AdSense Cookie Consent: The Minimum That Keeps Ads Serving

EEA/UK/Switzerland need a Google-certified TCF v2.3 CMP; US states need a Do-Not-Sell link. The fastest compliant setup, plus how to verify it.

You run a content site with AdSense. A visitor from Germany loads a page, no ads appear, and the dashboard later flags “consent management.” Or you’re US-only, never thought about cookies, and AdSense quietly serves non-personalized or limited ads to a chunk of your traffic, which earns less. The fastest fix for almost every indie publisher: turn on Google’s own certified CMP under AdSense → Privacy & messaging, publish a GDPR message for the EEA/UK/Switzerland and a US state regulations message, and verify the consent string actually reaches Google. That’s the whole job for most sites, and it’s free.

Two things changed recently that this article reflects (as of June 2026): the IAB consent standard moved to TCF v2.3 (validation went live on 2 March 2026), and Google’s US state messaging now covers more states than just California.

TL;DR — the 60-second version

  1. AdSense → Privacy & messaging → create a GDPR message targeting “European Economic Area, the UK, and Switzerland.”
  2. Create a US state regulations message and set targeting to “All current and future supported US States.”
  3. Publish both. You usually don’t need to re-tag — your existing AdSense tag deploys the messages.
  4. Verify: load the site behind an EEA VPN, accept the banner, then decode the consent string (see “How to confirm it’s fixed”).

If you only do one thing, do step 1: without a Google-certified CMP, EEA/UK/Switzerland traffic cannot get personalized ads at all.

What “compliant” actually requires

RegionLegal triggerWhat AdSense needsUI label
EEA, UK, SwitzerlandGDPR + ePrivacy: consent before ad cookiesA Google-certified CMP passing a valid TCF v2.3 string”European regulations message” / GDPR message
~20 US states with comprehensive privacy laws (California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia — Indiana/Kentucky/Rhode Island took effect 1 Jan 2026)State privacy laws: opt out of “sale/share”A “Do Not Sell or Share My Personal Information” choice”US state regulations message”
Rest of USNone federalNothing required; ads serve normallyn/a

Two key dates to remember. The certified-CMP requirement has been enforced since 16 January 2024 for the EEA/UK and 31 July 2024 for Switzerland (see Google’s publisher consent requirements). And TCF v2.3 strings became mandatory on 28 February 2026; Google turned on validation on 2 March 2026.

Common causes

You’re reading this for one of these reasons. Find your bucket, then jump to the matching fix.

1. No certified CMP at all (EEA/UK/Switzerland)

In the EEA/UK/Switzerland you legally cannot set advertising cookies until the user actively consents — not pre-checked boxes, not “implied by scrolling.” Personalized AdSense ads use cookies, so they require prior consent. Without a Google-certified CMP, that traffic is only eligible for non-personalized or limited ads, never personalized.

How to spot it: VPN to Germany, open your site. If no consent UI appears, you’re non-compliant.

2. Missing US “Do Not Sell or Share” choice

As of June 2026, roughly twenty US states have comprehensive privacy laws in effect (CCPA/CPRA in California, plus Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia — with Indiana, Kentucky, and Rhode Island the most recent, effective 1 Jan 2026). Most require an opt-out of “sale/share.” AdSense personalized advertising counts as a “share,” so a “Do Not Sell or Share My Personal Information” choice must exist for those visitors.

How to spot it: VPN to California, check the footer/privacy controls. No DNSMPI option = non-compliant.

A banner alone is not enough. AdSense reads consent via the IAB TCF v2.3 string. If the banner doesn’t pass a valid TC string through, AdSense treats every visit as “no consent” and stops personalizing.

How to spot it: AdSense → Reports → break down by Personalization. If “Non-personalized” is a large share of impressions despite real EU traffic, your CMP isn’t signaling correctly.

4. Your “CMP” is free but not Google-certified

Some popular cookie-banner plugins look like CMPs but don’t implement Google-certified TCF. The user clicks “Accept,” and nothing reaches AdSense.

How to spot it: open the page, accept consent, then in the DevTools console run __tcfapi('getTCData', 2, console.log). If it returns undefined, no TCF API is present and your “CMP” isn’t certified.

5. CMP loads after AdSense (race condition)

If the CMP script fires after adsbygoogle.js, AdSense sees a default “no consent” state and personalization fails even when the user later accepts.

How to spot it: DevTools → Network (or Performance) → check load order. The CMP script should fire before adsbygoogle.js.

6. Old TCF v2.2 strings now rejected (new in 2026)

As of the 28 February 2026 cutover, TC strings must use v2.3, which adds a mandatory disclosedVendors segment. Strings lacking it are now invalid. Google began validating on 2 March 2026 and returns TCF error 1.4 when the disclosed-vendors segment is missing, malformed, or doesn’t include Google (IAB vendor ID 755). The result is a fallback to Limited Ads, which can cut programmatic revenue substantially.

How to spot it: AdSense → Reports → TCF error report; look for error code 1.4. Or decode your live TC string (below) and confirm it has a “Vendors Disclosed” section that includes vendor 755.

Shortest path to fix

Step 1: Pick a certified CMP

Easiest by far: enable Google’s own CMP via AdSense → Privacy & messaging (about Privacy & messaging). It’s free, Google-certified, TCF v2.3-compliant, and deploys through your existing tag.

