Google Tag Manager and Cookie Consent: How to Comply?

Google Tag Manager (GTM) is a powerful tool for webmasters and marketers. It allows you to handle various marketing and analytics tags and other JavaScript snippets on your website without coding. GTM also helps you manage scripts that may use third-party cookies on your website users’ browsers.

Google Tag Manager can also help you comply with the GDPR requirements, especially when managing cookies and tracking tools on your website.

In this article, we will see how Google Tag Manager uses cookies, the role of Google Consent Mode, and the importance of a consent management platform. Learn how to use GTM effectively while ensuring compliance with privacy regulations like GDPR and CCPA.

What Is Google Tag Manager & How Does It Work?

Google Tag Manager (GTM)  is a tag management system that allows you to set up and manage tracking and marketing tags on your website without changing your website's code.

Google Tag Manager is a free tool that enables companies to manage various tracking codes and snippets, known as tags, from a web-based interface. GTM simplifies managing cookies by centralizing your tags and tracking scripts.

To use GTM, you have to add two snippets of code to each website page. Then, you don't need to change your code directly; instead, you can set up and manage your tags through the GTM website.

When GTM is installed, your website or app could communicate with the Google Tag Manager servers. You can set up tags, establish triggers that determine when these tags should fire, and create variables that can be used to automate your tag configurations. A collection of tags, triggers, variables, and related configurations installed on a website or mobile app is called a container.

An example of a marketing tag could be the Google tag. The Google tag is used to install Google Analytics and other Google services. Other common examples include Google Analytics events, Google Ads conversion scripts, Meta Pixel, and remarketing tags.

Google Tag Manager allows you to integrate easily with other marketing tools like Google Analytics, Google Ads, Facebook, CRM platforms, Consent Management Platforms (CMP), etc.

Google Tag Manager allows you to perform many functions:

• collect information about users’ devices and browsers,
• collect information about user behavior and measure how they are interacting with your site,
• track page views on your site,
• track conversions, when a purchase is made,
• track button and link clicks,
• track filling out a form or signing up for a newsletter,
• track adding items to the cart and shopping cart abandonment,
• track video views,
• track custom events, etc.

You can use this data to trigger certain tags or actions, such as tracking user behavior or displaying targeted content.

Does Google Tag Manager Use Cookies?

The Google Tag Manager code does not use or set cookies. The one exception is when using GTM’s Preview and Debug mode, where GTM sets several first-party cookies to enable the preview functionality. These cookies are used to check your website and see which tags are firing. They are only set for administrators or users who have enabled the Preview and Debug mode and are deleted once they exit it.

While GTM doesn’t use cookies itself, the tags you implement through GTM may set and use cookies. For example, with the GTM you can implement Google Analytics or remarketing tags that set cookies.

Even if GTM doesn't set cookies, it can read cookies that are set on a user’s device by other parties. GTM uses a data layer to transfer data between the website and GTM. The data layer is a JavaScript object that stores information about the page and the user. This data can include information stored in cookies, such as users’ devices, preferences, or behavior. GTM can also use this data to set variables, which can be used in tags, triggers, and other GTM features.

Therefore, to reach compliance with privacy regulations like the GDPR, it is important to have proper Google Tag Manager cookie consent mechanisms in place and block third-party cookies before Cookie Consent is granted.

Read the guides on what third-party cookies are and how to block third-party cookies with Google Tag Manager. 

Cookie Consent Management in Google Tag Manager

Google Tag Manager doesn’t set cookies and doesn’t collect personal information, so it doesn’t require cookie consent.

However, some tags added through Google Tag Manager (for example, Google Analytics or tracking pixels) may use cookies to track user behavior. Thus, even if the usage of GTM depends on your marketing tools setup and configuration, it is the best practice to obtain Google Tag Manager cookie consent to ensure GDPR compliance.

A critical feature for managing GTM cookies is Google Consent Mode, which allows websites to adjust the tags’ behavior based on the user’s Cookie Consent states.

In 2020, Google introduced Google Consent Mode v2, which ensures that the tags collect the personal information of users only after cookie consent is granted. It lets you control how tags behave based on user Cookie Consent choices. If users granted Cookie Consent, the tags would fire on a web page; if users denied cookie consent- the tags would not fire.

GTM simplifies implementing Google Consent Mode by offering built-in variables and triggers for Cookie Consent management. Website owners can create additional triggers for tag firing, ensuring tags only execute with the proper consent. This GTM and Cookie Consent management integration helps maintain compliance with privacy laws.

Is Google Tag Manager GDPR-Compliant?

Since Google Tag Manager itself doesn’t set cookies, it is not GDPR-compliant or non-compliant. Compliance with GDPR is the responsibility of the website owner, so you must ensure that the GTM is compliant with the GDPR and other privacy laws. GTM compliance state depends on how it’s configured.

