Google Ads Consent Mode v2: What Healthcare Advertisers Need to Know
In March 2024, Google began requiring Consent Mode v2 for all advertisers using Google tags in the European Economic Area. The requirement was driven by the EU's Digital Markets Act and GDPR enforcement, not by HIPAA. But healthcare marketing teams in the United States immediately started asking a question Google never intended to answer: does Consent Mode v2 make our Google Ads tracking HIPAA compliant?
The short answer is no. Consent Mode v2 adjusts how Google's tags behave based on a user's consent status. It is a significant improvement over the previous version. It introduces new consent signals, provides more granular control over data collection, and enables Google to model conversions when consent is denied. But it was designed for European privacy law compliance, not for HIPAA. The gap between what Consent Mode v2 does and what HIPAA requires is the subject of this entire article.
How Consent Mode v2 Actually Works
Consent Mode v2 operates by communicating a user's consent status to Google's tags (gtag.js, Google Tag Manager) so that the tags adjust their behavior accordingly. Understanding the mechanics is essential before evaluating its adequacy for healthcare.
The consent signals. Consent Mode v2 introduces two new consent parameters alongside the original two:
ad_storage: Controls whether advertising cookies can be set (original)
analytics_storage: Controls whether analytics cookies can be set (original)
ad_user_data: Controls whether user data can be sent to Google for advertising purposes (new in v2)
ad_personalization: Controls whether Google can use the data for personalized advertising (new in v2)
Basic mode vs. Advanced mode. In Basic mode, Google tags do not fire at all until consent is granted. No data is sent to Google, no cookies are set, and no measurement occurs for users who do not consent. In Advanced mode, Google tags fire with reduced functionality when consent is denied: cookieless pings are sent to Google with limited data, and Google uses statistical modeling to estimate the conversions it cannot measure directly.
What happens when consent is denied (Advanced mode). Google's tags send cookieless pings that include the page URL and referrer, a timestamp, the user agent, and a consent state indicator. These pings do not include cookies, user identifiers, or the data that would normally flow through full tracking. Google combines these pings with data from consenting users to statistically model the behavior of non-consenting users.
What happens when consent is granted. Google's tags function normally: full cookie setting, complete data transmission, conversion tracking, remarketing list population, and audience building. The data flow is identical to a site without Consent Mode.
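The mechanics above are easier to reason about in code. The following is an added example, not code from the original article or from Google. The gtag()/dataLayer bootstrap and the shape of the 'consent' 'default' and 'update' commands are Google's documented API; effectiveConsent() and tagBehaviour() are this example's own model of how a tag interprets that state under Basic and Advanced mode, and the page lifecycle at the bottom is a constructed sequence.

```javascript
'use strict';

// Added example, not code from the original page or from Google. The
// gtag()/dataLayer bootstrap and the 'consent' command shape are Google's
// documented API; effectiveConsent() and tagBehaviour() are this example's
// own model of how a tag interprets that state under Basic and Advanced mode.

const CONSENT_TYPES = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Standard bootstrap: commands queue on dataLayer until the Google tag loads.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Fold the queued consent commands into one state. 'default' sets the
// baseline (a region-scoped default only applies to matching regions) and
// 'update' overrides it once the CMP has the user's choice.
function effectiveConsent(layer, region = 'US') {
  const state = {};
  for (const cmd of layer) {
    if (cmd[0] !== 'consent') continue;
    const action = cmd[1];
    const params = cmd[2] || {};
    if (action === 'default' && Array.isArray(params.region) && !params.region.includes(region)) continue;
    for (const type of CONSENT_TYPES) {
      if (type in params) state[type] = params[type];
    }
  }
  // Google's tags treat a consent type that was never declared as granted.
  // That is why the 'default' command must run before the tag loads.
  for (const type of CONSENT_TYPES) {
    if (!(type in state)) state[type] = 'granted';
  }
  return state;
}

// What a Google Ads tag does with that state in each mode.
function tagBehaviour(consent, mode) {
  const adsAllowed = consent.ad_storage === 'granted' && consent.ad_user_data === 'granted';
  if (adsAllowed) return 'full';                      // cookies, identifiers, full URL, remarketing
  if (mode === 'advanced') return 'cookieless_ping';  // no cookies, but page URL and consent state still go to Google
  return 'blocked';                                   // basic mode: the tag never runs
}

// Constructed page lifecycle, not captured from a real site.
gtag('consent', 'default', {
  ad_storage: 'denied',
  analytics_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  wait_for_update: 500, // ms the tag waits for the CMP before acting on the default
});
const beforeChoice = effectiveConsent(dataLayer);

// CMP callback after the user accepts advertising:
gtag('consent', 'update', {
  ad_storage: 'granted',
  ad_user_data: 'granted',
  ad_personalization: 'granted',
  analytics_storage: 'granted',
});
const afterChoice = effectiveConsent(dataLayer);

console.log('before choice:', beforeChoice, tagBehaviour(beforeChoice, 'advanced'));
console.log('after choice:', afterChoice, tagBehaviour(afterChoice, 'advanced'));
```

The detail worth checking on any healthcare site is the fallback in effectiveConsent(): a signal that was never declared is treated as granted, so a page where the default command runs late, or not at all, behaves like a page with no Consent Mode.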
Where Consent Mode v2 Falls Short for HIPAA
Consent Mode v2 was built for a different regulatory framework. Several fundamental gaps exist between what it provides and what HIPAA requires.
Gap 1: Client-Side Consent Checks Are Not Server-Side Consent Verification
Consent Mode v2 relies on a client-side consent management platform (CMP) to communicate consent status to Google's JavaScript tags in the browser. When the CMP determines that a user has consented, it sets the consent parameters, and Google's tags fire accordingly.
This is a client-side mechanism. The consent check happens in the browser. The data transmission happens from the browser. For HIPAA compliance, consent needs to be verified at the server level before any data leaves your infrastructure for a third-party platform. Client-side consent checks can be delayed by page load timing, bypassed by browser extensions, or broken by JavaScript errors. Server-side consent gating ensures that your server confirms consent before sending any data to Google, regardless of what happens in the browser.
Gap 2: Consent Mode Does Not Prevent PHI Transmission When Consent Is Granted
When a user grants consent under Consent Mode v2, Google's tags collect and transmit data exactly as they would without Consent Mode. The full page URL (including health-contextual paths like /cardiology/heart-failure-treatment), the user's IP address, device identifiers, and interaction data all flow to Google's servers.
For a healthcare website, granting consent to Google's tracking does not change the nature of the data. The data is still PHI: individually identifiable information combined with health context. Consent Mode v2 gives users a choice about whether Google collects their data. It does not change the classification of that data under HIPAA or ensure that Google treats it as PHI.
Gap 3: Google Does Not Sign BAAs for Google Ads
Regardless of Consent Mode configuration, Google does not enter into Business Associate Agreements for Google Ads customers. Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity must sign a BAA. Without a BAA, Google has no HIPAA obligation to protect the health data it receives through its advertising tags.
Consent Mode v2 does not change Google's BAA status. A healthcare organization using Consent Mode v2 with Google Ads still faces the fundamental gap: Google is receiving data that may constitute PHI under HIPAA without the contractual framework that HIPAA requires.
Gap 4: Advanced Mode Still Sends Data to Google Without Consent
In Advanced mode, when a user denies consent, Google's tags still send cookieless pings to Google's servers. These pings contain limited data, but they include the page URL and timestamp. On a healthcare website, a cookieless ping from /depression-treatment-options still communicates that someone visited a mental health treatment page to Google's servers. The ping is less identifiable without cookies, but the health context is still transmitted.
For HIPAA compliance, the expectation is that no health data flows to a platform without BAA coverage when consent is denied. Advanced mode's cookieless pings violate this expectation for healthcare websites.
Kaiser Permanente ($47.5M class action, 2025). Kaiser's websites, patient portals, and mobile apps used third-party tracking code that transmitted health information to Google, Microsoft, Meta, and X without member consent from 2017 to 2024. The breach affected 13.4 million members across 9 states.
Kaiser's case demonstrates the scale of liability when Google tracking runs on healthcare properties. Consent Mode v2 would have reduced the data flowing to Google for users who denied consent, but it would not have prevented the underlying issue: Google receiving health-contextual data from Kaiser's websites for users who did consent, without BAA coverage.
What Consent Mode v2 Does Well (and Where Healthcare Can Use It)
Consent Mode v2 is not useless for healthcare advertisers. It solves a real problem, just not the HIPAA problem.
GDPR and state privacy law compliance. For healthcare organizations that serve patients in EU member states or in US states with comprehensive privacy laws (California, Colorado, Connecticut, and others), Consent Mode v2 provides a framework for adjusting Google's data collection based on consent status. This addresses the privacy law requirement, even if it does not address HIPAA.
Conversion modeling preserves campaign insights. When users deny consent, Google's conversion modeling estimates the conversions that were not directly measured. For healthcare advertisers, this means you do not lose all visibility into campaign performance when consent rates are low. The modeled data is directionally useful for budget allocation and campaign optimization.
A signal to patients about privacy respect. Implementing consent management (even if Consent Mode alone is not sufficient for HIPAA) demonstrates to patients that your organization takes data privacy seriously. This matters for trust, and it matters for the broader trajectory of healthcare compliance, which is moving firmly toward consent-first data practices.
The Architecture That Actually Works: Server-Side Tracking with Consent Mode
The compliant approach for healthcare advertisers is not to choose between Consent Mode v2 and server-side tracking. It is to layer them.
Server-side tracking as the foundation. All data collection and transmission to Google should route through your server, not through the browser. Your server receives the page interaction data, verifies consent, and sends conversion events to Google's API (Measurement Protocol or Google Ads API) with the health context stripped. Google receives: "a conversion happened in campaign X." Google does not receive: the URL path, the patient's health interest, or uncontrolled tracking data.
Consent Mode v2 as the browser-level layer. Deploy Consent Mode v2 in Basic mode on your healthcare website. When consent is denied, no Google tags fire. Period. No cookieless pings. No data transmission. This is the conservative configuration for healthcare because even limited data transmission to Google from health-specific pages creates potential PHI exposure.
Server-side consent gating as the authoritative control. Your server checks consent status before sending any data to Google, regardless of what the browser-level consent configuration says. Even if a consent management platform misconfigures on the client side, your server acts as the final gate. This dual-layer approach (client-side Consent Mode in Basic mode plus server-side consent verification) ensures that no data reaches Google without verified consent.
Sutter Health ($21.5M class action, 2025). Sutter Health implemented Google Analytics, the Meta Pixel, and other advertising tracking tools on its MyHealthOnline patient portal and disclosed private patient data to Google and Facebook without authorization from June 2015 through March 2020.
Sutter Health's case involved Google Analytics running on a patient portal for five years before detection. Consent Mode v2 did not exist during Sutter's exposure period, but even if it had, it would not have addressed the core issue: Google Analytics on a patient portal sends PHI to Google regardless of the consent framework because Google does not hold a BAA.
Implementing the Compliant Stack
Step 1: Deploy Consent Mode v2 in Basic mode. Configure your consent management platform to implement Consent Mode v2 in Basic mode. When consent is denied, ensure that all Google tags are completely suppressed. No cookieless pings. No reduced-functionality data collection.
Step 2: Remove client-side Google tags from health-specific pages. For pages that contain health-contextual content (service lines, condition pages, provider pages, patient portals), remove client-side Google tracking entirely. These pages should be tracked exclusively through server-side infrastructure.
Step 3: Implement server-side conversion tracking. Use a HIPAA-compliant CDP to send conversion events to Google's API. The CDP collects data from your server, verifies consent, strips health context, and sends hashed conversion signals to Google. Google receives attribution data for campaign optimization without receiving PHI.
Step 4: Monitor continuously. A web scanner should verify that no client-side Google tags appear on health-specific pages, that Consent Mode is correctly configured in Basic mode, and that no marketing team member or agency has reintroduced direct Google tracking. Both enforcement cases cited above involved tracking that ran for years before detection.
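A static check for the Step 4 conditions, as an added example that is not code from the page or from any product: over the rendered HTML of a page, flag any client-side Google tag loader on a health-specific path, and flag any page where a Google tag loads without a Consent Mode default that denies all four v2 signals. The host list, the health-path prefixes and the two sample pages are this example's own assumptions.

```javascript
'use strict';

// Added example, not code from the page or any product. A static check for
// the Step 4 conditions over rendered HTML: no client-side Google tag on a
// health-specific page, and a Consent Mode default that denies all four
// signals wherever a Google tag does load. The host list, the health-path
// prefixes and the sample pages are this example's own assumptions.

const GOOGLE_TAG_HOSTS = [
  'googletagmanager.com', 'google-analytics.com', 'googleadservices.com',
  'googlesyndication.com', 'doubleclick.net',
];
const CONSENT_TYPES = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];
// Assumed site convention for paths that carry health context.
const HEALTH_PATH_PREFIXES = ['/cardiology/', '/oncology/', '/depression-', '/portal/'];

function isHealthPath(pathname) {
  return HEALTH_PATH_PREFIXES.some((p) => pathname.startsWith(p));
}

// Exact host or subdomain only, so "notgoogletagmanager.com" does not match.
function isGoogleTagHost(hostname) {
  return GOOGLE_TAG_HOSTS.some((h) => hostname === h || hostname.endsWith('.' + h));
}

// Pull external script URLs and inline script bodies with regexes. A real
// scanner should run against the DOM of the rendered page so that tags
// injected by other tags (a GTM container, for example) are also seen.
function extractScripts(html) {
  const srcs = [...html.matchAll(/<script\b[^>]*\ssrc=["']([^"']+)["']/gi)].map((m) => m[1]);
  const inline = [...html.matchAll(/<script\b(?![^>]*\ssrc=)[^>]*>([\s\S]*?)<\/script>/gi)].map((m) => m[1]);
  return { srcs, inline };
}

// Google tag loaders: either a <script src> on a Google host, or the inline
// GTM/gtag bootstrap that injects such a script at runtime.
function findGoogleTags(pageUrl, { srcs, inline }) {
  const hits = [];
  for (const src of srcs) {
    try {
      if (isGoogleTagHost(new URL(src, pageUrl).hostname)) hits.push(src);
    } catch { /* unparsable src attribute, ignore */ }
  }
  for (const body of inline) {
    const host = GOOGLE_TAG_HOSTS.find((h) => body.includes(h));
    if (host) hits.push('inline loader for ' + host);
  }
  return hits;
}

// True only if a gtag('consent','default',{...}) call is present and every
// one of the four v2 signals is set to 'denied' in it.
function consentDefaultDeniesAll(inline) {
  for (const body of inline) {
    const m = body.match(/gtag\(\s*['"]consent['"]\s*,\s*['"]default['"]\s*,\s*(\{[\s\S]*?\})\s*\)/);
    if (!m) continue;
    return CONSENT_TYPES.every((t) =>
      new RegExp(`['"]?${t}['"]?\\s*:\\s*['"]denied['"]`).test(m[1]));
  }
  return false;
}

function scanPage(pageUrl, html) {
  const findings = [];
  const scripts = extractScripts(html);
  const tags = findGoogleTags(pageUrl, scripts);
  if (tags.length && isHealthPath(new URL(pageUrl).pathname)) {
    findings.push({ rule: 'google-tag-on-health-page', detail: tags });
  }
  if (tags.length && !consentDefaultDeniesAll(scripts.inline)) {
    findings.push({ rule: 'consent-default-not-denied', detail: 'tag loads without an all-denied consent default' });
  }
  return findings;
}

// Constructed pages. Page A: a condition page where an agency re-added GTM
// with no consent default. Page B: a non-health page with Basic-mode
// defaults declared before the Ads tag loads.
const PAGE_A_URL = 'https://clinic.example/depression-treatment-options';
const PAGE_A_HTML = `<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);
})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>
</head><body>Depression treatment options</body></html>`;

const PAGE_B_URL = 'https://clinic.example/about-us';
const PAGE_B_HTML = `<html><head>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
  ad_storage: 'denied', analytics_storage: 'denied',
  ad_user_data: 'denied', ad_personalization: 'denied',
  wait_for_update: 500
});
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-EXAMPLE"></script>
</head><body>About us</body></html>`;

console.log('page A:', scanPage(PAGE_A_URL, PAGE_A_HTML));
console.log('page B:', scanPage(PAGE_B_URL, PAGE_B_HTML));
```

Run it from the crawler or CI job that fetches each published page, and treat any finding as a build or deployment failure rather than a report item; the cases cited on this page show what years of unnoticed tags cost.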
FAQ
Does Google Consent Mode v2 make my healthcare website HIPAA compliant?
No. Consent Mode v2 adjusts how Google's tags behave based on consent but does not address the HIPAA requirements of BAA coverage, PHI classification, or server-side data control. It is a privacy law compliance tool designed for GDPR and state privacy laws, not a HIPAA compliance tool. Healthcare organizations need server-side tracking architecture with consent verification in addition to Consent Mode.
Should I use Basic mode or Advanced mode for a healthcare website?
Basic mode. In Basic mode, Google tags do not fire at all when consent is denied. In Advanced mode, cookieless pings still send limited data (including page URLs with potential health context) to Google. For healthcare websites where page URLs reveal health information, even limited data transmission to Google creates PHI exposure. Basic mode is the conservative and compliant choice.
Does Consent Mode v2 work with the Google Ads conversion tracking tag?
Yes. Consent Mode v2 controls the behavior of all Google tags, including the Google Ads conversion tag, Google Analytics tag, and Google Tag Manager. When consent is denied in Basic mode, the conversion tag does not fire, which means those conversions are not tracked. Server-side conversion tracking through Google's API compensates for this gap by sending conversion events from your server after consent verification.
How does conversion modeling work, and can I rely on it for campaign optimization?
When consent is denied, Google uses data from consenting users to statistically model the behavior of non-consenting users. The accuracy depends on your consent rate and traffic volume. For healthcare sites with lower consent rates (which are common given the sensitivity of health data), the modeled data may be less reliable. Server-side conversion tracking provides a more accurate signal because it captures consented conversions directly and sends them to Google without relying on statistical modeling.
Do I still need a consent management platform if I use server-side tracking?
Yes. A consent management platform serves two purposes. First, it provides the consent signal to Consent Mode v2 so that Google's tags behave correctly in the browser. Second, it captures and records consent status so that your server-side infrastructure can verify consent before sending any data to Google or other platforms. The consent management platform and server-side tracking work together. Neither alone is sufficient for healthcare compliance.
Google Consent Mode v2 is a step forward for privacy-conscious advertising. But for healthcare organizations, it is one layer in a multi-layer compliance architecture, not a standalone solution. The HIPAA requirements of BAA coverage, PHI protection, and server-side data control go beyond what any browser-based consent mechanism can provide. If your healthcare organization is evaluating Consent Mode v2, Ours Privacy provides the server-side infrastructure, consent management, and continuous monitoring that turns consent from a checkbox into a genuine compliance control.
Related reading:
Google Ads for Healthcare: The Complete HIPAA Compliance Setup Guide
Google Ads Enhanced Conversions for Healthcare: Server-Side Setup Without PHI Leakage
Google Ads Audience Targeting for Healthcare: What's Safe and What's Not