Free scan
Google Ads · troubleshooting

Google Ads remarketing fires before consent

doubleclick.net and googleadservices.com requests on page load mean your remarketing audiences are filling with visitors who never opted in. Here's why, and the Consent Mode v2 fix.

What it looks like

Fresh incognito window, DevTools → Network, filter on doubleclick or googleads, banner untouched. An ungated setup shows requests to googleads.g.doubleclick.net (e.g. /pagead/viewthroughconversion/…) and www.googleadservices.com firing with the page, sometimes joined by google.com/pagead/1p-user-list/… — the remarketing list hit. Application → Cookies shows _gcl_au set on first paint.

The business-side tell: your remarketing audiences keep growing at roughly the rate of total traffic, which means visitors are being added to ad audiences before they've answered the banner.

DevTools → Network — fresh incognito, banner untouched:
GET googleads.g.doubleclick.net/pagead/viewthroughconversion/… ← fires with the page
GET www.googleadservices.com/pagead/conversion/… ← before any banner click
Cookie: _gcl_au=1.1.… ← set on first paint

Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Why it happens

1. gtag config for the AW- ID fires on load

The Google Ads tag (gtag('config','AW-XXXX')) sits next to the GA snippet in <head> with no Consent Mode defaults before it — so the remarketing hit goes out with the page.

2. Ads tags in GTM without consent requirements

The Google Ads remarketing and conversion-linker tags in Google Tag Manager have no Consent settings, so they fire as soon as the container loads.

3. Consent Mode v2 signals never set

ad_user_data and ad_personalization — the two consent signals Google added for ads in Consent Mode v2 — were never defaulted to denied, so Google's ad tags treat them as granted.

4. Legacy conversion snippets hardcoded on pages

An old campaign left a site-wide remarketing snippet or per-page conversion snippets hardcoded in templates (thank-you pages are a classic spot), bypassing whatever gating you added later.

The risk context

California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that adding a visitor to advertising audiences and sending their browsing to Google's ad systems before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.

Beyond the wiretap statutes, this is squarely a comprehensive-privacy-law issue: under CCPA/CPRA, sharing visitor data for cross-context behavioral advertising is what consumers have the right to opt out of, and states like Texas and Colorado require honoring universal opt-out signals for targeted advertising.

To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.

How to fix it

  1. Add Consent Mode v2 defaults before any gtag/GTM code, defaulting ad_storage, ad_user_data, and ad_personalization to denied — see the snippet below.
  2. Wire your CMP to update consent on accept (most CMPs have a Google Consent Mode integration — enable it).
  3. In GTM, set every Google Ads tag (remarketing, conversion, conversion linker) to require ad_storage consent.
  4. Hunt down legacy hardcoded snippets: search templates for AW-, googleadservices, and viewthroughconversion, and move anything you find into the gated setup.
  5. Re-scan to confirm no requests reach doubleclick.net or googleadservices.com before consent.

Consent-gating snippet

<!-- Place BEFORE the GTM/gtag snippet. Consent Mode v2 defaults:
     ads signals denied until your CMP updates them after opt-in. -->
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500
  });
</script>

Your CMP calls gtag('consent','update',{ad_storage:'granted', ad_user_data:'granted', ad_personalization:'granted'}) only after the visitor accepts marketing.

Verify the fix in 30 seconds — free re-scan, no signup.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Common questions

Why are Google Ads tags firing before my consent banner?

Usually the gtag config for your AW- ID runs on page load with no Consent Mode defaults, the ads tags in GTM have no consent requirements, the Consent Mode v2 signals (ad_user_data, ad_personalization) were never defaulted to denied, or a legacy remarketing/conversion snippet is still hardcoded in page templates from an old campaign.

Is pre-consent remarketing a legal problem?

A remarketing hit before consent is a technical finding, not a legal conclusion. It is, however, the timing pattern pre-consent tracking claims focus on, and under CCPA/CPRA and other comprehensive state laws, sharing visitor data for targeted advertising is exactly what consumers can opt out of. Consent Mode v2 with denied defaults removes the pattern. Not legal advice.

How do I make Google Ads tags wait for consent?

Add a Consent Mode v2 default-denied snippet before gtag/GTM (ad_storage, ad_user_data, ad_personalization), enable your CMP's Consent Mode integration, require ad_storage on every ads tag in GTM, remove legacy hardcoded snippets, and verify with a free re-scan.

Related

Google Analytics loads before consentMeta Pixel fires before consentAll tracker compliance guidesPrivacy laws by state
Monitor my site ($99/mo) Estimate my exposure