In this guide, we will show you how to:
- Implement the cookie consent banner
- Control cookie-setting tags
- Display the cookie declaration on a subpage
1. Implementing the cookie consent banner in GTM
In the "Cookiebot ID" field, copy in the ID from the 'Your Scripts' tab under your account on cookiebot.com.
Choose "Consent initialization - All pages" as trigger and apply a name to your tag at the top of the configuration page, e.g. "Cookiebot". Click "Save" to create the tag.
This is what your tag configuration should look like (except for the value of the Cookiebot ID):
1.1 Defining the Default Consent State
Under the collapsible configuration group ‘Default Consent State’ you can adjust which categories of cookies should be granted or denied before the end user submits consent.
As most data protection legislations like GDPR require so-called ‘prior consent’, the default setting is ‘Denied’ for all categories. The category ‘necessary’ (mapped to consent type security_storage) is by default set to ‘Allow’ and is not configurable, as it does not require consent.
GTM by default supports 5 different consent types that are automatically mapped by Cookiebot to the 4 categories used in Cookiebot CMP:
| GTM Consent Type | Mapped Cookiebot Type | Description |
| ad_storage | marketing | Enables storage (such as cookies) related to advertising |
| analytics_storage | statistics | Enables storage (such as cookies) related to analytics e.g. visit duration |
| functionality_storage | preferences | Enables storage that supports the functionality of the website or app e.g. language settings |
| personalization_storage | preferences | Enables storage related to personalization e.g. video recommendations |
| security_storage | necessary | Enables storage related to security such as authentication functionality, fraud prevention, and other user protection. Users will be informed about the specific storage purposes in the cookie declaration, but this type does not require consent from the end user. |
2. Controlling cookies
Google Tag Manager includes several features that work together with Cookiebot to help you manage how tags behave in response to the end user's consent choices.
Tags with built-in consent checks (such as Google Ads, Analytics, Floodlight and Conversion Linker) include logic that automatically changes the tag's execution behavior based on the user's consent state. No consent configuration is needed for this type of tags.
If a tag doesn't support built-in consent checks, you can add Additional Consent Checks for the tag as described below. If a user does not give consent to the specific consent types you’ve selected for the tag, the tag will not run.
2.1. Setting up Additional Consent Checks
1. In your GTM container, create the following trigger, to be used in your GTM configuration:
Event Name: cookie_consent_update,
Event Type: Custom Event,
Fires On: All Custom Events
You trigger should look similar to this:
2. Tags that do not support built-in consent checks and set cookies should specify the types of cookies using the Additional Consent setting under Tag Editor > Advanced Settings with the categories that the tag requires (see the scan report from Cookiebot if you are in doubt).
In this example the tag requires consent for ad_storage:
3. To achieve this, update any cookie-setting tags to replace the existing trigger (e.g. “All Pages”) with the new consent update trigger, e.g. for your Facebook Pixel Code tag. This will fire your tag when the user has opted in on the required consent type.
4. For a complete view of the consent settings across all the tags in your container, you can enable the Consent Overview from your container settings:
3. Implementing the cookie declaration
To make available an option for the user to change or withdraw consent, implement Cookiebot's 'Cookie Declaration' on a page of your own choice by embedding the following script tag directly into the source of the page and position within the page where you want the cookie declaration to be displayed (replace 00000000-0000-0000-0000-000000000000 with your own Cookiebot ID):<script id="CookieDeclaration" src="https://consent.cookiebot.com/00000000-0000-0000-0000-000000000000/cd.js" type="text/javascript"></script>Other ressources
Comments
20 comments
Hello,
I maintains many wix website but this I followed the procedure but it does not work.
The cookies content banner does not appear. Why ?
Hello,
I have the same problem with drupal. I'm using manual blocking, is it correct?
Thank you
Hi Speralta
How did you implemented GTM in drupal? I have followed same steps described in this page.
And i could see JS variable "Cookiebot.consent" is set according user accept values and "dataLayer" event also triggering perfectly in all pages.
Does this means its working fine? How can i confirm that GTM works perfectly after user accepts statistics consent and GTM doesnt when user doesn't provide consent?
Hi,
I have been able to solve the problem, thank you very much.
I have followed these instructions, but when I open the website the Cookiebot banner displays and Google Analytics cookies are switched on by default rather than being switched off. What could be wrong?
Hello Peter.
I would advice you to submit a ticket with us with the specific issue, so we can perform some troubleshooting for your situation.
https://support.cookiebot.com/hc/en-us/
Hi,
following this approach and not the one described here https://support.cookiebot.com/hc/en-us/articles/360009192739-Google-Tag-Manager-and-Automatic-cookie-blocking , would you regain access to the Debug & Preview function of GTM?
We implemented Cookiebot by following the Google Tag Manager and Automatic cookie blocking guide, but since then our 3rd party marketing agency isn't able to properly create new tags, since the Debug & Preview function is nonfunctional.
