Why Cookie Management and GTM must work together
Google Tag Manager (GTM) is a powerful tool for deploying scripts and tracking technologies across your website. However, GTM does not manage user consent by default. If tags are fired before a user explicitly agrees, you may be violating privacy regulations like GDPR and the ePrivacy Directive.
A landmark 2023 German court ruling confirmed this: loading GTM before obtaining consent is unlawful. Why? Because GTM can load third-party trackers that require prior consent. This ruling reflects a broader trend across Europe and beyond.
So, what does a compliant, user-respecting integration look like?
Step-by-step: Best practices for GTM and Cookie Management integration
Step 1: Load your cookie banner before GTM
This might sound obvious, but it’s often overlooked. Your cookie banner should be the first thing that loads on your site, before GTM, before analytics, before anything else.
Why? Because users need to make a choice before any tracking begins. As part of this, you should make sure:
- The banner is jurisdiction-aware (GDPR, CCPA, etc.)
- Users can accept, reject, or customise their preferences
- It’s accessible and doesn’t rely on dark patterns.
Top tip: If you’re deploying the banner via GTM, use a high-priority trigger to ensure it loads immediately.
Step 2: Use Google’s Consent Mode
Google introduced Consent Mode to help bridge the gap between privacy and performance, allowing GTM to adjust how tags behave based on the user’s consent status.
For example:
- If a user declines analytics cookies, Google Analytics can still send anonymised data
- If marketing consent isn’t given, ad tags won’t fire.
To implement:
- Set default consent states in GTM
- Update those states dynamically based on user interaction with your banner
- Configure each tag to respect those states (Google’s setup guide)
It’s not a silver bullet, but it’s a solid foundation.
Step 3: Control tag firing with triggers and variables
This is where GTM’s flexibility really helps. You can create custom triggers that only fire tags when specific consent categories are accepted.
For example:
- Fire Meta Pixel only if “Marketing” consent is true
- Load Hotjar only if “Performance” consent is accepted.
To do this:
- Create consent variables in GTM
- Build triggers that check those variables before firing
- Apply these triggers to each tag individually.
It takes some setup, but once it’s in place, it gives you full control over what runs and when.
Step 4: Audit your tags and cookies regularly
Even with a solid setup, things change: new campaigns, new tools, new scripts. This is why regular audits are essential. Use a scanner like the Syrenis Cookie Audit to:
- Identify all cookies and scripts running on your site
- Categorise them by purpose (essential, performance, marketing)
- Check if any are firing before consent is given.
This isn’t just about compliance – it’s about knowing what’s happening on your site and being able to review its activity.
Step 5: Keep a consent log
If regulators ask how consent was obtained, you need to be able to show them. That means logging:
- Timestamped consent decisions
- Banner interactions
- Consent status at the time each tag fired.
Most CMPs including Cassie offer this natively. Ensure GTM supports it via DataLayer events like:
Many consent platforms offer this out of the box, but make sure your GTM setup supports it too; it’s your safety net.
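As an added example (not code from this page, Google or any CMP), the sketch below ties Step 2 and Step 5 together: every Consent Mode signal defaults to denied, the banner choice updates the signals, and a timestamped entry is pushed to the dataLayer. The category names, the category-to-signal mapping and the `consent_decision` event name are assumptions.

```javascript
// Added example: Consent Mode defaults, banner-driven updates, and a log entry.
// Assumptions: category names, CATEGORY_TO_SIGNALS and the "consent_decision"
// event name are illustrative and not taken from any specific CMP.
const root = typeof window !== 'undefined' ? window : globalThis;
root.dataLayer = root.dataLayer || [];

// Standard gtag shim: queues commands for GTM / Google tags to read.
function gtag() { root.dataLayer.push(arguments); }

// Consent Mode signal names defined by Google.
const SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Assumed mapping from banner categories to Consent Mode signals.
const CATEGORY_TO_SIGNALS = {
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  performance: ['analytics_storage'],
};

// Start from "everything denied" so a missing answer never grants anything.
function deniedState() {
  return Object.fromEntries(SIGNALS.map((s) => [s, 'denied']));
}

// Must run before the GTM container snippet loads.
function setConsentDefaults() {
  const state = deniedState();
  gtag('consent', 'default', state);
  return state;
}

// Call from the banner's accept / reject / customise handler.
// `choices` looks like { marketing: false, performance: true }; only a strict
// `true` grants a category, so malformed or missing values stay denied.
function applyBannerChoice(choices, now = new Date()) {
  const state = deniedState();
  for (const [category, signals] of Object.entries(CATEGORY_TO_SIGNALS)) {
    if (choices[category] === true) signals.forEach((s) => { state[s] = 'granted'; });
  }
  gtag('consent', 'update', state);
  // Timestamped record of the decision, readable by GTM and by your own logging.
  const entry = {
    event: 'consent_decision',
    consent_timestamp: now.toISOString(),
    consent_state: state,
  };
  root.dataLayer.push(entry);
  return entry;
}
```

In GTM, a Custom Event trigger matching the assumed `consent_decision` event name can forward each entry to wherever your consent records are kept.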
Legal insights: What courts and regulators expect
- Consent must be explicit and freely given – no pre-ticked boxes or vague language
- Rejecting cookies must be as easy as accepting them
- GTM is not exempt – it must not load before consent unless strictly necessary
- International data transfers and withdrawal rights must be disclosed upfront.
Common cookie mistakes to avoid
Don’t:
- Load GTM before consent
- Assume Consent Mode alone ensures compliance
- Use vague or misleading banner language
- Overlook third-party scripts that silently track.