Google just made your cookie banner the most important config
Google is removing Signals as a control on Google Ads cookies and IDs from 15 June 2026. Your cookie consent banner becomes the primary thing between user data and Google's ad business.
…and most teams I talk to haven’t noticed.
From 15 June 2026, Google is consolidating the two controls that govern how advertising data flows from GA4 into Google Ads. Signals will continue to operate, but only for signed-in user data in GA4 behavioural reporting; it no longer affects Ads cookies and IDs. The primary gate for Ads cookies and IDs is ad_storage, with ad_user_data and ad_personalization controlling how that data is used for Ads features. All three sit inside Consent Mode and are governed by your cookie banner.
The official notice frames this as “simplification” (partly fair). Two overlapping controls were genuinely confusing, and consolidating them is reasonable product hygiene. The practical effect is that for linked properties, Ads-side consent settings become the single source of truth, with ad_storage as the main gate. If your banner is misconfigured, Google will automatically start collecting more data from your site than it does today.
The change is global; it applies in Australia, not just the EU.
What actually changes
Today, Google Signals and ad_storage operate as two independent gates. Either being off blocks the flow of ad identifiers from GA4 into Google Ads. From 15 June, only ad_storage matters. If a user grants it (or your banner defaults to granted, which is its own problem), Google Ads collects the full identifier stack and links activity to signed-in Google accounts where possible. If they deny it, Google falls back to URL-based parameters like gclid and limited consent-compatible signals (basic conversion measurement, modelled conversions). The full identifier-linked stack is gated on ad_storage granted.
The cookie consent banner is now the primary control point for advertising data collection across the GA4/Ads link in most implementations. Consent Mode can also be set server-side or via tag manager logic, but for the typical setup, the CMP is what the system reads. GA4, your tag manager and your Ads account all defer to whatever it sends. The old configuration could absorb a misconfigured banner because Signals provided a fallback; the new one cannot, which moves CMP correctness from a measurement concern into a compliance one.
Why this matters more in Australia than people realise
The OAIC has been clear that controllers (the website operator, not Google) carry liability for what tracking pixels collect. The tracking pixel guidance from November 2024 made the position explicit. The Privacy and Other Legislation Amendment Act 2024 gave the OAIC direct infringement notice powers up to $330k per body corporate. Tranche 2 of the Privacy Act reforms is in drafting, expected in 2026 based on current government signalling, with directional signals already clear: an expanded definition of personal information to capture online identifiers, a “fair and reasonable” test for data handling, and stricter consent rules.
Australia is heading in the same direction as the EU on this, on a slower clock. The Google change does not alter Australian advertisers’ obligations under the APPs, but it does remove a safety rail that many teams have been quietly relying on without realising it.
Different exposures by business model
The mechanics are identical regardless of business model. The practical consequence varies.
Transactional / e-commerce. Smart Bidding and Performance Max campaigns are directly exposed. A misconfigured ad_storage degrades bidding signal quality in days, not months. Mid-market retailers running PMax with thin first-party data sit at the sharpest end. Modelled conversions only partially compensate. IMO the fix is upstream (consent audit), not downstream (bid strategy change).
Subscription. Acquisition holds up reasonably well. The exposure sits in retention and win-back, where audience building for upsell/cross-sell/reactivation depends on signed-in account linkage. LTV modelling depends on consent continuity, so signal gaps compound rather than show up cleanly in a single campaign.
Lead generation / B2B. Conversion volume is already thin, so Smart Bidding has less room to absorb signal loss and remarketing efficiency drops. The bigger exposure is compliance, because LCM funnels collect PII (name, email, company) earlier than other models, and the OAIC’s pixel guidance names this directly.
Publishers and affiliates. The advertiser-side dynamics do not apply here, but third-party pixel liability does, and yield is directly tied to consent rates inside Google Ad Manager and AdSense. I will write about this separately.
What to actually do
If you have a GA4 property linked to Google Ads (probably 98% of advertisers reading this), the audit is the same regardless of business model. Verify all four Consent Mode v2 parameters fire correctly (ad_storage + ad_user_data + ad_personalization + analytics_storage). Check what the banner sends as the default before user interaction. If ad_storage defaults to granted before any consent action, you have a problem, and you have probably had one for a while. Update privacy disclosures. Capture a 30-day baseline before 15 June so you can tell the difference between a platform change and a configuration error after the fact.
The work itself is not complex. The hard part is that most organisations do not know which team owns it.
My read
This is well-designed product simplification on Google’s side and it sharply increases operational risk for any advertiser running a misconfigured CMP. The control surface narrows, the default behaviour leaks more data into Google’s ad business, and the liability for both sits with the advertiser. The audit window before 15 June is the cheapest moment to fix it.