Gate Google Tag Manager behind consent
Google Tag Manager is a loader: it can inject analytics, ad and pixel tags. If GTM fires those tags on page load, every one of them runs before consent — even the ones you forgot were there.
Why it matters
GTM itself is low-risk, but it is the delivery mechanism for the tags that are not. Regulators look at what actually fired in the browser, not your intentions. A single un-gated container can put a dozen third parties on the page pre-consent.
How to fix it
Do not let tags fire on the default page-view trigger. Use Consent Mode v2 (defaults denied) so Google tags respect consent, and for non-Google tags add a consent trigger: fire them only on a custom "consent_granted" event you push from your banner’s accept callback.
// Fire non-essential tags only after this event.
// In your consent banner Accept handler:
window.dataLayer = window.dataLayer || []; // make sure the queue exists before pushing
window.dataLayer.push({ event: 'consent_granted' });
// In GTM: set each non-essential tag's trigger to the
// custom event 'consent_granted' instead of 'All Pages'.
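An added example, not code from the original guide: it combines the two steps above, setting Consent Mode v2 defaults to denied and pushing 'consent_granted' on accept, and also replays a stored choice so returning visitors still trigger the event on later pages. The names `createConsentGate` and `STORAGE_KEY`, the localStorage persistence and the element id `consent-accept` are assumptions.

```javascript
// Added example. STORAGE_KEY, createConsentGate and the element id
// 'consent-accept' are hypothetical names, not from the original guide.
const STORAGE_KEY = 'consent_choice';
const SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Build a Consent Mode v2 state object with every signal set to `value`.
function consentState(value) {
  return Object.fromEntries(SIGNALS.map((signal) => [signal, value]));
}

function createConsentGate(dataLayer, storage) {
  // Same shape as Google's gtag() stub: it queues the `arguments` object.
  function gtag() { dataLayer.push(arguments); }

  function grant() {
    storage.setItem(STORAGE_KEY, 'granted');
    gtag('consent', 'update', consentState('granted'));
    // Trigger event for non-Google tags, as described above.
    dataLayer.push({ event: 'consent_granted' });
  }

  function deny() {
    storage.setItem(STORAGE_KEY, 'denied');
    gtag('consent', 'update', consentState('denied'));
  }

  // Call once per page load, before the GTM container snippet.
  function init() {
    gtag('consent', 'default', consentState('denied'));
    // Returning visitor: replay the stored choice, otherwise tags bound to
    // 'consent_granted' would never fire after the first page.
    if (storage.getItem(STORAGE_KEY) === 'granted') grant();
  }

  return { init, grant, deny };
}

// Browser wiring (skipped outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  const gate = createConsentGate(window.dataLayer, window.localStorage);
  gate.init();
  const accept = document.getElementById('consent-accept');
  if (accept) accept.addEventListener('click', gate.grant);
}
```

Load this script above the GTM container snippet so the denied defaults are queued in the dataLayer before any tag can evaluate its trigger.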
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.