state is detected. This can happen when:

• A consent cookie is present when the CMP script initializes.
• A user performs a consent action (e.g., accepting, rejecting, or modifying preferences).
• Consent is not required for the current region or domain.

Parameters:

• categories (Object): Consent categories (e.g., "Analytics", "Marketing") and their statuses (true for consented, false for declined).
• vendors (Object): Vendors and their consent statuses.
• cookies (Object): Key‑value pairs indicating cookie states based on user consent.

Use Case:

• Pause the execution of scripts or tags until consent is verified.
• Customize the behavior for specific categories or vendors.

Note: Always validate the consent state before enabling third‑party scripts or technologies.

window.evidon.priorConsentCallback = function (categories, vendors, cookies) {
    if (categories.includes('Marketing')) {
        console.log('Marketing consent provided. Loading marketing tags...');
        loadMarketingTags();
    } else {
        console.log('Marketing consent not provided. Blocking related tags.');
    }
};

closeCallback

Description: Triggered when a user closes the consent interface (e.g., a banner or modal) without explicitly accepting or declining consent.

Use Case:

• Track the interaction for reporting purposes.
• Optionally prompt the user again after a specified interval to complete their consent decision.

window.evidon.closeCallback = function () {
    console.log('Consent UI closed without user action.');
    promptUserForConsentLater();
};

consentWithdrawnCallback

Description: Triggered when a user withdraws or revokes granted consent. Crucial for GDPR compliance, which requires immediate action when consent is revoked.

Use Case:

• Immediately disable all consent-dependent technologies (e.g., advertising trackers, analytics).
• Clear any cookies or local storage associated with the withdrawn consent.

window.evidon.consentWithdrawnCallback = function () {
    console.log('User has withdrawn consent. Disabling all technologies.');
    disableTracking();
    clearConsentCookies();
};

consentDeclinedCallback

Description: Triggered when the user explicitly declines consent by interacting with a "Decline" button on the UI.

Use Case:

• Stop any consent-dependent services immediately.
• Log the user's choice for auditing purposes.

window.evidon.consentDeclinedCallback = function () {
    console.log('User declined consent. Blocking all non-essential tags.');
    disableTracking();
};

consentRejectCallback

Description: Triggered when a user opts out of all consent categories by selecting an "Opt‑Out All" or "Reject All" option. Typically applicable under opt‑out regulations like CCPA.

Use Case:

• Stop any consent-dependent services immediately.
• Log the user's choice for auditing purposes.

window.evidon.consentRejectCallback = function () {
    console.log('User opted out of all consent categories.');
    disableAllTags();
    clearCookiesAndData();
};

Key differences between callbacks

Note: The Google Consent Mode update calls and GTG ICS writes are handled by the Evidon tag automatically on each of these paths (when enableGoogleConsentSupport is enabled). The callbacks above remain available for your own custom logic (e.g., clearing first‑party cookies).

Enabling Evidon Category/Vendor Consent Support

While this document does not cover the complete setup of the Universal Consent Platform (UCP), the steps below enable support for Category and Vendor consent at the Theme level in UCP.

Steps to Enable Granular Consent

1. Log in to the Evidon Privacy Application — navigate to the Evidon Privacy Application in your browser.
2. Access the Manage Section — open the Manage section to view the list of notices.
3. Find the Relevant Theme — filter notices by your domain, identify the assigned theme, and open it.
4. Enable Options Dialog v2 — in the theme editor, switch to the Options Dialog section, check Enable Options Dialog v2, and save.

Key Considerations

• Theme‑Wide Changes: Enabling Options Dialog v2 affects all notices using this theme. To limit changes, copy the theme, modify it, and assign it to the desired properties.
• Updated Layout: Granular consent adds toggle controls for category‑ and vendor‑specific selections. Test for style integration.
• Style Verification: Review the updated dialog's appearance and behavior before deploying.

Notice Configuration

Follow these steps to create a notice in UCP and configure it with the required vendors to support consent updates for analytics_storage, ad_storage, ad_personalization, and ad_user_data.

