A new data protection ruling from the Administrative Court of Hannover is causing a stir in the online marketing world: the court decided that simply loading Google Tag Manager (GTM) on a website constitutes a data processing activity involving personal data and, under the GDPR and TTDSG (E-Privacy), requires prior user consent.
Until now, Google Tag Manager was considered a “neutral container” as long as no tracking tags were loaded with it. The court in Hannover sees it differently: according to the ruling, simply initializing Google Tag Manager transmits technical data such as IP addresses to Google servers, which are usually located outside the EU. For this reason, the practice is not GDPR-compliant without user consent and is therefore not permissible.
What was the specific issue in the Hannover court case?
The company involved loaded Google Tag Manager without user consent, because the consent management platform itself was loaded via GTM, the same platform that collects the user’s consent. This setup is common practice and, until now, had not led to any objections.
The court in Hannover noted that Google Tag Manager is not technically necessary to collect user consent, since the script for the consent management platform can be loaded independently of GTM. According to the ruling, integrating the consent management platform via GTM is just as non-compliant as loading the GTM container itself without consent.
In this particular case, the company was not fined but only issued a warning. It had to bear the legal costs and implement the necessary technical changes.
Should you now adjust your Google Tag Manager setup?
This comes down to a risk assessment that each company must make for itself.
Arguments for keeping the current setup:
- You can only use Google’s Advanced Consent Mode if the consent management platform is loaded via GTM. Without it, you’d lose valuable marketing data for campaign optimization.
- Most consent management platforms can be integrated directly via a separate script in the website code, but that does not prevent GTM from loading.
- Large cookie consent solution providers like OneTrust or Cookiebot currently cannot block GTM. Meeting the court’s requirements will require new technical standards.
- The transfer of personal data via GTM that the court criticized refers to IP addresses. These are sent as raw data with every website request and are part of the basic functioning of the internet. Not only GTM works this way, millions of plugins would also be banned under this logic.
- In case of proceedings, the risk of a fine is low. You would likely only be required to adapt your setup.
Arguments for changing the setup:
- Your website would comply with the strictest data protection requirements at the EU level.
Conclusion
As the arguments above show, based on our risk assessment we recommend a pragmatic approach and do not believe it is currently necessary to change your Google Tag Manager setup.
It is important, however, to regularly review your consent management platform implementation, keep all processes well documented, and of course only set tracking and marketing tags or cookies after obtaining user consent.
