Updated October 22, 2020.
Google Tag Manager is a hugely popular tool for websites of any size and shape. It organizes all third-party tags on your website (like Google Analytics or Facebook pixels), and it also controls when these are triggered.
It’s handy for website owners who don’t have their hands deep into the source code. Cookiebot is a standard tag in Google Tag Manager.
Cookiebot also works seamlessly with Google Consent Mode that lets you run all your website’s Google-services, like Gtag and GTM, based on the consent of your end-users. Read on for more on Google Tag Manager and GDPR compliance.
Want to try Cookiebot with Google Tag Manager?
Simply choose the Cookiebot CMP template from the Community Template Gallery, and inject our script for easy compliance and protection of user privacy.
Cookiebot is featured as the standard consent management provider in GTM
Cookiebot automatically blocks all cookies and tracker until a user has given their consent.
If a user decides not to give their consent to, say, marketing cookies, when they arrive on your domain, Cookiebot makes sure that tags that set such cookies in Google Tag Manager don’t fire.
In a sense, Cookiebot is Google Tag Manager’s tag manager: based on the consent of your end-users, we tell Google Tag Manager what tags to fire and when.
Cookiebot offers consent management for your website in full compliance with the EU’s General Data Protection Regulation and its strict and specific rules for how you are allowed to collect and handle personal data from your users.
Cookiebot is a consent management platform that makes the implementation and compliant use of Google Tag Manager on your website super easy.
Cookiebot enables you to protect the privacy of your end-users, so you can utilize Google Tag Manager in a lawful way.
Try Cookiebot free for 30 days... or forever if you have a small website.
Google Consent Mode is a way for your website to run all its Google-services (such as Google Tag Manager, Gtag, Google Analytics or Google Ads) based on the consent state of your end-users.
If a user doesn’t give consent to statistics or marketing cookies, Google Consent Mode makes sure that you still get valuable insight into your website’s performance while respecting end-user privacy.
Google Consent Mode ensures aggregate and non-identifying data if users don’t consent to cookies, including –
Google Consent Mode also enables you to display contextual ads based on anonymous data instead of targeted ads based on personal data, if users don’t give their consent to marketing cookies.
Try Cookiebot free for 30 days – or forever if you have a small website.
Google Tag Manager (GTM) is a system that controls what tags (scripts), you want to run on your website and when you want them to run. Instead of having to code and mark-up different events on your website, Google Tag Manager takes care of that.
This can e.g. be Google Analytics that through Google Tag Manager can create statistics on user behavior on your site. This is useful information to website owners, because it lets them update and optimize their website and its content based on real-life user interactions and performance statistics.
Google Tag Manager (GTM), once implemented on your website, manages all kinds of tags. It can be statistical scripts or marketing tags that are meant for advertisement. Such tags and scripts set cookies, which collect data from your users in order to compile the statistics and marketing analytics.
The most common uses of Google Tag Manager include:
If this gets too technical, then think of it this way:
If your website is a symphony hall and the tags are all the different musicians you’ve chosen to house, then Google Tag Manager is the conductor. The conductor chooses what instruments are to play and when they are to play, in what order and for what duration.
In this picture, Cookiebot is the notes on the conductor’s pages that he directs the orchestra by. These notes tell him which musician are allowed to play and under what circumstances they should not be allowed to play.
Google Tag Manager works through tags and triggers.
Collections of tags, such as “marketing”, are called tag containers.
Important for website owners to know, is that almost all of such “third party tags” will set cookies that, according to EU law (the GDPR), fall into categories that require the explicit prior consent of your users.
Triggers are the conditions under which tags are allowed to fire, or in other words. It means that Google Tag Manager can control when a certain tag is fired, e.g. when a customer updates their card on a check-out subpage and a certain function of the site activates to let them share their purchase on social media.
These rules can be URL-based or event-based, such as when a user scrolls or clicks on some area of your website.
In other words, tags are what happens, while triggers are when what happens.
Let’s say that you’re using Google Tag Manager on your website, and you use it to deploy analytics and marketing cookies on your domain, so that you can measure your users and their behavior as they navigate your site.
In that case, your website will have several cookies set that activate and collect users’ data when they arrive on your domain. This means that personal information, such as IP addresses, names and location data will be collected for statistical and marketing purposes.
Try Cookiebot free for 30 days – or forever if you have a small website
The General Data Protection Regulation that came into force in May 2018 has some strict rules about what you can do on your website with cookies.