Alternatives if you need heavy customization (all are certified — confirm v2.3 support):

  • Cookiebot — paid, full-featured
  • OneTrust — enterprise
  • iubenda — paid, simple
  • Klaro! — open source, self-hosted (verify it is on Google’s certified list before relying on it for EEA traffic)

For most indie sites, Google’s Privacy & messaging is the right answer.

Step 2: Create the GDPR message

In AdSense → Privacy & messagingEuropean regulations:

  1. Click Create message.
  2. Set targeting to “European Economic Area, the UK, and Switzerland.”
  3. Choose consent options. To still earn from people who decline, allow “Consent or do not consent” (declining serves non-personalized ads) rather than forcing consent.
  4. Style it, then Publish.

Step 3: Create the US state regulations message

In AdSense → Privacy & messagingUS states:

  1. Click Create message.
  2. Under Targeting, choose “All current and future supported US States” so newly regulated states (Indiana, Kentucky, Rhode Island, and any future additions) are covered automatically.
  3. If you previously used default text, Google has already updated it to read “Do Not Sell or Share My Personal Information.” If you customized the text, revise it to match CPRA wording.
  4. Publish.

Step 4: Confirm tag/load order

You usually do not need to re-tag — publishing a message deploys it through your existing AdSense tag. If you load the AdSense script manually, make sure nothing requests ads before the CMP initializes. A minimal manual head looks like this, CMP first:

<head>
  <script async src="https://fundingchoicesmessages.google.com/i/pub-XXXXXXXXX?ers=1"></script>
  <script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-XXXXXXXX"></script>
</head>

If you push ad slots in your own code, gate the first request until consent is known so AdSense never sees a premature “no consent”:

<script>
  (window.adsbygoogle = window.adsbygoogle || []).pauseAdRequests = 1;
</script>

With Google’s CMP this is rarely necessary — it signals consent state to AdSense for you.

Step 5: Add a persistent DNSMPI control

Make the opt-out reachable from the footer on every page. Google’s US state message includes its own privacy link; if you also want a static one, link to your control:

<a href="/do-not-sell">Do Not Sell or Share My Personal Information</a>

Step 6: Update /privacy to reference your CMP

Add a line such as: “We use Google’s consent management platform to gather consent for advertising cookies and to honor US opt-out requests. You can change your choices at any time using the privacy controls in the page footer.” Then make sure that footer link actually re-opens the consent UI.

How to confirm it’s fixed

Don’t trust “the banner shows up.” Confirm the consent signal reaches Google:

  1. Open the site in an incognito window behind an EEA VPN (e.g. Germany).

  2. The GDPR message appears; click Consent.

  3. In the DevTools console, run:

    __tcfapi('getTCData', 2, (d, ok) => console.log(ok, d.tcString));
  4. Copy the tcString and paste it into the IAB TCF decoder at iabtcf.com. Confirm it decodes as v2.3, shows a “Vendors Disclosed” section, and that Google (vendor ID 755) appears as disclosed with consent.

  5. VPN to California: the footer/privacy control shows a “Do Not Sell or Share My Personal Information” option.

  6. VPN to the US outside the covered states: no banner is required and ads serve normally.

  7. After a day or two, check AdSense → Reports → Personalization. Personalized share for EU traffic should rise, and the TCF error report should show no 1.4 errors.

Prevention

  • Default to Google’s Privacy & messaging for new sites — free, certified, and tag-deployed.
  • Use the “All current and future supported US States” targeting so you don’t have to chase each new state law.
  • Always let decliners see non-personalized ads; never fully block ads on decline — you only lose revenue.
  • Test from at least three regions (EEA, a covered US state, rest of US) after any consent change.
  • Re-check the TCF error report after IAB framework updates; commercial CMPs must recertify with Google at least every 12 months, and version bumps (like v2.2 to v2.3) can silently invalidate strings.
  • Keep a footer link that re-opens the consent UI so users can change their minds.

FAQ

Will I lose all ad revenue without a CMP? No, but you lose the most valuable part. EEA/UK/Switzerland traffic without a certified CMP is only eligible for non-personalized or limited ads, which typically pay much less than personalized ads.

I’m US-only. Do I need any of this? You don’t need the GDPR message, but as of June 2026 around twenty states have comprehensive privacy laws in effect (California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia). If you get US traffic at all, publish the US state regulations message with the “All current and future supported US States” targeting. It’s a few clicks and keeps you compliant as more states add laws.

My ads dropped to “Limited Ads” in early March 2026 — why? Almost certainly the TCF v2.3 cutover. Google began validating on 2 March 2026 and rejects strings without a valid disclosedVendors segment that includes Google (vendor 755), returning error 1.4. Update your CMP to emit v2.3 strings; Google’s own CMP already does.

How do I know my CMP is actually Google-certified? Decode a live TC string at iabtcf.com and confirm it’s v2.3 with Google disclosed, and watch the AdSense TCF error report for code 1.4. If __tcfapi returns undefined in the console, there’s no TCF API at all.

Do I have to re-tag my site after publishing messages? Usually no. Publishing a message in Privacy & messaging deploys it through your existing AdSense tag. Manual re-tagging is only needed for custom or non-standard setups.

Tags: #AdSense #Monetization #Debug #Troubleshooting