Nixon Digital

How to comply with cookies using GTM?

Google Tag Manager, better known as GTM, is an excellent tool for marketeers and developers. It allows you to deploy scripts and tags on your websites and change them at any time without having to touch the site's code. Some of these scripts may set third-party cookies in your visitors' browsers, raising privacy concerns. In this blog post you will learn how Google Tag Manager uses cookies and how you can use GTM in compliance with privacy regulations for cookies, such as the GDPR and CCPA.

What is Google Tag Manager and how does it work?

Google Tag Manager (GTM) is a tag management system that helps you to easily manage tags and trackers on your websites without having to directly modify the code.

Websites have many different types of code running in the background. Sometimes code is used to track how visitors interact with websites, for example by monitoring page time and clicks. GTM helps by allowing you to add and manage these types of tags from a single dashboard.

With Google Tag Manager, you can create new tags, remove old ones, and enable them in your website or applications.

In short, Google Tag Manager lets you:

  • create tags that collect data from website visitors,
  • use these tags to measure how users interact with your website,
  • set up triggers so that certain actions automatically trigger new tags or updates to existing tags.

You can use Google Tag Manager to:

  • track page views on your site,
  • track button/link clicks (sign up for a newsletter, fill out a form, link tracking),
  • track conversions (making a purchase),
  • collect information about users’ devices and browsers,
  • collect information about user behaviour.

Does Google Tag Manager use cookies?

By default, Google Tag Manager does not use cookies. Nonetheless, it does enable tags for third-party scripts that may set cookies on users’ devices. Google Tag Manager reads the value of first-party cookies set by your website, but it does not read the value of third-party cookies.

GTM itself sets cookies in only one case: when you enable its preview and debug mode, it sets first-party cookies on the website being previewed. These first-party cookies are needed for preview mode to work, so that it can show what is happening on your website and which tags are firing. Only administrators or users using preview mode will receive these cookies; when you are finished previewing, Google Tag Manager will delete these cookies.

GDPR compliance and Google Tag Manager

Google Tag Manager allows you to use tags across 5 related (sub)domains with a single installation in a GDPR-compliant way. It gives you control and insights over the data that is sent to your websites, so you have transparency over what data is being collected.

It can gather data about tags firing to monitor, inform, and improve the quality of GTM. However, GTM does not collect, store, or share any personally identifiable information (PII) about its users, except for HTTP request logs which are deleted after 14 days. It also does not use tracking technologies such as cookies.

But let us say that you are interested in using Google Analytics 4 or other web analytics tools through GTM. You will need to update your privacy policy and get permission if these tools gather personal information from visitors.

Cookies by category

First-party and third-party cookies have broadly the same purpose: they track user actions. Cookies can also be categorized. Some categories are vital for your website to function properly, while others make additional features of the website accessible.

Did you know that there are cookies that are impossible to opt out of? These cookies are called necessary cookies, and there is not much a user can do if they do not want them to be active on your website.

Strictly Necessary Cookies

Strictly Necessary cookies are necessary for your website to provide simple functions. Such functions include the ability to sign in, add items to a shopping cart, or buy your favourite items online.

Essential cookies are usually first-party cookies and allow users to move between websites without losing their previous actions.

It is also important to know that necessary cookies do not require consent: most cookie laws, including the GDPR, exempt necessary cookies from the requirement to collect consent before they perform their actions.

Performance cookies

Performance cookies monitor website performance and follow users' actions but do not collect identifiable information. They collect data anonymously and use it to improve the website. These cookies can count page visits, examine how often a button is pressed, and measure loading speed to improve website performance.

Performance cookies are perceived as first-party cookies, but they can also be classified as third-party cookies. Therefore, third parties may place cookies on a user’s device through a website in order to determine the best location to serve personalised ads.

Functional cookies

Functional cookies are used to improve the performance of a website that would otherwise lack certain functions. These cookies are therefore not vital for a website to run, but they allow the website to remember users' preferences and settings.

Consent management in Google Tag Manager

Google Tag Manager has features that help you manage how tags behave in response to user consent. With Google Consent Mode, you can control how tags behave, including which tags fire on a webpage and which do not, depending on whether the user has given consent on your website.

The Consent Initialisation trigger in Tag Manager ensures that consent settings are executed before tags fire in response to other triggers. This trigger can be used with third-party vendors that integrate with GTM’s consent management capabilities. Each web container includes a Consent Initialisation – All Pages trigger by default, which you can select to fire any tags that require it.

How do I comply with cookie laws when using Google Tag Manager?

When you use Google Tag Manager on your website to deploy tags that use cookies, you can use the following checklist to stay privacy compliant.

  • Keep a list of all third-party scripts/tags used by your GTM.
  • Run a cookie scan to identify cookies set by your site.
  • Check if they use cookies that track user information.
  • If so, add a cookie banner to your site to obtain user consent.
  • Make sure you provide the necessary details about the cookies used and what they do when you ask for consent.
  • Allow users to opt-out of these cookies.
  • Allow users to choose their consent for cookies based on their category.
  • Automatically block all third-party (and non-essential) cookies when the user first arrives at your site, and only unblock cookies for which they have given consent.
  • Give users the option to withdraw consent later.
  • Keep a log of all consents received for use as evidence if requested.
  • Provide a detailed explanation of all cookies in a privacy or cookie policy, and provide a link to it on the cookie banner and other important pages of your site.
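
The default-block, per-category choice, withdrawal and consent-log items in the checklist above, expressed with the Consent Mode commands described earlier. This is an added example, not code from Nixon Digital, OneTrust or Google; the category names (including `marketing`) and their mapping to Consent Mode types are assumptions to align with your own CMP.

```javascript
// Added example: default-deny Consent Mode state plus per-category updates.
// Category names and their mapping to consent types are assumptions.
const root = globalThis; // `window` in the browser
root.dataLayer = root.dataLayer || [];
function gtag() { root.dataLayer.push(arguments); } // GTM expects the arguments object

const CATEGORY_TO_TYPES = {
  performance: ['analytics_storage'],
  functional: ['functionality_storage', 'personalization_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Build a consent state from the visitor's per-category choices.
// Only an explicit `true` grants a category; strictly necessary is always granted.
function buildConsentState(choices = {}) {
  const state = { security_storage: 'granted' };
  for (const [category, types] of Object.entries(CATEGORY_TO_TYPES)) {
    const granted = choices[category] === true;
    for (const type of types) state[type] = granted ? 'granted' : 'denied';
  }
  return state;
}

// First arrival: deny every non-essential type before any tag can fire.
function setDefaultConsent() {
  const state = buildConsentState({});
  // wait_for_update gives the banner time (in ms) to restore a stored choice.
  gtag('consent', 'default', { ...state, wait_for_update: 500 });
  return state;
}

// Banner save or later withdrawal: push the update and return a record
// that the caller stores as evidence of the consent received.
function applyChoices(choices, now = new Date()) {
  const state = buildConsentState(choices);
  gtag('consent', 'update', state);
  return { timestamp: now.toISOString(), choices: { ...choices }, state };
}

setDefaultConsent();
```

In the page, this script goes ahead of the GTM container snippet so the denied defaults are in the data layer before the container loads. Withdrawal is the same `applyChoices` call with the category set to `false`.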

Nixon Digital and Cookie management

One of the most important things to consider is to automatically block all third-party and non-essential cookies on a user’s first visit to your website. You can do this using a Consent Management Platform. However, when you are using GTM, tags can fire before the CMP can block these cookies. For this reason, you should use a CMP that allows you to take advantage of all the features of the GTM without compromising the privacy of the user.

It can be difficult to ensure that your Consent Management Platform is correctly implemented across your dynamic digital portfolio. With the OneTrust CMP combined with the Nixon platform, you can be confident that the CMP is implemented correctly. Nixon Digital specialists are experts and can fully implement the OneTrust CMP on your sites. If you choose the full implementation, you will get the following:

  • We ensure you have the necessary cookie compliance licences.
  • We expertly implement the Consent Management Platform (CMP) across all your websites.
  • We block all third-party and non-essential cookies, except those that are strictly necessary.
  • You gain valuable insight into the cookies on your websites.