GTM in violation of the GDPR

A court in Hanover, Germany, has ruled that the use of Google Tag Manager (GTM) violates the GDPR. This decision caught my attention because it does not concern a measurement or marketing platform, but GTM, which is supposed to be an “impartial trigger” for marketing codes.

What exactly was the issue? And what impact will this have on measurement?

The full text of the ruling is available on the Lower Saxony website. I am not a lawyer and I used Google Translate for the translation (I don’t speak German). Please do not take this article as legal advice, but as my view of the situation.

How the website measurement was set up

The exact solution is unknown, but it can be deduced from the defense:

  • The website used Google Tag Manager, which loaded immediately when the page was opened.
    GTM was set up for Consent Mode 2.0, with the default for all consent types set to “denied.”
  • A working cookie bar was in place.
    I am not sure whether it met the GDPR’s visual requirements (presence of all buttons, their size), but that is not the subject of this article.
  • Marketing and measurement codes were only triggered after consent was given.

I would describe this as the “standard setting” according to Consent Mode 2.0 and Google’s recommendations. This is how most standard websites are set up.

Between the lines…

The ruling includes a relatively extensive argument as to why the current solution is unsatisfactory. Here I have selected a few key points (I have taken the liberty of shortening them and editing them slightly for readability). I have also added my own interpretation.

Judgment: GTM is not a service expressly requested by website users, nor does it provide added value or functionality for the use of the website.

GTM cannot therefore be considered technically necessary for the functionality of the website.

Judgment: …GTM is necessary for economic reasons…, but this does not outweigh the rights of users…

GTM cannot be loaded in the legitimate interest. The question is how the court would assess this if we were not talking about Google’s tag manager, but one from another provider.

Judgment: Google Tag Manager is loaded from the domain www.googletagmanager.com

Whenever you load anything from anywhere on the internet, you always transfer your IP address, any cookies set for that domain, and information about your device. This is part of the technology the internet is built on, and it cannot be changed. In other words, if you load GTM from the domain www.googletagmanager.com, you are always providing personal data to Google. What’s more, you are sending data outside the EU. And this happens even before the user has given consent.

Judgment: The plaintiff uses the service for these purposes and claims that Google Tag Manager itself does not set or read cookies, but only the services managed by this tool.

In my opinion, the plaintiff may be right in principle; GTM should not read cookies without consent. However, its code cannot be inspected, so nobody can say with certainty whether it actually does so or not. What is certain is that when GTM is loaded, IP addresses, cookies, etc. are transferred.

How to set up GTM

Use Server-Side GTM (SGTM) or Google Tag Gateway? Another tool? What is the right way to do it?

Unfortunately, the ruling does not specify this.

Simply inserting GTM is not GDPR compliant, regardless of whether you have Consent Mode 2.0 set up or not.

Let’s take a look at other options.

Google Tag Manager

We know that GTM is not technically necessary. We therefore need a technical solution that either respects consent (the first option below) or can be defended as a legitimate interest (the others).

You have several options for working with GTM:

  1. Load GTM from the www.googletagmanager.com domain only after consent has been given.
    Block the script completely before consent is given. Some cookie bars allow this themselves. Or a programmer would have to help you with this.
    We respect the user’s consent to measurement.
    OK for me.
  2. Use Google Tag Gateway
    GTG was created as a joint project by Google and Cloudflare. Technically, requests go from the browser through Cloudflare, where they are redirected to the Google endpoint. However, I have not found anywhere that Cloudflare removes the original IP address, cookies, etc.
    In the event of a dispute, I think this is rather indefensible, i.e., for me, rather NO.
  3. Use SGTM on Google Cloud
    If you host SGTM on Google Cloud Run, user data still goes to Google’s servers when GTM is loaded, even though it is a service you pay for.
    I’m not sure how the law would view this, but for me, it’s more of a NO.
  4. Use SGTM hosted outside the Google ecosystem
    Here, I assume that you are able to put SGTM behind a firewall and have control over exactly what you send where.
    For me, it’s more of an OK.
  5. Use a proxy for GTM (or SGTM) and GTAG
    You can create your own “box” through which the request will flow, clean it up, and then pass the data on.
    OK with me.
  6. Use an alternative to GTM on your own hosting
    There are several alternatives to GTM (lists can be found at european-alternatives.eu or omr.com). If I use an alternative tool, ideally on my own hosting, I believe this may be in my legitimate interest.
    OK with me.
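Option 1 above, gating the gtm.js request itself on consent, is easy to get subtly wrong (the container is often loaded first and only the tags are blocked). The following is an added example I wrote for this article; it is not code from the article, from the cookie-bar vendors mentioned, or from Google. It assumes a cookie bar that calls `gate.handleConsentDecision({ analytics, marketing })` (a hypothetical callback name) and uses the placeholder container id `GTM-XXXXXXX`. The Consent Mode "default denied" and "update" signals are still pushed to the dataLayer, so the container sees the correct state once it is finally loaded.

```javascript
// Added example, not code from the article or from Google: option 1 from the
// list above. The request to www.googletagmanager.com is only made after the
// user has granted at least one consent type; before that, nothing is loaded.
// Assumptions: the cookie bar calls gate.handleConsentDecision({ analytics, marketing })
// (hypothetical callback); "GTM-XXXXXXX" is a placeholder container id.

const GTM_SRC_PREFIX = 'https://www.googletagmanager.com/gtm.js?id=';
const GTM_CONTAINER_ID = 'GTM-XXXXXXX'; // placeholder, use your own id

// All Consent Mode signals start as "denied".
function defaultConsent() {
  return {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
  };
}

// Translate the banner's two categories into Consent Mode signals.
function consentFromDecision(decision) {
  const analytics = decision.analytics ? 'granted' : 'denied';
  const marketing = decision.marketing ? 'granted' : 'denied';
  return {
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
    analytics_storage: analytics,
  };
}

function anyGranted(consent) {
  return Object.values(consent).includes('granted');
}

// gtag-style push: GTM recognises consent commands only when an `arguments`
// object (not a plain array) is pushed, so the push goes through a function.
function pushConsent(dataLayer, command, consent) {
  (function gtag() { dataLayer.push(arguments); })('consent', command, consent);
}

// Insert the gtm.js script tag exactly once. `doc` is the DOM document,
// injected as a parameter so the gate can be exercised outside a browser.
function injectGtm(doc, containerId) {
  const src = GTM_SRC_PREFIX + encodeURIComponent(containerId);
  if (doc.querySelector(`script[src="${src}"]`)) return null; // already loaded
  const script = doc.createElement('script');
  script.async = true;
  script.src = src;
  doc.head.appendChild(script);
  return script;
}

// Create the gate: pushes the "denied" default immediately and exposes the
// handler the cookie bar should call. The handler returns whether GTM is loaded.
function createGtmGate(doc, dataLayer, containerId = GTM_CONTAINER_ID) {
  let loaded = false;
  pushConsent(dataLayer, 'default', defaultConsent());
  return {
    isLoaded: () => loaded,
    handleConsentDecision(decision) {
      const consent = consentFromDecision(decision);
      pushConsent(dataLayer, 'update', consent);
      if (!loaded && anyGranted(consent)) {
        injectGtm(doc, containerId);
        loaded = true;
      }
      return loaded;
    },
  };
}

// Browser wiring; skipped when the file runs outside a browser (e.g. in Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  window.gtmGate = createGtmGate(document, window.dataLayer);
  // The cookie bar then calls, for example:
  // window.gtmGate.handleConsentDecision({ analytics: true, marketing: false });
}
```

The cost of this approach is that the "anonymous pings" of Consent Mode 2.0 are never sent for users who refuse, because the container is never loaded for them; given the ruling, that is the intended effect. A later "update" with a broader grant changes the consent state but does not inject a second script tag.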
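Option 5 above describes a "box" between the browser and Google that cleans the request. To make concrete what that cleaning has to cover, here is an added example of such a proxy in Node.js; it is my own illustration, not code from the article or from Google. It assumes the proxy is reached at `/tm/` on the site's own domain, allows only the two loader scripts (`gtm.js` and `gtag/js`) with a well-formed id, and uses `GTM_PROXY_PORT` as a hypothetical environment variable for starting it. The browser only ever talks to the site's domain; the proxy opens its own connection to www.googletagmanager.com, so the user's IP address stays on the site's side, and it drops the headers that carry cookies or device details in both directions.

```javascript
// Added example, not code from the article or from Google: a minimal
// first-party proxy for the container and gtag loader scripts (option 5).
// It covers the script load only; what the loaded tags send later is
// governed by the consent setup in the container.
// Assumptions: mounted at /tm/ on the site's domain; GTM_PROXY_PORT is a
// hypothetical environment variable; the generic User-Agent is a constructed value.
const http = require('http');
const https = require('https');

const UPSTREAM_HOST = 'www.googletagmanager.com';
const LOCAL_PREFIX = '/tm/';
const ALLOWED_FILES = new Set(['gtm.js', 'gtag/js']);
const GENERIC_USER_AGENT = 'gtm-proxy/1.0'; // constructed, replaces the browser UA

// Request headers that identify the user or device; never forwarded upstream.
const DROPPED_REQUEST_HEADERS = new Set([
  'cookie', 'authorization', 'referer', 'user-agent', 'accept-language',
  'x-forwarded-for', 'x-real-ip', 'forwarded',
  'sec-ch-ua', 'sec-ch-ua-mobile', 'sec-ch-ua-platform',
]);
// Response headers that would let upstream store state in the browser.
const DROPPED_RESPONSE_HEADERS = new Set(['set-cookie']);

// Map a local URL to the upstream path, or null if the request is not one of
// the two loader scripts with a well-formed container / measurement id.
function upstreamPathFor(localUrl) {
  const url = new URL(localUrl, 'http://placeholder.invalid');
  if (!url.pathname.startsWith(LOCAL_PREFIX)) return null;
  const file = url.pathname.slice(LOCAL_PREFIX.length);
  if (!ALLOWED_FILES.has(file)) return null;
  const id = url.searchParams.get('id');
  if (!id || !/^(GTM|G|AW)-[A-Z0-9]+$/.test(id)) return null;
  return `/${file}?id=${encodeURIComponent(id)}`;
}

// Keep only harmless headers; rewrite Host and use a generic User-Agent.
// The client IP is not in any header here and the upstream TCP connection
// is the proxy's own, so Google sees the proxy's address, not the user's.
function sanitizeRequestHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (key === 'host' || DROPPED_REQUEST_HEADERS.has(key)) continue;
    out[key] = value;
  }
  out.host = UPSTREAM_HOST;
  out['user-agent'] = GENERIC_USER_AGENT;
  return out;
}

// Pass the script response through, minus any cookie-setting headers.
function sanitizeResponseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!DROPPED_RESPONSE_HEADERS.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Build (but do not start) the HTTP server.
function createProxyServer() {
  return http.createServer((req, res) => {
    const upstreamPath = req.method === 'GET' ? upstreamPathFor(req.url) : null;
    if (!upstreamPath) {
      res.statusCode = 404;
      res.end();
      return;
    }
    const upstreamReq = https.request(
      { host: UPSTREAM_HOST, path: upstreamPath, method: 'GET',
        headers: sanitizeRequestHeaders(req.headers) },
      (upstreamRes) => {
        res.writeHead(upstreamRes.statusCode, sanitizeResponseHeaders(upstreamRes.headers));
        upstreamRes.pipe(res);
      },
    );
    upstreamReq.on('error', () => { res.statusCode = 502; res.end(); });
    upstreamReq.end();
  });
}

// Start listening only when explicitly asked: GTM_PROXY_PORT=8080 node proxy.js
if (process.env.GTM_PROXY_PORT) {
  createProxyServer().listen(Number(process.env.GTM_PROXY_PORT));
}
```

With this in place the page references `/tm/gtm.js?id=GTM-XXXXXXX` on its own domain instead of the Google domain. The allow-list on path and id is what stops the proxy from becoming an open relay to anything under googletagmanager.com, and the `set-cookie` filter is the piece that Google Tag Gateway is, as far as I can tell, not documented to do.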

Google Analytics 4 and Google Ads

Without consent, GA4 and Google Ads in Consent Mode 2.0 send “anonymous pings” to Google servers by default. They do not set cookies. However, as mentioned above, whenever anything is sent over the internet, the user’s IP address and any cookies valid for that domain are transferred as well. As a result, the anonymous pings are not anonymous.

What to do next

Google Tag Manager is not technically necessary for a website. And with the default settings, you will not be able to justify it as a legitimate interest either.

If you are a web analyst, keep in mind that Consent Mode 2.0 is no guarantee that everything is in order. And if you rely solely on this setting, then it may be time to rethink your approach. Especially if you manage measurements in Germany.

If you are a website owner, check how exactly you have your measurements set up. Can you really defend the configuration if you receive a letter from the authorities?

Need help with this?