🚨 TL;DR — What You Need to Know
- 1. Google silently disabled conversion tracking for non-compliant mobile apps on July 21, 2025. No warning email. No grace period. One developer documented a 90% overnight data drop.
-
2.
Your app must pass four consent parameters to Firebase/Google Ads for EEA/UK users:
ad_storage,analytics_storage,ad_user_data,ad_personalization. - 3. Data lost during non-compliance is permanently gone. No backfill. Google's behavioral modeling only recovers ~40% and requires 1,000+ daily events to activate.
- 4. Privacy-focused analytics that collect no personal data simplify your compliance posture — providing full session coverage across all users. Consult your legal team for your specific requirements.
📉 The 90% Data Loss: What Actually Happened
On July 21, 2025, Google began silently disabling personalization, remarketing, and conversion tracking for mobile apps that hadn't implemented Consent Mode v2. No advance warning email. No grace period. The enforcement was absolute.
One mobile developer documented the aftermath: their Google Ads conversion data dropped 90% overnight. Smart Bidding algorithms, trained on years of conversion data, suddenly had nothing to optimize against. CPI (cost per install) spiked. ROAS collapsed. And the worst part — the data lost during the non-compliant period was permanently unrecoverable. There is no backfill mechanism.
This wasn't a bug. Google had announced Consent Mode v2 in November 2023 and set an initial March 2024 deadline. But mobile app developers — accustomed to Google's web-focused enforcement — assumed it wouldn't affect them. It did. As of April 2026, enforcement is described as "tighter than ever," and the consequences are permanent.
🔍 What Consent Mode v2 Is and Why Google Enforces It
Consent Mode v2 is Google's mechanism for receiving consent signals from your app. It requires four parameters to be communicated to Google's SDKs based on each user's actual consent choice:
| Parameter | Controls | Added In |
|---|---|---|
| ad_storage | Advertising cookies/identifiers | Consent Mode v1 |
| analytics_storage | Analytics cookies/identifiers | Consent Mode v1 |
| ad_user_data | Sending user data to Google for ads | v2 (new) |
| ad_personalization | Personalized advertising/remarketing | v2 (new) |
Why? The EU's Digital Markets Act (DMA) requires Google (designated a "gatekeeper") to obtain verifiable end-user consent before processing personal data for advertising. Google shifted this burden downstream — your app must prove consent was obtained and communicate the signals via Consent Mode v2. Google Play's updated policies (January 28, 2026) reinforce this by requiring explicit user consent for all data collection with affirmative user action.
🚫 What Google Blocks for Non-Compliant Mobile Apps
For EEA/UK traffic without proper consent signals, Google disables everything that matters for growth:
Conversion Tracking — Disabled
Google Ads cannot determine which installs or in-app actions came from ads. Your campaign optimization data goes dark. Smart Bidding has nothing to optimize against.
Remarketing Audiences — Disabled
Cannot build or target remarketing audiences from EEA/UK users. Your retargeting campaigns go silent for those markets.
GA4 Demographics & Interests — Disabled
No demographic or interest reporting for EEA/UK users in Google Analytics 4. Your audience insights have a Europe-shaped hole.
Enhanced Conversions — Disabled
Even server-side conversion data is blocked for non-compliant accounts. The server-side workaround doesn't work without consent signals.
Ad Personalization — Disabled
All ad personalization disabled, including non-personalized ads. Google serves no ads or limited ads only.
The permanent data loss problem
Data lost during non-compliant periods is permanently unrecoverable. Google provides no backfill mechanism. If you fix your implementation today, you start collecting from today forward — everything before that is gone.
🍎 iOS Implementation: Info.plist + setConsent()
For iOS apps, you need two things: default consent states in Info.plist and runtime updates via Firebase's setConsent().