Steps to Create and Configure a Notice

1. Create a Notice — log in to the Evidon Privacy Application, go to Notices, and create a new notice for your web property.
2. Add Google Analytics — ensure the Google Analytics vendor is added to the notice disclosure. Required to enable consent updates for analytics_storage.
3. Add Advertising Vendors — to enable consent updates for ad_storage, ad_personalization, and ad_user_data, include one or more of the following vendors in the notice disclosure:
4. Google AdSense
5. DoubleClick
6. DoubleClick Bid Manager (formerly Invite Media)
7. Channel Intelligence (Google)
8. AdMeld (Google)
9. Google AdWords
10. Google Display Network
11. AdMob (Google)
12. Google Attribution 360 (formerly Adometry)
13. Google Tag Manager
14. Google Ad Services
15. Google Mobile Ads
16. Google IMA
17. Google Ads
18. Google Analytics

Refer to the official Universal Consent Platform Getting Started Guide for more details on creating notices and managing vendor disclosures. Adding these vendors enables the granular consent updates required for compliance and advanced advertising configurations.

GTM Implementation

The guide is split into two sections: Template Implementation and GTM Recipe Implementation. Both methods are described, but we strongly recommend the template approach for simplicity and efficiency.

Section 1: Template Implementation

Overview

The Template Implementation method leverages GTM's custom templates to simplify the integration process. It allows users to configure Evidon CMP settings within a predefined framework, minimizing the need for manual coding.

Step 1: Import the Template

1. Open the Templates Menu — in the GTM dashboard, navigate to the Templates menu.
2. Access the Community Template Gallery — in the Tag Templates section, click Search Gallery.

3. Search for the Template — type "Evidon Universal Consent CMP" and locate the template.

   

4. Install the Template — select it and click Add to Workspace.

   

5. Confirm Installation — click Add in the confirmation modal. The template is now available in your workspace.

Step 2: Create a tag using the Evidon Template

1. Add the Evidon Universal Consent Platform Tag — go to Tags, click New, select the Evidon Universal Consent CMP template, and save after configuration.

2. Set the Company ID — enter the Company ID assigned to your account.

   

3. (Optional) Enable URL Passthrough — enable if you need to pass consent data via URLs. *(Note: Evidon also sets url_passthrough automatically to support GTG cross‑domain measurement when Google consent support is enabled.)*
4. (Optional) Enable Debug Mode — toggle Debug Mode to test configuration without affecting live data.
5. Enable Advanced Google Consent Mode — check this box to manage granular consent signals for Google services.
   • If Advanced Consent Mode is enabled: the default consent state is set before Evidon scripts load. Google Consent is updated when the end‑user consents in the Evidon UCP banner/options dialog. While consent is not provided, Google tags send cookieless pings.
   • If Advanced Consent Mode is not enabled: the default consent state and update are set after the end‑user consents. All Google tags must be blocked (via event triggers) until user consent is provided — see Section 2: GTM Recipe Implementation.
6. Non‑Production Notice — lets you configure and test consent notices in development/staging without impacting the live site.

7. Configure Default Consent State — click Add row and assign default consent (Denied/Granted) to each category relevant to each region (e.g., Ad Storage, Analytics Storage, Ad Personalization, Ad User Data).

   

2026 / GTG note: Evidon now declares all six Consent Mode v2 signals (adding functionality_storage and security_storage) and writes the GTG ICS object automatically. If you deploy Google Tag Gateway, no extra GTM configuration is needed for late consent — the ICS object handles it. You can pre‑grant consent for DTC/no‑banner regions using window.evidon.globalConsentDefaults, and disable all Google signals with window.evidon.enableGoogleConsentSupport = false. See Evidon Configuration Switches.

Using Evidon Callback Methods (Optional)

To use Evidon callbacks as optional activities within GTM, import a pre‑configured GTM Template Recipe:

1. Download the GTM Template Recipe

   • Log in to https://privacy.evidon.com.

     

   • Click Manage → Get Site Notice Tag.

   • Select GTM Template Recipe from the dropdown and choose the desired consent mode.

     

   • Click Download to get the JSON file.
2. Import the Template Recipe into GTM
   • Log in to GTM and navigate to your container.
   • Go to Admin → Import Container.
   • Upload the GTM recipe JSON.
   • Choose the appropriate workspace and Merge (to add) or Overwrite (to replace). A new Evidon Consent Tag is generated.
3. Update the logic in Callbacks
   • Open Evidon Consent Tag in edit mode.

   • In the Custom HTML, update your code in the given placeholders.

     

Step 3: Test and Deploy

1. Use GTM's Preview Mode to verify the template's functionality.
2. Validate that consent signals are correctly passed to Google Analytics and Ads — confirm all six signals appear (see Debugging & Verifying GTG).
3. Publish the container once testing is successful.

The template approach is recommended due to its ease of use, lower risk of errors, and maintainability, and it ensures compliance with Evidon and Google's latest updates (including the 2026 GTG requirements).

