Google Tag Manager (GTM) does not set tracking files by itself. It acts as a delivery system for scripts and pixels that write data to a visitor's browser.

When you add a Facebook Pixel or Google Analytics tracking code to your website, GTM controls when and where these scripts execute. Privacy regulators view the site owner as the data controller responsible for what these third-party scripts do. If a tag deployed through GTM writes data without prior permission, the website owner faces the legal consequences. Recent enforcement actions across Europe highlight that improper tag configuration is a primary source of data protection violations.

When the French CNIL fined a company 1.5 million EUR in 2022, it explicitly cited the failure to withhold tracking scripts before users interacted with a cookie banner.

To configure GTM legally, you must align your tag firing rules with user choices. This requires connecting your consent management platform to the GTM data layer. The container will then read the data layer variables to block or execute tags based on the explicit choices recorded.

Legal Requirements for Tag Deployment

Article 5(3) of the ePrivacy Directive mandates that you store information on a user's device only after they give explicit permission. This rule applies regardless of whether the script comes directly from your source code or through a container management system.

The General Data Protection Regulation adds the requirement that this permission must be freely given, specific, informed, and unambiguous. You cannot use pre-ticked boxes or assume consent from a user scrolling the page. Any tag that sets non-essential trackers must wait in a paused state until the user actively clicks an accept button. Under strict GDPR consent standards, firing a marketing tag on the initial page load is unlawful. The Spanish AEPD recently updated its guidelines to explicitly ban blanket continuous browsing assumptions for exactly this reason.

A compliant GTM setup physically prevents data collection tags from triggering until the required consent variable returns a positive value.

You must audit every active tag in your workspace before adjusting any trigger rules. Assign each script to a specific regulatory category to determine its lawful basis for processing. A tag that manages your live chat widget operates differently under the law than a tag tracking conversions for a social media advertising campaign.

Scripts that remember user choices, like language settings or shopping cart contents, usually fall under functional cookies. These often qualify for the strictly necessary exemption and can fire without prior permission from the visitor.

Measurement tools require careful handling in your container setup. Tags that deploy analytics cookies need active user opt-in in most European jurisdictions. Some authorities like the French CNIL offer limited exemptions for strictly anonymised, first-party audience measurement under specific configurations. Most default Google Analytics 4 installations do not meet this exemption standard and must wait for explicit user permission.

Any tag deploying marketing cookies, such as the TikTok Pixel or LinkedIn Insight Tag, strictly requires prior opt-in everywhere.

| Tag Type | Purpose | Consent Required |
| --- | --- | --- |
| System / Essential | Security, load balancing, core functions | No (Strictly Necessary) |
| Google Analytics 4 | Audience measurement, behaviour tracking | Yes (Analytics) |
| Google Ads Remarketing | Retargeting, profile building | Yes (Marketing) |
| Zendesk / Intercom | Customer support chat | Usually No (Functional) |

Understanding the Data Layer

The data layer is a JavaScript object that sits between your website and your GTM container. It holds structured information about the page context, user actions, and current privacy preferences. When a visitor interacts with your privacy banner, the platform pushes an event to this layer detailing exactly which categories the user accepted or rejected.

GTM uses these data layer events to evaluate trigger conditions. If a user rejects advertising trackers, the data layer updates to reflect a negative state for that specific category.

You must configure your marketing tags to check this state before executing their code. Instead of using the default page view trigger, you replace it with a custom event trigger that requires a positive consent signal. This keeps the Meta Pixel dormant if the visitor ignores the banner or selects a reject option. Failing to replace default triggers is a common technical error compliance teams find during website audits. Implementing custom event triggers provides a hard mechanism to block unauthorised data collection.
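The gating described above can be modelled in a few lines. This is an added example, not GTM's own code or any vendor's: the event name `cmp_consent_update`, the category keys and the tag inventory are assumptions, and it shows why a tag left on the default page view trigger fires regardless of the visitor's choice.

```javascript
// Simplified model of consent-gated triggers; not GTM's internal logic.
// CONSENT_EVENT and the category keys are assumptions: use the names your
// consent platform actually pushes to the data layer.
const CONSENT_EVENT = "cmp_consent_update";

// Replay the data layer in push order; the latest consent event wins.
// Anything never explicitly granted stays denied (ignoring the banner = refusal).
function currentConsent(dataLayer) {
  const state = { analytics: false, marketing: false };
  for (const entry of dataLayer) {
    if (entry && entry.event === CONSENT_EVENT && entry.consent) {
      for (const key of Object.keys(state)) state[key] = entry.consent[key] === true;
    }
  }
  return state;
}

// Constructed tag inventory, as a container audit would list it.
// `requires` is the consent category the trigger checks (null = no check).
// "gtm.js" is the event pushed when the container loads (default page view).
const tags = [
  { name: "GA4", category: "analytics", trigger: CONSENT_EVENT, requires: "analytics" },
  { name: "Meta Pixel", category: "marketing", trigger: CONSENT_EVENT, requires: "marketing" },
  { name: "Old remarketing tag", category: "marketing", trigger: "gtm.js", requires: null },
  { name: "Load balancer", category: "essential", trigger: "gtm.js", requires: null },
];

// Names of the tags that fire when `event` arrives, given the data layer so far.
function tagsFiring(event, dataLayer) {
  const consent = currentConsent(dataLayer);
  return tags
    .filter((t) => t.trigger === event)
    .filter((t) => t.requires === null || consent[t.requires])
    .map((t) => t.name);
}

// Audit check: non-essential tags whose trigger never consults consent.
function ungatedTags() {
  return tags.filter((t) => t.category !== "essential" && t.requires === null).map((t) => t.name);
}

// Page load, then the visitor accepts analytics and rejects marketing.
const dataLayer = [{ event: "gtm.js" }];
console.log(tagsFiring("gtm.js", dataLayer)); // the old tag fires with no consent at all
dataLayer.push({ event: CONSENT_EVENT, consent: { analytics: true, marketing: false } });
console.log(tagsFiring(CONSENT_EVENT, dataLayer));
console.log(ungatedTags());
```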

Testing this mechanism requires opening your site in an incognito window and monitoring the network tab in your browser developer tools.
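The network-tab check can be repeated on every release by exporting the session as a HAR file and scanning it. The following is an added example, not part of any tool named on this page: the tracker domain list, the sample HAR entries and the consent-click timestamp are all constructed assumptions.

```javascript
// Domains treated as non-essential trackers. Assumption: maintain your own list.
const TRACKER_DOMAINS = ["google-analytics.com", "facebook.com", "facebook.net"];

function isTracker(hostname, domains) {
  return domains.some((d) => hostname === d || hostname.endsWith("." + d));
}

// Return every tracker request that started before the visitor clicked accept.
// Pass null for consentClickIso if the banner was never touched: then every
// tracker request in the capture counts as a finding.
function preConsentFindings(har, consentClickIso, domains = TRACKER_DOMAINS) {
  const cutoff = consentClickIso === null ? Infinity : Date.parse(consentClickIso);
  const findings = [];
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (!isTracker(host, domains)) continue;
    if (Date.parse(entry.startedDateTime) >= cutoff) continue;
    const headers = (entry.response && entry.response.headers) || [];
    findings.push({
      host,
      url: entry.request.url,
      setsCookie: headers.some((h) => h.name.toLowerCase() === "set-cookie"),
    });
  }
  return findings;
}

// Constructed HAR excerpt (only the fields the check reads).
const sampleHar = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.100Z",
    request: { url: "https://www.example.com/" }, response: { headers: [] } },
  { startedDateTime: "2024-01-01T10:00:00.300Z",
    request: { url: "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX" },
    response: { headers: [] } },
  { startedDateTime: "2024-01-01T10:00:00.450Z",
    request: { url: "https://www.google-analytics.com/g/collect?v=2" },
    response: { headers: [] } },
  { startedDateTime: "2024-01-01T10:00:00.600Z",
    request: { url: "https://www.facebook.com/tr?ev=PageView" },
    response: { headers: [{ name: "Set-Cookie", value: "constructed=1" }] } },
  { startedDateTime: "2024-01-01T10:00:05.200Z",
    request: { url: "https://connect.facebook.net/en_US/fbevents.js" },
    response: { headers: [] } },
] } };

// Accept was clicked at 10:00:05.000 in this constructed session.
console.log(preConsentFindings(sampleHar, "2024-01-01T10:00:05.000Z"));
```

The container loader itself is not flagged; only the requests made by the tags it delivers are.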

Built-in Consent and Advanced Settings

GTM includes native settings to help you manage these rules without writing complex custom variables for every single tag. You can assign built-in checks like ad_storage or analytics_storage directly in the tag configuration panel. If the user has not granted the corresponding permission, the container automatically blocks the tag from firing.

The system integrates deeply with Google Consent Mode to handle granular user choices. When active, this framework adjusts how Google-specific tags behave based on the status passed from your banner.

If a user rejects analytics tracking, a GA4 tag configured with this mode will not set standard tracking identifiers on the device. It will instead send cookieless, anonymised pings to Google servers to log basic interactions. This allows you to model conversions and basic traffic volumes without violating the user's explicit refusal. You must still configure the initial trigger correctly, as sending even cookieless pings requires a lawful basis in some jurisdictions.

The Information Commissioner's Office in the UK warns that non-cookie tracking methods fall under the same strict regulatory rules if they single out specific users.

Auditing Third-Party Templates

GTM offers a community template gallery where you can install pre-configured tags from hundreds of vendors. You must exercise caution when adding these third-party templates to your workspace. The template creator determines what data the script accesses and where it sends that information.

Many community templates lack built-in privacy checks and will execute immediately upon page load if assigned a standard trigger. You bear the legal responsibility for any personal data these third-party scripts capture and transmit.

Conduct a thorough review of the permissions tab before importing any new template into your container. GTM displays exactly which cookies the script intends to read or write and which external domains it will contact. If a template requests unrestricted access to all browser cookies, you should evaluate if that level of access is strictly necessary for its function. Restricting tag permissions provides an additional layer of defence against accidental data leaks.

You can manually edit template permissions to block injection of unknown scripts or restrict network requests to approved domains only.

The Server-Side Tracking Alternative

Many organisations are moving their tag management infrastructure to server-side containers to improve data security. In a server-side setup, the visitor's browser communicates only with a server you control, rather than sending data directly to vendors like Meta or Google. Your server then processes the data stream, removes sensitive information, and forwards it to the third-party platforms.

This architecture gives you absolute control over what data leaves your infrastructure. You can strip out IP addresses, user agents, and cross-site identifiers before the vendor ever sees the request.

Server-side tracking does not eliminate the need for user permission. If your initial data collection involves accessing information stored on the user's device, the ePrivacy Directive still applies in full. You must secure active opt-in before sending that initial data stream to your server container. The advantage lies strictly in data governance, not in bypassing consumer privacy rights.

Regulators assess compliance based on the initial access to the terminal equipment, regardless of where the data goes afterward.

Regular monitoring of your container setup prevents compliance drift over time. Marketing teams frequently add new tags to support campaigns, sometimes bypassing the established privacy triggers in a rush to launch.

Frequently Asked Questions

Does using Google Tag Manager mean I need a cookie banner?

GTM itself is just a container and does not require a banner. The individual tags you deploy inside GTM determine your legal obligations regarding user consent.

Can I fire Google Analytics tags on page load if I anonymise IP addresses?

No. IP anonymisation is a privacy best practice, but dropping the analytics tracker still requires prior explicit consent under European law.

How do I test if my GTM setup is legally compliant?

Open your website in an incognito window and check the browser's developer tools. If marketing or analytics trackers appear before you interact with the banner, your triggers are misconfigured.

What happens if a user ignores the consent popup?

Under European privacy laws, ignoring a popup counts as a refusal. GTM must keep all non-essential tags blocked until the user actively clicks an accept button.

Does server-side tagging bypass GDPR consent rules?

No. Server-side setups improve data security and governance but do not remove the legal requirement to obtain consent before accessing information on a user's device.

Take Control of Your Tag Management

If you are not sure which tags are firing before users grant permission, start with a cookie scan. Kukie.io detects exactly which scripts deploy trackers on your site, helping you configure your triggers correctly. You can identify non-compliant tags instantly and fix your configuration before regulators notice.
