Websites using Google Tag Manager (GTM) can deploy Cookiebot by following these step-by-step instructions.
In this guide, we will show you how to:
We assume that you've already created a GTM account, created a website container in GTM, and added the GTM container snippet to your website.
If this isn't the case, you can find instructions here.
First off, we recommend enabling the Consent Overview. This allows you to get an overview of your tags and their respective consent configurations.
You can find the Consent Overview by clicking on the 
icon on the Tags section.
If you don't see this icon, you can enable this function on the Admin tab, under Container Settings.
Check the "Enable consent overview" box under Additonal Settings and save your changes:
1. Implementing the cookie consent banner in GTM
First, obtain the Cookiebot CMP tag template from the Template Gallery.
You can find it by Selecting Templates from the main menu, and clicking the Search Gallery button in the Tag Templates section.
Click the magnification icon and enter "Cookiebot" in the searchfield.
Select the "Cookiebot CMP" item and click the "Add to workspace" button.
Confirm by clicking "Add"
Next, create a new tag by clicking "New" ❯ "Tag Configuration" and select Cookiebot CMP from the list of standard tag types.
In the "Cookiebot ID" field, copy in the Domain Group ID from under your account on cookiebot.com. This will look similar to this: 00000000-0000-0000-0000-000000000000, the zeros will instead be hexadecimals *numbers 0-9 and letters a-f
Choose "Consent initialization - All pages" as trigger and apply a name to your tag at the top of the configuration page, e.g. "Cookiebot". Click "Save" to create the tag.
This is what your tag configuration should look like (except for the value of the Cookiebot ID):
Make sure that you have registered and saved the domain name(s) of your website(s) in Cookiebot.
1.1 Defining the Google Consent Mode default consent state
A default consent state of 'denied' will apply until the user has submitted a consent. You can change this default behavior and add different default consent states for users in different geographical regions by clicking "Add region" under the "Default Consent State" section.
In the example above, a global (blank region value) default consent state of 'denied' is defined for all users along with a specific 'granted'-state for users from California (US-CA).
Please use ISO-3166-1 alpha-2 country codes for region values. For the United States it is also possible to use state-specific regions, e.g. "US-CA" for California. If a specific default consent state applies to multiple regions, you can add a comma-separated string of regions to the Region field.
GTM by default supports 7 different consent types that are automatically mapped by Cookiebot to the 4 categories used in Cookiebot CMP:
| GTM Consent type | Cookiebot type | Description |
| ad_personalization | marketing | Enables the use of personal data for advertising purposes such as remarketing or interest-based targeting. |
| ad_storage | marketing | Enables browser storage (such as cookies) related to advertising. |
| ad_user_data | marketing | Allows the collection of personal data for advertising purposes. |
| analytics_storage | statistics | Enables browser storage (such as cookies) related to analytics e.g. visit duration. |
| functionality_storage | preferences | Enables browser storage that supports the functionality of the website or app e.g. language settings. |
| personalization_storage | preferences | Enables browser storage related to personalization e.g. video recommendations. |
| security_storage | necessary | Enables browser storage related to security such as authentication functionality, fraud prevention, and other user protection. Users will be informed about the specific storage purposes in the cookie declaration, but this type does not require consent from the end user. |
The category ‘necessary’ (mapped to consent type security_storage) is by default set to ‘Allow’ and is not configurable, as it does not require consent.
2. Controlling cookies
Google Tag Manager includes several features that work together with Cookiebot to help you manage how tags behave in response to the end user's consent choices.
Specific tags (such as Google Ads, Analytics, Floodlight and Conversion Linker) have built-in consent checks. This means that these tags include logic that automatically changes the tag's behavior based on the user's consent state. No consent configuration is needed for this type of tags*.
Google refers to this as Advanced Consent Mode.
Tags which do not have built-in consent checks, which do utilize tracking, must be configured with additional consent checks. Opposed to tags with built-in consent checks, which load regardless of consent, tags configured with additional consent checks will not fire unless consent has been given for the corresponding storage category.
Google refers to this as Basic Consent Mode.
