GTM implementation - data transfer to Google and GDPR compliance?
Due to the debug pane problem we had to switch from loading Cookiebot from HTML to loading it from GTM. Since Cookiebot is now reliant on GTM to work, the question I would like to ask now is what data is transferred to Google when the banner is loaded (which data is sent to Google servers just due to the GTM implementation (no Analytics etc.) and which cookies are set?) and how this is compliant with GDPR.
And as I see two cases here, how do these two cases differ technically and legally:
1. Cookie banner is loaded for the first time, i.e. no choice has been made yet (necessitating that the banner is loaded from GTM, but legally precluding any traffic to Google)
2. Choice has been made to reject all cookies (not displaying the banner, but necessitating that the Cookiebot logic works and is executed, and also disallowing any traffic to Google).
Thanks!
-
Hi Marketing WBS,
There is no data sent to Google in either scenario.Google Tag Manager doesn't send or receive data, it's more like a system that registers events, and executes scripts according to those events.
When the page loads, Google adds the Cookiebot script to the page, but any interaction with the Cookiebot script is no longer tied to GTM. It was merely the tool to implement the script.
So, regarding your first point, there should not be any data getting sent to consent.cookiebot.com and Google through GTM, when the user opens a page for the first time. Cookiebot does not store anything about the user upon page visit. When the user consents, this users IP-address is stored anonymized (by removing the last three digits) to prove that consent was obtained.
When the page is visited for the first time only the necessary cookies are being set (no other cookies are being set upon page visit). The CookieConsent and GTM cookies will be set without consent in case that they have been classified as a necessary.
About the second point, in case that all cookies categories have been rejected except necessary cookies then the banner would not be displayed anymore and only strictly necessary cookies would be set. That is why its important to classify cookies on you site and implement prior consent.
For example, if a cookie has been set as a "preferences" cookie, it won't be set without consent when the user opens a page for the first time, and it would be set if the user allow only necessary cookies.
Regards,
Spas0 -
Hi Spas,
Thank you very much for your detailed reply and sorry for the late response. I can follow the technical details you give, but as far as I can see there is still traffic to Google servers (the ones used for GTM like googletagmanager.com). I think you acknowledge this in your sentence “When the page loads, Google adds the Cookiebot script to the page”. This cannot be done without a connection to a Google server, can it?
If so, then the question is what user information is transferred. I suppose at the very least an (anonymized?) IP, but probably not much more. And then, since the use of GTM is necessary for the operation of the site, I guess this is legal under GDPR as long as the use of GTM is covered in the privacy declaration and the cookie banner, isn't it?
Unrelated to this: I think there’s a typo in your last sentence: “For example, if a cookie has been set as a "preferences" cookie, it won't be set without consent when the user opens a page for the first time, and it would be set if the user allow only necessary cookies.” I think it should say “and it wouldn’t be set” in the second part of the sentence, no?
Best,
Marketing WBS
0 -
Hi Marketing WBS,
First of all, I am sorry about my typo mistake, you are right. If a cookie has been set as a "preferences" cookie, it won't be set without consent when the user opens a page for the first time, and it would NOT be set if the user allows only necessary cookies.
Regarding the connection to the server and data sent to Google, I would say that there is no data sent to Google. The Cookiebot script is inserted by GTM and as I mentioned before Google Tag Manager doesn't send or receive data, it's more like a system that registers events, and executes scripts according to those events. So when the page loads the Cookiebot script is executed and then there is not other interaction tied to GTM.
Regards,
Spas0
Please sign in to leave a comment.
Comments
3 comments