Tag Management

Google Tag Manager is powerful. Without governance, it becomes a privacy liability.

Google Tag Manager is deployed on millions of sites and used by marketing, analytics, and engineering teams simultaneously. That breadth is also its risk: when anyone can publish a tag, consent controls depend entirely on governance discipline, not technical restrictions. Lokker scans what GTM actually fires, not what the workspace configuration says it should.



Google Tag Manager

Google Tag Manager is a free tag management system that allows organizations to deploy and manage marketing tags, analytics scripts, and tracking pixels without direct code changes, using a web-based interface.

Trademark

Google Tag Manager is a trademark of Google LLC. Lokker is not affiliated with or endorsed by Google LLC.

Quick answer

Google Tag Manager (GTM) is a free tag management system that lets marketers deploy tracking scripts, pixels, and analytics tools without direct code changes. GTM itself does not collect user data, but it acts as a deployment channel for tools that do. The privacy risk from GTM comes from what tags it deploys, not from GTM itself. If a tag fires before consent is given, or if a rejected consent state does not actually prevent the tag from loading, the organization bears the compliance exposure. Common issues include tags configured to fire on "All Pages" regardless of consent state, missing trigger conditions that should block tags in GPC or reject states, and tags added by marketing teams that bypass privacy review.

Risk and failure modes

GTM governance gaps create consent and data privacy risk

Google Tag Manager removes the engineering bottleneck for deploying new tags. It also removes the privacy review bottleneck, unless your team explicitly builds governance into the publishing workflow.

Tags that fire without a consent condition

Tags published without a consent-check trigger fire on every page view for every visitor, including those who have rejected non-essential cookies.

Marketing-owned containers without security review

Many organizations have multiple GTM containers, some controlled by marketing teams who lack privacy training. Tags added in those containers often have no consent condition at all.

Preview and debug container leaks

GTM preview mode is designed for testing, but developers sometimes leave debug containers active in production environments, so tags fire outside the normal container publishing process.

dataLayer push order and consent initialization

Consent Mode v2 requires a specific dataLayer initialization order. Tags that push data before the consent signal is available may operate in a default mode that still sends modeling data to Google.

Consent and configuration

Google Consent Mode v2 allows tags to operate in modeling mode when consent is denied, sending anonymized signals instead of personal data. Whether your implementation handles this correctly, and whether it applies to all relevant Google tags, requires testing beyond the GTM workspace.

  • Each Google tag in your GTM container needs to be verified against its Consent Mode v2 mapping.

  • Non-Google tags in the same container need separate consent trigger conditions that align with your CMP configuration.

  • Variables and dataLayer lookups used in consent conditions need to be tested across browser environments, not just desktop Chrome.

  • GTM server-side containers introduce a different set of consent validation requirements than browser-side containers.

Regional compliance

GTM consent configuration must handle opt-in and opt-out markets differently

European visitors require opt-in consent before any non-essential Google tags fire. US visitors may have GPC signals or opt-out rights under California law as amended by the CPRA, which covers both sale and sharing for cross-context behavioral advertising. A single GTM container serving both markets needs geo-aware trigger conditions and a consent layer that handles each path correctly. The most common misconfiguration is a container built for one market that gets deployed globally without adjustment.
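The initialization order described under "dataLayer push order and consent initialization", combined with the per-market defaults this section calls for, as an added example that is not Lokker's or Google's code. It simulates the dataLayer on a page, builds a Consent Mode v2 default for a region (the opt-in region list, the GPC handling and the wait_for_update value are assumptions), and includes the audit check that the consent default precedes the container's gtm.js push.

```javascript
// Added example, not Lokker's or Google's code. Simulates the Consent Mode v2
// initialization order on a page: consent defaults must reach the dataLayer
// before the GTM snippet pushes its gtm.js event, and the defaults differ per
// market. OPT_IN_REGIONS and the GPC handling are assumptions for illustration.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }   // standard gtag shim

// Consent Mode v2 storage types (real parameter names).
const ALL_DENIED = {
  ad_storage: 'denied', ad_user_data: 'denied',
  ad_personalization: 'denied', analytics_storage: 'denied',
};
// Assumed, partial list of opt-in region codes; a real deployment would
// enumerate every EEA/UK code it serves.
const OPT_IN_REGIONS = new Set(['DE', 'FR', 'NL', 'IE', 'ES', 'IT', 'GB']);

// Opt-in markets deny everything until the CMP updates; opt-out markets start
// granted, and a GPC signal is treated as an opt-out of the advertising types.
function consentDefaultsFor(region, gpcSignal) {
  const common = { region: [region], wait_for_update: 500 };
  if (OPT_IN_REGIONS.has(region)) return { ...ALL_DENIED, ...common };
  const defaults = {
    ad_storage: 'granted', ad_user_data: 'granted',
    ad_personalization: 'granted', analytics_storage: 'granted', ...common,
  };
  if (gpcSignal) {
    defaults.ad_storage = 'denied';
    defaults.ad_user_data = 'denied';
    defaults.ad_personalization = 'denied';
  }
  return defaults;
}

// Correct order: consent default first, then the container's gtm.js push
// (the second push is what the real GTM snippet emits when gtm.js is added).
function installContainer(region, gpcSignal) {
  gtag('consent', 'default', consentDefaultsFor(region, gpcSignal));
  dataLayer.push({ 'gtm.start': Date.now(), event: 'gtm.js' });
  return dataLayer;
}

// Audit check over a dataLayer snapshot: a consent default command must exist
// and must precede the gtm.js event; otherwise tags initialize before the
// page's own defaults apply.
function consentDefaultPrecedesContainer(layer) {
  const iDefault = layer.findIndex((e) => e[0] === 'consent' && e[1] === 'default');
  const iGtm = layer.findIndex((e) => e.event === 'gtm.js');
  return iDefault !== -1 && (iGtm === -1 || iDefault < iGtm);
}
```

In a browser the same check can be run against window.dataLayer from the console to confirm the order a real page produced.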

How Lokker helps

How Lokker validates what GTM actually fires

Lokker inspects the network layer, not the GTM workspace configuration. That distinction is the critical one: GTM can be configured to respect consent while still firing tags that bypass it. Only network-level scanning confirms which tags actually run in each consent state.

Network-layer tag inventory

Privacy Edge scans your pages as a real browser would and inventories every outbound request, including tags loaded through GTM that may not be visible in the workspace configuration.

Explore Privacy Edge

GTM behavior across consent states

Consent Validator runs automated flows across no-interaction, accept, reject, and GPC states and reports which GTM-managed tags fire in each, with P1-P3 remediation priorities.

Explore Consent Validator

Runtime tag enforcement

Guardian intercepts outbound requests at the network layer and can block tags that fire through GTM but fall outside approved trust rules, adding a runtime safety net to governance processes.

Explore Guardian

Privacy and consent governance training

Privacy Academy teaches marketing and engineering teams how GTM deployment intersects with consent requirements, reducing the governance gaps that create most GTM privacy risk.

Explore Privacy Academy

Explore Lokker

Products that address Google Tag Manager privacy risk

Each product links to its full details so you can explore features, view a demo, and understand how it applies to your Google Tag Manager deployment.

Intelligence

Privacy Edge

Scans what GTM actually fires at the network layer, independent of workspace configuration.


Enforcement

Guardian

Blocks GTM-managed tags that fire outside approved trust rules at runtime.


Side-by-side comparisons

Compare Google Tag Manager against alternatives

Evaluating Google Tag Manager alongside other options? Our comparison guides score each tool on privacy defaults, HIPAA BAA availability, GDPR data residency, GPC support, and consent compliance posture.

Privacy policy guidance

How to disclose Google Tag Manager in your privacy policy

Our privacy policy disclosure guide explains what data Google Tag Manager collects, how to describe it in a cookie notice or privacy policy, jurisdiction notes, and example language for discussion with counsel.

See disclosure guide

Frequently Asked Questions

Common questions about Google Tag Manager

Is Google Tag Manager a privacy risk?

Google Tag Manager itself does not collect user data. The privacy risk comes from the tags it deploys. If GTM is used to deploy advertising pixels, session replay tools, or analytics scripts that fire before or regardless of user consent, the organization is exposed to GDPR, CCPA, and CPRA violations. GTM governance, consent trigger conditions, and independent verification of what actually fires in each consent state are the controls that matter.

Does Google Tag Manager work with consent management platforms?

Yes. GTM supports consent mode variables and trigger conditions that can pause or activate tags based on the user's consent state from a CMP like OneTrust or Cookiebot. However, the CMP and GTM must be configured correctly together, and the integration must be independently verified. Misconfigured trigger conditions frequently allow tags to fire in reject states even when the configuration appears correct in the GTM workspace.

What are the main Google Tag Manager security risks?

The main security risks from GTM include injection of unauthorized scripts (if GTM container access is compromised or shared too broadly), third-party tags that load additional scripts not visible in the GTM workspace, and tags that exfiltrate form data or session information to external servers. From a privacy standpoint, the largest risk is deployment of tracking technologies that fire outside the scope of user consent.

How do I audit what Google Tag Manager is actually sending?

GTM's built-in preview mode shows which tags fired on a page load, but it does not show the full network payload each tag sent. A network-layer audit using browser developer tools, a HAR file capture, or a platform like Privacy Edge captures every outbound request including the data each tag transmitted, which third-party domains received the request, and whether the request occurred before or after a consent event.
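The HAR-based audit described above, as an added example that is not Lokker's tooling: it walks a HAR capture and reports, per third-party host, how many requests fired before versus after a consent event and which query-parameter names they carried. The HAR entries, hostnames and consent timestamp are constructed, and the list of strictly necessary hosts is an assumed allow-list.

```javascript
// Added example, not Lokker's tooling. Reads a HAR capture and reports, per
// third-party host, requests before versus after a consent event and the
// query-parameter names each request carried. The HAR entries and the consent
// timestamp are constructed; necessaryHosts is an assumed allow-list.
const SAMPLE_HAR = {                                  // minimal HAR 1.2 shape
  log: { entries: [
    { startedDateTime: '2024-05-01T10:00:00.100Z',
      request: { url: 'https://www.example.com/' } },
    { startedDateTime: '2024-05-01T10:00:00.400Z',
      request: { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER' } },
    { startedDateTime: '2024-05-01T10:00:00.900Z',    // before consent
      request: { url: 'https://px.adnetwork-example.net/collect?uid=abc123&ev=view' } },
    { startedDateTime: '2024-05-01T10:00:03.000Z',    // after consent
      request: { url: 'https://px.adnetwork-example.net/collect?uid=abc123&ev=scroll' } },
  ] },
};
const CONSENT_AT = '2024-05-01T10:00:02.000Z';        // when the CMP recorded a decision

// A host is third party unless it is the first-party host or a subdomain of it.
function isThirdParty(host, firstPartyHost) {
  return host !== firstPartyHost && !host.endsWith('.' + firstPartyHost);
}

// Returns { preConsent: { host: { hits, params } }, postConsent: { ... } }.
function auditHar(har, consentAtIso, firstPartyHost, necessaryHosts = []) {
  const consentAt = Date.parse(consentAtIso);
  const report = { preConsent: {}, postConsent: {} };
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    const host = url.hostname;
    if (!isThirdParty(host, firstPartyHost) || necessaryHosts.includes(host)) continue;
    const bucket = Date.parse(entry.startedDateTime) < consentAt
      ? report.preConsent : report.postConsent;
    const rec = bucket[host] || (bucket[host] = { hits: 0, params: new Set() });
    rec.hits += 1;
    for (const key of url.searchParams.keys()) rec.params.add(key);   // data sent
  }
  return report;
}

// Hosts that received at least one request before the consent event.
function hostsFiringBeforeConsent(report) {
  return Object.keys(report.preConsent).sort();
}
```

A real run would load the HAR exported from browser developer tools and take the consent timestamp from the CMP's logged update event.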

Next step

Validate Google Tag Manager consent behavior across your portfolio

Lokker runs automated browser-level consent flows and scans the network layer to confirm whether Google Tag Manager fires in states where it should not.