Recent developments
In March 2025, the German Administrative Court of Hanover (VG Hannover) ruled that loading Google Tag Manager (GTM) requires prior user consent, even if GTM itself does not set cookies. The court highlighted that GTM connects to Google servers on page load, transmitting IP addresses and device details, and storing JavaScript locally on user devices.
This means GTM can no longer be seen as a “neutral container.” Instead, it should be treated as active data processing, requiring explicit consent under the GDPR and TTDSG.
At the same time, Google has introduced Consent Mode v2 (GCM v2), which is designed to respect user choices but still sends certain signals to Google before consent. Regulators are actively reviewing whether this is sufficient for GDPR compliance.
Because of these developments, we recommend configuring GTM so it does not load until after consent is given.
Complianz’s approach
As with our earlier investigations into Google Fonts and reCAPTCHA, we are currently testing what happens when an empty GTM container loads before consent, and how Google processes that data. Our starting point is Google’s own statement that Tag Manager does not collect IP addresses or user-specific identifiers, beyond standard HTTP logs deleted after 14 days.
In order to monitor system stability and performance, Google Tag Manager may collect some aggregated data about tag firing. This data does not include user IP addresses or any user-specific identifiers that could be associated with a particular individual. Other than data in standard HTTP request logs, all of which is deleted within 14 days of being received, Google Tag Manager does not collect, retain, or share any information about visitors to our customers’ properties, including page URLs visited.
Source Tag Manager Help
Still, the German ruling shows that courts may interpret GTM’s initial connection as personal data processing in itself — regardless of whether GTM sets cookies.
Until our investigation concludes (and we will notify you directly in the plugin), we recommend a cautious approach:
-
If your website targets or operates in Germany, load GTM only after consent.
-
In other regions, this stricter setup is optional but may help reduce compliance risks.
If you want to configure GTM so it fires only after consent, please follow the quick guide below.
How to load Google Tag Manager after consent
This will only take 2 minutes. You will need to change an answer in the wizard and add the Tag Manager snippet below:
1. Do not allow Complianz to set Tag Manager
In the wizard, go to Wizard > Consent > Statistics and acknowledge the use of Google Tag Manager by selecting “Yes, and Google Tag Manager fires this script”
Then proceed to Statistics Configuration and answer the following question as shown below:
2. Add the Google Tag Manager snippet
Add the Google Tag Manager snippet with these attributes:
- type=”text/plain” -> This will block Tag Manager prior to consent
- data-category=”statistics” -> This will release Tag Manager
Use the snippet below and place it in the header of your website. (Please replace “GTM-XXXXXX” with your own GTM-ID.)
You can add it directly in your theme’s header.php (child theme recommended), or
Use a plugin like Header Footer Code Manager to insert the code in the header.
Why the header?
GTM should load as early as possible to fire tags correctly.
Placing it in the footer can cause scripts to miss initial page events or delay tracking.
The type=”text/plain” and data-category=”statistics” attributes ensure Complianz blocks the script until the user gives consent.