Does Google Tag Manager require disclosure in a privacy policy?

Yes. While Google Tag Manager itself is a deployment platform rather than a data collector, it must be disclosed because it loads tracking tags that collect personal data. You must disclose the specific tags loaded through GTM (such as Google Analytics or Facebook Pixel) along with their individual data collection practices, as these determine what information is actually collected from your visitors.

What specific data does Google Tag Manager collect?

Google Tag Manager itself collects no data directly. However, the individual tracking tags you configure within GTM will collect data based on their specific purposes—such as analytics tags collecting page views and user interactions, or conversion tags collecting purchase information. You must review and disclose the data practices of each tag loaded through your GTM container.

Does Google Tag Manager require a cookie consent banner?

Whether a consent banner is required depends on the tags loaded through GTM, not GTM itself. If your GTM container loads tags that set cookies or process personal data (Google Analytics 4, Facebook Pixel, etc.), you must obtain user consent before these tags fire in jurisdictions like the EU and California. GTM supports consent mode to delay tag firing until consent is obtained.

Who processes data collected through Google Tag Manager, and where is it transferred?

Google Tag Manager is provided by Google LLC, a United States-based processor. Data collected by individual tags loaded through GTM is transferred to their respective processors—for example, Google Analytics data goes to Google, while Facebook Pixel data goes to Meta. Each tag has its own data processing terms and transfer mechanisms that you should review separately.

Tag Manager

Privacy policy clauses for Google Tag Manager

Google Tag Manager is a container system that allows websites to deploy and manage tracking scripts without direct code modifications. It simplifies the process of adding analytics, advertising, and measurement tags to a website by centralizing their management in a single interface.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Google Tag Manager collects

Your privacy policy must disclose each of the following data types when you use Google Tag Manager.

GTM itself does not collect data, but it loads other tags that may collect data. All tags loaded via GTM must be individually disclosed.

When does Google Tag Manager trigger privacy obligations?

When Google Tag Manager Triggers Compliance Obligations

Google Tag Manager itself does not collect data—it is a container that *loads and fires other tracking tags*. However, installing GTM on your site or app immediately triggers obligations because:

### The Moment of Obligation

The instant GTM fires, it begins executing third-party scripts (analytics, advertising pixels, heatmaps, etc.) that *do* collect data. This is a trackable event under GDPR Article 6 (lawful basis), GDPR Article 13 (transparency), and CCPA Section 1798.100 (consumer right to know).

### Jurisdictional Thresholds

–GDPR: Applies if your site/app is accessible to EU residents OR you process personal data of EU subjects. No revenue threshold. Installing GTM with Google Analytics 4 (a common pairing) creates a U.S.–EU data transfer, triggering GDPR Articles 44–49 (adequacy, SCCs, or other safeguards).
–CCPA: Applies if you collect personal information from California residents and meet any threshold: $25M+ annual revenue, buy/sell data of 100k+ residents, or derive 50%+ revenue from selling consumer data. GTM + advertising tags often trigger the "sale" definition (CCPA Section 1798.140(ag)).

Common compliance pitfalls

Common Compliance Mistakes with Google Tag Manager

### Pitfall 1: Treating GTM as a Tag Rather Than a Container

The Mistake: Operators assume GTM itself is "the tracking tool" and disclose it as if it were Google Analytics or Facebook Pixel. They update their privacy policy to say "we use Google Tag Manager" without listing the specific tags (Analytics, Ads, custom events) GTM actually fires.

Why It Happens: GTM's UI is clean and appears to be a single tool. Teams don't realize GTM is merely the delivery mechanism, not the data processor.

Consequence: Your privacy policy becomes legally inaccurate. Under GDPR Article 13 and CCPA Section 1798.100, consumers have a right to know *specifically* what data is collected—vague references to GTM fail that standard. Regulators and auditors will cite insufficient transparency. If a tag fires that you didn't disclose (e.g., a developer added a new conversion pixel), you're now processing data without lawful basis.

### Pitfall 2: Forgetting Consent for Non-Google Tags Loaded via GTM

The Mistake: Teams implement GTM with a consent banner that only covers Google's products. Then they add third-party tags (e.g., Hotjar, Intercom, Drift) to GTM without updating the consent configuration or banner.

Why It Happens: GTM makes it easy to add new tags in the UI without code changes. Operators assume the original consent setup covers new additions.

Consequence: Non-Google third parties fire *without valid consent*. Under GDPR Article 6(1)(a) (ePrivacy Directive Article 5(3) for cookies), and CCPA Section 1798.140(w) (opt-in requirement in California), this is a direct violation. Each tag has its own data retention and sharing practices; bundling consent is insufficient.

### Pitfall 3: Missing Data Processing Agreements (DPAs) with Google LLC

The Mistake: Operators deploy GTM + Google Analytics 4 or Google Ads without a signed Data Processing Agreement with Google LLC, or assume Google's standard terms cover it.

Why It Happens: GTM is free and appears lightweight; teams don't realize it creates a controller–processor relationship when it loads Google's own services.

Consequence: GDPR Article 28(3) requires a written DPA for any processor. Google offers a standard DPA (part of the Google Ads Data Processing Terms), but it must be actively accepted. Absence of a DPA is a direct breach flagged in ~80% of GDPR audits involving Google services. Fines under GDPR Article 83 can follow.

Privacy policy clauses for Google Tag Manager

What data Google Tag Manager collects

When does Google Tag Manager trigger privacy obligations?

When Google Tag Manager Triggers Compliance Obligations

Where data goes

Common compliance pitfalls

Common Compliance Mistakes with Google Tag Manager

Legal note

Sample privacy policy clause

What regulators look for

What Data Protection Regulators Flag in Google Tag Manager Audits

Frequently asked questions

Does Google Tag Manager require disclosure in a privacy policy?

What specific data does Google Tag Manager collect?

Does Google Tag Manager require a cookie consent banner?

Who processes data collected through Google Tag Manager, and where is it transferred?

Don't ship without Bandit.