For a complete overview of the consent settings applied to all tags in your container, you can enable the Consent Overview from your container settings:
In the next section we will provide instructions to configure additional consent checks.
*It is important to note that because tags with built-in load regardless of consent, data will be transmitted to Google without explicit permission from the visitor. If this is of concern to you, it is recommended to configure tags with built-in consent with additional consent as well. That way the tag will not load prior consent.
2.1. Setting up Additional Consent Checks
- In your GTM container, create the following Custom Event trigger, to be used in your GTM configuration:
Event Name: cookie_consent_update
Event Type: Custom Event
Fires On: All Custom Events
Your trigger should look similar to this:
- Edit the consent settings for all tags that need to be configured with additional consent.
You can find these settings in the Tag Editor ❯ Advanced Settings ❯ Consent Settings.
Add all storage categories which the tag requires (see the scan report from Cookiebot if you are in doubt).
In this example the tag requires consent for ad_storage / marketing cookies: - To ensure the tag fires as soon as consent choices have been determined, either from a previous visit or from interaction with the banner the normal "All Pages" trigger will need to be replaced with the trigger which we created in the first step*.
Here is an example with a Facebook Pixel tag, which with this setup only fires if the visitor has opted in on the required consent type:
The updating of Consent Mode settings does not trigger a reevaluation of tags with the "All Pages" trigger. This means that if you don't use the "cookie_consent_update" trigger, and keep the "All Pages" instead, the tag will not fire on the first page if you didn't submit consent during a previous visit.
There are additional methods besides using Consent Mode, to ensure tags cannot load prior consent. Please see Alternative methods for conditionally loading tags for instructions.
3. Implementing the cookie declaration
<script
id="CookieDeclaration"
src="https://consent.cookiebot.com/00000000-0000-0000-0000-000000000000/cd.js"
type="text/javascript"
></script>
Make sure to link to the page that embeds the declaration from all pages on your website, e.g. in the website template footer.
When you implement Cookiebot using Google Tag Manager, Cookiebot can be used to control tags which require consent and do not originate from Google Tag Manager, i.e. scripts, images and iframes inserted directly into your website template.
Such tags need to be marked up for 'prior consent' as described in our manual mark up guide. If you wish to combine the use of Google Tag Manager and automatic blocking, please see Google Tag Manager and Automatic cookie blocking.
Additional resources
For instructions on how to make the cookie banner change language depending on which (language) part of your website a visitor navigates, please see Multilingual support when using GTM.
Consent Mode is enabled by default. If you for any reason want to disable Consent Mode, please untick the checkbox "Enable Google Consent Mode".
See also our blog post: Google tag manager and GDPR
Comments
7 comments
How does section "1.1,Defining the Google Consent Mode default consent state" relate to the GeoTargeting setting (inside CookieBot's Banner setup admin page -https://manage.cookiebot.com/en/manage) where I have selected "Visitors from the EU only".
Do we need to define the EU region inside Google Tag Manager manually in addition? i.e. by setting up many granted rules for all "none-EU" country codes inside Cookiebot's admin plug-in for Google Tag Manage? Or can we just ignore this part, knowing that Cookiebot will set it automatically to Granted for all non-EU visitors?
Hey quick question, what if the Enable Consent Overview is not available in the GTM Container?
Should cookie_consent_update trigger also be used to trigger Google Tag to track pageviews in Google Analytics?
Are you ok for 2000ms (defaut)? or ?
Just wanted to pop in with a quick thought: when you're setting up those default consent states in GTM, especially with that nifty GeoTargeting feature in Cookiebot's settings, it can feel a bit like juggling flaming torches, right?
Hi there
When I set up Cookiebot like described above, I notice on the site where it's active that if a user denies cookies, there's something added to the URL. Like e.g. domain.com/page/?_gl=1*hyhtfo*_up*MQ..*_ga*MTY4Mzc2OTEwMi4xNzE4MzU0Mjkz*_ga_DPYNXPE4YZ*MTcxODM1NDI5M...
Is there a way to prevent this from happening?
Thanks!
@Tycho
The stuff that's added to the URL is caused by the URL passthrough feature. Disabling it will stop this from happening.
Please sign in to leave a comment.