The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how you as a website owner may use Google Tag Manager to track your visitors from the EU.

 

Is my use of Google Tag Manager GDPR and ePR compliant?

Google Tag Manager is a hugely popular tool for websites of any size and shape. It organizes all third-party tags on your website (like Google Analytics or Facebook pixels), and it also controls when these are triggered. It’s handy for website owners who don’t have their hands deep in the source code.

Cookiebot is a consent management solution that enables websites to protect the privacy of users and be compliant with both the GDPR and ePR when it comes to cookies and tracking.

What’s more, Cookiebot is now an integral part of Google Tag Manager!

Cookiebot has been selected as a standard tag in Google Tag Manager, and will be featured as the only consent solution (or consent management provider).

This means that if you use Google Tag Manager, you can now simply choose the “Cookiebot CMP” template from the Community Template Gallery, and inject our script for easy compliance and protection of user privacy.

[Image: Google Tag Manager has selected Cookiebot as standard tag in the Community Template Gallery. Cookiebot is featured as the standard consent management provider in GTM.]

Cookiebot automatically blocks all cookies and trackers until a user has given their consent. If a user decides not to give their consent to, say, marketing cookies, when they arrive on your domain, Cookiebot makes sure that tags that set such cookies in Google Tag Manager don’t fire.

In a sense, Cookiebot is Google Tag Manager’s tag manager: based on the consent of your end-users, we tell Google Tag Manager what tags to fire and when.

We offer this service because the European General Data Protection Regulation has strict and specific rules as to how you are allowed to collect and handle data, or “personal information”, from your users (see https://www.cookiebot.com/en/gdpr-cookies/).

The GDPR protects EU citizens (even if your website is located outside of the EU) and has explicit requirements for the use of cookies of both third and first party on websites.

Cookiebot is a consent management platform that makes the implementation and compliant use of Google Tag Manager on your website super easy. We enable you to protect the privacy of your end-users, so you can utilize Google Tag Manager in a lawful way.

In this blogpost, we will:

  1. Take you through an explanation of Google Tag Manager and how to implement it,
  2. Look at Google Tag Manager vs. GDPR and what it says you can and cannot do on your website,
  3. Look at Google Tag Manager and cookies,
  4. Explain how Cookiebot makes your use of Google Tag Manager easy and compliant.

Try Cookiebot for free today to see for yourself.

What is Google Tag Manager?


Google Tag Manager is a system that controls which tags (scripts) run on your website and when they run. Instead of you having to code and mark up different events on your website, Google Tag Manager takes care of that.

One example is Google Analytics, which through Google Tag Manager can compile statistics on user behavior on your site. This is useful information to website owners, because it lets them update and optimize their website and its content based on real-life user interactions and performance statistics.

What does Google Tag Manager do?

Google Tag Manager, once implemented on your website, manages all kinds of tags. It can be statistical scripts or marketing tags that are meant for advertisement. Such tags and scripts set cookies, which collect data from your users in order to compile the statistics and marketing analytics.

In other words, what Google Tag Manager does is to integrate and activate JavaScript code on your whole website or specific sections of it.

The most common uses of Google Tag Manager include:

If this gets too technical, then think of it this way:

If your website is a symphony hall and the tags are all the different musicians you’ve chosen to house, then Google Tag Manager is the conductor. The conductor chooses what instruments are to play and when they are to play, in what order and for what duration.

In this picture, Cookiebot is the notes on the conductor’s pages that he directs the orchestra by. These notes tell him which musicians are allowed to play and under what circumstances they should not be allowed to play.

How does Google Tag Manager work?

Google Tag Manager works through tags and triggers.

Tags are pieces of code, such as HTML or JavaScript, which are deployed on your website for analytics or marketing purposes, or as a social media plugin. They are also known by names such as tracking pixels, web beacons, ultrasound beacons and many others, depending on their functions.

Collections of tags, such as “marketing”, are called tag containers.

It is important for website owners to know that almost all such “third party tags” will set cookies that, according to EU law (the GDPR), fall into categories that require prior consent, or in some cases explicit consent, from your users.

Triggers are the conditions under which tags are allowed to fire. In other words, Google Tag Manager can control when a certain tag is fired, e.g. when a customer updates their card on a check-out subpage and a certain function of the site activates to let them share their purchase on social media.

These rules can be URL-based or event-based, such as when a user scrolls or clicks on some area of your website.

In other words, tags are what happens, while triggers are when it happens.

Google Tag Manager and cookie consent


Let’s say that you’re using Google Tag Manager on your website, and you use it to deploy analytics and marketing cookies on your domain, so that you can measure your users and their behavior as they navigate your site.

In that case, your website will have several cookies set that activate and collect users’ data when they arrive on your domain. This means that personal information, such as IP addresses, names and location data will be collected for statistical and marketing purposes.

Google Tag Manager and GDPR

The General Data Protection Regulation that came into force in May 2018 has some strict rules about what you can do on your website with cookies.

The EU law is binding law in all 28 member states, and if you have visitors from the EU, you are obligated to abide by the rules – even if, as mentioned earlier, you and your website are located in, say, the US.

So, if you have any type of cookie or tracking technology on your website, the GDPR states that you must:

This is also known as prior consent and means that you are not legally allowed to use analytics and marketing tags through Google Tag Manager without first obtaining consent to do so from the users that you wish to collect data from.

The fines for non-compliance with the GDPR are up to €20 million or 4% of a company’s annual global turnover per infringement – whichever is highest. The French data protection authority CNIL fined Google €50 million for infringements and violations of the GDPR in the spring of 2019.

This all means that Google Tag Manager and the GDPR have a point of friction: they are not mutually exclusive, but if you use GTM and have visitors from the EU, you need to take extra care to stay compliant.

As mentioned before, Google Tag Manager and GDPR are not mutually exclusive if you have a consent solution like Cookiebot.

Cookiebot and Google Tag Manager


Cookiebot is a compliance solution, a consent management platform for your website that enables you to make sure that your domains’ use of cookies and tracking is GDPR compliant.

Our technology first scans your website and all of its subpages, finding all cookies and similar tracking technologies present – without exception (everything from HTTP/JavaScript cookies, HTML5 Local Storage, Flash Local Shared Objects, Silverlight Isolated Storage, IndexedDB, ultrasound beacons, pixel tags… and the list goes on).

Cookiebot then generates a cookie declaration with descriptions of every cookie found on your website that can be used as part of your consent dialog’s details and as a separate cookie report, integrated in your privacy policy.

After Cookiebot completes its scan, our customizable consent banner will display all the cookies and trackers on your website within four categories, three of which (preferences, statistics and marketing) the user can give and revoke their consent to.

The user then gives their consent and based on the specifics of this consent (e.g. whether they opted in for marketing cookies, or out of analytics), the cookies and trackers are then activated on your website.

Cookiebot and Google Tag Manager - compliance and consent

Until the consent is given by the user, Cookiebot automatically controls all cookies so that no user data is collected until after consent is obtained from your users, as mandated by the GDPR.

What Cookiebot then does is to tell Google Tag Manager what tags to run.

If the user decides to not have marketing or analytics cookies set on their devices, Cookiebot changes the conditions for which Google Tag Manager runs tags, and so will not run tags that set marketing or analytics cookies.

In that sense, Cookiebot acts as the privacy-protecting intermediary that controls what Google Tag Manager is allowed to do based on the specifics of your users’ consent.

By using Cookiebot, you can ensure that the cookies and trackers that you deploy as tags through Google Tag Manager meet cookie consent requirements, i.e. don’t collect personal information on users before they’ve given their consent to it.

Google Tag Manager and cookie consent are not mutually exclusive – if you use Cookiebot.

Read more about the Cookiebot functions here.

How to implement Google Tag Manager with Cookiebot


In order to “get the best of both worlds” – meaning website optimization through analytics and marketing, as well as being GDPR compliant and respecting your users’ privacy – you need to make sure that:

  1. The Google Tag Manager script is the first script to load on your website.
  2. Your Google Tag Manager script is marked with data-cookieconsent="ignore" to ensure that Google Tag Manager will always be allowed to load.
  3. You insert the Cookiebot script with automatic cookie blocking immediately after the Google Tag Manager script.
  4. You create 3 triggers in Google Tag Manager that fire on the custom event cookie_consent_[category], where [category] is one of preferences, statistical or marketing.

Here is an example of how that looks:

[Image: Google Tag Manager and Cookiebot's automatic cookie blocking]
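The check below is an added example, not Cookiebot's or Google's own code: it audits a page's markup against steps 1 to 3 of the list above (step 4 is configured inside the GTM container and is not visible in the HTML). The gtm.js and uc.js URLs and the data-blockingmode="auto" attribute are assumed from the standard embed snippets, and the sample pages and IDs are constructed placeholders.

```javascript
// Added example: audit <script> order against steps 1-3 of the list above.
// The gtm.js / uc.js URLs and data-blockingmode are assumed from the standard
// GTM and Cookiebot embed snippets; they are not given on this page.
function listScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const attrRe = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const tag of html.matchAll(tagRe)) {
    const attrs = {};
    for (const a of tag[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    scripts.push({ attrs, body: tag[2] });
  }
  return scripts;
}

const isGtm = (s) =>
  /googletagmanager\.com\/gtm\.js/.test((s.attrs.src || "") + s.body);
const isCookiebot = (s) =>
  /consent\.cookiebot\.com\/uc\.js/.test(s.attrs.src || "");

function auditConsentSetup(html) {
  const [first, second] = listScripts(html);
  if (!first || !isGtm(first)) {
    return ["step 1: GTM is not the first script on the page"];
  }
  const findings = [];
  if (first.attrs["data-cookieconsent"] !== "ignore") {
    findings.push('step 2: GTM script lacks data-cookieconsent="ignore"');
  }
  if (!second || !isCookiebot(second)) {
    findings.push("step 3: Cookiebot script does not directly follow GTM");
  } else if (second.attrs["data-blockingmode"] !== "auto") {
    findings.push("step 3: Cookiebot is not in automatic blocking mode");
  }
  return findings;
}

// Constructed sample markup; the container ID and data-cbid are placeholders.
const GTM = "(function(w,d,s,l,i){/* abridged */ j.src='https://www.googletagmanager.com/gtm.js?id='+i;})(window,document,'script','dataLayer','GTM-XXXXXXX');";
const CB = '<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="00000000-0000-0000-0000-000000000000" data-blockingmode="auto"></script>';
const goodPage = `<head><script data-cookieconsent="ignore">${GTM}</script>${CB}</head>`;
const pixelFirst = `<head><script src="https://example.com/pixel.js"></script><script>${GTM}</script>${CB}</head>`;
const weakPage = `<head><script>${GTM}</script>${CB.replace(' data-blockingmode="auto"', "")}</head>`;

for (const [name, page] of Object.entries({ goodPage, pixelFirst, weakPage })) {
  console.log(name, auditConsentSetup(page));
}
```

An empty result means the markup matches steps 1 to 3; any script that loads ahead of GTM, such as the pixel in the second sample, runs before consent handling is in place and is reported as a step 1 finding.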

To learn more about the technical aspects of the implementation, check out our support page dedicated to Google Tag Manager and Cookiebot.

Summary


If you have a website, you most likely use cookies. You’re also very likely to use Google Tag Manager, which means you probably collect personal information from your users. Google Tag Manager and the cookies that you can set through GTM are regulated by the GDPR.

If your users are from inside the EU, you are bound by the EU’s General Data Protection Regulation to provide them with detailed information on all the cookies and similar tracking technology present on your website, and the choice of consent.

You are not allowed to process any user data before such consent has been obtained.

But don’t worry – you can use Google Tag Manager and set analytics and marketing tags in a GDPR compliant way if you use a consent solution like Cookiebot.

Resources


Try Cookiebot for free today

Cookiebot’s support site on Google Tag Manager and Cookiebot

Learn more about the GDPR and what it requires of your website.

General help for Cookiebot implementation

GDPR official law text
