CookieScan & Google Tag Manager

What is Google Tag Manager?

Google Tag Manager is a system that controls what tags (scripts), you want to run on your website and when you want them to run. Instead of having to code and mark-up different events on your website, Google Tag Manager takes care of that.

This can be Google Analytics that through Google Tag Manager can create statistics on user behaviour on your site. This is useful information to website owners, because it lets them update and optimize their website and its content based on real-life user interactions and performance statistics.

What does Google Tag Manager do?

Google Tag Manager, once implemented on your website, manages all kinds of tags. It can be statistical scripts or marketing tags that are meant for advertisement. Such tags and scripts set cookies, which collect data from your users in order to compile the statistics and marketing analytics.

The most common uses of Google Tag Manager include:

  • Tracking of website page view
  • Tracking of button clicks
  • Tracking external links/outbound clicks
  • Tracking of conversions, such as in Google Ads
  • Tracking of how a user scrolls and behaves on a page
  • Collection of user data, such as geolocation, device type and even screen width.

To explain it in an easier way:

You own a football team. The team manager decides on his team for an upcoming game, so what player is on the field and what ones are on the bench.

He also decides what position the players have, so defence, mid field or forward.

So, using this analogy the players are the Tags and the team manager is Google Tag Manager.

How does Google Tag Manager work?

Google Tag Manager works through tags and triggers.

Tags are pieces of code, such as HTML or JavaScript, which are deployed on your website for analytics or marketing purposes. They are also known by names such as tracking pixel, web beacons, ultrasound beacons and many others depending on their functions.

Collections of tags, such as “marketing”, are called tag containers.

What is important for website owners to know, is that almost all “third party tags” will set cookies that, according to EU law (the GDPR), fall into categories that require the explicit consent of your users before the cookie is placed on the user’s device.

Triggers are the conditions under which tags are allowed to fire. This means Google Tag Manager can control when a certain tag is fired.

These rules can be URL-based or event-based, such as when a user scrolls or clicks on some area of your website.

In other words, tags are what happens, while triggers are when what happens.

Google Tag Manager, ePrivacy and GDPR

If you are using Google Tag Manager on your website to deploy analytics and marketing cookies on your domain you can use this function you can measure your users and their behaviour as they navigate your site.

By doing this your website will have several cookies placed on the user’s device that activate and collect users’ data. This means that personal information, such as IP addresses, names and location data can be collected for statistical and marketing purposes.

What is stopping you from just doing this?

Article 5(3) of the ePrivacy Directive states that:

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’

So from this, it is clear that you need to obtain consent from the website user before you place any cookie on their device. You also have to provide clear comprehensive information about the cookies purpose, expiry date, type etc…

The ePrivacy Directive does not define the meaning of consent, so the definition of consent as laid down by the General Data Protection Regulation (GDPR) have been adopted. This definition is:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

So, what does this mean for Cookies?

To summarise this:

  • Cookie banners are not allowed to have pre-ticked check-boxes. All cookies (except necessary cookies) must be deselected by default.
  • Continued scrolling and browsing on a website does not constitute valid consent. Users must make a clear and affirmative action indicating their choice of consent.
  • Cookie banners with a single button to accept all cookies is not allowed.
  • Cookie walls cannot be used to obtain a valid consent, i.e. making user consent conditional for access to a website and its services is deemed unlawful.

So, if you have any type of cookie or tracking technology on your website, the GDPR states that you must:

  • Obtain clear and unambiguous consent from its users
  • This consent must be provided prior to any processing of personal data
  • All types of cookies and other tracking technology present and operating on its pages must be listed and categorised
  • Information must be provided on the purpose of the data processing, how long the cookie will be active on the user’s device and who provided the cookie
  • It must be as easy to withdraw consent and it was to give it
  • The website owner must document each user consent.

So, the ePrivacy Directive and GDPR have a direct effect on how you use Google Tag Manager. Using the above analogy of the football team, the ePrivacy Directive and GDPR are the rules of the game.

CookieScan and Google Tag Manager

CookieScan is your total cookie management solution. It knows the rules of the game and applies them appropriately, keeping you safe and compliant at all times. Look at CookieScan as the referee in a football match.

When you use CookieScan and open you account, it first asks you for the domain you want it to manage for you. CookieScan scans your website and all of its subpages, identifying all cookies and similar tracking technologies present – without exception (everything from HTTP/JavaScript cookies, HTML5 Local Storage, Flash Local Shared Object, Silverlight Isolated Storage, IndexedDB, ultrasound beacons, pixel tags… and the list goes on).

CookieScan displays a cookie data base of the cookies used on your website, with descriptions of every cookie, the domain that supplies the cookie, the cookie type and the expiry date. This is all available on your account dashboard.

CookieScan categorises the cookies into Necessary, Marketing, Statistics and Preference. You are given the ability to move cookies into a category you feel is more appropriate for your website needs. It is for you as the data controller to justify this move.

In your ‘Manage Domain’ section of your dashboard you can simply select the on/off slider to activate Google Tag Manager. That is all you have to do in CookieScan to tell it to communicate with Google Tag Manager, the rest is done in you GTM account settings, see our FAQ section on how to complete this easy set-up.

CookieScan and Google Tag Manager – How we keep you safe!

Until the consent is given by the user, CookieScan automatically controls all cookies.

Only strictly necessary cookies are allowed to be placed on a device when a user arrives on a website, but you still have to provide information on what cookies are categorised as Necessary, the processing purpose, the expiry dates and provided them.

Necessary cookies have this exemption because without them the basic functions of a website would not work if consent was declined. An example of this would be, an eCommerce website selling socks. A basic function is the shopping basket and the site remembering what the user placed in the shopping basket. Without this function the site would not work, and the site owner would not sell any socks. Cookies placed on the user’s device that control the function of the shopping basket are necessary.

What CookieScan then does is to tell Google Tag Manager what tags (cookies) to run.

If the user decides to not to give consent for marketing cookies to be placed on their devices, CookieScan changes the conditions for which Google Tag Manager runs marketing tags, and so will not run the tags that work with marketing cookies.

By using CookieScan, you can be assured that the cookies that you deploy as tags through Google Tag Manager meet the ePrivacy and GDPR cookie consent requirements, i.e. CookieScan will not allow the collection of personal information on users before they’ve given their consent to it.

Ensure your website is PECR and ePrivacy compliant

Create a FREE CookieScan account today and start managing your cookie consent.

Get Started