What G100, G111 and Google Consent Mode's GCS codes mean
You open your browser's developer tools, switch to the Network tab and, among
the requests heading to Google, you spot an odd parameter: gcs=G100. It's not a
bug — it's the user's consent fingerprint traveling along with every measurement.
Learning to read it is the fastest way to know whether your Consent Mode setup is
correct.
The gcs parameter: consent state in 4 characters
Google adds the gcs parameter to every measurement request. Its format is
G1xy, where each position is a binary decision:
x→ad_storage:1granted,0denied.y→analytics_storage:1granted,0denied.
That gives you the four values you'll see in production:
| Code | ad_storage | analytics_storage | What it means |
|---|---|---|---|
G100 | Denied | Denied | The user rejected everything. Google measures without cookies. |
G101 | Denied | Granted | Analytics only: GA4 with cookies, Ads without them. |
G110 | Granted | Denied | Ads only: Ads with cookies, GA4 without them. |
G111 | Granted | Granted | Full consent. Everything works with cookies. |
The fixed
1after theGmeans Consent Mode is active and sent a signal. If you don't seegcs, or it arrives empty, that's a sign the implementation isn't firing before Google's tags — the most common mistake.
Beyond gcs: the gcd parameter and the 4 permissions
The gcs only covers two permissions. Since the March 2024 update, Consent
Mode v2 works with four signals, and they all travel in a more detailed
parameter: the gcd.
| Signal | What it controls |
|---|---|
ad_storage | Advertising cookies (conversions, remarketing). |
analytics_storage | Analytics cookies (Google Analytics 4). |
ad_user_data | Permission to send user data to Google. |
ad_personalization | Permission for personalization and remarketing. |
Unlike the gcs, the gcd doesn't just say "granted" or "denied": it also
encodes how that state was reached (denied by default, denied and then
confirmed by the user, denied by default but granted after the choice, and so on).
It's the granular version of the same story.
Important for the EEA: to comply with the March 2024 update, ad_storage and
analytics_storage aren't enough. You must also send ad_user_data and
ad_personalization; without them, Google Ads turns off ad personalization
features even if the user accepted.
What happens when consent is denied (G100 state)
Here's the nuance that confuses almost everyone: G100 does not mean total
silence. It means cookieless measurement. Let's look at what travels and what
doesn't.
Cookieless pings
When the user declines, Google still receives anonymized signals called cookieless pings. These pings:
- Don't read or write cookies, and are sent over a cookieless domain.
- Include passive, functional information: timestamp, browser (user agent) and referrer URL.
- Include aggregated, non-identifying signals: the boolean consent state, whether the page carries ad-click parameters (GCLID/DCLID) and a random page-load number.
- Contain no user identifiers and cannot be used for remarketing.
With that aggregated data, Google Ads and GA4 model the conversions and key events lost to the missing consent, without tracking anyone individually.
How the IP address is handled
The IP is technically necessary to establish the connection, but it gets special treatment when consent is denied:
- Google Ads truncates the IP address at the moment of collection.
- Google Analytics does not store or log IP addresses.
In neither case is the IP kept in the clear to profile the user.
Basic vs. advanced: a decision that changes the data
How you implement Consent Mode determines how many of those pings Google receives:
| Aspect | Basic mode | Advanced mode |
|---|---|---|
| Tag loading | Blocked until the user interacts | Load with a default state (denied) |
| Before consent | Nothing is sent | Cookieless pings are sent |
| Modeling | General model | Advertiser-specific model (more accurate) |
Advanced mode recovers more conversions thanks to modeling, in exchange for sending cookieless pings from the very first moment. It's the recommended option for most sites that rely on Google Ads.
How Conma solves it
Reading gcs=G111 in the Network tab is proof that everything fits. Conma makes
sure it always arrives in the right order:
- It declares all 4 permissions as
deniedby default, synchronously, before any Google tag runs. - It updates the state to
grantedin under 500 ms once the user decides. - It guarantees
ad_user_dataandad_personalizationalways travel, so you don't lose personalization in the EEA. - It stores a signed certificate of every choice, with legal validity.
If you want the full context on why this is mandatory from June 2026, read our guide to comply with Google Consent Mode v2.