
 

The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how you as a website owner may use Google Tag Manager to track your visitors from the EU.

 

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

With Cookiebot, you can easily make your use of Google Tag Manager GDPR compliant.

Cookiebot is a service that helps you make your use of cookies and online tracking compliant with the EU legislation on personal data and online privacy: the GDPR and the ePrivacy Directive.

In this step-by-step guide, we will show you how to:

  1. Implement the cookie consent banner in Google Tag Manager
  2. Control cookies
  3. Display the cookie declaration on a subpage.

Is my use of Google Tag Manager GDPR and ePR compliant?

1. Implement the cookie consent banner in Google Tag Manager (GTM)


Are you ready? First of all, it is important to note that we assume that you already have...

  1. an account in Google Tag Manager (henceforth: GTM),
  2. created a website container in GTM, and
  3. added the GTM container snippet to your website as required: Tag Manager Answer: 6103696

When you implement Cookiebot using GTM, Cookiebot will also be able to control tags not set from GTM, i.e. script tags that are inserted directly in your website template. Just mark up such tags for 'prior consent' as described in Step 3 of our general implementation tutorial.

In your GTM container create a new tag by clicking "New" > "Custom HTML Tag".

In the "HTML" field, insert the following snippet and replace the serial number "00000000-0000-0000-0000-000000000000" with your own serial number from the "Your scripts" tab in the Cookiebot Manager:

<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js?cbid=00000000-0000-0000-0000-000000000000" type="text/javascript"></script>
<script>
function CookiebotCallback_OnAccept() {
    if (Cookiebot.consent.preferences)
        dataLayer.push({'event':'cookieconsent_preferences'});
    if (Cookiebot.consent.statistics)
        dataLayer.push({'event':'cookieconsent_statistics'});
    if (Cookiebot.consent.marketing)
        dataLayer.push({'event':'cookieconsent_marketing'});
}
</script>

Choose "All pages" as trigger and apply a name to your tag at the top of the configuration page, e.g. "Cookie Consent". Click "Save" to create the tag. This is what your tag configuration should look like (except for the value of the serial number):

Finally, click "Publish" to push your changes live to your site.

Also, make sure that you have registered and saved the domain name(s) of your website(s) in Cookiebot. The consent banner is now active on your website.

2. Controlling cookies


To honor the visitor's consent, you need to define the logic that controls the behavior of cookie-setting scripts on your website.

Example: Google Analytics

In this example, we will show you how to implement and control Google Analytics Universal (GAU) with Cookiebot in GTM, so that GAU will only set cookies if the visitor has accepted statistics cookies.

From the GTM "Triggers" list, click "New".

Choose "Custom Event" and enter an event name for the trigger, "cookieconsent_statistics", in the field "Event name".

Click "Save" to create the trigger.

This is what your trigger configuration should look like:

Repeat the above for each type of cookie, so that you have three triggers named "cookieconsent_preferences", "cookieconsent_statistics" and "cookieconsent_marketing".

Now create the GAU tag by clicking "New" from the Tags list - or edit your existing GAU tag.

If creating a new GAU tag, select "Universal Analytics" under the "Choose tag type" pane.

Select "New Variable" in the select box under "Google Analytics settings" and enter your GAU Tracking ID (available from Google Analytics) in the field "Tracking ID".

Click "Save".

As trigger, select the trigger you have just created, "cookieconsent_statistics".

Click "Save" to create or update the tag.

This is what your final GAU tag configuration should look like (except for the Tracking ID):

Finally, click "Publish" to push your changes live to your site.

Google Analytics Universal is now enabled on your website and in compliance with the consents of your visitors.

Controlling cookies with multiple triggers 

While the approach above is efficient when using only one trigger on a tag, you need a different approach when controlling cookies on tags with multiple triggers.

In GTM, a tag will fire if any of the triggers on a tag evaluate to true. Since we want the tag to fire only when the existing trigger and the relevant cookie consent event both evaluate to true, you must add a condition to the existing trigger instead of adding the cookie consent trigger to the tag itself. Trigger conditions must all evaluate to true in order for the trigger to fire.

The values of the cookie consent trigger condition to add are: Event - equals - cookieconsent_marketing.

Replace "cookieconsent_marketing" with "cookieconsent_preferences" or "cookieconsent_statistics", depending on the type of cookies set by the tag.

Example on adding a cookie consent condition to an existing trigger:

If your trigger is of a different type than "Custom Event", e.g. "Click - Just Links", you will not be able to define a trigger condition based on an Event as illustrated above. In this case you need to define a new "User-Defined Variable" of type "Custom JavaScript" for each category of cookies.

Example:
Create a user-defined variable and name it "Cookiebot.consent.marketing". In the field "Custom Javascript", enter the following snippet:

function()
{
  return Cookiebot.consent.marketing.toString()
}

Repeat these steps to create a variable for "preferences" and "statistics" cookies as well, replacing "marketing" in both the variable name and the JavaScript above.

Now go back to your trigger configuration and add a new condition referring to one or more of the above variables, e.g. "Cookiebot.consent.marketing" - contains - true.

Please note: If your existing trigger is of the event type "Page View", you need to change it to event type "Window Loaded" since the visitor's consent is not available to GTM before the window has loaded.
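The difference between adding the consent trigger to a tag and adding a consent condition to its existing trigger can be checked with a small model of the firing rules described above. This is an added example, not Cookiebot's or GTM's own code: the model is a simplification, the tag and trigger objects are constructed, and "gtm.linkClick" is assumed as the event behind a "Click - Just Links" trigger.

```javascript
// Added illustration: a simplified model of the GTM firing rules described
// above. It is not GTM's real engine; tag and trigger names are constructed.

// A trigger fires only when ALL of its conditions are true.
function triggerFires(trigger, ctx) {
  return trigger.conditions.every(function (cond) { return cond(ctx); });
}

// A tag fires when ANY of its triggers fires.
function tagFires(tag, ctx) {
  return tag.triggers.some(function (t) { return triggerFires(t, ctx); });
}

// Condition: "Event - equals - <name>".
function eventEquals(name) {
  return function (ctx) { return ctx.event === name; };
}

// Condition: "Cookiebot.consent.<category> - contains - true", mirroring the
// Custom JavaScript variable that returns Cookiebot.consent.<category>.toString().
function consentContainsTrue(category) {
  return function (ctx) {
    return ctx.consent[category].toString().indexOf('true') !== -1;
  };
}

var linkClick = { conditions: [eventEquals('gtm.linkClick')] };
var consentEvent = { conditions: [eventEquals('cookieconsent_marketing')] };
var linkClickWithConsent = {
  conditions: [eventEquals('gtm.linkClick'), consentContainsTrue('marketing')]
};

// Wrong: consent trigger added next to the existing trigger (OR semantics).
var tagWithTwoTriggers = { triggers: [linkClick, consentEvent] };
// Right: consent added as a condition on the existing trigger (AND semantics).
var tagWithCondition = { triggers: [linkClickWithConsent] };

// Constructed sample: a link click by a visitor who declined marketing cookies.
var declinedClick = {
  event: 'gtm.linkClick',
  consent: { preferences: true, statistics: true, marketing: false }
};

console.log('two triggers fires:', tagFires(tagWithTwoTriggers, declinedClick));
console.log('condition fires:', tagFires(tagWithCondition, declinedClick));
```

In the model, the tag with two separate triggers fires on the click even though marketing consent was declined, while the tag whose existing trigger carries the consent condition stays silent.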

3. Implementing the cookie declaration


If you want to display the cookie declaration for your website in full length on a specific subpage, e.g. on a separate cookie declaration page or as part of your privacy policy, GTM can inject the declaration in real time into an empty HTML placeholder element on the subpage, identified by its "id" attribute or a class name.

First you need to create a new trigger with the path to the page in question, e.g. "/privacypolicy".

From the Triggers list, click "New" and select "Page View" as type on the "Choose trigger type" pane.

Select "Some Page Views" and define this condition for the trigger to fire:

URL path - equals - /privacypolicy

Click "Save" to create the trigger.

This is what your trigger configuration should look like (except the final url path):

 

From the Tags list create a new "Custom HTML Tag". In the field "HTML" copy/paste the snippet below and replace the Cookiebot serial "00000000-0000-0000-0000-000000000000" with your own serial as described earlier.

Also make sure that the variable "contentPlaceholder" is set to the correct HTML element on your page, i.e. by renaming the element id "bodycontent" to the id of your own placeholder element.

<script>
var contentPlaceholder = document.getElementById("bodycontent");
var cookieDeclarationScript = document.createElement("script");
cookieDeclarationScript.type = "text/javascript";
cookieDeclarationScript.id = "CookieDeclaration";
cookieDeclarationScript.src = "https://consent.cookiebot.com/00000000-0000-0000-0000-000000000000/cd.js";
contentPlaceholder.appendChild(cookieDeclarationScript);
</script>

Under the "Triggering" section, select the trigger you have just created. Click "Save" to create the tag. This is what your tag configuration should look like (except for the value of the serial):

Finally, click "Publish" to push your changes live to your site.

The cookie declaration will now display at the path you have defined above.

Final remarks: What to know about the GDPR


The GDPR, ‘The General Data Protection Regulation’, is the most significant initiative on online privacy and personal data protection in over 20 years.

It entered into force on May 25, 2018 and affects all websites that are located in the EU, or have users from the EU.

The fines and penalties for non-compliance are very heavy: Up to € 20 million, or 4% of the organization's global yearly turnover, whichever is higher.

GDPR and cookies

For owners of websites and blogs, the primary aspect to be aware of is the use of cookies and online tracking going on in connection with your site. This goes for cookies of first party and third party provenance alike.

Almost all websites use cookies.

Most cookies track data that, by itself or combined with other data, can be considered personal according to the definition in the GDPR.

Therefore, it is imperative that you take action to render your use of cookies compliant with the regulations. Read more about the GDPR and cookies.

Two aspects are of primary importance to meet the requirements:

1. Get a GDPR-compliant cookie policy

Make sure that your users have access to read a proper cookie policy for your website. For a cookie policy to be compliant, it has to provide accurate and specific information on the cookies in use on your website, and instructions on how to opt in and out of them.

Other than that, it doesn’t matter whether your cookie policy is an independent document or integrated in your privacy policy, as long as the information is easily accessible for your users.

Read the full introduction to getting a GDPR compliant cookie policy.

2. GDPR and ePR compliant cookie consent

To render your use of cookies GDPR and ePR compliant, you have to obtain consent from your users first.

The consent must be…

  • given prior to the setting of the cookies. This means that you have to implement a solution that is able to pause the cookies until the consent for setting them has been obtained.
  • based on true insight. Your users must be provided with specific and accurate information on what they are giving their consent to.
  • retrievable. You should give your users access to their settings, so that they can change their mind about what cookies they want to accept on your website.  
  • based on a true choice. The users must be able to use the website even though they have rejected all cookies that are not strictly necessary.
  • stored as documentation. All given consents must be securely kept as proof that consent has been given.
  • renewed once a year. Every 12 months, the user consent must be renewed.

Read our article on cookie consent and learn more about the requirements, and how to comply with all of the above in one single stroke.

WordPress, Plugin and cookies

If you have a WordPress site, you can easily comply by adding the Cookiebot Plugin.

Read more about WordPress, cookies and plugins here.