Step 1: Set defaults in Info.plist
Add all four parameters with their default states set to false (denied). This ensures Google receives a "denied" signal before the user interacts with your consent dialog:
<key>google_analytics_default_allow_analytics_storage</key>
<false/>
<key>google_analytics_default_allow_ad_storage</key>
<false/>
<key>google_analytics_default_allow_ad_user_data</key>
<false/>
<key>google_analytics_default_allow_ad_personalization_signals</key>
<false/>Step 2: Update consent at runtime
After the user interacts with your consent dialog, call setConsent() with their actual choices:
// Swift — After user grants consent
Analytics.setConsent([
.analyticsStorage: .granted,
.adStorage: .granted,
.adUserData: .granted,
.adPersonalization: .granted
])
// Swift — After user denies consent
Analytics.setConsent([
.analyticsStorage: .denied,
.adStorage: .denied,
.adUserData: .denied,
.adPersonalization: .denied
])ATT + Consent Mode = Double consent burden
iOS apps face a unique double-consent situation: Apple's App Tracking Transparency (ATT) prompt and Google's Consent Mode v2 dialog. With ATT opt-in rates at 15-30%, you're already losing the majority of IDFA data. Consent Mode v2 potentially removes the remainder of your EEA analytics data too.
🤖 Android Implementation: AndroidManifest.xml + setConsent()
Step 1: Set defaults in AndroidManifest.xml
<meta-data
android:name="google_analytics_default_allow_analytics_storage"
android:value="false" />
<meta-data
android:name="google_analytics_default_allow_ad_storage"
android:value="false" />
<meta-data
android:name="google_analytics_default_allow_ad_user_data"
android:value="false" />
<meta-data
android:name="google_analytics_default_allow_ad_personalization_signals"
android:value="false" />Step 2: Update consent at runtime
// Kotlin — After user grants consent
Firebase.analytics.setConsent {
analyticsStorage(ConsentStatus.GRANTED)
adStorage(ConsentStatus.GRANTED)
adUserData(ConsentStatus.GRANTED)
adPersonalization(ConsentStatus.GRANTED)
}
// Kotlin — After user denies consent
Firebase.analytics.setConsent {
analyticsStorage(ConsentStatus.DENIED)
adStorage(ConsentStatus.DENIED)
adUserData(ConsentStatus.DENIED)
adPersonalization(ConsentStatus.DENIED)
}Geo-targeting shortcut: eu_consent_policy
For ad_user_data and ad_personalization, you can use the value eu_consent_policy instead of denied. This denies consent only for EEA users while granting it by default elsewhere — useful if your compliance concern is specifically the EU market.
📋 CMP Selection: Google UMP SDK and TCF v2.3
If your app uses AdMob, you must use a Google-certified Consent Management Platform (CMP) that integrates with IAB's Transparency and Consent Framework. There are about 29 Google-certified CMPs, but only approximately 21 of them support mobile apps.
Option 1: Google's UMP SDK (Free)
- Google's own User Messaging Platform SDK (version 3.2.0+)
- Free, but limited customization of the consent dialog
- Firebase must be initialized before the UMP SDK
- Must call
requestConsentInfoUpdate()at every app launch
Option 2: Third-Party Certified CMP
- More customization options and multi-platform support
- Typically paid (per-app or per-user pricing)
- Must still be on Google's certified list
- Verify mobile app support — not all certified CMPs have mobile SDKs
TCF v2.3 deadline: Already passed
TCF v2.3 became mandatory on March 1, 2026. TC strings generated after this date must include the new mandatory "Disclosed Vendors" segment. Without it, Google serves Limited Ads (lower revenue) or drops ad requests entirely. If your CMP hasn't updated to TCF v2.3, you're already losing revenue.
🤖 Behavioral Modeling: Why It Won't Save You
Google offers machine learning-based "behavioral modeling" to reconstruct some conversion data from aggregate anonymized signals when consent is denied. Before you count on it, understand its limitations:
1,000 daily events minimum
Requires 1,000+ daily events from both consenting and denying users. Most small-to-medium mobile apps cannot meet this bar.
~40% data recovery
In documented cases, behavioral modeling recovered approximately 40% of attribution data after consent mode was properly implemented. The remaining 60% was permanently lost.
No retroactive modeling
Modeling only applies after your implementation is correct. Data from the non-compliant period is gone forever — no retroactive reconstruction.
Behavioral modeling is a partial safety net, not a solution. For apps that make product decisions based on conversion data, a 60% data gap is the difference between optimizing blind and optimizing with confidence.
🎭 The Privacy Theater Problem
The most common failure mode isn't missing a consent dialog — it's having one that looks functional but doesn't actually pass consent signals to Google's SDKs. Your app shows a beautifully designed GDPR banner, the user taps "Accept," and... nothing happens on Google's end.
