18 Apr 2026

Got Google Analytics or Google ads on your web site? Don’t forget to check some important compliance instructions, in a LinkedIn post from Jennifer L. Vercellone, Esq. And remember, “Each Google platform (GA4, Ads, GMP) must be configured to honor those signals.”

Read the whole thing. As far as I can tell, here’s the list of things to check.

Now remember to set up “Basic vs. Advanced Consent Mode”.

And “Consent Mode reflects your CMP—it does not override it. And each Google platform must be configured to act on those signals.” See the list above.

There’s no “consent mode” in the law, but “consent mode” has to be upgraded—because of code churn on the Google side—and a CMP to configure, and multiply by the number of different Google services you’re using. Yes, this is a lot of Jira tickets, or whatever you use. And if you get one wrong, you lose the compliance game.

This set of changes is due before June 15, 2026. But don’t worry. Google will put out another set any day now.

No, Google doesn’t set up their services to keep sites on the right side of the law by default. No, they don’t even have one illegal/legal switch that you can flip for all the Google services at once. They put work on the advertisers, publishers, and app developers.

When Google tells 404 Media,

This report is based on a fundamental misunderstanding of how our products work. We honor opt-out provided by advertisers and publishers as required by law.

they might be correct, in a sense. If advertisers and publishers read the right documentation and do what it says, or hire the right team of compliance nerds, then maybe it is possible to use Google services in a way that complies with the law. (More coverage of this issue: Websites break California privacy law at ‘industrial scale,’ survey finds) But often people leave things set up in a way that…

  • passes more information to Google

  • is technically illegal

…and Google can be shocked to discover non-compliance along with regulators.

The conclusion to Vercellone’s LinkedIn post explains.

CMP, Consent Mode, and each Google platform must be configured as a system—not in isolation. Misalignment at any layer = compliance and measurement gaps.

A normal company wouldn’t be able to get away with dumping all this work on others. If one plumber hooked up your water heater to shock you in the shower, you could call a different plumber. Plumbers have to compete, and they read the building code for you.

But Google, because monopoly, just gets to sit back and do monopoly stuff. Google has figured out how to avoid consequences of CCPA-style privacy laws, while still getting a lot of the extra personal data that comes with breaking the law, and putting all the costs, and the risks of non-compliance, onto publishers, app developers, and advertisers. Google shifts the compliance tax onto smaller companies, just as Amazon did with the risks of operating delivery vans on a micromanaged, tight schedule.

Well played, Google.

Naturally, this whole disappointing situation has, as they say, important lessons for policy makers. Drafting a CCPA-clone, or near clone, privacy bill is copying a game level that Google has already beaten. Future laws can and should offer a compliance tax cut to legit companies. More: what California got wrong on privacy laws