The EU law is binding law in all 27 member states, and if you have visitors from the EU, you are obligated to abide by the rules – even if you, as mentioned earlier, and your website is located in, say, the US.
So, if you have any type of cookie or tracking technology on your website, the GDPR states that you must:
The European Data Protection Board (EDPB) is the leading supervisor on GDPR enforcement in the EU. Their guidelines and decisions form the basis of enforcement for the national data protection authorities in each EU country.
On May 4, 2020, the EDPB adopted guidelines on valid consent in the EU. They include that –
This is also known as prior consent and means that you are not legally allowed to use analytics and marketing tags through Google Tag Manager without first obtaining the explicit consent to do so by the users that you wish to collect data from.
The fines for non-compliance with the GDPR are up to €20 million or 4% of a company’s annual global turnover per infringement – whichever is highest. The French data protection authority CNIL fined Google €50 million for infringements and violations of the GDPR in the spring of 2019.
This all means that Google Tag Manager and GDPR have a breaking point – they are not mutually exclusive, but if you use GTM and have visitors from the EU, you need to be extra careful not to be non-compliant.
As mentioned before, Google Tag Manager and GDPR are not mutually exclusive if you have a consent solution like Cookiebot.
After Cookiebot completes its scan, our customizable consent banner will display all the cookies and trackers on your website within four categories, three of which (preferences, statistics and marketing) the user can give and revoke their consent to.
The user then gives their consent and based on the specifics of this consent (e.g. whether they opted in for marketing cookies, or out of analytics), the cookies and trackers are then activated on your website.
Until the consent is given by the user, Cookiebot automatically controls all cookies so that no user data is collected until after consent is obtained from your users, as mandated by the GDPR.
Only strictly necessary cookies are allowed to be set when a user arrives on a website, and consent banners that manage user consent are not allowed to have pre-ticked checkboxes on any other categories of cookies.
What Cookiebot then does is to tell Google Tag Manager what tags to run.
If the user decides to not have marketing or analytics cookies set on their devices, Cookiebot changes the conditions for which Google Tag Manager runs tags, and so will not run tags that set marketing or analytics cookies.
In that sense, Cookiebot acts like the privacy protecting bridge intermediary that controls what Google Tag Manager is allowed to do based on the specifics of your users’ consent.
By using Cookiebot, you can ensure that the cookies and trackers that you deploy as tags through Google Tag Manager meets cookie consent requirements, i.e. doesn’t collect personal information on users before they’ve given their consent to it.
Google Tag Manager and GDPR are not mutually exclusive – if you use Cookiebot.
In order to “get the best of both worlds” – meaning website optimization through analytics and marketing, as well as being GDPR compliant and respecting your users’ privacy – you need to make sure that:
Here is an example of how that looks –
To know more about the technical aspects of the implementation, check out our support page dedicated to Google Tag Manager and Cookiebot.
Try Cookiebot free for 30 days – or forever if you have a small website.
If your users are from inside the EU, you are bound by EU’s General Data Protection Regulation to provide them with detailed information on all the cookies and similar tracking technology present on your website, and the choice of consent.
You are not allowed to process any user data before such a consent has been obtained.
But don’t worry – you can use Google Tag Manager and set analytics and marketing tags in a GDPR compliant way if you use a consent solution like Cookiebot.
Google Tag Manager is a popular tool for controlling tags on websites. Google Tag Manager can be used to control everything from statistical scripts or marketing tags that collect data for analytics and advertising, like tracking website page views, button clicks and how users scroll and behave. Websites use Google Tag Manager to update and optimize their websites and its content based on tracking of user interactions.
Google Tag Manager works through tags and triggers. Tags are pieces of code that are embedded on a website by Google Tag Manager that set trackers such as tracking pixels, web beacons or ultrasound beacons, depending on their technology. Triggers are the conditions under which tags are activated, e.g. when a user clicks or scrolls. Almost all third-party tags will set cookies on users’ browsers and therefore require the consent of users before activation.
The General Data Protection Regulation (GDPR) is an EU data privacy law that governs the processing of personal data of individuals inside the EU. The GDPR requires websites to obtain the clear and affirmative consent from users before being allowed to activate cookies that process personal data, such as IP addresses, browser and search history.
Google Tag Manager can be used to deploy analytics and marketing cookies on your website, which means that you will need the prior consent from users in order to lawfully use Google Tag Manager in the EU. Statistics and marketing cookies must be deactivated by default until a user has given their prior consent.