Google Tag Manager (GTM) and Cookie Consent

Illustration of orchestra on stage - Cookiebot

Cookiebot CMP and Google Tag Manager

Our solution comes as a featured community CMP Template in GTM Community Template Gallery and brings you fast and seamless consent management of all third-party tags on your website for true compliance with the EU’s General Data Protection Regulation (GDPR) and other major data privacy legislations in the world.

Using Google Tag Manager for controlling services like Google Analytics or social media plugins will set cookies, which means that using Google Tag Manager requires cookie consent to function in compliance on your website.

On May 27, 2021, Google announced that Google Tag Manager has integrated consent as a core part of the platform’s inner workings so that any tag in GTM can make built-in consent checks, and not only Google’s own tags.

Our CMP fully integrates with and supports this update, so you can now use Cookiebot CMP and Google Tag Manager together to control all tags on your website without manual configuration.

See our guide for deploying Cookiebot CMP in Google Tag Manager

Cookiebot CMP lets Google Tag Manager run all third-party tags based on the consent state of your end-users.

Based on an unrivaled website scanner that detects and controls all cookies and similar trackers on your website, Cookiebot CMP enables your website to protect the privacy of your end-user, while balancing your needs for data-driven business.

Want to try Cookiebot CMP with Google Tag Manager?
Simply choose the Cookiebot CMP template from the Community Template Gallery, and inject our script for easy compliance and protection of user privacy.

Cookiebot consent management in for Google Tag Manager - Cookiebot — Cookiebot CMP is featured as the standard consent management provider in GTM

Our CMP automatically blocks all cookies and tracker until a user has given their consent.

If a user decides not to give their consent to, say, marketing cookies, when they arrive on your domain, we make sure that tags that set such cookies in Google Tag Manager don’t fire.

Our solution is a consent management platform that makes the implementation and compliant use of Google Tag Manager on your website super easy.

Let Cookiebot CMP automatically control all third-party tags (like Google Analytics, Facebook pixels and more) based on the consent state of your end-users, so that your use of Google Tag Manager (GTM) is compliant with the strict GDPR requirements of always obtaining the prior consent from visitors before processing personal data.

See our guide for deploying Cookiebot CMP in Google Tag Manager

Try Cookiebot free for 14 days – or forever if you have a small website.

Scan your website for free to see all cookies and trackers in use

Google Consent Mode is a way for your website to run all its Google-services (such as Google Tag Manager, Gtag, Google Analytics or Google Ads) based on the consent state of your end-users.

Cookiebot CMP and Google Consent Mode is fully integrated and work seamlessly together.

Illustration of Cookiebot CMP on a screen - Cookiebot CMP — Cookiebot CMP and Google Tag Manager works together like a symphony orchestra.

Cookiebot CMP manages the consents of your users and communicates their consent state to the Google Consent Mode API that governs the behavior of all Google-services based on the consents.

If a user doesn’t give consent to statistics or marketing cookies, Google Consent Mode makes sure that you still get valuable insight into your website’s performance while respecting end-user privacy.

Google Consent Mode ensures aggregate and non-identifying data if users don’t consent to cookies, including –

Timestamps
User agents
Referrers
Other basic measurements for modelling

Google Consent Mode also enables you to display contextual ads based on anonymous data instead of targeted ads based on personal data, if users don’t give their consent to marketing cookies.

Get started with Google Consent Mode

Try Cookiebot CMP free for 14 days – or forever if you have a small website.

Scan your website free with Cookiebot CMP to see what cookies and trackers you use

What is Google Tag Manager (GTM)?

Google Tag Manager (GTM) is a system that controls what tags (scripts), you want to run on your website and when you want them to run. Instead of having to code and mark-up different events on your website, Google Tag Manager takes care of that.

This can e.g. be Google Analytics that through Google Tag Manager can create statistics on user behavior on your site. This is useful information to website owners, because it lets them update and optimize their website and its content based on real-life user interactions and performance statistics.

Illustration of hands holding a conductors baton - Cookiebot — Google Tag Manager orchestrates tags that set cookies on your website, most of which are regulated by the EU’s GDPR.

What does Google Tag Manager do?

Google Tag Manager (GTM), once implemented on your website, manages all kinds of tags. It can be statistical scripts or marketing tags that are meant for advertisement. Such tags and scripts set cookies, which collect data from your users in order to compile the statistics and marketing analytics.

In other words, what Google Tag Manager does is to integrate and activate JavaScript code on your whole website or specific sections of it.

The most common uses of Google Tag Manager include:

Tracking of website page view
Tracking of button clicks
Tracking external links/outbound clicks
Tracking of conversions, such as in Google Ads
Tracking of how a user scrolls and behaves on a page
Collection of user data, such as geolocation, device type and even screen width.

