CMP and Consent Mode Installed? Why UK Google Ads Sites Still Fail PECR
If you’ve installed a consent management platform like OneTrust or CookieYes and switched on Google Consent Mode v2, it’s fair to think the compliance job is done. You’ve got a banner, the consent signals are firing back to Google, your Ads account has stopped complaining, and the whole thing feels neatly wrapped up.
The awkward truth is that the finish line you crossed was Google’s, not the ICO’s. They’re not the same line, and the gap between them is where a lot of small UK businesses running Google Ads are quietly non-compliant without realising it.
This post walks through the checks worth running on your own site. None of them need a developer, and most of them take an afternoon. If you find yourself nodding through all five without spotting an issue, brilliant, you’re in better shape than most. If a few make you wince, (welcome to the club – I’ve been caught out by this before – hence the post!) then read on.
Google’s rules and PECR are two different things
Google’s EU User Consent Policy sets out what signals you need to send back to Google if you want your ads to work properly for people in the EEA and UK. It’s a commercial policy backed by loss of ad functionality if you ignore it. Consent Mode v2 is the technical mechanism that sends those signals.
PECR is the law. Regulation 6 says you need consent before storing or reading information on someone’s device, unless a narrow exception applies. UK GDPR sets the bar for what valid consent looks like: freely given, specific, informed, and an unambiguous positive action.
The reason people muddle the two is that a CMP plus Consent Mode looks like it covers both. It doesn’t. The CMP handles the banner and passes the signals. Whether your banner actually meets PECR, whether your tags stay properly blocked before consent, and whether the consent you’re collecting is valid in the first place, those are separate questions, and no plugin can answer them for you.
If you want the fuller picture of how Consent Mode v2 fits into a WordPress setup specifically, my step-by-step GA4 and Consent Mode v2 guide for UK sites walks through the setup that most of these checks assume you’ve already done.
Here are the five checks.
1. Whether your ad tags are actually blocked before consent
Consent Mode has two flavours: basic and advanced. Most CMPs default to advanced, and it’s the one Google prefers because it gives you better conversion modelling.
In advanced mode, your Google tags load on page view. When consent is denied, they send “cookieless pings” back to Google rather than nothing at all. Google is comfortable with this. The ICO’s position is more cautious. Under PECR, you’re not meant to store or access information on someone’s device before you have their consent, and there’s a reasonable argument that an advanced-mode tag firing off to Google servers is doing exactly that, even if it isn’t dropping a cookie in the strict sense.
You can check this yourself in about two minutes. Open a private browsing window, load your site with developer tools open, and watch the network tab. If you see requests hitting googleadservices.com, google-analytics.com, or googletagmanager.com before you’ve clicked anything on the banner, that’s the gap.
What to do: Find out whether your CMP is set to basic or advanced mode and decide with your eyes open which trade-off you’re making. Advanced mode gives you better data. Basic mode gives you a cleaner PECR position. Neither is objectively right, but pretending the choice isn’t there is a problem.
2. Whether your Accept and Reject buttons carry equal weight
The ICO’s finalised April 2026 guidance is explicit about this. Accept and Reject must be presented with equal prominence. It’s not a new rule, but it’s now spelled out clearly, and it’s the single most common failure on small business sites.
If your banner has a bright, colourful “Accept All” button and a small grey “Manage preferences” text link, you’re not compliant. The user is being nudged to accept, which means the consent isn’t freely given, which means it isn’t valid, which means the tags you fired based on it were fired without a lawful basis.
Consent Mode has no view on any of this. It’ll happily pass “granted” signals that PECR would consider invalid.
What to do: Look at your banner with fresh eyes. If Accept and Reject aren’t visually equivalent, fix it. Most CMPs let you sort this in settings without touching any code.
3. Whether you’re relying on the analytics exception when you shouldn’t be
The Data (Use and Access) Act introduced a low-risk analytics exception that came into force on 5 February 2026. Some businesses have taken this as a green light to stop asking for consent for analytics cookies. Sometimes that’s fine. Often it isn’t.
The exception only applies where analytics cookies are used solely for statistical purposes. If your GA4 property is linked to Google Ads, if you’re exporting audiences to Ads for remarketing, or if the same cookie is doing double duty for analytics and advertising, the exception doesn’t apply and consent is still required.
Most small businesses running Google Ads have GA4 linked to Ads. That link alone pulls their analytics out of the exception.
What to do: Check whether GA4 is linked to a Google Ads account. If it is and you’ve been treating analytics as consent-free, that needs revisiting.
4. Whether your non-Google tags are gated the same way
Consent Mode v2 deals with Google tags. It doesn’t deal with anything else. If your site is also running Meta Pixel, LinkedIn Insight Tag, HubSpot tracking, TikTok Pixel, Hotjar, Microsoft Clarity, or affiliate tracking scripts, those tags have their own PECR obligations. The ICO has explicitly confirmed that affiliate tracking pixels need consent.
Your CMP should be blocking these too, but plenty of implementations only cover the Google stack because that’s what the setup guide walked through. Everything else quietly loads on page view.
What to do: Open your tag manager container and go through every tag that fires. For each one, check whether it’s gated behind a consent trigger. Anything firing regardless of consent is a problem that has nothing to do with Consent Mode.
5. Whether you can prove the consent you collected
PECR doesn’t spell out record-keeping in the same way UK GDPR does, but if the ICO comes knocking or a subject access request lands on your desk asking what you did with someone’s data, you need to be able to demonstrate that consent was validly obtained.
Most CMPs log consent events. Fewer businesses know where those logs live, how long they’re kept, or how to export them. If your answer to “show me the consent record for the visitor who bought something on 14 March” is “I’d have to ask the vendor”, that’s a record-keeping gap.
What to do: Find out where your CMP stores consent logs, how long they’re retained, and how you’d retrieve them if asked. If retention is shorter than your marketing data retention, that’s another thing to sort.
The pattern behind all five
Every check has the same shape. The CMP is doing what it was designed to do. Consent Mode is doing what it was designed to do. Neither is designed to check whether your overall approach is PECR-compliant, because that’s a legal judgement about your specific setup, not a technical function.
That’s why “install a CMP” is a starting point, not a solution. The tools handle the mechanics. Someone still has to make the calls about banner design, tag configuration, analytics scope, and consent records, and those calls are what decide whether you’re actually compliant.
This is also why compliance often lands on people who weren’t hired to do it. In a small business, this stuff frequently defaults to the IT manager or the marketing lead, both of whom already have full-time jobs that aren’t privacy. If that sounds familiar, our post on the quiet overload of the small business IT manager covers why this keeps happening and what a more sensible split of responsibilities looks like.
When it’s worth getting a second pair of eyes
You can run the five checks yourself in an afternoon, and for most small businesses that will close the obvious gaps. Where it starts to make sense to bring someone in is when the answers stop being simple. If you’re running paid campaigns at scale, if you’ve got several tracking pixels doing overlapping jobs, or if you’ve got any doubt about whether your setup would survive an ICO complaint, an independent review is worth the fee.
That’s the work I do at Privacy Ally. If you’d like a hand with any of the above, get in touch and we can talk through what your setup actually looks like.
