From fines to better bottom line: The ultimate guide to data and consent in 2025

In 2025, a basic cookie banner will no longer suffice. The Norwegian and European regulatory authorities have tightened the rules significantly, and if you make mistakes, it can cost you dearly. At the same time, advertising platforms have a greater need than ever for good data to provide you with cheaper ads that actually convert. Here, we show you three concrete steps to ensure that you collect data legally, achieve better campaign results, and can sleep well at night.

Why you should look at this yesterday

  • Legal requirements: From 2025, all tracking mechanisms must wait for valid consent. Semi-legal banners will not suffice.

  • Economic risk: GDPR fines can be quite hefty, to say the least.

  • Costly to stand still: Without the right signals, Google, Meta, and LinkedIn lose the ability to optimize. The result is more expensive clicks, wrong customers, and lost growth.

The road to nirvana (not the band)

Step 1: Get consent in order

  • Use a TCF 2.2-certified CMP (Consent Management Platform) with "Reject all" as visible as "Accept all." This is not a recommendation, but a requirement in 2025.

  • Block all non-essential cookies and scripts until consent is given.

  • Make it easy then. Don't try to trick your guests.

Step 2: Set up the advertising platforms correctly

  • Google: Implement Consent Mode v2 in advanced mode.

  • Meta: Configure Conversions API with deduplication against pixel, and respect consent.

  • LinkedIn: Use Insight Tag and Conversion API, but only when the user has consented.

2.1 Setup in Google Tag Manager

This is how you ensure that Consent Mode and consent actually work in practice:

  1. Add consent variables

Go to Variables in GTM and enable "Built-in variables" for Consent (e.g., ad_user_data and ad_personalization).

  1. Link tags to consent

In each individual tag (Google Ads, GA4, Meta Pixel, LinkedIn Insight Tag), select "Consent settings" and define which purposes must be accepted before the tag can fire.

  1. Use trigger groups

Create trigger groups that combine consent variables with events so that a tag only runs when the user has provided the right consent.

  1. Test in Preview

Use GTM Preview Mode or Tag Assistant to check that the tags are indeed blocked on rejection and fire on acceptance.

  1. Document the setup

Create a simple overview of which tags require which consent. This overview can be used as documentation if you receive an audit from the Data Protection Authority.

Step 3: Send back the right signals

  • Google Enhanced Conversions sends encrypted (hashed) email or phone numbers when a user converts. This provides a better match rate for your ads.

  • Meta Conversions API (CAPI) transfers conversion data directly from your server to Meta, resulting in more accurate data and eliminating uncertainty with browser blockages.

  • Server-side tagging gives you full control over the data flow, improves the speed of your website, and ensures better compliance.

Costs vs. savings

"Oh come on, Christian, we don’t have time to update the Cookie banner with "Reject" as the default option." Yes, that calculation can quickly lead to significant losses if you receive a fine from the major regulators.

In summary

  • CMP with "Reject all" as visible as "Accept all".

  • Consent Mode v2 activated and tested.

  • Tags in GTM linked to consent variables.

  • Enhanced Conversions (Google), CAPI (Meta and LinkedIn) activated via server-side.

If you have any questions about this, feel free to contact us here: Contact

2026