If this gets too technical, then think of it this way:

If your website is a symphony hall and the tags are all the different musicians you’ve chosen to house, then Google Tag Manager is the conductor. The conductor chooses what instruments are to play and when they are to play, in what order and for what duration.

In this picture, Cookiebot CMP is the notes on the conductor’s pages that he directs the orchestra by. These notes tell him which musician are allowed to play and under what circumstances they should not be allowed to play.

How does Google Tag Manager work?

Google Tag Manager works through tags and triggers.

Tags are pieces of code, such as HTML or JavaScript, which are deployed on your website for analytics or marketing purposes, or it could be a social media plugin as well. They are also known by names such as tracking pixel, web beacons, ultrasound beacons and many others depending on their functions.

Collections of tags, such as “marketing”, are called tag containers.

Important for website owners to know, is that almost all of such “third party tags” will set cookies that, according to EU law (the GDPR), fall into categories that require the explicit prior consent of your users.

Triggers are the conditions under which tags are allowed to fire, or in other words. It means that Google Tag Manager can control when a certain tag is fired, e.g. when a customer updates their card on a check-out subpage and a certain function of the site activates to let them share their purchase on social media.

These rules can be URL-based or event-based, such as when a user scrolls or clicks on some area of your website.

In other words, tags are what happens, while triggers are when what happens.

Illustration of a violin with a cursor arrow - Cookiebot — Much like different notes in a symphony, tags and triggers are orchestrated by Google Tag Manager.

See our guide for deploying Cookiebot CMP in Google Tag Manager

Try Cookiebot CMP free for 14 days – or forever if you have a small website

Scan your website for free to see all cookies and trackers in use

Let’s say that you’re using Google Tag Manager on your website, and you use it to deploy analytics and marketing cookies on your domain, so that you can measure your users and their behavior as they navigate your site.

In that case, your website will have several cookies set that activate and collect users’ data when they arrive on your domain.

This means that personal information, such as IP addresses, names and location data will be collected for statistical and marketing purposes.

Get started with Google Consent Mode

The EU’s General Data Protection Regulation (GDPR) that came into force in May 2018 has some strict rules about what you can do on your website with cookies.

The EU law is binding law in all 27 member states, and if you have visitors from the EU, you are obligated to abide by the rules – even if you, as mentioned earlier, and your website is located in, say, the US.

So, if you have any type of cookie or tracking technology on your website, the GDPR states that you must:

Obtain clear and unambiguous consent from its users,
Prior to any processing of personal data,
After specifying all types of cookies and other tracking technology present and operating on its pages,
In easy-to-understand ways that enable users to consent and to revoke consent on each specific category of cookies,
To then be able to safely and confidentially document each user consent,
Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.

The European Data Protection Board (EDPB) is the leading supervisor on GDPR enforcement in the EU. Their guidelines and decisions form the basis of enforcement for the national data protection authorities in each EU country.

On May 4, 2020, the EDPB adopted guidelines on valid consent in the EU. They include that –

Cookie banners are not allowed to have pre-ticked checkboxes. All cookies (except necessary cookies) must be deselected by default.
Continued scrolling and browsing on a website does not constitute valid consent. Users must make a clear and affirmative action indicating their choice of consent.
Cookie walls cannot be used to obtain a valid consent, i.e. making user consent conditional for access to a website and its services is deemed unlawful.

Learn more about the EDPB guidelines on valid consent in the EU

This is also known as prior consent and means that you are not legally allowed to use analytics and marketing tags through Google Tag Manager without first obtaining the explicit consent to do so by the users that you wish to collect data from.

The fines for non-compliance with the GDPR are up to €20 million or 4% of a company’s annual global turnover per infringement – whichever is highest. The French data protection authority CNIL fined Google €50 million for infringements and violations of the GDPR in the spring of 2019.

This all means that Google Tag Manager and GDPR have a breaking point – they are not mutually exclusive, but if you use GTM and have visitors from the EU, you need to be extra careful not to be non-compliant.

As mentioned before, Google Tag Manager and GDPR are not mutually exclusive if you have a consent solution like Cookiebot CMP.

Cookiebot CMP is a compliance solution, a consent management platform for your website that enables you to make sure that your domains’ use of cookies and tracking is GDPR compliant.

The Cookiebot CMP technology first scans your website and all of its subpages, finding all cookies and similar tracking technologies present – without exception (everything from HTTP/JavaScript cookies, HTML5 Local Storage, Flash Local Shared Object, Silverlight Isolated Storage, IndexedDB, ultrasound beacons, pixel tags… and the list goes on).

Cookiebot CMP then generates a cookie declaration with descriptions of every cookie found on your website that can be used as part of your consent dialog’s details and as a separate cookie report, integrated in your privacy policy.