Section 2: GTM Recipe Implementation

Overview

The GTM Recipe Implementation method involves importing a pre‑configured GTM container that includes the tags, triggers, and variables required for Evidon CMP integration. This method is suitable for users familiar with GTM and requires more manual configuration.

If you are following the Evidon template implementation approach in the GTM console, the 'GTM Recipe' script is not compatible — instead select the 'GTM Template Recipe'.

Step 1: Import the Recipe

1. Log in to UCP Download.
2. Click Manage in the menu.
3. Click Get Notice Tag.
4. In the modal, open the dropdown and choose GTM Recipes.
5. Choose the level of consent: Vendor or Categories.
6. Download the JSON file.

Step 2: Configure Tags and Triggers in Google Tag Manager

1. Log in to GTM and select Admin.
2. Select Import Container and import the JSON file.
3. Choose to Overwrite or Merge, then Confirm.

Once imported, your triggers are set up. Then assign the correct load rules to your tags:

Category consent:

1. Open or create the tag you are adding to the consent wall.
2. In Triggers, assign the All Categories trigger and the appropriate Category Consent trigger.
3. Save.

Vendor consent:

1. Open or create the tag.
2. In Triggers, assign the All Vendors trigger.
3. Assign the specific Vendor trigger.
4. Save.

Triggers on a tag act as an "OR" condition — if either executes, the tag fires.

Step 3: Test and Validate

1. Use GTM preview mode to test the setup thoroughly.
2. Validate consent signals using browser developer tools and Evidon CMP's testing tools.
3. Ensure no conflicts exist between CMP scripts and GTM configuration.

Debugging & Verifying GTG

When Google consent support is enabled and the notice is an IAB TCF v2 notice, Evidon monitors the timing between the banner appearing and the user deciding, inspects the page for Google tags, and reports whether GTG is in use.

To verify your setup:

1. Open your site with the browser developer console open.
2. After the banner shows and you make a decision (or as a returning user), look for the `[Evidon CMP] GTG Late Consent Report` log. It reports:
3. Banner shown timestamp / "consent pre‑given"
4. User decision timestamp and time‑to‑consent (ms)
5. Whether Google tags were found
6. Whether third‑party GTM/GA tags are loaded (from googletagmanager.com / google-analytics.com)
7. Whether GTG is detected (tags served from your first‑party domain)
8. Inspect window.evidon.gtgDebug for the raw detection data.
9. Inspect window.google_tag_data.ics.entries to confirm the ICS object is populated with all six signals after consent.
10. In GTM Preview / the Tag Assistant, confirm that gtag('consent','default') (with region scoping and wait_for_update) and gtag('consent','update') (with all six signals) are present.

Warnings you may see:

• ACTION REQUIRED — late consent detected and GTG enrollment is verified: Google tags are receiving consent signals after initial execution. Take one of the following actions:
• Adopt Advanced Consent Mode (U+C) — Recommended. Advanced Consent Mode (U+C) is the recommended mechanism for GTG-enabled tags because it is compatible with manual GTG deployments where you control script import order. It sets consent defaults synchronously before any tag fires, sends cookieless pings while consent is pending (preserving conversion modeling), and works correctly regardless of whether tags are served from Google’s domain or from your first-party domain via GTG. Enable Advanced Consent Mode in your Evidon GTM template configuration, then also enable Data Transmission Controls to restrict what data Google tags can transmit based on consent state, and set Global Consent Defaults to define a denied baseline for all consent types on every page load according to your need.
• Migrate all tags into a GTM container and deploy GTM via GTG. This centralises load-order control so that GTM’s built-in consent checks apply to all tags within the container. When GTM itself is served through GTG, the container’s consent state is evaluated before any tag fires.
• Set up GTG manually where you control the script import order. Instead of using one-click CDN injection, place the first-party GTG script path directly in your page source. Position it after the Evidon CMP snippet so consent defaults are always declared first. Manual GTG is fully compatible with Advanced Consent Mode.
• OK — GTG detected: late consent signals are handled via ICS entries.
• OK — consent pre‑given (returning user): no late‑consent window exists.

Disclaimer

This document provides technical guidance for implementing the Evidon Consent Management Platform (CMP). It is the responsibility of the user to ensure compliance with applicable data protection laws and regulations, including but not limited to GDPR, CCPA, or other regional privacy frameworks. Evidon offers tools and resources to support compliance but assumes no liability for errors in implementation or misuse of this documentation. Users are strongly advised to consult their legal team to confirm that all implementations meet relevant legal and regulatory requirements.

For issues or questions related to Google Consent Mode, email google.cmp.support@crownpeak.com. For other questions, contact support@crownpeak.com or use our support portal.