In this blog post, we want to explain how you can use the Google Tag Manager in a data protection compliant manner, i.e. compatible with the General Data Protection Regulation (GDPR). We also answer basic questions, such as what it is, why its use and self-hosting are worthwhile, and how it works.
With the Google Tag Manager (GTM), code snippets can be implemented more easily in websites or apps. Tracking and marketing tools, the so-called tags, can be managed via a web-based user interface, and it is no longer necessary to intervene in the source code. In addition to standard web analysis tools, custom HTML or JavaScript can also be used. The functions of the tags are diverse; they are often used, for example, to analyse the online behaviour of users (in general or on the page), to optimise marketing campaigns or to deliver suitable advertising.
In addition to the savings in time and effort that a tag management system brings, it can also be used for the consent-controlled delivery of tags. Using the loading rules (also called “triggers”) available in the GTM, tags can be delivered only if a consent management platform (such as Usercentrics) provides the corresponding consent. Compared to other tag management systems, GTM impresses with a simple user interface, a very comprehensive free version without limitations and better performance than the competition.
The GTM itself does not set cookies, but it can transmit cookies because the tags used can set cookies. In addition, when the GTM is called up, the IP address and the browser fingerprint are transmitted to Google. This constitutes data collection and is considered data processing according to Art. 4 No. 2 GDPR. At the moment, it is still legally unclear whether this data collection requires consent or whether it is within the scope of the so-called “legitimate interest” (Art. 6 No. 1 f GDPR). In particular, however, due to the recently published ruling of the Wiesbaden Administrative Court, we recommend obtaining consent for the use of the GTM or hosting it yourself, so that the Google Tag Manager can be used in a data protection-compliant manner.
If you host the GTM yourself, the personal data is no longer transferred to Google in the USA, as described above. Accordingly, you can waive consent and thus ensure that tags may be delivered to all your visitors. In addition, ad blockers and Intelligent Tracking Preventions, used for example in browsers such as Safari or Firefox, will no longer be able to block the GTM. Furthermore, the number of third-party requests is reduced, which in turn leads to a faster loading time and an improved Google PageSpeed/Core Web Vitals score. Self-hosting therefore not only allows you to use the Google Tag Manager in a privacy-compliant way, but also allows you to use more features and create a better user experience.
In order to host the “normal” client Google Tag Manager yourself in compliance with data protection regulations, you also need a so-called server tag manager. This server tag manager is used as an interface to the users and delivers the client tag manager script from your server instead of the Google server. This means that users will only communicate with your own system and no longer directly with Google. The following steps are required for the setup:
1. Set up a server GTM container at tagmanager.google.com.
2. Set up a tagging server and install the server GTM container.
3. Create a “client” (the interface in the server GTM that delivers the client GTM script).
4. Integrate the new, customised GTM snippet into the source code of the website or app.
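One way to check the result of the last setup step, as an added example that is not part of the original post: the script scans a page's HTML, including inline script bodies where the GTM loader builds its URL, and lists hosts outside your own domain. The sample pages are constructed, and `example.com`, `sgtm.example.com` and the container ID `GTM-XXXXXXX` are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts contacted by the stock GTM snippet; extend for your own tags.
GOOGLE_DOMAINS = ("googletagmanager.com", "google-analytics.com")
INLINE_URL = re.compile(r"""https?://[^\s'"<>)]+""")

# Constructed sample pages: simplified GTM-style loader, placeholder container ID.
TEMPLATE = """<html><head><script>(function(w,d,s,i){var j=d.createElement(s);
j.async=true;j.src='https://HOST/gtm.js?id='+i;d.head.appendChild(j);
})(window,document,'script','GTM-XXXXXXX');</script></head><body>
<noscript><iframe src="https://HOST/ns.html?id=GTM-XXXXXXX"></iframe></noscript>
<script src="/static/app.js"></script></body></html>"""
STOCK_PAGE = TEMPLATE.replace("HOST", "www.googletagmanager.com")
SELF_HOSTED_PAGE = TEMPLATE.replace("HOST", "sgtm.example.com")  # hypothetical tagging host

class UrlCollector(HTMLParser):
    """Collect URLs from src/href attributes and from inline script bodies."""
    def __init__(self):
        super().__init__()
        self.urls, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        self.urls += [v for k, v in attrs if k in ("src", "href") and v]

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        # The GTM loader builds its URL in inline JS, so attributes alone miss it.
        if self.in_script:
            self.urls += INLINE_URL.findall(data)

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def external_hosts(html, site_domain):
    """Hosts referenced by the page that lie outside site_domain and its subdomains."""
    parser = UrlCollector()
    parser.feed(html)
    parser.close()
    hosts = {urlsplit(u).hostname for u in parser.urls}
    return sorted(h for h in hosts if h and not under(h, site_domain))

def direct_google_hosts(html, site_domain):
    """Subset of external hosts that belong to the Google domains listed above."""
    return [h for h in external_hosts(html, site_domain)
            if any(under(h, d) for d in GOOGLE_DOMAINS)]
```

This is a static check of the delivered HTML only; tags that the container loads at runtime can still contact other hosts, so confirm the result in the browser's network panel as well.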