After Cookiebot CMP completes its scan, our customizable consent banner will display all the cookies and trackers on your website within four categories, three of which (preferences, statistics and marketing) the user can give and revoke their consent to.

The user then gives their consent and based on the specifics of this consent (e.g. whether they opted in for marketing cookies, or out of analytics), the cookies and trackers are then activated on your website.

Illustration of people playing the violin - Cookiebot — Tags and triggers orchestrated by Google Tag Manager and the cookies they set are regulated by the EU’s GDPR.

Until the consent is given by the user, Cookiebot CMP automatically controls all cookies so that no user data is collected until after consent is obtained from your users, as mandated by the GDPR.

Only strictly necessary cookies are allowed to be set when a user arrives on a website, and consent banners that manage user consent are not allowed to have pre-ticked checkboxes on any other categories of cookies.

What Cookiebot CMP then does is to tell Google Tag Manager what tags to run.

If the user decides to not have marketing or analytics cookies set on their devices, Cookiebot CMP changes the conditions for which Google Tag Manager runs tags, and so will not run tags that set marketing or analytics cookies.

In that sense, Cookiebot CMP acts like the privacy protecting bridge intermediary that controls what Google Tag Manager is allowed to do based on the specifics of your users’ consent.

By using Cookiebot CMP, you can ensure that the cookies and trackers that you deploy as tags through Google Tag Manager meets cookie consent requirements, i.e. doesn’t collect personal information on users before they’ve given their consent to it.

Google Tag Manager and GDPR are not mutually exclusive – if you use Cookiebot CMP.

See our guide for deploying Cookiebot CMP in Google Tag Manager

Get started with Google Consent Mode

How to implement Google Tag Manager with Cookiebot CMP

In order to “get the best of both worlds” – meaning website optimization through analytics and marketing, as well as being GDPR compliant and respecting your users’ privacy – you need to make sure that:

The Google Tag Manager script is the first script to load on your website.
Your Google Tag Manager script is marked with: data-cookieconsent=”ignore” to ensure that Google Tag Manager will always be allowed to load.
You insert the Cookiebot script with automatic cookie blocking immediately after the Google Tag Manager script.
Create 3 triggers in Google Tag Manager, which are fired upon custom event cookie_consent_[category] category = {preferences, statistics, marketing}

Here is an example of how that looks –

Google Tag Manager & Cookiebot cookie blocking code - Cookiebot

To know more about the technical aspects of the implementation, check out our support page dedicated to Google Tag Manager and Cookiebot CMP.

Summary

If you have a website, you most likely use cookies. You’re also very likely to use Google Tag Manager (GTM), which means you probably collect personal information from your users. Google Tag Manager and the cookies that you can set through GTM are regulated by the GDPR.

If your users are from inside the EU, you are bound by EU’s General Data Protection Regulation to provide them with detailed information on all the cookies and similar tracking technology present on your website, and the choice of consent.

You are not allowed to process any user data before such a consent has been obtained.

But don’t worry – you can use Google Tag Manager and set analytics and marketing tags in a GDPR compliant way if you use a consent solution like Cookiebot CMP.

FAQ

What is Google Tag Manager (GTM)?

Google Tag Manager (GTM) is a popular tool for controlling tags on websites. Google Tag Manager can be used to control everything from statistical scripts or marketing tags that collect data for analytics and advertising, like tracking website page views, button clicks and how users scroll and behave. Websites use Google Tag Manager to update and optimize their websites and its content based on tracking of user interactions.

Try Cookiebot CMP free for 14 days for GDPR compliance

How does Google Tag Manager (GTM) work?

Google Tag Manager works through tags and triggers. Tags are pieces of code that are embedded on a website by Google Tag Manager that set trackers such as tracking pixels, web beacons or ultrasound beacons, depending on their technology. Triggers are the conditions under which tags are activated, e.g. when a user clicks or scrolls. Almost all third-party tags will set cookies on users’ browsers and therefore require the consent of users before activation.

Try Cookiebot CMP free for 14 days for GDPR compliance

What is the EU’s GDPR?

The General Data Protection Regulation (GDPR) is an EU data privacy law that governs the processing of personal data of individuals inside the EU. The GDPR requires websites to obtain the clear and affirmative consent from users before being allowed to activate cookies that process personal data, such as IP addresses, browser and search history.

Learn more about the GDPR and cookies

Is Google Tag Manager GDPR compliant?

Google Tag Manager can be used to deploy analytics and marketing cookies on your website, which means that you will need the prior consent from users in order to lawfully use Google Tag Manager in the EU. Statistics and marketing cookies must be deactivated by default until a user has given their prior consent.

Try Cookiebot CMP free for 14 days for GDPR compliant use of Google Tag Manager