Integrate Google Tag Manager GDPR-compliant into WordPress!

Google’s Tag Manager service is a real asset for marketers, because they no longer have to rely on the help of IT specialists to integrate tracking tools into websites or apps. Sounds great in itself, if it weren’t for the problem of data protection.

In this article, we’ll tell you how you can still implement Google Tag Manager in your WordPress website in compliance with the GDPR!

Attention: This article is not legal advice! We as developers of WordPress plugins and contractors of website projects have dealt intensively with this topic, as it is essential in our daily work. However, we are neither lawyers, nor can we guarantee the completeness, timeliness and accuracy of the following information. In case of doubt, always consult a lawyer.

What is Google Tag Manager?

What is the Google Manager? The Google Tag Manager (GTM) is a free tag management system that helps you to integrate numerous web analysis tools (e.g. Google Analytics), HTML codes and Java scripts into your website or mobile app. In short, you can easily integrate web tracking into your website. 

You can excellently identify the behaviour or interactions of your visitors with the help of certain interactions (clicks, scrolling, submitting forms, etc.) and evaluate them in corresponding tools such as Google Analytics. You can then use the knowledge gained to optimise your website.

Basically, the GTM works with the following components:

  • Tags: A code snippet by means of which data is sent to systems such as Google Analytics. As a rule, tags send tracking information to third-party services.
  • Trigger: A trigger is a trigger. It checks the occurrence of specific events (e.g. clicks, page views, form submissions).
  • Variables: Placeholder for a changing value (e.g. date, price, name of a product).
  • Data layer: This is where data is temporarily stored so that it can be moved into triggers, tags and variables by the GTM and retrieved from variables.

Advantages of using Google Tag Manager

Probably the biggest advantage of Google Tag Manager (GTM): You don’t have to be a developer owl, because you don’t have to constantly venture into the code of your website (where you can damage a lot without knowledge). In addition, your source code also remains clear, as you are spared the implementation of tracking codes from various service providers 😉

The main code (container tag) only needs to be created once and integrated into the website. All tags for a GTM account are created in this container. You can then make changes centrally in the Google Tag Manager interface. Easy!

Further advantages of the Google Tag Manager:

  • You only need a code for the integrations of numerous tracking codes
  • Automatic verification of embedded tags
  • Free of charge
  • Intuitive interface

Is Google Tag Manager compliant with the GDPR?

Since Google Tag Manager is obviously a Google offshoot, the first thing to be careful about when using it is data protection. Why? Google is a US company.

Since the overturning of the Privacy Shield – a data protection agreement between the USA and the EU – the ECJ has classified the USA as an unsafe third country with a poor level of data protection. Consequently, the transfer of personal data may only take place, if at all, after the consent of the website visitor.

According to its own statement, Google Tag Manager does not store IP addresses.

In order to monitor system stability and performance, Google Tag Manager may collect some aggregated data about tag firing. This data does not include user IP addresses or any user-specific identifiers that could be associated with a particular individual.

Nevertheless, the IP address is inevitably transmitted when Google Tag Manager is loaded. Which brings us back to the topic of data transfer to the USA…

If you do not comply with the requirement to obtain consent for the transfer of, for example, the IP address, you, as a website operator, may have to pay a lot of money. An example of just such a case, in which the website operator concerned got off relatively lightly, occurred in January 2022.

The website operator had integrated the Google service Google Fonts into her website. In doing so, the IP address of the plaintiff was transmitted to Google in the USA without his consent, just like with Google Tag Manager.

The Munich Regional Court upheld the action. As a result, the defendant had to pay damages in the amount of €100, since the unauthorised disclosure violated the defendant’s general right of personality in the form of the right of informational self-determination. An appeal to a legitimate interest on the part of the website operator did not help either. The reason for the ruling was the plaintiff’s “discomfort” due to the loss of control over the data.

What do we learn from this? It is better to obtain too much consent than too little 😉

Google Fonts can also be used in a GDPR-compliant way (without the connection to the Google server) by simply embedding it locally. You can read more about how to do this in our blog article on hosting Google Fonts locally.

Google Tag Manager and Cookie Consent

But there is also one good thing, because unlike many other services, Google Tag Manager in its “naked form” (without playing out/reloading other tools) does not usually set cookies. The only cookie that may be set is one to enable GTM’s preview and debug mode. Accordingly, you are at least spared the tiresome topic of cookie consent for the use of Google Tag Manager 😉

But: It is very likely that tools that are reloaded using GTM set cookies. In this case, you need consent in any case, unless they are considered essential – which is the case with tracking tools.

This is why Google Tag Manager is not an essential service

If GTM was an essential service, the whole consent issue would be a little different. In other words, you wouldn’t need consent to use the service.

But what actually is an essential service? Roughly summarised, such services and cookies are technically necessary services that are indispensable for the basic functionality of a website.

Example: Login area cookies

❌ No example: YouTube, Google Analytics, Google Fonts, Facebook Pixel

After this explanation, you will certainly be able to answer the question of the technical necessity of Google Tag Manager yourself. Correct, it is not an essential service! Your website also works without the integration of the scripts via GTM.

Conversely, this means that you need opt-in consent at least for the transfer of personal data to Google Tag Manager.

Integrating Google Tag Manager into a WordPress website in a privacy-compliant way

The issue of data transfer to the USA still remains. In order to be able to integrate Google Tag Manager into your WordPress website in compliance with the GDPR, you need consent (as already mentioned). But how can you best obtain this consent? Quite simply: with the help of the Cookie Consent Plugin Real Cookie Banner.

What exactly does this look like in practice?

USA GDPR WordPress

In Real Cookie Banner, a corresponding function is available to you – both in the global settings and in individual templates – by means of which you can obtain the consent of your website visitors to the transfer of data to the USA. After activation, a corresponding text will be displayed in your cookie banner.

By default, this is always deactivated, as such a transmission does not take place on all websites.

Google Tag Manager Opt-in with Real Cookie Banner

How exactly you can easily set up the Google Tag Manager service in your Cookie Banner is explained in detail in a separate article in our knowledge base.

You can find a tutorial on how to use Google Tag Manager to integrate the Google Analytics tracking code in our blog article Integrating Google Analytics Tracking Code.

Mention Google Tag Manager in the privacy policy

Last but not least, to complete the GDPR-compliant implementation of Google Tag Manager, you should also remember to list Google Tag Manager in your privacy policy in order to comply with the information obligation pursuant to GDPR Art. 13.