Google Tag Manager

Overview

Google Tag Manager (GTM) is a tag management system that allows marketing and analytics teams to deploy, configure, and update tracking scripts on a website without modifying site code. It is the most widely used tag manager on the web.

What This Script Does

The GTM container script (gtm.js) loads synchronously from googletagmanager.com and acts as a loader for other scripts configured in the GTM container. Key technical details:

What GTM itself does:

• Downloads the container configuration (a JSON payload defining which tags, triggers, and variables are active).
• Evaluates trigger conditions (page URL, click events, custom events, DOM conditions).
• Injects configured tags (script elements) into the page when their triggers fire.
• Manages a data layer (window.dataLayer) that acts as a message bus between the site and configured tags.

What GTM itself does NOT do:

• GTM does not set any cookies of its own.
• GTM does not collect or transmit analytics or personal data.
• GTM does not perform tracking, profiling, or advertising functions.
• GTM is functionally a script loader — comparable to a <script> tag but with a management UI.

What GTM loads (indirect effects):

• The tags configured within a GTM container may include Google Analytics, Google Ads, Facebook Pixel, Hotjar, or any other third-party script. These loaded tags have their own cookies, data collection, and privacy implications.
• GTM's consent-aware features allow tags to be configured with consent checks, so tags only fire when the corresponding consent category has been granted.

Consent Mode integration: GTM natively supports Google Consent Mode v2. When integrated with a consent management platform, GTM reads consent state from the data layer and passes ad_storage, analytics_storage, ad_user_data, and ad_personalization signals to Google tags. Non-Google tags can use GTM's consent-checking triggers.

Server-side GTM: A server-side GTM container runs on your own infrastructure (Cloud Run, App Engine, etc.) and proxies tag requests through a first-party endpoint. This reduces client-side JavaScript, improves page performance, and gives you more control over data flowing to third parties.

Consent & Compliance

Google Tag Manager is classified as essential because it is a tag management tool with no inherent data collection. Its consent categorization depends on what it loads:

Under GDPR and ePrivacy, GTM itself does not require consent because it does not set cookies or process personal data. However, the tags loaded by GTM absolutely require consent based on their individual purposes. Loading GTM without consent is acceptable only if GTM is configured to respect consent signals and block non-essential tags until consent is obtained.

Under CCPA, the same principle applies: GTM is a neutral loader, but the tags it deploys may involve "selling" or "sharing" personal information.

Critical implementation requirement: If you load GTM without consent, you must ensure that the GTM container is configured with consent-aware tag firing. Tags classified as analytics or marketing must have consent-based triggers. Loading GTM pre-consent is only defensible if GTM does not fire any non-essential tags before consent is granted.

Should You Block This Without Consent?

No. GTM itself has no tracking functionality and is classified as essential infrastructure. It can be loaded before consent, provided that the GTM container uses consent-aware triggers (Google Consent Mode or custom consent-checking triggers), no analytics or marketing tags fire before the user grants consent, and only essential tags (e.g., consent banner script, reCAPTCHA) are configured to fire without consent requirements.

If GTM is not configured with consent-aware triggers and fires all tags immediately on page load, blocking GTM before consent effectively blocks all the non-essential tags it would load. In this scenario, blocking GTM is a valid (if blunt) approach.