Updated August 6, 2020.
Google Tag Manager (GTM) is the world’s most popular tool for organizing all third-party tags on websites, and controlling when these are triggered. It’s handy for website owners who don’t have their hands deep into the source code.
Our consent management platform (CMP) is a featured community CMP Template in Google Tag Manager. Find the standard tag in the GTM Community Template Gallery, to control all third-party tags on your website based on the consent state of your end-users.
Cookiebot CMP also works seamlessly with Google Consent Mode that lets you run all your website’s Google-services, like Gtag and GTM, based on end-user consent.
In this blogpost, learn about Google Tag Manager, cookie consent and GDPR compliance with the Cookiebot CMP tag.
Our solution comes as a featured community CMP Template in GTM Community Template Gallery and brings you fast and seamless consent management of all third-party tags on your website for true compliance with the EU’s General Data Protection Regulation (GDPR) and other major data privacy legislations in the world.
Using Google Tag Manager for controlling services like Google Analytics or social media plugins will set cookies, which means that using Google Tag Manager requires cookie consent to function in compliance on your website.
On May 27, 2021, Google announced that Google Tag Manager has integrated consent as a core part of the platform's inner workings so that any tag in GTM can make built-in consent checks, and not only Google's own tags.
Our CMP fully integrates with and supports this update, so you can now use Cookiebot CMP and Google Tag Manager together to control all tags on your website without manual configuration.
Cookiebot CMP lets Google Tag Manager run all third-party tags based on the consent state of your end-users.
Based on an unrivaled website scanner that detects and controls all cookies and similar trackers on your website, Cookiebot CMP enables your website to protect the privacy of your end-user, while balancing your needs for data-driven business.
Want to try Cookiebot CMP with Google Tag Manager?
Simply choose the Cookiebot CMP template from the Community Template Gallery, and inject our script for easy compliance and protection of user privacy.
Cookiebot CMP is featured as the standard consent management provider in GTM
Our CMP automatically blocks all cookies and tracker until a user has given their consent.
If a user decides not to give their consent to, say, marketing cookies, when they arrive on your domain, we make sure that tags that set such cookies in Google Tag Manager don’t fire.
Our solution is a consent management platform that makes the implementation and compliant use of Google Tag Manager on your website super easy.
Let Cookiebot CMP automatically control all third-party tags (like Google Analytics, Facebook pixels and more) based on the consent state of your end-users, so that your use of Google Tag Manager (GTM) is compliant with the strict GDPR requirements of always obtaining the prior consent from visitors before processing personal data.
Try Cookiebot free for 30 days - or forever if you have a small website.
Google Consent Mode is a way for your website to run all its Google-services (such as Google Tag Manager, Gtag, Google Analytics or Google Ads) based on the consent state of your end-users.
Cookiebot CMP and Google Tag Manager works together like a symphony orchestra.
If a user doesn’t give consent to statistics or marketing cookies, Google Consent Mode makes sure that you still get valuable insight into your website’s performance while respecting end-user privacy.
Google Consent Mode ensures aggregate and non-identifying data if users don’t consent to cookies, including –
Google Consent Mode also enables you to display contextual ads based on anonymous data instead of targeted ads based on personal data, if users don’t give their consent to marketing cookies.
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Google Tag Manager (GTM) is a system that controls what tags (scripts), you want to run on your website and when you want them to run. Instead of having to code and mark-up different events on your website, Google Tag Manager takes care of that.
This can e.g. be Google Analytics that through Google Tag Manager can create statistics on user behavior on your site. This is useful information to website owners, because it lets them update and optimize their website and its content based on real-life user interactions and performance statistics.
Google Tag Manager orchestrates tags that set cookies on your website, most of which are regulated by the EU's GDPR.
Google Tag Manager (GTM), once implemented on your website, manages all kinds of tags. It can be statistical scripts or marketing tags that are meant for advertisement. Such tags and scripts set cookies, which collect data from your users in order to compile the statistics and marketing analytics.
The most common uses of Google Tag Manager include:
If this gets too technical, then think of it this way:
If your website is a symphony hall and the tags are all the different musicians you’ve chosen to house, then Google Tag Manager is the conductor. The conductor chooses what instruments are to play and when they are to play, in what order and for what duration.
In this picture, Cookiebot CMP is the notes on the conductor’s pages that he directs the orchestra by. These notes tell him which musician are allowed to play and under what circumstances they should not be allowed to play.
Google Tag Manager works through tags and triggers.
Collections of tags, such as “marketing”, are called tag containers.
Important for website owners to know, is that almost all of such “third party tags” will set cookies that, according to EU law (the GDPR), fall into categories that require the explicit prior consent of your users.
Triggers are the conditions under which tags are allowed to fire, or in other words. It means that Google Tag Manager can control when a certain tag is fired, e.g. when a customer updates their card on a check-out subpage and a certain function of the site activates to let them share their purchase on social media.
These rules can be URL-based or event-based, such as when a user scrolls or clicks on some area of your website.
In other words, tags are what happens, while triggers are when what happens.
Much like different notes in a symphony, tags and triggers are orchestrated by Google Tag Manager.
