Google Tag Manager and Data Protection – What Belongs in the Privacy Policy
Compact guide to Google Tag Manager: function, processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
Google Tag Manager and Data Protection – What Website Operators Need to Know
If a website operator uses Google Tag Manager (GTM), it processes user and interaction data via the tags connected to GTM for the purposes of website optimization, marketing and analytics on the basis of consent and/or legitimate interests. Google Tag Manager itself is a container system without independent tracking; the actual data processing is carried out by the individual tags configured in GTM (such as Google Analytics, Facebook Pixel, LinkedIn Insight Tag). This guide deals with GTM as a central integration and management platform as well as the requirements for the privacy policy when it is used. As of: 2026-04-22.
A. Purpose and Function of Google Tag Manager
Google Tag Manager is a tag container system from Google Ireland Limited. It enables website operators to centrally manage, configure and activate tracking codes and pixel implementations (tags) – without having to change the website code directly. A tag is typically a code snippet that transmits user data to a service (e.g. Google Analytics, Facebook Pixel, LinkedIn Insight Tag, Bing Ads, Adobe Analytics).
Central functions:
- Central management of tracking codes and pixels
- Conditional triggering of tags based on user behavior
- Data layer management to prepare data before sending to target services
- Version control and audit functions
Important: Google Tag Manager itself does NOT collect its own cookies or usage data. It is purely a management tool (container). The actual data processing is done by the individual tags configured in GTM. Therefore, the data protection obligations for GTM are downstream: the website operator must disclose WHICH tags it uses and what data THESE tags transmit to their target services.
This guide focuses on GTM as container infrastructure. Additional, separate data protection requirements apply to the individual tags (Analytics, Ads, Pixel).
B. Mandatory Disclosures in the Privacy Policy regarding Google Tag Manager
According to GDPR Art. 13(1) and Art. 14, website operators that collect user data must provide the following information in their privacy policy:
- Purposes of the processing (Art. 13(1)(c))
- Legal bases (Art. 13(1)(d))
- Legitimate interests, where Art. 6(1)(f) GDPR is the basis (Art. 13(1)(d))
- Categories of recipients (Art. 13(1)(e))
- Third-country transfers and safeguards (Art. 13(1)(f))
- Retention period or criteria for determining it (Art. 13(2)(a))
- Special data categories (Art. 14(1)(d)), if processed
This information must be detailed in the privacy policy for Google Tag Manager. However, a problematic convention has become established in practice: many privacy policies contain tool-specific text blocks (e.g. an entire paragraph just for Google Analytics, another just for Facebook Pixel, etc.). This leads to bloated, confusing privacy policies and violates Art. 12(1) GDPR (requirement of intelligibility).
Better approach: A topic-oriented structure in which purposes, legal bases and data types are explained centrally and the recipients are listed in a structured manner in an annex (recipient table). This way GTM and its downstream tags become transparent without impairing readability.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Google Tag Manager: Google Ireland Limited
Legal details:
- Full name: Google Ireland Limited
- Address: Gordon House, Barrow Street, Dublin 4, D04 E5W5, Ireland
- Country of registered office: Ireland (European Economic Area)
- Parent company: Google LLC (USA) – however, for GTM itself, Google Ireland Limited is the European contracting party
Data Privacy Framework (DPF): Google LLC and its US subsidiaries have committed to and are certified under the EU-US Data Privacy Framework. This means that data transfers to the USA are permissible on the basis of Art. 45 GDPR (adequacy decision of the EU Commission).
Privacy policy: https://policies.google.com/privacy?hl=de
Data Processing Agreement (DPA): Google Ireland Limited provides a standard data processing agreement. This is available in the Google account under Administration > Account Settings > Data Processing Amendment. The DPA governs Google's technical and organizational measures as a processor. However, it should be noted that some legal experts argue that Google – as in the Google Analytics saga – may also be involved in its own processing purposes when GTM is used, especially if Google uses usage data from GTM for optimization or marketing purposes. A case-by-case examination by the website operator is therefore recommended.
D. Data Processing by Google Tag Manager – Process
Collection
Google Tag Manager is embedded in the website as JavaScript code. As soon as a user visits the website, GTM is executed. However, GTM does not collect data directly – rather, it prepares the data and forwards it to the configured tags. These tags (e.g. Google Analytics) then collect interaction and navigation data such as clicks, scroll behavior, visited pages, device type, browser and IP address.
Storage
Google Tag Manager itself stores data in the Google Cloud infrastructure. Under DPF certification, data is stored in the USA or in EEA data centers, depending on the configuration and the type of tags connected to GTM. The retention period for GTM-internal data is typically short (a few days to weeks); longer storage is carried out by the individual tags in their respective systems.
Use
Google Tag Manager executes trigger-based logic: based on predefined user behavior (e.g. "when user clicks on button"), individual tags are activated or data is filtered. GTM itself does not use this data commercially; use is by the downstream tags and their providers (Google Analytics Inc., Meta Platforms, LinkedIn, Microsoft, etc.).
Sharing
Google Tag Manager transmits data to all tags configured in GTM. These are typically sub-processors within the meaning of Art. 28(2) and (4) GDPR. Frequent recipients include: Google Analytics, Google Ads, Meta Pixel, LinkedIn Insight Tag, Microsoft Advertising, Adobe Analytics. Each of these services has its own privacy policy and data processing policies; the website operator is responsible for knowing these recipients.
Erasure
The website operator can erase data in the GTM settings or deactivate GTM. Google Ireland Limited carries out automatic erasure routines depending on the duration of account use and the configuration. After account termination, data is typically erased after 180 days. This is to be verified by the operator.
E. Data Collected when Using Google Tag Manager
Google Tag Manager itself is a container and does not collect its own data. However, data is embedded into the website and forwarded via GTM. Depending on the configuration of the individual tags, the following data categories may be processed:
This data can be classified into the following standardized data type categories:
- Web server log data: With every HTTP request: IP address, date/time/time zone, requested URL, referrer URL, browser type/operating system/device type, technical header metadata
- Click paths: Visited pages including referrer, clicked links and buttons with date and time
- End-device data: Device type, operating system, screen resolution/size, device orientation, touch support, available storage capacity
- Browser information: Browser name, browser version, installed browser extensions
- Conversion events: Registration, cart creation, product purchase, appointment booking, contact request, download, video view, visit to specific pages
- Interaction data: Scrolling movements, mouse movements, keystrokes, mouse pointer position, touch movements, click duration
- Technical telemetry data: Error messages, JavaScript errors, loading times, data volume, network latency
Note: The data actually collected depends on the respective tag configuration. The website operator should keep a register of the tags configured in GTM and know their respective privacy policies.
F. Purposes of Use when Using Google Tag Manager
The purposes of data processing through GTM are diverse and result from the configuration. Google Tag Manager itself enables these purposes to be pursued, but does not act as an independent controller. However, GTM supports the following typical purposes:
- Functional provision: Provision and assurance of website functionality, error detection and resolution
- General product improvement: Optimization based on frequently accessed content and functions, business planning
- General marketing: Targeting of advertising campaigns overall, success measurement and reach analysis
- User profile creation: Determination of user interests, demographic characteristics, segments (audience segmentation)
- User-individual marketing: Remarketing, display of interest-based content, personalized advertising in advertising networks, direct marketing
- Security and abuse protection: Detection and prevention of attacks, anti-spam and anti-bot defense, fraud prevention
Note: The specific purpose results from the individual tags, not from GTM itself.
G. Legal Bases for Google Tag Manager
Google Tag Manager as container: Google Tag Manager is primarily a management tool and is often operated on the basis of legitimate interests of the website operator (Art. 6(1)(f) GDPR): efficient management of tracking code, data quality, website optimization.
The tags loaded via GTM are subject to their own legal bases:
- Marketing tracking tags (Meta Pixel, LinkedIn Insight Tag, Microsoft Ads, Google Ads): Typically consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (electronic disclaimer directive). These tags may therefore only be loaded AFTER consent has been given (e.g. via a cookie consent banner).
- Analytics tags (Google Analytics): Can be carried out on the basis of legitimate interests (Art. 6(1)(f)) or consent, depending on scope and configuration.
- Google Tag Manager container itself: Rather legitimate interests (technical management); the data tags work according to their own legal bases.
Practical tip: The website operator should use a cookie consent banner and list GTM as well as the individual tags (Analytics, Ads, Pixel) individually – not as "Google Tag Manager", but with a clear reference to the underlying services.
H. Special Features and Notes regarding Google Tag Manager
1. Google Tag Manager is not an independent tracking service: GTM is a container, not a tracking service. Therefore, privacy policies should not sound as if GTM itself collects data. Communication should make it clear: GTM manages tags through which third-party providers (Google Analytics, Facebook, etc.) collect the data.
2. Consent requirement and Hanover Administrative Court (March 2025): The Hanover Administrative Court has decided that Google Tag Manager may only be loaded AFTER consent if it sets cookies or serves to activate cookie-based tags. This means: a cookie banner should be displayed BEFORE GTM is loaded.
3. Data Processing Agreement (DPA): Google Ireland Limited provides a standard DPA. This can be retrieved in the GTM account. However, the following points should be checked:
- The DPA only covers GTM itself, NOT the downstream tags
- For each tag (Google Analytics, Meta Pixel, etc.), a separate DPA or corresponding data protection addendum should be in place
- The legal force of the DPA is debated by experts, especially in case of Google's own processing purposes
4. Data transfer to the USA: Google LLC and subsidiaries are DPF-certified. This enables data transfers on the basis of an adequacy decision (Art. 45 GDPR). An additional safeguard through Standard Contractual Clauses (SCCs) is recommended but not mandatory in case of DPF certification.
5. Opt-out and control: Users can block the loading of GTM in their browser (e.g. via script blockers). However, this is a technical and not a legal measure. Real opt-out is only possible through consent (consent can be withdrawn at any time).
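One way to implement point 2 (show the banner first, load GTM only after consent) and the withdrawal case from point 5, as an added example that is not code from Google or matterius. The function name createGtmLoader, the consent object shape { marketing: boolean }, the assumed ID pattern and the placeholder container ID GTM-XXXXXXX are assumptions made for illustration.

```javascript
// Added example: consent-gated loading of the GTM container script.
// Hypothetical names: createGtmLoader, consent shape { marketing: boolean }.
const GTM_ID_PATTERN = /^GTM-[A-Z0-9]+$/; // assumed ID shape; "GTM-XXXXXXX" is a placeholder

function createGtmLoader(doc, win, containerId) {
  if (!GTM_ID_PATTERN.test(containerId)) {
    throw new Error("unexpected container ID: " + containerId);
  }
  let loaded = false;

  // Wire this to the consent banner's callback; it returns what happened.
  return function onConsentChange(consent) {
    const granted = Boolean(consent) && consent.marketing === true;
    if (!granted) {
      // Before consent: nothing is requested from googletagmanager.com.
      // After loading: the script cannot be unloaded, so the page must be
      // reloaded without GTM once consent is withdrawn.
      return loaded ? "reload-required" : "blocked";
    }
    if (loaded) return "already-loaded";

    // Same two steps as the standard GTM snippet: seed dataLayer, inject gtm.js.
    win.dataLayer = win.dataLayer || [];
    win.dataLayer.push({ "gtm.start": Date.now(), event: "gtm.js" });
    const script = doc.createElement("script");
    script.async = true;
    script.src = "https://www.googletagmanager.com/gtm.js?id=" +
      encodeURIComponent(containerId);
    doc.head.appendChild(script);
    loaded = true;
    return "loaded";
  };
}

// In a browser (placeholder container ID, hypothetical banner API):
//   const onConsent = createGtmLoader(document, window, "GTM-XXXXXXX");
//   cookieBanner.onChange(onConsent);
```

With this pattern the static GTM snippet is removed from the page template, so no request reaches googletagmanager.com until the banner reports consent.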
I. FAQ regarding Google Tag Manager
J. Conclusion and Recommendation regarding Google Tag Manager
Google Tag Manager is a flexible tag management system used by many website operators. It is not itself a data collector but an administrative management tool. The data protection challenge arises from the multitude of target tags: each tag has its own data processing obligations and legal bases. A privacy policy that addresses GTM in a separate paragraph does not do justice to the system and leads to impractical, confusing texts that violate Art. 12(1) GDPR (intelligibility).
Recommendation: A topic-oriented structure in the privacy policy, in which purposes (website optimization, marketing, analytics) are explained centrally and a structured recipient table lists all services configured in GTM, is more practical and more GDPR-compliant. This promotes transparency and reduces legal risks. The website privacy policy generator suite provided by matterius supports this integrated approach.
This article is intended for general information about Google Tag Manager and does not replace legal advice in individual cases. The information is based on manufacturer information, publicly available sources and GDPR case law. As of: 2026-04-22.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com