GTM is commonly used to implement third-party tags that use cookies and collect personal data. These third-party tags may require user consent under the GDPR. Therefore, it is best practice to obtain Google Tag Manager cookie consent to become GDPR-compliant.

You must obtain explicit Cookie Consent before collecting their personal data. This applies to any data collected through tracking or marketing tags implemented through GTM, such as those from Google Analytics, Facebook, and other services.

To ensure GDPR compliance, you should implement a cookie consent banner on your website and configure GTM to only fire tags after the user has granted cookie consent.

This can be done either by using a trigger exception feature in GTM or by using a Consent Management Platform (CMP).

A trigger exception, also known as a blocking trigger, is a sort of trigger that is used to block another trigger's ability to fire under some conditions. So, you can specify that a tag should not fire until a user accepts cookies. Read the Google guide on how to set a blocking trigger.

A more powerful solution to regulate GDPR compliance while using GTM is by using a CMP.

CookieScript CMP is a CMP, evaluated by both Google and website operators:

• CookieScript CMP is a Google-certified CMP.
• CookieScript CMP recently received a Golden badge in the new Google Tiering system.
• CookieScript CMP was ranked by users as the best CMP on a peer-review site G2.

Google Tag Manager and Website Performance

When GTM is properly configured, it can speed up the website and improve your SEO by enabling asynchronous tag loading, which can lead to faster page load times and potentially better search engine rankings. GTM allows you to implement tracking tags without modifying the website’s code. You just need to create a GTM container and add the tracking tags to the container, which can then be placed on the website by adding the GTM container code.

However, if GTM is not properly configured, it can slow down a website. For example, when there are too many tags being added to the GTM container, when there is a poor implementation of the tags, or if tags are firing multiple times, this can cause the website to slow down.

To ensure that GTM does not slow down your website and does not damage your SEO, follow these recommendations:

• Use a cookie Consent Management Platform (CMP) that integrates with GTM.
• Keep the minimal number of tags in the container.
• Regularly review and audit the tags in the container and remove unnecessary ones.
• Use Google Tag Manager’s debugging tools to test and optimize the tags.
• Use tag sequencing to fire tags in the correct order.
• Use the “blocking triggers” feature in GTM to prevent a tag from firing until a certain event occurs. For example, you need to get cookie consent before placing cookies.

How to Comply with Cookie Laws When Using Google Tag Manager?

If you use Google Tag Manager to deploy tags on your website, follow these recommendations to comply with privacy laws:

1. Integrate a Consent Management Platform (CMP). A CMP allows you to create cookie banners, collect and store cookie consent, track user preferences and provide cookie declaration reports. When selecting a CMP, make sure that the CMP is compatible with GTM, supports Google Consent Mode v2, and provides APIs or triggers to inform GTM about users’ consent choices.
2. Implement Google Consent Mode v2. If you are using Google and other tracking and advertising services like Google Ads, Floodlight, Google Analytics 4, and Conversion Linker in the EEA markets, you need to use a Cookie Banner integrated with Google Consent Mode v2. GTM provides a built-in consent mode to achieve compliance. It helps manage tag behavior depending on a cookie consent’s state.
   Remember: Add a consent initialization tag to initialize the consent state when the page loads.
   Perform consent checks to configure each tag to respect the user consent state.
   Read the guide on Google Consent Mode v2 implementation instructions.
3. Audit your tags. To comply with the GDPR, you should audit your GTM container and identify which tags set cookies, and which tags require user consent. An example could be Google Analytics, and Facebook Pixel tags. Categorize these tags into categories like essential, analytics, marketing, and functional, as it is required by the cookie compliance standards.
4. Configure GTM for consent states. Set up GTM triggers to control tag firing based on user consent. You can create consent variables in GTM to capture cookie consent states (e.g. analyticsConsent = true) or use consent variables to create custom triggers (e.g. Google Analytics tags fire only if analyticsConsent is true).
   Read the guide on how to configure GTM tags based on the Google Consent Mode state selected by users. 
5. Test your GTM implementation. Use GTM’s Preview and Debug mode to ensure your tags fire correctly based on user consent. Verify that:
   Tags requiring consent don’t fire if the consent is not granted.
   Essential tags (e.g., strictly necessary cookies, needed for site functionality) fire regardless of user consent state.
6. Identify cookies. Scan your website for cookies to identify cookies and other trackers to set by your website. Check if these cookies collect user data, and if they are first-party cookies or third-party cookies. Keep a list of all third-party scripts and tags your GTM deploys.
7. Block third-party cookies. Configure GTM to automatically block all third-party and other non-essential cookies until a user gives consent to use them.
8. Update your Privacy Policy. Clearly explain what cookies are used on your website, what information they collect, and for what purposes.
9. Provide a cookie banner to get cookie consent. If cookies collect user data, you should add a Cookie Banner to your website to get user consent. The Cookie Banner should provide all necessary information about the cookies used and allow users to opt out of these cookies. You should also allow users to withdraw user consent at any time later. Keep a log of all consent received to use as proof if requested.
10. Use a granular cookie consent notice. Users should be able to accept or reject certain categories of cookies. Provide brief explanations of these categories of cookies and how users can manage their preferences.

