Disclosure Guide

How to disclose Google Tag Manager in your privacy policy

Google Tag Manager is a container, not a tracker itself. But because it loads and controls every other tag and pixel on your site, how you describe it in your privacy policy matters as much as how you configure it. A policy that accurately describes GTM must also reflect all the third-party tools it fires.

Last reviewed by Lokker Privacy Engineering

Not legal advice

The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.

Data collection

What data Google Tag Manager typically collects

This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.

  • GTM itself sets a _gtm cookie and loads scripts asynchronously from googletagmanager.com

  • The data GTM collects on its own is minimal: configuration and debug-mode data

  • The actual data collection depends entirely on which tags are configured inside the GTM container

  • GTM has access to the full document including page URLs, form fields, data layer variables, and DOM elements

  • If GTM is used in server-side tagging mode, it routes tag requests through your own server, changing the data flow for downstream tools

Processing purposes

Purposes to describe in your policy

Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with Google Tag Manager.

  • Centralized management and deployment of tracking scripts

  • Governance of when and how third-party tags fire relative to consent state

  • Data layer coordination for analytics, advertising, and personalization tools

  • Version control and rollback for tag configurations

Jurisdiction notes

US and EU compliance considerations

These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.

United States

GTM itself is typically treated as a functional tool in your own infrastructure rather than a third party collecting personal information. However, the tags deployed through GTM may create significant CCPA and CPRA obligations, particularly around sale and sharing of personal information for advertising purposes. The opt-out mechanism in your CMP must technically prevent GTM from firing advertising tags when GPC is detected or when the visitor opts out.

EU and UK (GDPR)

Under the GDPR, GTM loads a script from googletagmanager.com, which involves a connection to Google servers. Many organizations categorize GTM itself under "Strictly Necessary" or "Functional" because it is infrastructure rather than advertising. However, the EDPB has stated that any tool that fires without consent must not itself trigger downstream non-essential processing. GTM Consent Mode v2 integration is required for Google's advertising products to behave lawfully in the EEA.

Example language

Illustrative policy language for Google Tag Manager

The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.

Tag management infrastructure row

Google Tag Manager (Google LLC): A tag management container used to deploy and manage tracking scripts, analytics tools, and advertising pixels on this website. GTM itself does not directly collect personal data beyond a session cookie, but controls the deployment of the third-party tools listed in this notice.

Full infrastructure and tagging disclosure

We use Google Tag Manager, a tag management service provided by Google LLC, to manage and deploy tracking technologies on this website. Google Tag Manager does not directly collect personal information; it is a container that manages when and how other tracking tools load. The third-party services deployed through Google Tag Manager may collect personal information as described elsewhere in this notice. Google Tag Manager uses its own cookie (_gtm) and communicates with Google servers to load the container configuration. We have configured Google Tag Manager to integrate with our consent management platform so that non-essential tags, including analytics and advertising technologies, are only activated after you provide consent where required by applicable law. Consent state is passed to the container through the data layer and enforced through tag firing rules.

Configuration checklist

CMP and tag manager checklist

An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for Google Tag Manager.

  1. Configure consent-based triggers in GTM so that advertising and analytics tags are blocked until the relevant consent signal is received from your CMP.

  2. Use GTM's built-in Consent Mode v2 support if deploying Google properties. Ensure the consentGranted and consentDenied triggers are correctly wired to your CMP's consent categories.

  3. Audit the GTM container for tags that fire on "All Pages" without a consent check. These tags may be operating outside the consent framework described in your policy.

  4. Use GTM's debug and preview mode to verify that tags in the rejected state do not fire. Consent Validator can automate this at the network layer, confirming what GTM actually fires in each consent state.

  5. If using server-side GTM, the consent framework must also apply to server-side tag dispatching. Client-side consent opt-outs do not automatically propagate to server-side sends without explicit implementation.
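The audit in step 3 can be scripted against a container export. The following is an added example, not code from Lokker or Google: it assumes the export JSON exposes tags under containerVersion.tag with firingTriggerId, blockingTriggerId and consentSettings.consentStatus, and that the built-in "All Pages" trigger has id 2147479553; the sample container is constructed.

```javascript
// Added example (not Lokker's or Google's code). Field names follow the GTM
// container export JSON as assumed here; confirm them against your own export.
const ALL_PAGES_TRIGGER_ID = "2147479553"; // assumed id of the built-in "All Pages" trigger

// Normalise "NOT_SET" / "notSet" / missing to one lowercase form.
function consentStatus(tag) {
  const raw = (tag.consentSettings && tag.consentSettings.consentStatus) || "NOT_SET";
  return raw.replace(/_/g, "").toLowerCase();
}

// Return active tags that fire on All Pages without an additional consent requirement.
function auditContainer(exported) {
  const tags = (exported.containerVersion && exported.containerVersion.tag) || [];
  const findings = [];
  for (const tag of tags) {
    if (tag.paused) continue; // paused tags never fire
    const firesOnAllPages = (tag.firingTriggerId || []).includes(ALL_PAGES_TRIGGER_ID);
    if (!firesOnAllPages || consentStatus(tag) === "needed") continue;
    findings.push({
      name: tag.name,
      type: tag.type,
      consentStatus: consentStatus(tag),
      // A CMP-driven exception trigger may still block the tag: review by hand.
      hasBlockingTrigger: (tag.blockingTriggerId || []).length > 0,
    });
  }
  return findings;
}

// Constructed sample export, trimmed to the fields the audit reads.
const sampleExport = {
  containerVersion: {
    tag: [
      { name: "GA4 config", type: "googtag", firingTriggerId: ["2147479553"],
        consentSettings: { consentStatus: "NOT_SET" } },
      { name: "Ad pixel", type: "html", firingTriggerId: ["2147479553"],
        consentSettings: { consentStatus: "NEEDED",
          consentType: { type: "LIST", list: [{ type: "TEMPLATE", value: "ad_storage" }] } } },
      { name: "Session replay", type: "html", firingTriggerId: ["2147479553"],
        blockingTriggerId: ["31"], consentSettings: { consentStatus: "NOT_NEEDED" } },
      { name: "Old chat widget", type: "html", firingTriggerId: ["2147479553"], paused: true },
      { name: "Purchase event", type: "gaawe", firingTriggerId: ["17"] },
    ],
  },
};

for (const f of auditContainer(sampleExport)) {
  console.log(`${f.name} (${f.type}): consent=${f.consentStatus}, blockingTrigger=${f.hasBlockingTrigger}`);
}
```

Findings are review candidates rather than confirmed violations: a flagged tag may still be held back by an exception trigger or by its own built-in consent checks, which is why the network-level test in step 4 is still needed.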

Policy vs practice

What policies say versus what Lokker validates

These are common gaps between Google Tag Manager privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.

What the policy says

  • Policies describe GTM as consent-gated, with tags only firing after the CMP grants consent for the relevant category.

  • Policies often treat GTM as invisible infrastructure and do not disclose that GTM itself loads a script from googletagmanager.com on every page.

  • Policies mention GTM as the tag management tool, but do not enumerate the specific third-party tags deployed through the container.

  • Policies are updated when the privacy team reviews the consent configuration, assuming the GTM container matches the documented setup.

What Lokker validates

  • Lokker tests the reject and no-interaction states to confirm which tags inside GTM actually fire. Consent-based triggers must be correctly wired to the CMP; Lokker shows what reaches the network regardless of what the policy claims.

  • GTM's container request to googletagmanager.com may occur before the CMP script has initialized, depending on script load order. Lokker captures timing data showing whether GTM loads ahead of the consent decision.

  • Lokker observes every outbound request during a visit and identifies which domains are contacted, exposing tags not listed in the privacy policy. Third-party vendors active in GTM but absent from the policy are a documented compliance risk.

  • GTM containers can be updated by any publisher-role user without a policy review. Lokker runs recurring scans to detect newly active tags that do not appear in the current policy or CMP vendor list.

Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether Google Tag Manager loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.
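The outside-in checks described above (load order of GTM relative to the CMP, and contacted domains missing from the policy) can be reproduced on a browser HAR capture taken in the reject state. This is an added example, not Lokker's tooling: the HAR entries, the CMP domain cmp.example and the disclosed-domain list are constructed assumptions.

```javascript
// Added example. Input is a HAR 1.2 capture recorded after clicking "reject";
// only log.entries[].startedDateTime and request.url are read.
function matchesDomain(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

function analyseRejectCapture(har, policy) {
  // Sort by start time so the Map below records first contact per host in order.
  const entries = har.log.entries.slice().sort(
    (a, b) => Date.parse(a.startedDateTime) - Date.parse(b.startedDateTime));
  const firstSeen = new Map();
  for (const entry of entries) {
    const hostname = new URL(entry.request.url).hostname;
    if (!firstSeen.has(hostname)) firstSeen.set(hostname, Date.parse(entry.startedDateTime));
  }
  const firstContact = (domain) => {
    for (const [hostname, time] of firstSeen) {
      if (matchesDomain(hostname, domain)) return time;
    }
    return null;
  };
  const gtmAt = firstContact("googletagmanager.com");
  const cmpAt = firstContact(policy.cmpDomain);
  return {
    // True when the container was requested before any request to the CMP.
    gtmBeforeCmp: gtmAt !== null && (cmpAt === null || gtmAt < cmpAt),
    // Hosts contacted in the reject state that the policy does not list.
    undisclosed: [...firstSeen.keys()].filter(
      (hostname) => !policy.disclosed.some((d) => matchesDomain(hostname, d))),
  };
}

// Constructed sample: hypothetical site shop.example with a CMP on cmp.example.
const samplePolicy = {
  cmpDomain: "cmp.example",
  disclosed: ["shop.example", "googletagmanager.com", "cmp.example"],
};
const sampleHar = { log: { entries: [
  { startedDateTime: "2024-01-01T12:00:00.000Z", request: { url: "https://www.shop.example/" } },
  { startedDateTime: "2024-01-01T12:00:00.300Z", request: { url: "https://cdn.cmp.example/banner.js" } },
  { startedDateTime: "2024-01-01T12:00:00.120Z", request: { url: "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX" } },
  { startedDateTime: "2024-01-01T12:00:00.900Z", request: { url: "https://pixel.adnetwork.example/collect?e=pageview" } },
] } };

console.log(analyseRejectCapture(sampleHar, samplePolicy));
```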

Questions

Google Tag Manager privacy policy FAQ

Is Google Tag Manager itself subject to GDPR consent requirements?

This is a widely debated question. GTM itself does not directly collect personal information beyond loading its configuration from Google servers and setting a session cookie. Many organizations treat GTM as Strictly Necessary infrastructure. However, if GTM loads any non-essential tags on initialization before consent is granted, those tags create a compliance problem regardless of how GTM is categorized. The EDPB's guidance focuses on the practical outcome: does non-essential data collection occur before consent?

What should my privacy policy say about the tags inside Google Tag Manager?

Your privacy policy should describe each significant third-party tool deployed through GTM, not just GTM itself. A general statement about GTM as a container should be accompanied by a cookie and technology table or equivalent disclosure covering the specific analytics, advertising, and personalization tools active in your container. Visitors are entitled to know what data is collected and for what purposes, and "we use tag management software" does not fulfill that obligation.

Can Google Tag Manager fire tags before the user accepts consent?

Yes, if not correctly configured. Without explicit consent-based triggers, GTM will fire all configured tags on page load regardless of consent state. Consent Mode v2 integration and CMP-connected triggers are required to ensure that non-essential tags are blocked until consent is granted. This configuration should be tested with automated consent flow tools to confirm technical compliance rather than assumed from configuration documentation.

Validate technical compliance

Confirm that Google Tag Manager fires only when it should

Verify that tags inside your GTM container actually stop firing in the reject and no-interaction states, not just that the firing rules look correct in preview mode.