Consent Mode is not legally required for US-only traffic under current federal law. Two factors drive implementation regardless: Google’s product requirements that mandate specific parameters for Enhanced Conversions and remarketing regardless of geography, and the expansion of state-level privacy legislation that is converging toward a de facto national consent framework.
Google’s Product Requirements
Even without a legal mandate, two Google product features require v2 parameters:
Enhanced Conversions sends hashed personal data (email, phone number, physical address) to Google for identity matching against Google’s user base. Because personal data is being processed for advertising purposes, Google requires the ad_user_data parameter to be implemented and set to granted before it will use this data. This requirement applies regardless of the user’s geography.
Without ad_user_data, Enhanced Conversions data gets silently dropped server-side. Your implementation appears to work in preview mode, but the identity matching pipeline is disabled. Enhanced Conversions typically provides 5-15% more attributed conversions, so this isn’t a minor feature — it directly affects your Google Ads optimization performance.
Remarketing requires the ad_personalization parameter. When this parameter isn’t set to granted, remarketing audiences stop building. No new users enter audience lists, and existing audience membership isn’t refreshed. If you run any retargeting campaigns through Google Ads, this parameter must be present and granted for the users you want to include in audiences.
These aren’t compliance requirements in the GDPR sense. They’re product requirements that Google has tied to the Consent Mode API. If you use Enhanced Conversions or remarketing, you need Consent Mode v2 regardless of whether your users are in the EU.
The Expanding State Privacy Landscape
The US doesn’t have a comprehensive federal privacy law, but individual states are filling the gap rapidly. As of early 2026:
- 20 states now have comprehensive privacy laws, with more taking effect through 2026
- 8 states mandate recognition of the Global Privacy Control (GPC) browser signal
- California, Colorado, and Connecticut have conducted a joint investigative sweep that produced seven-figure settlements for non-compliance
California’s 2026 regulations add two provisions that directly affect analytics and advertising implementations:
- Mandatory risk assessments for data processing activities involving personal information for advertising purposes
- Expanded dark pattern prohibitions — asymmetric consent buttons (large “Accept” button, small “Reject” link) are explicitly called out as non-compliant
The practical impact: even if your site only targets US users, a significant and growing portion of your audience lives in states with privacy laws that require some form of consent or opt-out mechanism for advertising data usage.
Google’s US-Specific Mechanisms
Google provides two mechanisms for US privacy compliance that integrate with Consent Mode:
Restricted Data Processing (RDP) is Google’s CCPA compliance mechanism. When activated, Google limits how it uses personal data for users in scope. RDP can be triggered through the Consent Mode API or through separate configuration in Google Ads and GA4.
IAB Privacy Multi-State Privacy Agreement via GPP strings provides a standardized way to communicate US privacy signals. The Global Privacy Platform (GPP) string is the successor to the IAB’s US Privacy String (CCPA-specific) and covers multiple state frameworks in a single signal.
CMPs that support both TCF v2.2 (for EEA/UK) and GPP (for US) can handle both regulatory frameworks through the same consent banner.
Recommended Configuration
The recommended setup uses region-specific defaults that respect each jurisdiction’s consent model:
// EEA and UK: opt-in required (deny by default)gtag('consent', 'default', { 'ad_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'analytics_storage': 'denied', 'region': ['EEA', 'GB'], 'wait_for_update': 500});
// California: opt-out model (grant by default, provide opt-out)gtag('consent', 'default', { 'ad_storage': 'granted', 'ad_user_data': 'granted', 'ad_personalization': 'granted', 'analytics_storage': 'granted', 'region': ['US-CA']});
// Rest of US: grant by defaultgtag('consent', 'default', { 'ad_storage': 'granted', 'ad_user_data': 'granted', 'ad_personalization': 'granted', 'analytics_storage': 'granted', 'region': ['US']});The region parameter follows a most-specific-wins rule: US-CA overrides the general US setting for California users. As more states enact privacy laws, you can add region-specific entries (e.g., US-CO for Colorado, US-CT for Connecticut) without changing the broader default.
For California users, the opt-out mechanism is critical. Consent defaults to granted, but users must have a visible way to deny consent. When they exercise this right (typically through a “Do Not Sell My Personal Information” link or by sending the GPC signal), the CMP should fire:
gtag('consent', 'update', { 'ad_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'analytics_storage': 'granted' // Analytics typically permitted});Note that analytics storage often remains granted under CCPA opt-out since the user is opting out of the sale of personal data, not of analytics measurement. This distinction varies by state law and should be reviewed with legal counsel.
Implementation Scope
US privacy law is expanding: more states, stricter requirements, more enforcement. The implementation work is the same whether done proactively or reactively:
- Configure region-specific consent defaults
- Ensure the CMP supports both TCF v2.2 and GPP
- Wire the CMP to send all four v2 parameters
- Add opt-out mechanisms for states that require them