Back to Insights
Data Implementation 7/31/2024 5 min read

Beyond Consent Mode: Granular Consent Enforcement with CMPs in Server-Side GA4 on Cloud Run

Beyond Consent Mode: Granular Consent Enforcement with CMPs in Server-Side GA4 on Cloud Run

In previous posts, we've explored building a robust server-side Google Analytics 4 (GA4) pipeline with Google Tag Manager (GTM) Server Container on Cloud Run, enriching data with BigQuery, enforcing data quality, and activating insights. This approach offers significant advantages for data accuracy and resilience. However, a crucial aspect of modern analytics—especially in privacy-first environments—is granular consent management.

While Google's Consent Mode is an excellent foundation, many organizations operate with more stringent privacy requirements or utilize comprehensive Cookie Consent Management Platforms (CMPs) that provide highly granular consent signals (e.g., for specific data processing purposes, vendors, or IAB TCF v2.0/GPP strings). The challenge then becomes: How do we ensure these detailed consent choices are not only captured but also actively enforced within our server-side GA4 pipeline on Cloud Run? Simply relying on basic analytics_storage or ad_storage might not be enough to meet complex regulatory compliance or to fully respect user choices for various data uses like personalization, security, or feature testing.

Sending data that violates user consent, even accidentally, can lead to compliance risks, fines, and erosion of user trust. The problem is ensuring that every server-side tag, every enrichment call, and every data point sent to GA4 respects the specific, granular consent granted by the user at every step.

This blog post will guide you through implementing advanced, granular consent enforcement by integrating your CMP's detailed consent signals with your GTM Server Container on Cloud Run. We'll cover how to ingest, parse, and utilize these signals to dynamically control your data flow, ensuring true privacy compliance.

The Problem: Beyond Basic Consent Mode

Google Consent Mode provides a standardized way to communicate consent state (granted/denied) for analytics_storage and ad_storage. This is a great starting point, but many CMPs offer much more detailed choices, such as:

  • Consent for specific purposes (e.g., personalization, security, measurement, fraud prevention).
  • Consent for specific vendors (e.g., Google, Facebook, a custom analytics tool).
  • Jurisdiction-specific consent frameworks like IAB TCF (Transparency & Consent Framework) v2.0 or IAB GPP (Global Privacy Platform) strings, which encode complex consent and legitimate interest signals across multiple vendors and purposes.

The default GTM Server Container setup often doesn't natively expose these granular details to the server-side environment in an easily usable format. This leaves a gap where data might be processed or sent to vendors without the explicit, granular consent required.

Our Solution: A Granular Consent Enforcement Layer

We'll extend our server-side architecture to include a dedicated layer for ingesting, parsing, and enforcing granular consent signals. This layer will live primarily within your GTM Server Container, potentially offloading complex parsing to a dedicated Cloud Run service for robust handling of formats like TCF strings.

The flow will be:

  1. Client-Side CMP: Captures user consent and creates a consent string/object.
  2. GTM Web Container: Receives the consent string and sends it along with the event data to the GTM Server Container.
  3. GTM Server Container (Consent Ingestion): Captures the incoming consent string as an event data variable.
  4. GTM Server Container (Consent Parsing/Enrichment): Calls a custom Cloud Run service (Python) to parse the complex consent string into a simplified, actionable set of flags (e.g., purpose_1_granted: true, vendor_google_granted: true).
  5. GTM Server Container (Consent Enforcement): Uses these parsed flags in custom variables, tags, and triggers to dynamically:
    • Fire or block GA4 tags.
    • Modify data sent to GA4 (e.g., anonymize IDs if personalization is denied).
    • Conditionally call or modify requests to external enrichment services (e.g., don't send user_id to an audience segmentation service if profiling consent is denied).

Here's the visual representation:

graph TD
    A[User's Browser with CMP] -->|1. User Consent Choice| B(CMP & GTM Web Container);
    B -->|2. Event + Granular Consent String (e.g., TCF/GPP)| C(GTM Server Container on Cloud Run);
    C --> D{3. Ingest Consent String Variable};
    D -->|4. HTTP Request with Consent String| E[Consent Parsing Service (Python on Cloud Run)];
    E -->|5. Parse & Return Simplified Consent Object| D;
    D --> F{6. Evaluate Consent for Tags/Services};
    F -->|Conditional Send (GA4 Tag)| G[Google Analytics 4];
    F -->|Conditional Call/Modify (Enrichment Service)| H[Enrichment Service (Python on Cloud Run)];
    H --> I[BigQuery];

    subgraph Server-Side Consent Logic
        D; E; F;
    end

Core Components & Implementation Steps

1. Client-Side CMP and GTM Web Container Setup

Your CMP will typically expose consent details through its JavaScript API or by storing them in localStorage. For TCF v2.0, this is often accessed via window.__tcfapi. For IAB GPP, there are specific global objects.

