Updated April 3, 2020.
Google Tag Manager is a hugely popular tool for websites of any size and shape. It organizes all third-party tags on your website (like Google Analytics or Facebook pixels), and it also controls when these are triggered.
It’s handy for website owners, who don’t have their hands deep into the source code.
Cookiebot is a consent management solution that enables websites to protect the privacy of users and be compliant with both the GDPR and ePR when it comes to cookies and tracking.
What’s more, Cookiebot is now an integral part of Google Tag Manager!
Cookiebot has been selected as a standard tag in Google Tag Manager, and is featured as the only consent solution (or consent management provider).
This means that if you use Google Tag Manager, you can now simply choose the ”Cookiebot CMP” template from the Community Template Gallery, and inject our script for easy compliance and protection of user privacy.
Cookiebot is featured as the standard consent management provider in GTM
Cookiebot automatically blocks all cookies and tracker until a user has given their consent. If a user decides not to give their consent to, say, marketing cookies, when they arrive on your domain, Cookiebot makes sure that tags that set such cookies in Google Tag Manager don’t fire.
In a sense, Cookiebot is Google Tag Manager’s tag manager: based on the consent of your end-users, we tell Google Tag Manager what tags to fire and when.
We offer this service because the European General Data Protection Regulation has strict and specific rules as to how you are allowed to collect and handle data, or “personal information”, from your users.
Cookiebot is a consent management platform that makes the implementation and compliant use of Google Tag Manager on your website super easy. We enable you to protect the privacy of your end-users, so you can utilize Google Tag Manager in a lawful way.
Try Cookiebot for free today to see for yourself.
Google Tag Manager is a system that controls what tags (scripts), you want to run on your website and when you want them to run. Instead of having to code and mark-up different events on your website, Google Tag Manager takes care of that.
This can e.g. be Google Analytics that through Google Tag Manager can create statistics on user behavior on your site. This is useful information to website owners, because it lets them update and optimize their website and its content based on real-life user interactions and performance statistics.
Google Tag Manager, once implemented on your website, manages all kinds of tags. It can be statistical scripts or marketing tags that are meant for advertisement. Such tags and scripts set cookies, which collect data from your users in order to compile the statistics and marketing analytics.
The most common uses of Google Tag Manager include:
If this gets too technical, then think of it this way:
If your website is a symphony hall and the tags are all the different musicians you’ve chosen to house, then Google Tag Manager is the conductor. The conductor chooses what instruments are to play and when they are to play, in what order and for what duration.
In this picture, Cookiebot is the notes on the conductor’s pages that he directs the orchestra by. These notes tell him which musician are allowed to play and under what circumstances they should not be allowed to play.
Google Tag Manager works through tags and triggers.
Collections of tags, such as “marketing”, are called tag containers.
Important for website owners to know, is that almost all of such “third party tags” will set cookies that, according to EU law (the GDPR), fall into categories that require the explicit prior consent of your users.
Triggers are the conditions under which tags are allowed to fire, or in other words. It means that Google Tag Manager can control when a certain tag is fired, e.g. when a customer updates their card on a check-out subpage and a certain function of the site activates to let them share their purchase on social media.
These rules can be URL-based or event-based, such as when a user scrolls or clicks on some area of your website.
In other words, tags are what happens, while triggers are when what happens.
Let’s say that you’re using Google Tag Manager on your website, and you use it to deploy analytics and marketing cookies on your domain, so that you can measure your users and their behavior as they navigate your site.
In that case, your website will have several cookies set that activate and collect users’ data when they arrive on your domain. This means that personal information, such as IP addresses, names and location data will be collected for statistical and marketing purposes.
The General Data Protection Regulation that came into force in May 2018 has some strict rules about what you can do on your website with cookies.
The EU law is binding law in all 27 member states, and if you have visitors from the EU, you are obligated to abide by the rules – even if you, as mentioned earlier, and your website is located in, say, the US.
So, if you have any type of cookie or tracking technology on your website, the GDPR states that you must:
This is also known as prior consent and means that you are not legally allowed to use analytics and marketing tags through Google Tag Manager without first obtaining the explicit consent to do so by the users that you wish to collect data from.
The fines for non-compliance with the GDPR are up to €20 million or 4% of a company’s annual global turnover per infringement – whichever is highest. The French data protection authority CNIL fined Google €50 million for infringements and violations of the GDPR in the spring of 2019.
This all means that Google Tag Manager and GDPR have a breaking point – they are not mutually exclusive, but if you use GTM and have visitors from the EU, you need to be extra careful not to be non-compliant.
As mentioned before, Google Tag Manager and GDPR are not mutually exclusive if you have a consent solution like Cookiebot.
After Cookiebot completes its scan, our customizable consent banner will display all the cookies and trackers on your website within four categories, three of which (preferences, statistics and marketing) the user can give and revoke their consent to.
The user then gives their consent and based on the specifics of this consent (e.g. whether they opted in for marketing cookies, or out of analytics), the cookies and trackers are then activated on your website.
Until the consent is given by the user, Cookiebot automatically controls all cookies so that no user data is collected until after consent is obtained from your users, as mandated by the GDPR.
Only strictly necessary cookies are allowed to be set when a user arrives on a website, and consent banners that manage user consent are not allowed to have pre-ticked checkboxes on any other categories of cookies.
What Cookiebot then does is to tell Google Tag Manager what tags to run.
If the user decides to not have marketing or analytics cookies set on their devices, Cookiebot changes the conditions for which Google Tag Manager runs tags, and so will not run tags that set marketing or analytics cookies.
In that sense, Cookiebot acts like the privacy protecting bridge intermediary that controls what Google Tag Manager is allowed to do based on the specifics of your users’ consent.
By using Cookiebot, you can ensure that the cookies and trackers that you deploy as tags through Google Tag Manager meets cookie consent requirements, i.e. doesn’t collect personal information on users before they’ve given their consent to it.
Google Tag Manager and GDPR are not mutually exclusive – if you use Cookiebot.
In order to “get the best of both worlds” – meaning website optimization through analytics and marketing, as well as being GDPR compliant and respecting your users’ privacy – you need to make sure that:
Here is an example of how that looks –
To know more about the technical aspects of the implementation, check out our support page dedicated to Google Tag Manager and Cookiebot.
If your users are from inside the EU, you are bound by EU’s General Data Protection Regulation to provide them with detailed information on all the cookies and similar tracking technology present on your website, and the choice of consent.
You are not allowed to process any user data before such a consent has been obtained.
But don’t worry – you can use Google Tag Manager and set analytics and marketing tags in a GDPR compliant way if you use a consent solution like Cookiebot.