CookieScript CMP and Google Tag Manager Cookie Consent

A Consent Management Platform (CMP) is a helpful tool for organizations using Google Tag Manager to comply with the GDPR and other privacy laws. CMPs help websites collect, manage, and store user consent and automatically adjust the execution of cookies based on user cookie preferences.

Integrating a CMP with GTM makes it easier to obtain legally compliant cookie consent while using customizable cookie banners, geo-targeting functionality, and multi-language versions of a website.

CookieScript is the perfect solution for cookie compliance while using Google Tag Manager:

• Best CMP. In 2024, CookieScript CMP was ranked the best CMP by users on a peer-reviewed site G2.
• Cookie Banner and cookie consent management. CookieScript CMP can install a customized cookie banner on your website enabling users to provide granular consent for different types of cookies. It collects cookie consent and ensures the site does not store cookies until the user grants cookie consent.
• Blocking of third-party cookies. It blocks all Third-Party Cookies by default except for strictly necessary ones.
• Google-certified CMP. CookieScript is a Google-certified CMP partner and comes with a full IAB TCF v2.2 integration.
• Supports Google Consent Mode v2.
• Multiple integrations. CookieScript CMP integrates easily with Google ad services and analytics platforms, including Google Analytics 4 via Google Tag Manager, so you could use Google advertisement products easily. The CookieScript CMP is also integrated with other platforms, including content management systems such as Drupal, Magento, Shopify, WordPress, PrestaShop, etc.
• Geo-targeting functionality. 

Frequently Asked Questions

What Is Google Tag Manager?

Google Tag Manager (GTM) is a tag management system that allows you to set up and manage tracking and marketing tags on your website without changing your website's code. It’s a free tool that enables companies to manage various tracking codes and snippets, known as tags, from a web-based interface. GTM simplifies managing cookies by centralizing your tags and tracking scripts.

Does Google Tag Manager use cookies?

The Google Tag Manager code does not set cookies. The one exception is when using GTM’s Preview and Debug mode, where GTM sets several first-party cookies for administrators to enable the preview functionality and are deleted once they exit it. Use CookieScript Cookie Scanner to scan your website for cookies and other website trackers.

Does Google Tag Manager need cookie consent?

Google Tag Manager doesn’t set cookies and doesn’t collect personal information, so it doesn’t require cookie consent. However, some tags added through GTM may use cookies to track user behavior. Thus, it is the best practice to obtain Google Tag Manager cookie consent to ensure GDPR compliance.

Can Google Tag Manager read cookies?

Google Tag Manager can read cookies that are set on a user’s device. GTM uses a data layer to transfer data between the website and GTM. This data can include information stored in cookies, such as user device, preferences, or behavior. If you use cookies, you need to get cookie consent. CookieScript CMP allows you to implement GTM, create cookie banners, and collect cookie consent.

Does Google Tag Manager collect personal information?

Google Tag Manager (GTM) does not collect personal information. It is a tool for managing and implementing tracking and marketing tags on a website. However, the tags that are implemented through GTM may collect personal information about website visitors, depending on the tags’ configuration. Use CookieScript CMP, which is integrated with GTM, to comply with the GDPR.

How to comply with cookie laws when using Google Tag Manager?

To comply with cookie laws, follow these steps: integrate a Consent Management Platform like CookieScript, implement Google Consent Mode v2, audit your tags, configure GTM for consent states, test your GTM implementation, identify cookies, block third-party cookies, and update your Privacy Policy.

Is Google Tag Manager GDPR-Compliant?

Since Google Tag Manager itself doesn’t set cookies, it is not GDPR-compliant or non-compliant. GTM compliance state depends on how it’s configured. To ensure GDPR compliance, you should implement a cookie consent banner on your website and configure GTM to only fire tags after the user has granted cookie consent.

Do ad blockers block Google Tag Manager?

Ad blockers can block Google Tag Manager, especially when advanced settings to remove tracking scripts are enabled. If GTM is blocked by ad blockers, tags implemented through GTM will not execute, so important website features and analytics tracking could be affected.

Do I need a Privacy Policy for Google Tag Manager?

Yes, you need a Privacy Policy when using GTM. Under data protection regulations like the GDPR, businesses collecting personal information through tags implemented via GTM must have a Privacy Policy that discloses that they collect data, for what reasons they collect it, and do they share or sell data to third parties. Use CookieScript Privacy Policy Generator to create a Privacy Policy for your website or app.

Can Google Tag Manager affect my website performance and SEO?

When GTM is properly configured, it can speed up the website and improve your SEO by enabling asynchronous tag loading which can lead to faster page load times and potentially better search engine rankings. However, if GTM is not properly configured, it can slow down a website. Use CookieScript CMP to GTM and comply with privacy laws.