Many privacy policies claim that Google Tag Manager is a cookie-free domain. Others suggest that no consent is required to use the Tag Manager. Both are untenable. Even Google itself provides arguments against this claim.
The Google Tag Manager is a tool with which the deployment of other tools can be controlled. Instead of deploying, one could also speak of reloading other tools. Often the abbreviation GTM for the Google Tag Manager is used.
Is the Google Tag Manager a cookieless domain?
The Google Tag Manager is embedded via a Script and an alternative for systems with disabled JavaScript. Often, code like this can be found:
<script>
(function(w, d, s, l, i) {
w[l] = w[l] || [];
w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
var f = d.getElementsByTagName(s)[0],j = d.createElement(s),
dl = l != 'dataLayer' ? '&l=' + l : '';
j.async = true;
The JavaScript code is setting a variable named src to a string that includes a URL from Google Tag Manager, with an ID appended to it. The ID appears to be a placeholder for some value (i) and a delimiter (dl);
f.parentNode.insertBefore(j, f);
})(window, document, 'script', 'dataLayer', 'GTM-XXXXXXXX');
An iframe element with a source URL, set to zero height and width, and styled to be invisible;
The script part is the logic to load the gtm.js script named Tag Manager. Some parameters are set here. Below follows in a IFRAME-tag a logic to fire the Tag Manager, if JavaScript is disabled in the user's browser.
Before the misunderstandings are clarified, here is the very first misunderstanding. Many think that Google does not receive any personal data via GTM at all. That's wrong. Correctly: For Google, your and my IP address is potentially always personal. The GTM receives your and my IP address every time we visit websites that integrate the GTM. Unfortunately, Google's explanations are formulated in such a way that Google almost admits that it uses data received for its own purposes. So, the GTM would already be consent-obligatory on this account alone.
Common misconceptions about the Tag Manager
As can be seen, the Tag Manager is loaded from the domain googletagmanager.com. A domain can theoretically be cookieless. Labelling a tool as a domain is inherently wrong.
Declaring a domain as cookieless is a very bold statement. This statement can only be true if it's interpreted in a benevolent manner. A domain itself is not a cookie manager. Rather, all web pages hosted on this domain and external files loaded from third-party websites are potential cookie managers. Whoever dares to claim knowledge of all these web pages and files must be extremely well-informed.
A domain itself cannot manage cookies. Only files located on this domain can do that. Leaving aside server-side configurations, only files that execute program logic can manage cookies. By managing we mean here creating, reading, modifying and deleting cookies.
The Google Tag Manager is not a cookieless domain. To say it correctly:
Cookies are being loaded from the domain googletagmanager.com!
Investigation of Google Tag Manager on websites that use it (source: dr-dsgvo.de) and statement from Google (July 2021).
The Google Tag Manager loads cookies directly
Yes, you've read it correctly. Don't believe what others claim! This section shows why cookies are loaded when the Google Tag Manager is embedded on a website.
Cookies exist within a domain (depending on configuration also in subdomains). In order for Google Tag Manager cookies to be transferred when retrieving them, a cookie must first exist in the domain googletagmanager.com or be newly generated by Google Tag Manager.
It is therefore sufficient if a single website exists worldwide in the domain or subdomain in question and sets a cookie. We are only talking about persistent cookies here. Session cookies are rather uncritical (but can still cause problems under certain conditions).
Here's the proof that cookies are loaded when integrating the Google Tag Manager:
The video shows how the "naked" Tag Manager is loaded, without further tools being reloaded by the Tag Manager (which would otherwise be responsible for subsequent data processing). Nevertheless, a cookie is transferred when the Tag Manager is accessed. Because the cookie was already sent with the loading of the GTM, it is actually irrelevant whether the GTM loads additional tools or not, since the cookie was already there when the GTM was accessed!
Noted, all of this was shown in the video without consent. There isn't even a consent query on the shown website. The shown website was randomly selected. There are numerous other websites that use Tag Manager where the same behavior is verifiable.
To reproduce the behavior shown in the video, do the following in Mozilla Firefox:
- Visit a website on the domain googletagmanager.com or one of its subdomains and create a cookie
- To track network traffic in the browser press the F12 key to open the developer console. There click on the Network Analysis folder.Read full article now via free Dr. GDPR newsletter.Already a subscriber? Click on the link in the newsletter & refresh this page.↓Subscribe to Newsletter
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
