Google Tag Manager and GDPR: The Tag Firing Problem
GTM itself is largely GDPR-neutral. The problem is that it's a delivery system for dozens of tracking tags, and by default, all of them fire before your cookie consent banner has been interacted with. That's the compliance gap — and it's more common than you'd think.
GTM vs GA4: Understanding the Difference
Google Tag Manager is a container — it loads on your page and then fires tags based on rules you define. Google Analytics 4 is one of those tags. The GTM snippet itself sends minimal data (it needs to fetch your tag configuration). The privacy problems come from the tags it fires.
When people say "GTM is causing GDPR issues," they usually mean their GA4 tag, their Meta Pixel tag, or their Hotjar tag is firing before consent — and GTM is how it got on the page.
The Default "All Pages" Trigger Problem
When you install a tag in GTM, the default trigger is "All Pages — Page View." This fires the moment the page loads, before your CMP has had a chance to initialize, before any consent has been collected, and before your banner has displayed.
This is the single most common GTM GDPR error. The GA4 configuration tag is set to fire on All Pages. The result: every visitor gets tracked regardless of their consent choice, because the tracking fires before the choice is presented.
Consent Mode v2: What It Does and Doesn't Do
Google's Consent Mode v2 is a framework that lets your CMP communicate consent signals to Google tags. When analytics_storage is denied, GA4 uses statistical modelling instead of direct measurement. When it's granted, full tracking resumes.
This sounds like it solves the problem. It doesn't, entirely. Even in "denied" mode, Google tags still fire — they send minimal, cookieless pings to Google for modelling purposes. Whether these pings constitute a GDPR-compliant data transfer is still debated.
More importantly: Consent Mode v2 is only meaningful if you have a CMP that actually signals consent. Enabling Consent Mode in GTM without a CMP that communicates state changes is just decorative. You need a CMP (Cookiebot, Axeptio, Usercentrics, Didomi) that integrates with GTM's Data Layer to push consent updates.
Default Consent Mode vs Advanced Consent Mode
Default Consent Mode sets the initial state before your CMP loads — typically all denied. Tags can still fire in a limited way (no cookies, aggregated signals). This is the minimum configuration.
Advanced Consent Mode requires your CMP to update the consent state in real time as users make choices. Tags adjust their behavior based on live consent signals. This provides the best balance of data collection and compliance — but requires your CMP to support it and be configured to push updates to the Data Layer.
How to Configure GTM to Fire Only After Consent
The reliable approach, regardless of Consent Mode:
1. Create a Custom Event trigger in GTM that fires when your CMP pushes a consent_granted event to the Data Layer.
2. Change your GA4 Configuration tag trigger from "All Pages" to this Custom Event trigger.
3. Do the same for your Meta Pixel, LinkedIn Insight Tag, and any other consent-dependent tags.
4. Also add a "consent_already_given" path: check for a consent cookie on page load and fire immediately for returning visitors who have previously consented.
5. Test using GTM's Preview mode: confirm the GA4 tag shows "Blocked" on page load and only fires after consent is given.
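The page-side half of steps 1 and 4, as an added example that is not from the original article or from any CMP vendor: it sets the denied default, replays a returning visitor's stored choice as consent_already_given, and pushes consent_granted when the user accepts. The cookie name `site_consent`, the `{analytics, marketing}` choice shape and the `consent_analytics` / `consent_marketing` Data Layer keys are assumptions; the event names come from the steps above.

```javascript
// Added example. Names marked "hypothetical" are assumptions, not GTM or CMP APIs.
const CONSENT_COOKIE = 'site_consent'; // hypothetical cookie your CMP integration writes
const ALL_DENIED = { ad_storage: 'denied', analytics_storage: 'denied',
                     ad_user_data: 'denied', ad_personalization: 'denied' };

// Parse document.cookie-style text; returns the stored choice object or null.
function readStoredConsent(cookieString) {
  for (const part of String(cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join('=')));
      return parsed && typeof parsed === 'object' ? parsed : null;
    } catch (e) {
      return null; // malformed cookie: treat as no consent
    }
  }
  return null;
}

// Map a choice {analytics: bool, marketing: bool} (hypothetical shape) to Consent Mode v2 signals.
function toConsentState(choice) {
  const flag = (ok) => (ok === true ? 'granted' : 'denied');
  return { analytics_storage: flag(choice.analytics), ad_storage: flag(choice.marketing),
           ad_user_data: flag(choice.marketing), ad_personalization: flag(choice.marketing) };
}

// Push the consent update plus the event the Custom Event trigger listens for.
// No event is pushed when nothing was granted, so gated tags stay blocked.
function signalConsent(dataLayer, gtag, choice, eventName) {
  gtag('consent', 'update', toConsentState(choice));
  if (choice.analytics === true || choice.marketing === true) {
    dataLayer.push({ event: eventName, consent_analytics: choice.analytics === true,
                     consent_marketing: choice.marketing === true });
  }
}

// Run before the GTM snippet: default to denied, then replay a returning visitor's choice.
function initConsent(dataLayer, cookieString) {
  const gtag = function () { dataLayer.push(arguments); }; // same shape as Google's gtag stub
  gtag('consent', 'default', ALL_DENIED);
  const stored = readStoredConsent(cookieString);
  if (stored) signalConsent(dataLayer, gtag, stored, 'consent_already_given');
  return gtag;
}

// Call from the CMP's "choices saved" callback (step 1's consent_granted event).
function onUserChoice(dataLayer, gtag, choice) {
  signalConsent(dataLayer, gtag, choice, 'consent_granted');
}
```

In the browser, pass `window.dataLayer` and `document.cookie` to `initConsent` ahead of the GTM container snippet, and add the two hypothetical boolean keys as trigger conditions if analytics and marketing tags should be gated separately.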
The test that catches problems
Open a fresh incognito window and load your site. Open the Network tab in DevTools and filter for "google-analytics" or "gtag." If you see GA4 requests firing before you've interacted with your consent banner, you have a tag firing order problem. This is what GDPR scanners (including this one) check for.
Tags that must wait for consent
- Google Analytics 4 (GA4)
- Google Ads conversion tracking
- Meta Pixel / Facebook Pixel
- LinkedIn Insight Tag
- Hotjar / Microsoft Clarity (session recording)
- TikTok Pixel
- Any remarketing pixel