GDPR
The General Data Protection Regulation (GDPR) of the European Union has been with us for many years. Data collection with Google Tag Manager is part of the compliance process for most of you. This also means that many GTM4WP users are interested in being GDPR-compliant when using this plugin.
Disclaimer: I am not a lawyer, but I participated in many GDPR-related projects across many small and large companies. Here I will explain the whole GTM+GDPR topic based on what I have learnt from these projects, but you should always discuss it with your own lawyers. What I can tell you below is logical and makes sense if you read the article carefully.
How does GTM4WP fit into the GDPR compliance process?
GTM4WP is a plugin that will help you integrate your Google Tag Manager container (GTM) into your website. For the purpose of simplicity, the term “personal data” should always be understood as “data that can identify a specific person directly or indirectly”.
What does ‘indirectly’ mean? It refers to an identifier that does not directly identify someone, but can be used to join this identifier with another data set to make the identification possible. For example, an order ID. If you have access to the list of orders in a webshop, you can use the order ID to see who was the one ordering the products. If you do not have this access, the order ID itself is not enough to see a specific name or email address.
There are two main cases where personal data processing can take place.
1. While collecting data with your tags
This one is obvious. If you add a marketing tag into your GTM container that collects personal data, you need to ask for the consent of your site visitor in order to do so. Here you need to see the process clearly to understand what can be done with GTM4WP and what is not the responsibility of GTM4WP.
Begin with the soup
As you know, by default, this plugin adds the so-called container code of GTM into your website. This ensures that the data collection mechanism in your GTM container can be executed while a user visits your site. However, this GTM container is empty by default. So if you activate this plugin and you ask the plugin to load an empty GTM container, basically nothing happens. Not only technically, but in terms of GDPR as well: no personal data collection, no personal data processing.
Do you need to ask for consent in this case? No!
Do you need to block the loading of the GTM container itself? No!
Add some spicy ingredients
Now add a web analytics tracking tool into your GTM container.
(Side note: there is another misconception among users as to where personal data is collected. For example, if you are using Matomo to collect visitor data into your own server, that does not make the data collection GDPR-compliant, as the question is WHAT data is collected and processed and not WHERE you are storing the data.)
Adding a web analytics tracking code means that there is a chance you will start collecting personal data. It is not necessarily the case, but it can happen. For example, if this web analytics tool processes the IP address of your visitor to populate geographic reports, you are likely in a situation where user consent needs to be handled. But there can be more sophisticated techniques like fingerprinting where someone combines individual, innocent data points and identifies an individual using lots of these innocent data points.
Question: In this case, what needs to be restricted if no consent has been given? The whole container or the tracking code that does the data collection? My answer is: the tracking code. Why would you want to block the whole container if you can block the tag with exception triggers?
Now add a second tracking code that will give you the opportunity to retarget previous site visitors. Does this require user consent? As far as I know, yes. Do you want to block the whole container if no consent has been given? My answer is: no! You should block the corresponding trigger.
Finally, add a tag that does not collect any GDPR-related data. For example, a custom HTML tag that replaces some text on your site while developers are working on the same change but will release it only 2 weeks from now. No consent management is needed. If, in the first 2 cases, you say that you want to block the whole container, you will block this harmless tag as well.
Should GTM4WP have an option to block the loading of the container based on user consent?
I do not think so. If you have a cookie consent solution, most probably it will store the chosen consent level into a cookie or a browser local storage object. This can be read by GTM itself. You can set up your firing and blocking triggers to stop data collection if proper user consent is missing. In some cases, this means that GTM4WP will load your GTM container, but GTM itself (!) will not fire any tag due to the lack of proper consent.
Google’s Consent Mode can also help you configure proper tag behavior based on user consent.
2. While using specific plugin features
Besides the GTM container, there is another entity that can be really useful while setting up your tracking in GTM. The data layer is a small data storage in the memory of your browser that is created by GTM4WP. It is important to know that the data layer gets created on each page load and gets destroyed when the page is unloaded from the browser. It does not provide persistent data storage.
Some plugin features add personal data into the data layer. For example, the name and email address of the customer in your WooCommerce shop. All features that put such data into the data layer are disabled by default.
How to deal with personal data in the data layer?
The first option is quite obvious: you can choose not to enable those features. You will see a short notice next to each such feature in the admin area so that you are aware of what kind of data is used there.
The second option is more complicated, but should work as well. In my opinion, as long as you do not set up tracking in your GTM container to read these personal data and transmit them to a specific service, I do not see any reason to ask for the user’s consent. If you set up such a tag, you will need to get the consent from the user using a cookie consent banner software. Then read the status of the consent from the appropriate cookie and block this tag or the specific tag parameter if no consent has been given.
Most importantly, you are in charge: you are the one adding personal data processing into your measurement, and you have the necessary controls in GTM to make it GDPR-compliant.
And what about cookies stored by GTM4WP?
Specific GTM4WP features store cookies indeed. Remember: GDPR is not about asking for consent to store cookies. It is about asking for consent to store and process personal data. Some cookies can support processes that involve personal data processing, while some do not. Cookies of GTM4WP are harmless and do not involve personal data processing, thus there is no need to ask for user consent to create them.
That is all fine, but I still want to block the GTM container
If the above explanation does not satisfy your needs, there is still a way to block the loading of the container in case of missing user consent. Since there are many cookie consent solutions on the market, there is no way I can provide you a unified way to achieve this. You will need a developer to make this work.
- Select the “Off” container placement option in the plugin options. This will disable the output of the container code, but will keep the data layer intact.
- Write code that checks for user consent. This might be JavaScript code that you place into the header.php file in your template directory, or PHP code placed into the same file, but with a different technique.
- If user consent is present, write code that outputs the GTM container manually.
This way, you will have full control over GTM container loading. Based on my standpoint above, I would really encourage you not to do so.
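One way to implement the three steps above in JavaScript, reading the consent level from a cookie as described earlier; this is an added example, not code from GTM4WP or from any consent banner product. The cookie name `site_consent`, its URL-encoded comma-separated value, the `analytics` category, the `__gtmLoaded` flag and the `GTM-XXXXXXX` placeholder are assumptions, as is the default data layer name `dataLayer`.

```javascript
// Added example. Names marked "hypothetical" are assumptions, not GTM4WP code.
const CONSENT_COOKIE = 'site_consent';      // hypothetical cookie set by your consent banner
const CONTAINER_ID_RE = /^GTM-[A-Z0-9]+$/;  // shape of a GTM container ID

// Parse a cookie string ("a=1; b=2") and return the set of granted categories.
// Assumed value format (constructed): URL-encoded comma list, e.g. "analytics%2Cmarketing".
function grantedCategories(cookieString) {
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    let value;
    try {
      value = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      return new Set();                     // malformed encoding: treat as no consent
    }
    return new Set(value.split(',').map((s) => s.trim()).filter(Boolean));
  }
  return new Set();                         // cookie absent: no consent
}

// Inject the GTM loader script. Returns true only if the script was added.
function loadGtmContainer(win, doc, containerId, cookieString, requiredCategory) {
  // Never build a script URL from an unchecked value.
  if (!CONTAINER_ID_RE.test(containerId)) return false;
  // Fail closed: no cookie or no matching category means no container.
  if (!grantedCategories(cookieString).has(requiredCategory)) return false;
  if (win.__gtmLoaded) return false;        // hypothetical flag: do not load twice
  win.__gtmLoaded = true;
  win.dataLayer = win.dataLayer || [];      // keep the data layer the plugin already created
  win.dataLayer.push({ 'gtm.start': Date.now(), event: 'gtm.js' });
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtm.js?id=' + encodeURIComponent(containerId);
  const first = doc.getElementsByTagName('script')[0];
  if (first && first.parentNode) first.parentNode.insertBefore(script, first);
  else doc.head.appendChild(script);
  return true;
}

// Browser entry point; "GTM-XXXXXXX" is a placeholder container ID.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  loadGtmContainer(window, document, 'GTM-XXXXXXX', document.cookie, 'analytics');
}
```

The check runs once per page load, so a visitor who grants consent after the page has rendered gets the container on the next page view unless the banner calls `loadGtmContainer` again from its own callback.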