Google Tag Manager (GTM) is a free tag management system from Google that allows marketers and developers to manage and deploy JavaScript tags (snippets of tracking code) on websites without editing source code directly. GTM itself does not collect personal data — it is a container that loads other tags. However, it is the delivery mechanism for analytics, advertising, and remarketing tags that do collect personal data. Proper GDPR compliance requires configuring GTM with Consent Mode v2 and a consent management platform to only fire tags when appropriate consent is given.
Google Tag Manager is a free tag management system that provides a user interface for deploying and managing marketing and analytics JavaScript snippets (tags) on websites and mobile apps. Instead of embedding multiple tracking scripts directly in the HTML source code, marketers and developers install a single GTM container snippet. They then add, modify, and remove individual tags through the GTM web interface without developer involvement. GTM supports triggers (conditions for firing tags) and variables (dynamic values) that enable sophisticated conditional tag firing based on user behaviour, page content, and consent signals.
GTM itself does not collect personal data and does not require consent for the container script alone. However, GTM's GDPR significance is immense because it controls which tracking scripts fire and when. A misconfigured GTM can cause all tracking scripts (including those requiring consent) to fire immediately on page load before any consent is given — a serious GDPR violation. Properly configured, GTM is an essential tool for GDPR-compliant tag management.
Google Consent Mode v2 (mandatory for EU advertisers since March 2024) enables GTM to receive consent signals from your CMP and adjust tag behaviour accordingly. With Consent Mode, Google tags can operate in a privacy-preserving mode when consent is declined — sending aggregated, modelled conversion data without individual cookies. Implement Consent Mode v2 via your CMP's GTM integration. Without it, Google Ads and GA4 advertising features will not function correctly for EU users.
Server-side GTM (sGTM) moves tag processing from the user's browser to a server you control. This reduces client-side data exposure, enables data enrichment and filtering before sending to vendors, and can be deployed on EU infrastructure to keep data within the EU before forwarding to third parties. sGTM is increasingly recommended for privacy-first implementations of Google's advertising and analytics stack.
Implement a CMP integrated with GTM. Configure GTM tag firing rules to respect consent categories. Implement Google Consent Mode v2 for all Google tags. Block non-essential tags until consent is given using GTM trigger conditions or a CMP-GTM integration. Audit all tags in your GTM container and classify by consent category. Regularly audit the GTM container to ensure no tags fire without appropriate consent.
Websites using Google Tag Manager must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for GTM itself. DPIAs may be required for specific high-risk tags loaded via GTM (session recording tools, advertising platforms, cross-site trackers). Assess each tag category individually.
Sample consent text
This website uses Google Tag Manager to manage tracking scripts. Some scripts loaded via GTM (analytics, advertising, personalisation) require your consent. You can manage your preferences in the cookie settings below.
Third-party domains contacted
googletagmanager.com, www.googletagmanager.com, tagmanager.google.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| gtm_none | session | Session | Google Tag Manager does not set cookies itself — cookies are set by individual tags loaded within the GTM container |
GTM itself does not require consent — it does not collect personal data. However, it must be configured to only fire non-essential tags (analytics, advertising, remarketing) after appropriate consent is given via your CMP. Without consent management, GTM fires all tags by default.
Consent Mode v2 allows Google tags to adjust their behaviour based on consent signals from your CMP. It became mandatory for EU/EEA advertisers in March 2024 for access to Google's measurement, remarketing, and audience features. Implement via your CMP's GTM integration or directly in GTM.
No. GTM itself does not set cookies. Cookies are set by the individual tags loaded within the GTM container. GTM's own container script does not create persistent browser storage.
Server-side GTM (sGTM) moves data processing from the browser to your server, reducing client-side exposure. Deployed on EU infrastructure, sGTM can process and filter data before forwarding to third parties. It does not eliminate consent requirements but provides greater control over data flows.
Integrate your CMP with GTM to expose consent signals as GTM variables. Use GTM triggers that check consent category variables before firing tags. For Google tags, implement Consent Mode v2. For non-Google tags, use trigger conditions or CMP-based tag blocking.
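The default-deny wiring described in the implementation steps and in the paragraph above, as an added example (not code from this page, from Google, or from any CMP vendor). The `gtag('consent', ...)` calls, `wait_for_update` and the four signal names are Consent Mode v2's own; the CMP choice shape `{ analytics, marketing }`, the `onCmpDecision` hook and the `cmp_consent_update` event name are assumptions made for illustration.

```javascript
// Added example: default-deny Consent Mode v2 wiring. Must run before the GTM container snippet.
// Assumption: the CMP reports choices as { analytics: bool, marketing: bool } (hypothetical shape).
const root = typeof window !== 'undefined' ? window : globalThis;
root.dataLayer = root.dataLayer || [];

// Standard gtag shim: Google tags read the pushed Arguments object from dataLayer.
function gtag() { root.dataLayer.push(arguments); }

// Hypothetical CMP category -> the Consent Mode v2 signals it controls.
const CATEGORY_SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Build the full signal map; anything not explicitly `true` stays 'denied'.
function toConsentState(choices) {
  const state = {};
  for (const [category, signals] of Object.entries(CATEGORY_SIGNALS)) {
    const granted = Boolean(choices) && choices[category] === true;
    for (const signal of signals) state[signal] = granted ? 'granted' : 'denied';
  }
  return state;
}

// Call once, before the container loads: everything denied until the CMP answers.
function setConsentDefaults(waitMs = 500) {
  gtag('consent', 'default', { ...toConsentState({}), wait_for_update: waitMs });
}

// Call from the CMP's callback (hypothetical hook) on every choice or change.
function onCmpDecision(choices) {
  const state = toConsentState(choices);
  gtag('consent', 'update', state);
  // Event for GTM custom-event triggers that guard non-Google tags (event name is made up).
  root.dataLayer.push({ event: 'cmp_consent_update', ...state });
  return state;
}

setConsentDefaults();
```

In GTM, a non-Google tag would then fire on a custom-event trigger for `cmp_consent_update` with a condition that the relevant signal equals `granted`, so a missing or malformed CMP answer leaves the tag blocked.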
Disclose GTM as the mechanism used to manage tracking scripts. More importantly, disclose each tracking category and the specific tools loaded. The privacy policy should describe what each tag category does, its legal basis, and the transfers involved.
Not compliantly on EU-facing websites where non-essential tags are deployed. Without a CMP, there is no mechanism to obtain or pass consent signals to GTM, meaning all tags fire without consent — a GDPR violation for non-essential tracking.
Most major CMPs integrate with GTM: Cookiebot (Usercentrics), OneTrust, Axeptio, Didomi, CookieYes, and Tarteaucitron all provide native GTM integrations or GTM template tags. CMPs certified in the IAB TCF v2.2 also support passing TCF consent signals through GTM to advertising platforms.