This "privacy theater" is dangerous because:
- Detection delay is 48-72 hours. Google's diagnostic system takes 2-3 days to report whether consent signals are being received correctly. You won't know your implementation is broken until days of data are already lost.
- Testing is non-trivial. You can't simply check your consent dialog visually. You need to verify that
setConsent()is actually being called with the correct parameters and that Google's servers are receiving the signals. - CMP updates can break things. When your CMP updates its SDK, the integration between the CMP and Firebase can silently break. Regular verification is non-optional.
Verification checklist
- □ Consent dialog appears before any Firebase/Google data collection
-
□
setConsent()called with all four parameters after user interaction - □ Firebase initialized before CMP/UMP SDK
- □ Wait 48-72 hours and check Google Ads diagnostic reports
- □ Test both consent and denial paths (don't just test "Accept")
- □ Verify TC string includes "Disclosed Vendors" segment (TCF v2.3)
🛡️ The Privacy-First Alternative
Every section above describes a compliance burden that exists because Google's analytics infrastructure collects personal data. Consent Mode v2, CMP integration, TCF v2.3, behavioral modeling thresholds — all of this stems from one architectural decision: collecting data that triggers consent requirements.
What if your analytics platform retained no personal data in the first place?
Consent Mode v2 compliance burden vs. privacy-first analytics
| Requirement | Firebase + Consent Mode v2 | Privacy-First Analytics |
|---|---|---|
| CMP integration | Required | N/A — no Google SDK |
| Consent dialog | Required for EEA/UK | Consult your legal team |
| TCF v2.3 compliance | Required for AdMob | N/A — no Google SDK |
| EEA data coverage | Partial (consent-dependent) | Not gated by consent signals |
| Data lost on consent denial | Yes — permanently | N/A — no personal data stored |
| Behavioral modeling required | Yes (1,000 events/day min) | No — direct measurement |
| Fields stored | 25+ fields (IDs, device info, etc.) | 5 fields (no personal data) |
Respectlytics stores exactly 5 fields: event_name, session_id, timestamp, platform, and country. Session IDs are anonymized identifiers stored only in RAM that rotate automatically. IP addresses are processed transiently for approximate country lookup and immediately discarded. No personal data is ever persisted.
Because Respectlytics doesn't use Google SDKs, your analytics data is not gated by Consent Mode v2 signals. No behavioral modeling needed for data recovery. No dependency on CMP integration or TCF compliance for your analytics to function.
Data minimization by design simplifies your compliance posture. Consult your legal team to determine your specific requirements.
❓ Frequently Asked Questions
What is Google Consent Mode v2 for mobile apps?
Consent Mode v2 requires apps using Firebase Analytics, Google Ads, or AdMob to communicate four consent parameters (ad_storage, analytics_storage, ad_user_data, ad_personalization) based on each EEA/UK user's consent choice. Without it, Google disables conversion tracking, remarketing, and ad personalization.
What happens if my mobile app doesn't implement Consent Mode v2?
Google disables conversion tracking, remarketing audiences, demographic reporting, enhanced conversions, and all ad personalization for EEA/UK traffic. Data lost during non-compliant periods is permanently unrecoverable.
How do I implement Consent Mode v2 in iOS and Android?
Set default consent states (all denied) in Info.plist (iOS) or AndroidManifest.xml (Android). At runtime, call Firebase's setConsent() method with the user's actual consent choices. Use a Google-certified CMP for the consent dialog.
Does behavioral modeling recover all lost conversion data?
No. Behavioral modeling requires 1,000+ daily events from both consenting and denying users — most small-to-medium apps can't meet this. Documented cases show ~40% recovery. The remaining 60% is permanently lost.
Can I avoid Consent Mode v2 entirely?
Privacy-focused analytics that store only anonymized session data — event name, session ID, timestamp, platform, and country — collect no personal data by design. This data minimization approach provides full session coverage. Consult your legal team to determine your specific consent requirements.
Legal Disclaimer: This information is provided for educational purposes and does not constitute legal advice. Regulations vary by jurisdiction and change over time. Consult your legal team to determine the requirements that apply to your situation.