Example: Sending TCF v2.0 Consent String from GTM Web Container

Assuming your CMP makes the tcString available, you'd configure your GTM Web Container to push this to the data layer or directly to the GA4 configuration tag.

Data Layer Push (Recommended for consistency):

// This script would run after CMP loads and consent is established
window.addEventListener('tcfapiReady', function() {
    __tcfapi('getTCData', 2, function(tcData, success) {
        if (success && tcData.tcString) {
            window.dataLayer.push({
                'event': 'tcf_consent_update',
                'tcf_consent_string': tcData.tcString,
                // Optionally, include other specific consent values
                'analytics_storage_tcf_status': tcData.vendor.consents['755'] ? 'granted' : 'denied', // Example for Google LLC
                'personalization_tcf_purpose_1': tcData.purpose.consents['1'] ? 'granted' : 'denied' // Example for Purpose 1: Store/access information
            });
        }
    });
});

You would then configure your GA4 Configuration Tag in GTM Web Container to include tcf_consent_string as a user_property or event_parameter (if it's tied to an event). For server-side, it's best to send it as a top-level event parameter or include it in user_properties if it represents a user's persistent consent state.

2. GTM Server Container: Ingesting Consent

Once the GTM Web Container sends the tcf_consent_string (or equivalent) as part of the event payload, your GTM Server Container needs to capture it.

GTM Server Container Variable: Create an Event Data variable (e.g., {{Event Data - tcf_consent_string}}) to extract the tcf_consent_string from the incoming event data.

3. GTM Server Container: Parsing Granular Consent (Cloud Run Service)

Parsing complex strings like TCF v2.0 can be intricate, often requiring external libraries. This makes it a perfect candidate for a dedicated, lightweight Python service on Cloud Run. The GTM Server Container will call this service, send the raw consent string, and receive a simplified, actionable JSON object.

a. Python Consent Parsing Service (Cloud Run)

This example uses a simplified approach. For full TCF v2.0 parsing, you'd integrate a library like iabtcf (Python) or a similar one in Node.js.

main.py for Consent Parsing Service:

import os
import json
import base64
from flask import Flask, request, jsonify
from google.cloud import bigquery
import logging

app = Flask(__name__)
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)

# --- Simplified TCF v2.0 Parsing (Illustrative - for full implementation use iabtcf library) ---
# For demonstration: Assume we only care about Google's vendor consent (ID 755) and Purpose 1 (Store/access information)
# In a real scenario, you'd use a robust TCF parsing library.
def parse_tcf_string_simplified(tc_string):
    consent_data = {
        'analytics_storage_granted': False,
        'ad_storage_granted': False,
        'personalization_granted': False,
        'vendor_google_analytics_granted': False,
        'has_tc_string': False
    }
    if not tc_string:
        return consent_data

    consent_data['has_tc_string'] = True

    try:
        # TCF string is Base64 URL-safe encoded. It consists of multiple parts.
        # This is a highly simplified mock. A real parser would decode and interpret bits.
        # For simplicity, we'll assume certain patterns or look for known consent signals.

        # Mocking for illustration:
        # In reality, you'd decode the Base64 string and parse the GVL for vendors/purposes.
        # e.g., using a library:
        # from iabtcf.v2 import TCString
        # tc_data = TCString.parse(tc_string)
        # consent_data['vendor_google_analytics_granted'] = tc_data.vendor.consents[755] # Google LLC ID
        # consent_data['personalization_granted'] = tc_data.purpose.consents[1] # Purpose 1

        # For this example, let's just pretend based on the presence of the string
        # or simplified interpretation
        if "XYZ" in tc_string: # Placeholder for actual parsing logic
             consent_data['analytics_storage_granted'] = True
             consent_data['ad_storage_granted'] = True
        if "ABC" in tc_string: # Placeholder for actual parsing logic
             consent_data['personalization_granted'] = True
             consent_data['vendor_google_analytics_granted'] = True