Try Cookiebot CMP free for 30 days – or forever if you have a small website
Let’s say that you’re using Google Tag Manager on your website, and you use it to deploy analytics and marketing cookies on your domain, so that you can measure your users and their behavior as they navigate your site.
In that case, your website will have several cookies set that activate and collect users’ data when they arrive on your domain.
This means that personal information, such as IP addresses, names and location data will be collected for statistical and marketing purposes.
The EU's General Data Protection Regulation (GDPR) that came into force in May 2018 has some strict rules about what you can do on your website with cookies.
The EU law is binding law in all 27 member states, and if you have visitors from the EU, you are obligated to abide by the rules – even if you, as mentioned earlier, and your website is located in, say, the US.
So, if you have any type of cookie or tracking technology on your website, the GDPR states that you must:
The European Data Protection Board (EDPB) is the leading supervisor on GDPR enforcement in the EU. Their guidelines and decisions form the basis of enforcement for the national data protection authorities in each EU country.
On May 4, 2020, the EDPB adopted guidelines on valid consent in the EU. They include that –
This is also known as prior consent and means that you are not legally allowed to use analytics and marketing tags through Google Tag Manager without first obtaining the explicit consent to do so by the users that you wish to collect data from.
The fines for non-compliance with the GDPR are up to €20 million or 4% of a company’s annual global turnover per infringement – whichever is highest. The French data protection authority CNIL fined Google €50 million for infringements and violations of the GDPR in the spring of 2019.
This all means that Google Tag Manager and GDPR have a breaking point – they are not mutually exclusive, but if you use GTM and have visitors from the EU, you need to be extra careful not to be non-compliant.
As mentioned before, Google Tag Manager and GDPR are not mutually exclusive if you have a consent solution like Cookiebot CMP.
After Cookiebot CMP completes its scan, our customizable consent banner will display all the cookies and trackers on your website within four categories, three of which (preferences, statistics and marketing) the user can give and revoke their consent to.
The user then gives their consent and based on the specifics of this consent (e.g. whether they opted in for marketing cookies, or out of analytics), the cookies and trackers are then activated on your website.
Tags and triggers orchestrated by Google Tag Manager and the cookies they set are regulated by the EU's GDPR.
Until the consent is given by the user, Cookiebot CMP automatically controls all cookies so that no user data is collected until after consent is obtained from your users, as mandated by the GDPR.
Only strictly necessary cookies are allowed to be set when a user arrives on a website, and consent banners that manage user consent are not allowed to have pre-ticked checkboxes on any other categories of cookies.
What Cookiebot CMP then does is to tell Google Tag Manager what tags to run.
If the user decides to not have marketing or analytics cookies set on their devices, Cookiebot CMP changes the conditions for which Google Tag Manager runs tags, and so will not run tags that set marketing or analytics cookies.
In that sense, Cookiebot CMP acts like the privacy protecting bridge intermediary that controls what Google Tag Manager is allowed to do based on the specifics of your users’ consent.
By using Cookiebot CMP, you can ensure that the cookies and trackers that you deploy as tags through Google Tag Manager meets cookie consent requirements, i.e. doesn’t collect personal information on users before they’ve given their consent to it.
Google Tag Manager and GDPR are not mutually exclusive – if you use Cookiebot CMP.
In order to “get the best of both worlds” – meaning website optimization through analytics and marketing, as well as being GDPR compliant and respecting your users’ privacy – you need to make sure that:
Here is an example of how that looks –
To know more about the technical aspects of the implementation, check out our support page dedicated to Google Tag Manager and Cookiebot CMP.
If your users are from inside the EU, you are bound by EU’s General Data Protection Regulation to provide them with detailed information on all the cookies and similar tracking technology present on your website, and the choice of consent.
You are not allowed to process any user data before such a consent has been obtained.
But don’t worry – you can use Google Tag Manager and set analytics and marketing tags in a GDPR compliant way if you use a consent solution like Cookiebot CMP.
Google Tag Manager (GTM) is a popular tool for controlling tags on websites. Google Tag Manager can be used to control everything from statistical scripts or marketing tags that collect data for analytics and advertising, like tracking website page views, button clicks and how users scroll and behave. Websites use Google Tag Manager to update and optimize their websites and its content based on tracking of user interactions.
Google Tag Manager works through tags and triggers. Tags are pieces of code that are embedded on a website by Google Tag Manager that set trackers such as tracking pixels, web beacons or ultrasound beacons, depending on their technology. Triggers are the conditions under which tags are activated, e.g. when a user clicks or scrolls. Almost all third-party tags will set cookies on users’ browsers and therefore require the consent of users before activation.
The General Data Protection Regulation (GDPR) is an EU data privacy law that governs the processing of personal data of individuals inside the EU. The GDPR requires websites to obtain the clear and affirmative consent from users before being allowed to activate cookies that process personal data, such as IP addresses, browser and search history.
Google Tag Manager can be used to deploy analytics and marketing cookies on your website, which means that you will need the prior consent from users in order to lawfully use Google Tag Manager in the EU. Statistics and marketing cookies must be deactivated by default until a user has given their prior consent.