We're hoping that implementing Cookiebot via GTM would resolve this problem, but before we go into the effort, we'd need a confirmation that this would actually solve our problem.
Thanks
I have implemented the Cookiebot Tag Manager strategy and all works fine. Here are some things I have learned:
1. De script declaration is not necessary anymore, you can leave that step out of this manual
2. Check all blocking mechanisms when you test; Firefox automatic blocking, VPN's etc.
I have one big question though:
I have tried to use the Consent triggers on stuff like Google Analytics and Hotjar bu the triggers do not fire at all. What could be the possible cause of this? Normally triggers are set to All Pages and that works just fine.
Smaller question: is naming strict? Like Cookie Consent for example. I also noticed that the names of the triggers in text are different than on image.
Wouldn't it be more effective to use the Consent trigger as an exception? So define Cookie Consent Marketing as NOT containing marketing. Then use it as an exception on a trigger so you have options to specify which pages it applies to.
I also noticed this issue that Jaap is talking about:
"I have tried to use the Consent triggers on stuff like Google Analytics and Hotjar but the triggers do not fire at all. What could be the possible cause of this? Normally triggers are set to All Pages and that works just fine."
I think this is a quite recent issue, because I only noticed around the same time that Jaap posted his comment here and I use an import of my GTM settings so the settings are the same as on previous projects (where this still seems to work like it should).
Is there a solution for this issue?
Thanks!
What Jaap and Tycho said is exactly the same question I have. The documentation on this site regarding how to implement Cookiebot with GTM is less than desirable. (There are multiple pages which say different things.)
Most of the documentation assumes a user is trying to comply with GDPR, thus the examples given are for how Cookiebot works when the default behavior is that site visitors are opted out until they opt-in. But many people are now using Cookiebot to handle CCPA, where visitors are opted in until they opt-out.
How about spending some additional time going through past documentation and removing or updating verbiage that no longer applies or is no longer correct?
Did anyone get a response from Cookiebot concerning this matter?
Or did anyone maybe find a solution?
Thanks!
Negative to both questions.
Bumping up this thread. Same problem here - different documentation on different pages with no clarifcation from Cookiebot which one is recommended for specific cases. I also suggest to sort our or refactor the GTM documentation.
Having also the same problem with the tag manager preview function after I implemented a new trigger which checks for links with a specific Click text. . It still shows, but without any content, so completely empty.
Also sent an Email to Support 2 weeks ago without a response. Is there a solution available already?
Having the preview function in the tag manager is quite crucial for us .
This guide is only covering GTM tags that were firing unconditionally on all pages. However, most of our tags already have specific triggers. Since it is not possible to add a second additional trigger, the concept described here does not work for all those tags. What would you recommend in this case (and no, creating trigger groups for every specific trigger we have -200- is not an option)?
One feasible way would be to add exceptions to every trigger, which is possible in GTM. So if I have a specific trigger and want it to fire only if consent is given, I would like add a "Consent not given" exception.
This would require the "Cookie Consent" variable template to not only contain the strings "preferences|statistics|marketing" but also a string that can be used to safely determine if consent is not given.
Among the many things not clear - if you using auto-scan and classifying cookies within the cookiebot control panel, are GTM triggers necessary?
Hello Dave.
Yes, the triggers are indeed still necessary, as GTM is a different platform and will not be blocked by the automatic script. This is because we also have a manual implementation method that uses GTM and therefore GTM as a platform is not directly blocked.
Therefore it is required that you add the triggers and ensure GTM blocks cookies before consent is provided by the visitor.
Hi,
Could someone help me clarify the following:
If I implement Cookiebot through GTM, all cookies set by a specific tag/script will be blocked if the user has deselected the category that the script is placed in (the trigger used) in GTM, I assume?
So if a particular tag in GTM sets, say, three cookies, and two of them are auto-categorized as "Statistics" by Cookiebot, and one is auto-categorized as "Marketing" (for instance, this is approximately the case for LinkedIn Insights) - all three will be blocked if GTM is used?
In other words, when implementing Cookiebot through GTM, there's no way to achieve the fine-grained blocking that is possible with auto-blocking and no GTM, because the GTM-implementation does not assess each cookie individually.
I could make a trigger group in GTM - but this would mean that even if the user had opted in to "statistics" cookies, these would only be set (for the particular tag) if the user had also opted in to the other categories in the trigger group that fires the tag?
Thanks in advance.
Kind regards, Chris
Hi,
Seems it still not be ready.
I can try everything, the Analytics still run, even if I did not give consent.
Then I still use the "cookie_consent_statistics" method.
Currently does a problem on triggering the page view tags, because all of triggers can't be triggered before the event cosent_state_update, but other triggers that occur after it working properly.
Please sign in to leave a comment.