Blog

The GA4 client setting nobody touches but should

Buried under "Advanced settings" is the toggle that determines whether your server enforces consent or trusts the browser to do it.

Blog FAQ Add-ons Developer guides Videos

In the GA4 client config in sGTM, expand the "Advanced settings" section. There is a checkbox labelled "Override consent state at server." Off by default. Almost no team turns it on. It is the most consequential consent setting in the entire container.

What it does

When off, the GA4 client trusts the consent state that arrived in the request payload. Whatever the browser claimed, the server forwards. If the consent state was missing or wrong on the page, the server has no way to correct it.

When on, the server can override the consent state based on its own logic. You provide a Custom Variable that returns the canonical consent state, and the GA4 client uses that value instead of the one in the payload.

Why this matters

The most common consent bug is the page failing to push consent state into the data layer for some events. The events fire, no consent state attached, GA4 falls back to the most permissive default, and your reports include data that should have been suppressed.

With server-side override, you read the canonical consent from a first-party cookie (set by your CMP, like Cookiebot or OneTrust) and apply it consistently to every event. The browser cannot accidentally bypass it.

The variable that supplies the override

const cookie = getCookieValues('CookieConsent')[0] || '';
return {
  ad_storage: cookie.indexOf('marketing:true') !== -1 ? 'granted' : 'denied',
  analytics_storage: cookie.indexOf('statistics:true') !== -1 ? 'granted' : 'denied',
  ad_user_data: cookie.indexOf('marketing:true') !== -1 ? 'granted' : 'denied',
  ad_personalization: cookie.indexOf('marketing:true') !== -1 ? 'granted' : 'denied'
};

Reference this variable in the "Server-side consent state" field on the GA4 client. Every incoming event has its consent state replaced with the server-determined values.

When not to use it

If your CMP integration on the page is rock-solid and audited, the override is redundant. If your team has no first-party CMP cookie to read from server-side, it has nothing to read.

For every other case, turn it on. The cost is one Custom Variable; the upside is consent enforcement that works even when the page-side integration silently breaks. The full Consent Mode v2 signal mapping applies the same way.