        # Fallback/default logic for standard consent mode if TCF string implies it
        # This would be integrated with the CMP's native consent_mode update.
        # For this example, we're assuming the TCF string is the primary source.

    except Exception as e:
        logger.error(f"Error parsing TCF string: {e}")
        # On error, default to denied or a safe state
        pass

    return consent_data

@app.route('/parse_consent', methods=['POST'])
def parse_consent():
    try:
        data = request.get_json()
        tc_string = data.get('tcf_consent_string')
        gpp_string = data.get('gpp_consent_string') # For IAB GPP

        if not tc_string and not gpp_string:
            logger.warning("No TCF or GPP consent string provided.")
            return jsonify({'error': 'No consent string provided'}), 400

        parsed_consent = {}
        if tc_string:
            parsed_consent.update(parse_tcf_string_simplified(tc_string))
            logger.info(f"TCF string processed. Has string: {parsed_consent.get('has_tc_string')}")
            # Add GPP parsing if gpp_string is present

        return jsonify(parsed_consent), 200

    except Exception as e:
        logger.error(f"Error during consent parsing: {e}", exc_info=True)
        return jsonify({'error': str(e)}), 500

if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0', port=int(os.environ.get('PORT', 8080)))

requirements.txt:

Flask
# iabtcf # Uncomment if using full TCF parsing library

Deploy to Cloud Run:

gcloud run deploy consent-parsing-service \
    --source . \
    --platform managed \
    --region YOUR_GCP_REGION \
    --allow-unauthenticated \
    --memory 512Mi \
    --cpu 1

Note the URL of this service.

b. GTM Server Container Custom Variable Template for Calling Parsing Service

Create a custom variable template in your GTM Server Container that calls the Cloud Run service.

Example Custom Variable Template (e.g., "Consent Parser")

const sendHttpRequest = require('sendHttpRequest');
const JSON = require('JSON');
const log = require('log');
const getEventData = require('getEventData');
const setInEventData = require('setInEventData'); // To add parsed consent back to eventData

// Configuration fields for the template:
//   - parsingServiceUrl: Text input for your Cloud Run service URL
//   - tcfConsentStringParam: Text input for the event data key holding the TCF string (e.g., 'tcf_consent_string')
//   - gppConsentStringParam: Text input for the event data key holding the GPP string (e.g., 'gpp_consent_string')

const parsingServiceUrl = data.parsingServiceUrl;
const tcfConsentString = getEventData(data.tcfConsentStringParam);
const gppConsentString = getEventData(data.gppConsentStringParam);

if (!parsingServiceUrl) {
    log('Consent Parsing Service URL is not configured.', 'ERROR');
    data.gtmOnFailure(); // Or gtmOnSuccess() with default denied state
    return;
}

const payload = {};
if (tcfConsentString) {
    payload.tcf_consent_string = tcfConsentString;
}
if (gppConsentString) {
    payload.gpp_consent_string = gppConsentString;
}

if (!tcfConsentString && !gppConsentString) {
    log('No TCF or GPP consent string found for parsing. Defaulting to denied.', 'INFO');
    // Set default denied flags if no consent string is present
    setInEventData('parsed_consent.analytics_storage_granted', false, true);
    setInEventData('parsed_consent.ad_storage_granted', false, true);
    setInEventData('parsed_consent.personalization_granted', false, true);
    setInEventData('parsed_consent.vendor_google_analytics_granted', false, true);
    data.gtmOnSuccess();
    return;
}

sendHttpRequest(parsingServiceUrl, {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify(payload)
}, (statusCode, headers, body) => {
    if (statusCode >= 200 && statusCode < 300) {
        try {
            const response = JSON.parse(body);
            log('Consent parsing service responded successfully:', response);

            // Add parsed consent flags to the event data context
            // Prefix with 'parsed_consent.' for clarity and to avoid conflicts
            for (const key in response) {
                setInEventData('parsed_consent.' + key, response[key], true); // true for ephemeral
            }
            data.gtmOnSuccess();
        } catch (e) {
            log('Error parsing consent service response:', e, 'ERROR');
            data.gtmOnFailure();
        }
    } else {
        log('Consent parsing service call failed:', statusCode, body, 'ERROR');
        data.gtmOnFailure();
    }
});

GTM SC Configuration:

  1. Create this as a Custom Variable Template (e.g., Consent Parser).
  2. Grant necessary permissions: Access event data, Send HTTP requests.
  3. Create a Custom Variable (e.g., {{Parsed Consent Flags}}) using this template. Configure its parsingServiceUrl, tcfConsentStringParam, etc.
  4. Crucially, ensure this variable is evaluated before any tags or other variables that need to act on granular consent. You might place it in the "Pre-load" or "Initialization" phases for all events.

