In this blog post, we want to explain how you can use the Google Tag Manager in a data protection-compliant manner, i.e., in accordance with the General Data Protection Regulation (GDPR). We will also answer basic questions, such as what this is, why its use and self-hosting are worthwhile, and how it works.
What is the Google Tag Manager?
With the Google Tag Manager (GTM), code snippets can be implemented more easily in websites or apps. GTM allows tracking and marketing tools, the so-called tags, to be managed simply via a web-based user interface without having to interfere with the source code. In addition to standard web analytics tools, custom HTML codes or JavaScripts can also be used. The functions of the tags are diverse, often they are used, among other things, to analyze the online behavior of users (in general or on the site), to optimize marketing campaigns, or to display suitable advertising.
Why do we use the Google Tag Manager?
In addition to the simple saving of time and effort that comes with using a tag management system, a tag management system can also be used for the consent-controlled delivery of tags. The loading rules (also called "triggers") available in GTM can specifically play tags only when a Consent Management Platform (such as Usercentrics) provides an appropriate consent. Compared to other tag management systems, GTM stands out with an easy-to-use interface, a very comprehensive free version without limitations, and better performance than the competition.
Google Analytics 4 (GA4) & The Google Server Tag Manager
The GTM itself does not set cookies, but it can transmit cookies because the tags used can set cookies. In addition, when the GTM is called up, the IP address and browser fingerprint are transmitted to Google. This represents a data collection, and this is considered data processing under Art. 4 No. 2 GDPR. Currently, it is legally unclear whether this data collection requires consent or whether it falls within the so-called "legitimate interest" (Art. 6 No. 1 f GDPR). However, particularly due to the judgment of the Administrative Court of Wiesbaden which became public recently, we recommend obtaining consent for the use of GTM or to host it yourself, making it possible to use the Google Tag Manager in a GDPR-compliant manner.
Why does it make Sense to host the Google Tag Manager Yourself?
If you host the GTM yourself, the personal data will no longer be transferred to Google in the USA, as previously described. You can therefore do without consent and ensure that tags can be played out to all your visitors. Furthermore, ad blockers and Intelligent Tracking Preventions, used in browsers such as Safari or Firefox, can no longer block the GTM. Additionally, the number of third-party requests is reduced, which in turn leads to faster loading times and an improved Google PageSpeed/Core Web Vitals score. By self-hosting, you can not only use the Google Tag Manager in compliance with data protection regulations but also use more functions and bring about a better user experience.
If you host the GTM yourself, the personal data will no longer be transferred to Google in the USA, as described earlier. As a result, you can do without consent.
How does the self-hosting of the Google Tag Manager work?
To self-host the "normal" client Google Tag Manager in a GDPR-compliant way, you need an additional so-called server tag manager. This server tag manager is used as an interface to the users and delivers the client tag manager script from your server instead of Google's. The users therefore only communicate with your own system and no longer directly with Google. The following steps are required for the setup:
-
1. Setting up a server-GTM container at tagmanager.google.com
-
2. Setting up a tagging server and installing the server-GTM container
-
3. Creation of a "Clients" (interface in the server-GTMs that delivers the client-GTM script)
-
4. Integration of the new, customized GTM snippet into the source code of the website or app
