Google Tag Manager and GDPR: What a Recent German Court Decision Means

On March 19, 2025, the German Administrative Court of Hanover (VG Hannover) issued a decision that has big implications for anyone using Google Tag Manager (GTM). The court ruled that GTM requires explicit user consent before it can load — even if GTM itself doesn’t use cookies.

This ruling has caused understandable concern for website owners and marketers across the EU. Let’s break down what the court decided, what it means in practice, and how iubenda is approaching this development.

What the court decided

The court looked at how GTM works in practice and concluded that it is not just a neutral tool. Here’s why:

• Connection to Google servers: GTM contacts Google servers as soon as a page loads.
• Personal data transfer: IP addresses, device details, and referrer URLs are sent to Google automatically.
• Local storage: The GTM script (gtm.js) is stored on the user’s device.
• Hidden execution: GTM enables other third-party scripts to run, often before consent.

Because this happens before a user can give consent, the court found it violates both the GDPR and the German Telemedia Act (TTDSG).

The ruling also criticized invalid consent banners — for example, banners that make “Reject All” harder to find or use misleading symbols like “X” to imply consent. According to the court, these designs don’t count as genuine consent.

What this means for website owners

The main takeaway is simple:

• GTM requires explicit consent before loading.
• Consent must be informed and easy to refuse — no dark patterns.
• A Consent Management Platform (CMP) is not enough if GTM runs before the user makes a choice.
• Google’s Consent Mode 2.0 may not fully solve the compliance issue.

In short, GTM is not “just technical.” It’s a data processing tool, and that means it falls under EU consent rules.

iubenda’s approach

At iubenda, our Privacy Controls and Cookie Solution already give you two clear options for managing GTM in line with consent requirements:

1. Block tags inside GTM (granular approach)
   • In GTM, you can configure triggers to fire only after iubenda’s consent signals are received.
   • This means you can decide which tags are allowed for each consented purpose (e.g., analytics, marketing).
2. Block the GTM script itself (non-granular approach)
   • You can assign GTM to a specific purpose in iubenda.
   • With this setup, the entire GTM container will only load once a user gives consent for that purpose.

By default, our generator currently categorizes GTM as a strictly necessary service, which means it is not blocked automatically. This choice was made because blocking GTM at the script level can cause technical issues for many websites.

However, if you prefer to apply the strictest interpretation of the German court ruling, you can switch to one of the two blocking methods above to ensure GTM only runs after user consent is collected.

Will iubenda block GTM automatically?

Not at this time. Here’s why:

• The VG Hannover decision is regional and not yet binding across the entire EU.
• Automatically blocking GTM would disrupt many websites, and it’s not yet clear whether this will become the EU-wide standard.
• Our users already have the tools to choose stricter compliance and manage GTM accordingly.

We’re closely monitoring the situation, and we’ll update our recommendations if the legal landscape changes.

What you can do today

If you want to apply the strictest standard immediately, you have two options with iubenda’s Privacy Controls and Cookie Solution:

1. Block the GTM script until consent is given
   • Assign GTM to a specific purpose in iubenda (for example, “Marketing”).
   • The GTM container will only load after the user consents to that purpose.
   • This option is simpler but less flexible, because all tags wait for consent together.

   

2. Control tags inside GTM (granular consent)
   • Set up GTM triggers to listen for iubenda’s consent signals.
   • Allow or block each tag depending on the purposes the user has agreed to (e.g., Analytics, Remarketing).
   • This option takes a bit more configuration, but it gives you full control and aligns closely with GDPR requirements.

Both methods are supported by iubenda. Which one you choose depends on your compliance strategy and the level of risk tolerance you want to adopt.

💡 The German court’s decision is a reminder that even tools considered “technical” — like Google Tag Manager — can have significant data protection implications. For now, we are not enforcing automatic GTM blocking in our products, but we give you the flexibility to decide how to configure GTM for your business.

As always, we recommend keeping a close eye on legal developments and ensuring your consent banner offers users a real, transparent choice.