Skip to main content
All guides
Serious KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3) · Tag manager

Gate Google Tag Manager behind consent

Google Tag Manager is a loader: it can inject analytics, ad and pixel tags. If GTM fires those tags on page load, every one of them runs before consent — even the ones you forgot were there.

Why it matters

GTM itself is low-risk, but it is the delivery mechanism for the tags that are not. Regulators look at what actually fired in the browser, not your intentions. A single un-gated container can put a dozen third parties on the page pre-consent.

How to fix it

Do not let tags fire on the default page-view trigger. Use Consent Mode v2 (defaults denied) so Google tags respect consent, and for non-Google tags add a consent trigger: fire them only on a custom "consent_granted" event you push from your banner’s accept callback.

<!-- Fire tags only after this event -->
// In your consent banner Accept handler:
window.dataLayer.push({ event: 'consent_granted' });

// In GTM: set each non-essential tag's trigger to the
// custom event 'consent_granted' instead of 'All Pages'.

Does your site have this issue?

Run a free scan to find out in seconds.

Official sources

Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.

Related guides

These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.