Google Tag Manager: GDPR-compliant use explained

by Aaron Schlütter
10/9/22 10:00 AM


This blog post explains how to use Google Tag Manager in compliance with data protection law, specifically the General Data Protection Regulation (GDPR). It also covers the basics: what Google Tag Manager is, why using it and self-hosting it are beneficial, and how self-hosting works in detail.

What is Google Tag Manager?

Google Tag Manager (GTM) simplifies the implementation of code snippets in websites or apps. GTM allows tracking and marketing tools, known as tags, to be managed through a web-based user interface, without altering the source code. In addition to supporting standard web analytics tools, GTM can also deploy custom HTML or JavaScript. The functions of these tags are diverse; they are often used to analyze users' online behavior (in general or on a specific site), optimize marketing campaigns, or deliver targeted advertising.

Why do we use Google Tag Manager?

In addition to the obvious time and effort savings that come with using a tag management system, such a system can also be used for consent-driven tag deployment. Through the loading rules available in GTM (also called "triggers"), tags can be specifically deployed only when a consent management platform (like Usercentrics) provides the corresponding consent. In comparison to other tag management systems, GTM stands out with a user-friendly interface, a very comprehensive free version without limitations, and better performance than its competitors.

Google Analytics 4 (GA4) & the Google Server Tag Manager

GTM itself does not set cookies, but it can transmit cookies, because the tags it deploys can set them. In addition, when GTM is loaded, the IP address and browser fingerprint are transmitted to Google. This is a collection of data and is therefore considered data processing under Art. 4(2) GDPR. It is currently legally unclear whether this data collection requires consent or falls under the so-called "legitimate interest" (Art. 6(1)(f) GDPR). However, particularly in light of the recently published judgment of the Administrative Court of Wiesbaden, we recommend obtaining consent for the use of GTM or hosting it yourself, which makes it possible to use Google Tag Manager in a GDPR-compliant manner.

Why does it make sense to host Google Tag Manager yourself?

If you host GTM yourself, the personal data described above is no longer transferred to Google in the USA. You can therefore do without consent and ensure that tags are delivered to all your visitors. Furthermore, ad blockers and Intelligent Tracking Prevention mechanisms, used in browsers such as Safari or Firefox, can no longer block GTM. The number of third-party requests is also reduced, which in turn leads to faster loading times and an improved Google PageSpeed/Core Web Vitals score. By self-hosting, you can not only use Google Tag Manager in compliance with data protection regulations but also use more functions and provide a better user experience.


How does the self-hosting of the Google Tag Manager work?

To self-host the "normal" client Google Tag Manager in a GDPR-compliant way, you need an additional so-called server tag manager. This server tag manager is used as an interface to the users and delivers the client tag manager script from your server instead of Google's. The users therefore only communicate with your system and no longer directly with Google. The following steps are required for the setup:

  1. Setting up a server GTM container at tagmanager.google.com

  2. Setting up a tagging server and installation of the server GTM container

  3. Creating a "Client" (Interface in the server GTM that delivers the client GTM script)

  4. Integration of the new, customized GTM snippets into the source code of the website or app
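
A check for step 4, as an added example that is not part of the original post: it scans page markup for GTM loader URLs and reports any that still point at Google instead of the tagging server, such as a noscript iframe left unchanged after the script was migrated. The host `sgtm.example.com`, the container ID `GTM-XXXXXXX` and the sample markup are constructed placeholders.

```javascript
// Added example (not from the original post). Host, container ID and markup
// below are constructed placeholders for illustration.
const FIRST_PARTY_HOST = 'sgtm.example.com'; // assumed tagging-server domain
const GOOGLE_HOST = /(^|\.)googletagmanager\.com$/i;
// Loader paths: gtm.js (script), ns.html (noscript iframe), gtag/js (gtag loader).
const LOADER_PATH = /\/(gtm\.js|ns\.html|gtag\/js)$/;

// Constructed sample: script migrated to the tagging server, noscript iframe forgotten.
const SAMPLE_HALF_MIGRATED = `
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://sgtm.example.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXXXXX"></iframe></noscript>`;

// Returns one finding per GTM loader URL found in markup or inline script.
function auditGtmLoaders(html, firstPartyHost) {
  const findings = [];
  // Absolute or protocol-relative URLs, cut at quotes, whitespace or brackets.
  const urlPattern = /(?:https?:)?\/\/[a-z0-9.-]+\/[^\s'"<>)]*/gi;
  for (const raw of html.match(urlPattern) || []) {
    let url;
    try {
      url = new URL(raw.startsWith('//') ? 'https:' + raw : raw);
    } catch {
      continue; // not a parseable URL, ignore
    }
    if (!LOADER_PATH.test(url.pathname)) continue;
    const host = url.hostname.toLowerCase();
    let verdict = 'unknown-host';
    if (host === firstPartyHost.toLowerCase()) verdict = 'first-party';
    else if (GOOGLE_HOST.test(host)) verdict = 'direct-to-google';
    findings.push({ host, path: url.pathname, verdict });
  }
  return findings;
}

// Loader references that would still make the visitor's browser contact another host.
function remainingThirdPartyLoaders(html, firstPartyHost) {
  return auditGtmLoaders(html, firstPartyHost).filter(f => f.verdict !== 'first-party');
}

for (const f of auditGtmLoaders(SAMPLE_HALF_MIGRATED, FIRST_PARTY_HOST)) {
  console.log(`${f.verdict.padEnd(16)} ${f.host}${f.path}`);
}
```

This inspects only the loader references in static markup; requests made by the tags the container loads afterwards have to be checked in a browser network trace.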

Do not hesitate to arrange a non-binding initial consultation with us. We check whether your website complies with data protection requirements and configure it accordingly. In addition, we optimize your tracking measures for you.