Google Tag Manager (GTM) is a free tag management system from Google that allows marketers and developers to manage and deploy JavaScript tags (snippets of tracking code) on websites without editing source code directly. GTM itself does not collect personal data — it is a container that loads other tags. However, it is the delivery mechanism for analytics, advertising, and remarketing tags that do collect personal data. Proper GDPR compliance requires configuring GTM with Consent Mode v2 and a consent management platform to only fire tags when appropriate consent is given.
Google Tag Manager (GTM) is the free tag management system launched by Google in 2012 and used by more than 30 million websites worldwide. The container script (gtm.js) is loaded once on every page; the publisher then configures triggers, variables and tags through a web interface, without modifying the site code for each new tag. GTM is the standard distribution mechanism for Google Analytics 4, Google Ads conversion, Floodlight, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, custom HTML tags and many third-party vendors.
The GTM container itself does not write any persistent cookie on the publisher domain by default; it can write _gcl_au and _gcl_aw when the Google Ads conversion linker is enabled. All other cookies observed on the page come from vendor tags triggered by GTM (Google Analytics, Google Ads, Meta Pixel, etc.). However, the simple act of loading gtm.js from googletagmanager.com discloses the visitor IP, user agent and Referer header to Google before any consent is given.
The CNIL clarified in 2020 that GTM is not, by itself, strictly necessary and therefore not exempt from consent when it loads non-exempt vendor tags. Google Consent Mode v2 (mandatory since March 2024 for the EEA, Switzerland and the UK) lets GTM signal the visitor's consent to each Google tag and adjust their behaviour: in basic mode the tag is blocked entirely until consent, in advanced mode the tag still pings Google with cookieless aggregate data. The publisher must collect explicit consent before activating the advanced mode and must update the privacy notice to inform users.
Google Ireland Limited is the contracting entity for EU customers; Google LLC in the United States is the principal sub-processor. Loading gtm.js from googletagmanager.com discloses IP and user agent to Google. The GTM Terms incorporate the EU Standard Contractual Clauses (module 3, processor to sub-processor) and Google LLC is certified under the EU-US Data Privacy Framework since 10 July 2023. Customers can deploy a server-side GTM container on Google Cloud Run in the European region to keep the visitor IP and request body inside the EEA.
Connect GTM to your CMP using the consent state of Google Consent Mode v2. Mark every non-exempt tag with the appropriate consent type (ad_storage, analytics_storage, etc.). Disable GTM Preview Mode and the Debug Mode in production. Avoid loading gtm.js for users who have refused all categories; alternatively, route the loader through a server-side GTM container hosted in the EU. Document Google Ireland Limited and Google LLC in your records of processing (GDPR art. 30) and update the privacy notice. Refresh the consent every six months in line with CNIL deliberation 2020-091.
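The loading order described above, as an added example that is not FlowConsent's or Google's own code: Consent Mode v2 defaults are set to denied, the CMP's choices are pushed as an update, and gtm.js is requested only when at least one category is granted. The category names `analytics` and `marketing`, the `win` parameter and the `GTM-XXXXXXX` container ID are assumptions.

```javascript
// Added example: consent-gated GTM bootstrap. The CMP category names and the
// container ID are assumptions, not values from the page.
const GTM_ID = 'GTM-XXXXXXX'; // placeholder container ID

// Map hypothetical CMP categories to Consent Mode v2 signals.
function toConsentMode(choices) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    analytics_storage: g(choices.analytics),
    ad_storage: g(choices.marketing),
    ad_user_data: g(choices.marketing),
    ad_personalization: g(choices.marketing),
  };
}

// gtag() must push the `arguments` object itself onto dataLayer.
function makeGtag(win) {
  win.dataLayer = win.dataLayer || [];
  return function gtag() { win.dataLayer.push(arguments); };
}

// Inject gtm.js once; no request reaches googletagmanager.com before this.
function loadGtm(win, id) {
  if (win.__gtmLoaded) return false;
  win.dataLayer.push({ 'gtm.start': Date.now(), event: 'gtm.js' });
  const s = win.document.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtm.js?id=' + encodeURIComponent(id);
  win.document.head.appendChild(s);
  win.__gtmLoaded = true;
  return true;
}

// Call on page load with the stored choices (null if the visitor has not
// answered yet) and again from the CMP's change callback.
function applyConsent(win, choices) {
  const gtag = makeGtag(win);
  if (!win.__consentDefaultSet) {
    gtag('consent', 'default', toConsentMode({})); // everything denied
    win.__consentDefaultSet = true;
  }
  if (!choices) return { injected: false };
  const state = toConsentMode(choices);
  gtag('consent', 'update', state);
  const anyGranted = Object.values(state).includes('granted');
  // Refused everything: never fetch gtm.js, so no IP/UA/Referer goes to Google.
  return { injected: anyGranted ? loadGtm(win, GTM_ID) : false };
}
```

In a browser, pass `window` as `win`; tags inside the container still need their own consent settings, since this only controls when the container is fetched and which signals it receives.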
European alternatives include Matomo Tag Manager (open source, France and EU hosting), Piano Tag Manager (formerly AT Internet, France), Commanders Act (France) and Tealium iQ (US with EU hosting). Server-side options include Stape.io, Addingwell (France) and self-hosted server-side GTM on Cloud Run, AWS Fargate or Hetzner.
Websites using Google Tag Manager must obtain user consent under GDPR regulations.
DPIA considerations
GTM itself does not require a DPIA. The tags fired from the container do: assess each one separately and document the global tag inventory.
Sample consent text
We use Google Tag Manager (GTM), a free tag management system from Google Ireland Limited, to load measurement and advertising scripts only after the appropriate consent. The GTM container loads from googletagmanager.com; this exchange transmits your IP address, user agent and page URL to Google. We pair GTM with Google Consent Mode v2 so that each tag (Google Analytics, Google Ads, Meta Pixel, etc.) is activated only if you accept the corresponding category in our cookie preferences. Data is processed in the United States under the EU-US Data Privacy Framework and the EU Standard Contractual Clauses.
Third-party domains contacted
- googletagmanager.com
- www.googletagmanager.com
- tagmanager.google.com
- tagassistant.google.com
- gstatic.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| gtm_none | session | Session | Google Tag Manager does not set cookies itself — cookies are set by individual tags loaded within the GTM container |
| _gtm_id | First party (Google Tag Manager, optional) | Session | Optional internal session marker used in some advanced server-side GTM setups. The base GTM container itself does not set cookies. |
| cookieConsent | First party (managed by your CMP) | 12 months | Stores the consent state communicated to GTM Consent Mode v2 by the integrated CMP. |
GTM itself does not require consent — it does not collect personal data. However, it must be configured to only fire non-essential tags (analytics, advertising, remarketing) after appropriate consent is given via your CMP. Without consent management, GTM fires all tags by default.
Consent Mode v2 allows Google tags to adjust their behaviour based on consent signals from your CMP. It became mandatory for EU/EEA advertisers in March 2024 for access to Google's measurement, remarketing, and audience features. Implement via your CMP's GTM integration or directly in GTM.
No. GTM itself does not set cookies. Cookies are set by the individual tags loaded within the GTM container. GTM's own container script does not create persistent browser storage.
Server-side GTM (sGTM) moves data processing from the browser to your server, reducing client-side exposure. Deployed on EU infrastructure, sGTM can process and filter data before forwarding to third parties. It does not eliminate consent requirements but provides greater control over data flows.
Integrate your CMP with GTM to expose consent signals as GTM variables. Use GTM triggers that check consent category variables before firing tags. For Google tags, implement Consent Mode v2. For non-Google tags, use trigger conditions or CMP-based tag blocking.
Disclose GTM as the mechanism used to manage tracking scripts. More importantly, disclose each tracking category and the specific tools loaded. The privacy policy should describe what each tag category does, its legal basis, and the transfers involved.
Not compliantly on EU-facing websites where non-essential tags are deployed. Without a CMP, there is no mechanism to obtain or pass consent signals to GTM, meaning all tags fire without consent — a GDPR violation for non-essential tracking.
Most major CMPs integrate with GTM: Cookiebot (Usercentrics), OneTrust, Axeptio, Didomi, CookieYes, and Tarteaucitron all provide native GTM integrations or GTM template tags. CMPs certified in the IAB TCF v2.2 also support passing TCF consent signals through GTM to advertising platforms.
The base GTM container does not set tracking cookies. Cookies appear only when individual tags fire (Google Analytics _ga, Google Ads _gcl_au, Meta Pixel _fbp, etc.). Each tag should have its own cookie policy entry.
Loading the empty GTM container before consent is permissible if no consent-gated tag fires. Pair GTM with a CMP and Consent Mode v2 to ensure marketing and analytics tags only run when granted.
Legitimate interest (Art. 6(1)(f) GDPR) for the empty container (technical dispatcher). Consent (Art. 6(1)(a) + Art. 5(3) ePrivacy) for each non-essential tag fired from GTM.
Yes. gtm.js is served from Google's global CDN by Google LLC (US). Server-side GTM in a European Google Cloud region keeps payloads in Europe. Transfers are covered by the EU-US Data Privacy Framework.
GTM itself does not require a DPIA. The tags it fires can: assess each one (Analytics, Ads, Pixel) separately and aggregate them in your DPIA inventory.
Connect a CMP, enable Google Consent Mode v2, set consent_types on every tag, restrict publish rights, document GTM as a processor in your Article 30 record, and consider server-side GTM in an EU region.
Matomo Tag Manager (EU, open source), Piwik PRO Tag Manager (EU), Tealium iQ (US), Adobe Experience Platform Launch (US), Commanders Act TagCommander (France), Tag Manager Plus (open source).
Do not list the GTM container itself as a tracking cookie because it does not set one. List each tag fired by GTM separately. Mention Google LLC as the GTM processor with a reference to the EU-US Data Privacy Framework.