Bullshit Basics: Google Tag Manager is not a cookie-free domain (w/ proof)

Many privacy policies claim that Google Tag Manager is a cookie-free domain. Others suggest that no consent is required to use the Tag Manager. Both claims are untenable. Even Google itself supplies arguments against them.

The Google Tag Manager is a tool for controlling the deployment of other tools. Instead of deploying, one could also speak of loading other tools at runtime. The abbreviation GTM for the Google Tag Manager is used frequently.

Is the Google Tag Manager a cookieless domain?

The Google Tag Manager is not a domain. And if it were a domain, it would not be cookie-free. It is correct, however, that cookies can be set for the domain googletagmanager.com and are transmitted when content is loaded from it.

The Google Tag Manager is embedded via a script and, as a fallback for browsers with JavaScript disabled, an iframe. Code like the following is often found; this is Google's standard embed snippet, with GTM-XXXXXXXX as the placeholder for the container ID:

<!-- Google Tag Manager -->
<script>
(function(w, d, s, l, i) {
  w[l] = w[l] || [];
  w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
  var f = d.getElementsByTagName(s)[0],
      j = d.createElement(s),
      dl = l != 'dataLayer' ? '&l=' + l : '';
  j.async = true;
  // Script URL on googletagmanager.com with the container ID (i) and, for a
  // non-default data layer name, the &l= parameter (dl) appended.
  j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
  // Inserting the element fires the request, and with it any cookies the
  // browser holds for googletagmanager.com.
  f.parentNode.insertBefore(j, f);
})(window, document, 'script', 'dataLayer', 'GTM-XXXXXXXX');
</script>
<!-- Fallback without JavaScript: an invisible iframe with zero height and width -->
<noscript>
<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXXXXXX"
        height="0" width="0" style="display:none;visibility:hidden"></iframe>
</noscript>

The script part contains the logic for loading gtm.js, the Tag Manager's container script, and sets a few parameters. Below it, an iframe inside a noscript tag triggers the Tag Manager if JavaScript is disabled in the visitor's browser.

Before the other misunderstandings are cleared up, here is the very first one. Many believe that Google receives no personal data via GTM at all. That is wrong. Correctly put: for Google, your IP address and mine are potentially always personal data. GTM receives our IP addresses every time we visit a website that embeds it. Unfortunately, Google's explanations are worded in such a way that Google all but admits using the data it receives for its own purposes. On this ground alone, GTM would already require consent.

Common misconceptions about the Tag Manager

As can be seen, the Tag Manager is loaded from the domain googletagmanager.com. A domain can in theory be cookieless. Labelling a tool as a domain, however, is wrong from the outset.

Declaring a domain cookieless is a very bold statement. It can only be true under a benevolent interpretation. A domain itself does not manage cookies; rather, every web page hosted on that domain, and every external file it loads from third-party sites, is a potential cookie manager. Whoever claims to know all of these pages and files must be extremely well informed.

A domain itself cannot manage cookies. Only files located on that domain can do so; leaving server-side configuration aside, only files that execute program logic can. By managing we mean creating, reading, modifying and deleting cookies.

The Google Tag Manager is not a cookieless domain. To say it correctly:

Cookies are transmitted when content is loaded from the domain googletagmanager.com!

Investigation of Google Tag Manager on websites that use it (source: dr-dsgvo.de) and statement from Google (July 2021).

The Google Tag Manager loads cookies directly

Yes, you've read it correctly. Don't believe what others claim! This section shows why cookies are loaded when the Google Tag Manager is embedded on a website.

Cookies are bound to a domain (depending on their configuration, also to its subdomains). For Google Tag Manager cookies to be transmitted when it is retrieved, a cookie must first exist for the domain googletagmanager.com or be newly created by the Google Tag Manager.

It is therefore sufficient that a single web page anywhere in the world on that domain, or on one of its subdomains, sets a cookie. We are only talking about persistent cookies here; session cookies are fairly uncritical (but can still cause problems under certain conditions). Whether the browser actually attaches such a cookie to a later cross-site request also depends on the cookie's attributes (Domain, Path, Secure, SameSite) and on the browser's third-party cookie policy.

Here's the proof that cookies are loaded when integrating the Google Tag Manager:

Proof that a cookie is transferred when the Google Tag Manager is loaded.

The video shows the "naked" Tag Manager being loaded, without the Tag Manager loading further tools (which would otherwise be responsible for subsequent data processing). Nevertheless, a cookie is transmitted when the Tag Manager is requested. Because the cookie is sent with the very request that loads GTM, it is irrelevant whether GTM goes on to load additional tools or not: the cookie was already there when GTM was requested!

Note that all of this was shown in the video without consent; the website shown does not even have a consent query. It was selected at random. There are numerous other websites using the Tag Manager on which the same behaviour can be verified.

To reproduce the behaviour shown in the video, do the following in Mozilla Firefox:

  1. Visit a web page on the domain googletagmanager.com or one of its subdomains that creates a cookie there.
  2. Press F12 to open the developer tools and switch to the Network tab to record the browser's network traffic.
  3. Visit a website that uses the Google Tag Manager.
  4. Click on a network request that loads the Google Tag Manager, i.e. look for entries with googletagmanager.com.
  5. Open the Cookies tab in the request details on the right. The cookies shown there were transmitted when loading the Tag Manager.
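As an added example that is not part of the original article, the following Node.js script models the browser-side decision that steps 4 and 5 make visible: which of the cookies stored for googletagmanager.com are attached to the cross-site request for gtm.js. It implements the domain, path, Secure and expiry matching of RFC 6265 plus the SameSite rule for cross-site subresource requests. All cookie records are constructed sample data; the names demo_id, demo_sess, demo_legacy, demo_old, demo_path and site are invented for the illustration, and GTM-XXXXXXXX is the placeholder container ID.

```javascript
// Added example, not code from the original article. A minimal cookie-jar
// matcher (RFC 6265 section 5.4 plus SameSite) that predicts which stored
// cookies a browser attaches to the cross-site <script src> request for gtm.js.
// All cookie records below are constructed sample data with invented names.

const GTM_URL = 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXXX';
const DAY = 86400 * 1000;

const SAMPLE_JAR = [
  // Persistent cookie set earlier by some page on googletagmanager.com with
  // Domain=googletagmanager.com, so every subdomain receives it.
  { name: 'demo_id', value: 'abc123', domain: 'googletagmanager.com', hostOnly: false,
    path: '/', secure: true, sameSite: 'None', expires: Date.now() + 365 * DAY },
  // Host-only session cookie with SameSite=Lax: never attached to a
  // cross-site subresource load, only to same-site requests.
  { name: 'demo_sess', value: 's1', domain: 'www.googletagmanager.com', hostOnly: true,
    path: '/', secure: true, sameSite: 'Lax', expires: null },
  // No SameSite attribute: sent cross-site only by browsers that do not
  // default to Lax (Firefox, Safari); Chrome and Edge treat it as Lax.
  { name: 'demo_legacy', value: 'x', domain: 'googletagmanager.com', hostOnly: false,
    path: '/', secure: false, sameSite: null, expires: Date.now() + 30 * DAY },
  // Expired cookie: evicted, never sent.
  { name: 'demo_old', value: 'gone', domain: 'googletagmanager.com', hostOnly: false,
    path: '/', secure: false, sameSite: 'None', expires: Date.now() - DAY },
  // Scoped to a path that /gtm.js does not fall under.
  { name: 'demo_path', value: 'p', domain: 'googletagmanager.com', hostOnly: false,
    path: '/debug', secure: true, sameSite: 'None', expires: Date.now() + DAY },
  // First-party cookie of the embedding site: different domain, never sent.
  { name: 'site', value: '1', domain: 'example.com', hostOnly: false,
    path: '/', secure: true, sameSite: 'Lax', expires: null },
];

// RFC 6265 section 5.1.3: the host equals the cookie domain or ends with "." + domain.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Returns the Cookie header value the browser would send, or null if none.
// crossSite:    the request's site differs from the top-level page's site
//               (true for gtm.js embedded on a third-party website).
// laxByDefault: treat cookies without SameSite as Lax (Chrome/Edge) instead
//               of None (Firefox/Safari, the browser used in the steps above).
function cookieHeaderFor(jar, requestUrl, { crossSite, laxByDefault, now = Date.now() }) {
  const url = new URL(requestUrl);
  const isHttps = url.protocol === 'https:';
  const sent = jar
    .filter((c) => c.expires === null || c.expires > now)
    .filter((c) => (c.hostOnly ? url.hostname === c.domain
                                : domainMatches(url.hostname, c.domain)))
    .filter((c) => pathMatches(url.pathname, c.path))
    .filter((c) => !c.secure || isHttps)
    .filter((c) => !crossSite || (c.sameSite ?? (laxByDefault ? 'Lax' : 'None')) === 'None')
    // RFC 6265 section 5.4 step 2: longer paths first, otherwise jar order.
    .sort((a, b) => b.path.length - a.path.length)
    .map((c) => `${c.name}=${c.value}`);
  return sent.length ? sent.join('; ') : null;
}

// Same jar, two browser defaults: a cookie leaves the browser either way, but
// a Lax default strips the one without an explicit SameSite attribute.
const FIREFOX_LIKE = cookieHeaderFor(SAMPLE_JAR, GTM_URL, { crossSite: true, laxByDefault: false });
const CHROME_LIKE = cookieHeaderFor(SAMPLE_JAR, GTM_URL, { crossSite: true, laxByDefault: true });
console.log('Firefox-like default:', FIREFOX_LIKE);
console.log('Chrome-like default: ', CHROME_LIKE);
```

Two browser features deliberately left out of the model change the outcome in practice and should be checked before generalising from a single Firefox capture: third-party cookie blocking and state partitioning (Firefox's Total Cookie Protection, on by default since 2022, keeps a cookie set while visiting googletagmanager.com directly in a different partition from googletagmanager.com embedded on another site), and the Chrome/Edge SameSite=Lax default, under which a cookie with no SameSite attribute is not sent on a cross-site script load at all. The observation in the video dates from 2021 and predates the Firefox default.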

The Google Tag Manager sets cookies directly

I am referring here to an official statement from Google from late July 2021. Google itself says that cookies are set via the Tag Manager's so-called Preview and Debug Mode.

If an administrator uses the Preview Mode, three Tag Manager cookies associated with googletagmanager.com are stored on their device and transmitted to Google. If the administrator later visits any website that embeds the Tag Manager, the Preview Mode cookies are transmitted to Google again.

Google itself confirms that in certain cases cookies are used by Google Tag Manager, which are associated with googletagmanager.com.

Letter I received from Google in July 2021.

This does not apply to all website visitors, only to Tag Manager administrators who use the Preview and Debug Mode. It is aggravated, however, by the fact that these cookies allow a concrete, exact inference about the person: they contain information that can be traced back to a Google account, and the Google account in turn allows precise inferences about a single person.

Google Tag Manager tags can set cookies

Taken strictly, as lawyers like to do when they criticise privacy notices, this too is relevant to the question of whether the Google Tag Manager is a cookieless domain.

With a Custom HTML Tag, i.e. a tag you create yourself, the Tag Manager can be made to set cookies. Here is an example:

Source: https://www.analyticsmania.com/post/cookies-with-google-tag-manager/.

Further descriptions can be found in the cited source. The Tag Manager can therefore set cookies itself.

Note that the code shown creates a cookie on the domain of the website currently being visited, not on googletagmanager.com. Nevertheless, this alone shows that the Tag Manager is not a cookie-free domain, because the Tag Manager is a service, and that service is not cookie-free, as shown here several times.

Common Tag Manager errors

On numerous websites the Google Tag Manager is used, but not a single word about it appears in the privacy policy. Often it is named in an opt-in window, even though it allegedly uses no cookies. That mention would be bad enough, but it is at least welcome. So-called consent management platforms, however, focus on cookies, which is wrong in itself.

When a tool is used, Article 13 GDPR requires an explanation of what it does. This must happen at least in the privacy policy. If a cookie query takes place (which should really be called a consent query), the tool must also be explained there, at least in sufficient form; the complete explanation can then follow in the privacy notice.

Not declaring a tool at all is wrong in itself, unless it is a technically necessary service for which no further rules need to be observed (to be checked case by case). It is also wrong to name "Google" as the provider of a tool. What does "Google" mean? What is the full address of "Google", and what is its legal form?

Websites often ask for consent for certain tools. Yet a loading process, which sometimes involves the Google Tag Manager, already takes place before consent is given.

Since the Tag Manager loads other tools, many consent tools get confused by it. Yet another reason not to use them! For example, if the Tag Manager loads Google Analytics, the Google Analytics cookies are set via the data channel opened by the Tag Manager.

Here is a practical example of a consent request from a website of a well-known German company:

Incorrect information on data collected in connection with the Google Tag Manager (image was automatically translated).

There are several obvious defects in this small picture:

  1. The cookies _ga and _gat are assigned to the Tag Manager, although they belong to Google Analytics. The privacy policy contradicts this statement: "The Google Tag Manager service itself (which implements the tags) is a cookie-free domain and does not collect any personal data." As can be seen, there is at least one gross false statement here.
  2. The provider is given as "Google Tag Manager". Anyone familiar with the provider identification requirements of the Telemedia Act (TMG) will concede that this is not a legally compliant provider statement (also outside the TMG).
  3. The term "drain" sounds more like a sink. It is not generally understood.
  4. The specification "Type: HTTP Cookie" is not generally understandable.
  5. The purpose statement for the cookie _gat is nonsense and generally unclear.

If one were to further investigate the consent popup, the website, and the data protection statement, one would probably find at least twice as many flaws. Why I claim this can be read in my investigation Cookiegeddon – the failure of all (?) Consent Tools.

Lack of legitimate interest

In my view, of course, there is no legitimate interest in loading the Google Tag Manager without consent. Reasons:

  1. If GTM is loaded in order to load further tools that require consent, consent is required in any case. GTM can then simply be loaded after the user has given consent.
  2. Loading GTM alone, without loading other services, has no functional benefit.
  3. Of course, any tool X can also be loaded without GTM. This requires only JavaScript logic that need be no more complicated than the logic stored in GTM.

Anyone who wants to lead with the argument that designing a loading process for other services is less work with GTM than without may even be right. But a driver looking for a proper parking space also has more work than one who parks illegally. Nevertheless, nobody should park illegally on the spot just because it is less effort.

I claim, and can prove it by programming if necessary, that using the Google Tag Manager is usually more involved than simply programming the desired behaviour with direct JavaScript instructions. Even running a consent tool together with the Google Tag Manager is easier without the Tag Manager. One only needs to think of the data-src attribute here: scripts are embedded inert, with their real URL in data-src, and are only activated once consent has been given.
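As an added example that is not part of the original article, the following Node.js script shows the kind of JavaScript logic the previous paragraphs have in mind: third-party scripts are embedded inert as <script type="text/plain" data-src="..." data-consent="..."> and only the categories the visitor has consented to are turned into real script requests, so nothing is requested from a third party before consent. The loader itself uses only standard DOM calls; the small document stub after it exists so the logic can run under Node for testing and is not needed in a browser. The script URLs, the category names and the attribute name data-consent are invented for the illustration.

```javascript
// Added example, not code from the original article: consent-gated loading of
// third-party scripts without a tag manager. Scripts are embedded inert as
//   <script type="text/plain" data-src="https://..." data-consent="analytics"></script>
// and a real <script src> is created only for consented categories. The attribute
// name data-consent and all URLs and categories below are invented for this example.

// Activates inert scripts whose data-consent category has been granted.
// Returns the URLs actually requested; calling it again with a wider consent
// set loads only the scripts that are not yet active.
function loadConsentedScripts(doc, grantedCategories) {
  const granted = new Set(grantedCategories);
  const requested = [];
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-src]')) {
    if (inert.getAttribute('data-loaded') === '1') continue;        // already active
    if (!granted.has(inert.getAttribute('data-consent'))) continue;  // no consent: no request
    const live = doc.createElement('script');
    live.async = true;
    live.src = inert.getAttribute('data-src');                       // this is what fires the request
    inert.parentNode.insertBefore(live, inert);
    inert.setAttribute('data-loaded', '1');
    requested.push(live.src);
  }
  return requested;
}

// Inert embeds as they would appear in the page's HTML (constructed sample).
const SAMPLE_EMBEDS = [
  { type: 'text/plain', 'data-src': 'https://analytics.example/collect.js', 'data-consent': 'analytics' },
  { type: 'text/plain', 'data-src': 'https://ads.example/pixel.js',        'data-consent': 'marketing' },
  { type: 'text/plain', 'data-src': 'https://chat.example/widget.js',      'data-consent': 'marketing' },
];

// Minimal stand-in for the browser DOM so the loader can run under Node.
// In a browser, pass the real `document` instead.
function makeStubDocument(embeds) {
  const body = { children: [] };
  const makeEl = (attrs, parent) => {
    const el = { attrs: { ...attrs }, parentNode: parent };
    el.getAttribute = (k) => (k in el.attrs ? el.attrs[k] : null);
    el.setAttribute = (k, v) => { el.attrs[k] = String(v); };
    return el;
  };
  body.insertBefore = (node, ref) => {
    body.children.splice(body.children.indexOf(ref), 0, node);
    node.parentNode = body;
    return node;
  };
  for (const attrs of embeds) body.children.push(makeEl(attrs, body));
  return {
    body,
    createElement: (tag) => Object.assign(makeEl({}, null), { tagName: tag.toUpperCase() }),
    // Only the one selector the loader uses is supported by this stub.
    querySelectorAll: () => body.children.filter(
      (el) => el.getAttribute('type') === 'text/plain' && el.getAttribute('data-src') !== null),
  };
}

// Usage: nothing before consent, analytics after a partial consent, the rest
// once marketing is granted too, and nothing a second time.
const doc = makeStubDocument(SAMPLE_EMBEDS);
console.log(loadConsentedScripts(doc, []));                         // []
console.log(loadConsentedScripts(doc, ['analytics']));              // [collect.js]
console.log(loadConsentedScripts(doc, ['analytics', 'marketing'])); // [pixel.js, widget.js]
```

The inert element stays in the page as the record of what was loaded, and the data-loaded marker makes the call idempotent, so a consent tool can simply call the loader every time the visitor's choices change. Withdrawal of consent is not handled here: a script that has already run cannot be unloaded, which is exactly why nothing may be requested before consent.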

And who accounts for the extra work of writing a proper privacy policy for the Tag Manager and of finding out who provides the service and what they do with the data received? Add to that the effort of answering enquiries from concerned individuals like me, because many people believe that many others do not take privacy seriously. A reasonably unassailable privacy policy for the Tag Manager is rarely found anyway. Taking into account the numerous legal conditions for GTM also leads to work that seems hardly manageable. A future article of mine will shed light on this aspect.

Conclusion

I wrote this article to refute, several times over, the statement that GTM is a cookieless domain. As shown, cookies can be transmitted when the Tag Manager is loaded. If this occurs, the Tag Manager is subject to consent before it may be loaded. This follows from § 15 (3) TMG and Art. 5 of the ePrivacy Directive. A more detailed derivation can be found in several other articles on my website.

A legitimate interest can be ruled out because using the Tag Manager without loading further tools is obviously pointless, and tools that do not require consent can also be loaded without the Tag Manager. GTM, on the other hand, requires considerable extra work if Google's legal terms and other binding data protection regulations are to be complied with.

Consent must be obtained from the website visitor before using the Google Tag Manager

Reason: see article

Furthermore, a consent obligation can also be derived from the fact that IP addresses are transferred as personal data to "Google". "Google" is a term that describes a globally operating conglomerate that apparently has its headquarters in the USA. The USA is an insecure third country (see Privacy Shield ruling). Statements by Google on Google Analytics suggest that using the Google Tag Manager always results in data collection in the USA.

Update: When using Google Tag Manager, Google LLC is the company responsible for data processing. This can be seen from the "Terms of Processing Personal Data for Google Advertising Products" (see https://privacy.google.com/businesses/processorterms/), which apply to Google Tag Manager (see the Google Tag Manager terms of use at https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/, which must be accepted when creating a GTM account). Legally, therefore, there is access from the USA.

The requirement for consent for Google Tag Manager can be derived from various reasons. In the related article, I also address data transfer over Google LLC as well as data transfer to the USA due to Google's terms of use.

In my opinion, a valid data processing agreement (AVV) with Google cannot be concluded, also because Google uses hundreds of subprocessors from dozens of countries worldwide with questionable data protection standards (see https://privacy.google.com/businesses/subprocessors/, which is linked from the aforementioned processing terms). Furthermore, the privacy policy applicable to GTM states that Google uses the collected data for its own purposes (not technically necessary), which contradicts a data processing agreement.


Key messages

Google Tag Manager is not a cookie-free domain and can collect personal data like your IP address, making consent necessary for its use.

Google Tag Manager can set cookies and track users, even if websites claim it doesn't use cookies.

Using Google Tag Manager (GTM) often makes website privacy practices more complicated and less transparent, even when using consent tools.

Using Google Tag Manager (GTM) likely requires user consent because it involves transferring personal data, including IP addresses, to Google, a company based in the USA, which is considered an insecure third country.

Cookies are not text files; they are data records.

There are better ways to track website activity while respecting user privacy.

About

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.