After this variable runs, you'll have access to values like {{Event Data - parsed_consent.personalization_granted}} in your GTM Server Container.

4. GTM Server Container: Dynamic Tag Firing & Data Modification

Now, you can use these parsed_consent.* flags to control everything.

a. Conditional GA4 Tag Firing: Modify your GA4 event tags and configuration tags to only fire when specific consent conditions are met.

Example Trigger Condition for GA4 Event Tag:

  • Event: page_view
  • Conditions:
    • {{Event Data - parsed_consent.analytics_storage_granted}} equals true
    • AND {{Event Data - parsed_consent.vendor_google_analytics_granted}} equals true (if you want to ensure Google's vendor consent is also granted)

This ensures that GA4 events are only sent if both general analytics storage and specific vendor consent for Google are granted.

b. Conditional Data Modification for GA4: If personalization_granted is false, you might choose to remove or hash user_id or other identifiers before sending them to GA4.

Example in another Custom Variable/Tag Template (e.g., "PII Scrubber based on Consent"):

const getEventData = require('getEventData');
const setInEventData = require('setInEventData');
const deleteFromEventData = require('deleteFromEventData');
const log = require('log');
const crypto = require('crypto');

// This template runs AFTER the Consent Parser and PII Hasher (from previous blog)

const personalizationConsent = getEventData('parsed_consent.personalization_granted');
const userId = getEventData('user_id'); // Assuming user_id is already hashed if PII Hashing tag ran

if (personalizationConsent === false) {
    if (userId) {
        // If personalization is denied, we might redact or send an anonymized ID,
        // even if it was previously hashed for general privacy.
        // For example, delete the user_id for GA4's user-level data collection.
        deleteFromEventData('user_id');
        log('Personalization denied: user_id removed from event for GA4.', 'INFO');
    }
    // You could also set ad_personalization_enabled to false if this is handled in GTM SC
    // setInEventData('ad_personalization_enabled', false, true);
}

data.gtmOnSuccess();

c. Conditional Enrichment Service Calls: If your enrichment service adds customer segments for personalization, you might only call it if personalization consent is granted.

Example in your existing Enrichment Service Custom Template (from "Mastering Server-Side GA4" blog):

// ... (previous code) ...

const personalizationConsent = getEventData('parsed_consent.personalization_granted');

// Only call enrichment service if personalization consent is granted
if (personalizationConsent === false) {
    log('Personalization consent denied. Skipping enrichment service call.', 'INFO');
    data.gtmOnSuccess();
    return;
}

// ... (rest of the sendHttpRequest to enrichment service) ...

This prevents sending user identifiers to your enrichment service if the user has explicitly denied consent for such purposes.

5. Handling Consent Changes

For consent changes, your client-side CMP should trigger a new gtag('consent', 'update', ...) command or a custom event data layer push. Your GTM Server Container setup would then process this new consent string just like an initial event, updating the parsed_consent flags for subsequent events in that session.

Benefits of Granular Consent Enforcement

  • True Compliance: Meets stricter regulatory requirements (e.g., GDPR, CCPA) by respecting specific user choices for data processing purposes and vendors.
  • Enhanced User Trust: Demonstrates a commitment to privacy by actively enforcing granular consent, which can lead to better user relationships and potentially higher opt-in rates.
  • Reduced Risk: Minimizes the risk of privacy violations, potential fines, and reputational damage.
  • Optimized Data Flow: Prevents unnecessary processing or sending of data to downstream systems when consent is denied, potentially saving on data processing costs.
  • Future-Proofing: Provides a flexible framework to adapt to evolving privacy regulations and new consent standards (like IAB GPP).

Conclusion

Moving beyond basic Consent Mode to implement granular consent enforcement is a critical step for any organization serious about data privacy and compliance. By integrating your CMP's detailed consent signals with your GTM Server Container on Cloud Run, you establish a robust, server-side gatekeeper for all your analytics and marketing data. This architecture ensures that every event sent to GA4, every call to an enrichment service, and every piece of data processed respects the user's specific choices, building trust and safeguarding your business in the ever-changing privacy landscape. Embrace this advanced approach to elevate your data governance and build a truly privacy-centric analytics environment.