A German Court Rules That GTM Requires Consent

The Hanover court ruled that loading GTM transmits data to Google and requires GDPR consent. Practical implications.

The Hanover Court Decision

The administrative court of Hanover issued a ruling that directly concerns all European businesses using Google Tag Manager. The reasoning is straightforward: when a browser loads the gtm.js file from Google’s servers, it automatically transmits the user’s IP address, user-agent, and other technical metadata. This transfer of personal data to Google occurs before a single tag even fires.

The court concluded that this initial loading constitutes personal data processing under GDPR and therefore requires the user’s prior consent.

A common misconception is that Consent Mode protects against this type of issue. That is incorrect. Consent Mode controls the behavior of tags that execute within the GTM container. It can block cookies, limit data sent, or enable modeling. But it does not prevent the initial loading of the gtm.js script itself.

In other words, even with Consent Mode correctly configured, the browser sends an HTTP request to Google’s servers to download the JavaScript file. This request contains the IP address and browser headers. Data processing occurs before Consent Mode comes into play.

The Compliant Implementation

The technical solution is clear, even if it requires rethinking the loading order of your scripts. The principle: the CMP (Consent Management Platform) must load first, without any dependency on GTM. The GTM script is only injected into the page after the user has given consent.

In practice, this means the GTM snippet should no longer appear unconditionally in the <head> of your HTML page. It must be loaded dynamically by the CMP, only after consent is collected. Most CMPs on the market (Cookiebot, OneTrust, Didomi, Axeptio) offer this functionality, but it is not always enabled by default.

For a compliant CMP implementation, it is essential to test the full flow: verify that no request to googletagmanager.com fires before consent.

Impact on Existing Implementations

The vast majority of European sites load GTM unconditionally. Google’s standard snippet executes on page load, before any user interaction. All these implementations are potentially non-compliant under the Hanover court’s interpretation.

The practical consequences depend on jurisdiction. The German decision is not binding in other countries, but it creates a precedent that other data protection authorities could follow. Businesses subject to GDPR should anticipate.

Alternatives to Consider

Server-side GTM offers an elegant solution: the script is served from your own domain, with no client-side request to Google. Data passes through your server before being relayed. This architecture eliminates the problem identified by the court, since the browser never communicates directly with Google’s servers.

Need help with this topic?

I can help you implement or optimize your tracking setup.

Book a call