Respect user’s privacy with Google Tag Manager

Jing Zhang illustration

The General Data Protection Regulation¹, applicable from May 25, 2018, sets global data protection standards aimed at providing citizens with more control over their data. As a consequence of this regulation, online businesses receiving traffic from the European Union must track visitors’ and users’ behavior and collect data about them more carefully, responsibly, and — above all else — with consent.

I’m not going here into the details of what GDPR is and what it says, but I’ll get straight to the practical side trying to explain how to make your Google Tag Manager GDPR compliant.

What is Google Consent Mode?

Google Tag Manager² is a free tag management service provided by Google that allows website managers to create and monitor tags through an interface so that you don’t have to write code any time you need to create a tag.

Tags are bits of code embedded in your website’s script that can extract certain information. This information is usually about your visitors’ behavior: how long they stay on a web page, which links they click on those pages, where they have landed on your page from…

As you may already know, all this data are important to optimize and improve your website, and to offer the best service/experience possible to your visitors. But this also means that you are managing and collecting data from and about your users: you must respect their privacy and be GDPR compliant. Let’s find out how.

Google Tag Manager: privacy and consent

To understand how to make your Google Tag Manager GDPR compliant, you need to understand a couple of things about tag manager and GDPR first:

  • GDPR considers the usage data you collect through tags as personal, so you need a privacy policy.
  • If you are deploying tags and cookies to track your visitors’ behavior and preferences, you need consent to do so. Consent must be given from the users. This implies that you need to make users aware that you are collecting their data, and you need to give them the chance to consent to the collection of that data. Furthermore, you can only collect data and drop your cookies after the user has given their consent.

So, how do you make your Google Tag Manager GDPR compliant? Now we can answer:

  • By providing a privacy policy to your visitors;
  • By making sure that your tags only get into action after the user has given their explicit consent.

Privacy Policy

A Privacy Policy is a document where you state how your website is collecting, processing, and managing data from your users. With GDPR, you must have a privacy policy if your website and/or users are from the EU.

A compliant Privacy Policy needs to state explicitly the use you’re going to make of users’ data: are you collecting it? Are you keeping it confidential? Are you going to use it for marketing and promotional purposes? Are you going to sell it to third parties?

How to provide a privacy policy to your visitors?

You can write a privacy policy as an independent web page on your website and provide links for it in any part of your website you like. It doesn’t matter where you put your privacy policy: what matters is that you need to have one and your users must have easy access to it.

One of the best ways of making your users aware of the existence of your privacy policy and where to find it is by providing a link to it in the form that you utilize to ask for their consent to data collection.

Google Consent Mode

Let’s now move on to an even more practical step. We’ve said that, if you are using tags to track users’ behavior, you need to get consent first. This means that, if a user doesn’t provide their consent, you can’t track their behavior and your tags need to be, in a certain way, disabled.

You need a feature, that is, that allows you to adjust the behavior of Google tags based on user consent preferences: Google Consent Mode³ is a beta feature, introduced — of course — by Google, that allows you to do so. Let’s find out how it works.

Google Consent Mode: What it is (and what it isn’t)

Consent Mode has been introduced by Google to help publishers manage their tags and cookies for advertising and statistical purposes.

Google Consent Mode is a beta feature that does exactly what you need to be GDPR compliant with your tag management as we’ve explained above: it adjusts the behavior of Google tags based on user consent preferences.

Google Consent Mode currently supports the following products:

  • Google Ads
  • Google Analytics
  • Conversion Linker
  • Floodlight

Google Consent Mode isn’t a Consent Management platform. To use Google Consent Mode, you must already have implemented a system to collect and handle personal information (a CMP, Consent Management Platform). Consent Mode doesn’t collect any data: it only taylors the behavior of Google tags to each user’s consent status.

Google Consent Mode: How does it work?

Google Consent Mode is built on two major pillars:

  • User Privacy: tags are consent-aware, respecting user preferences for and storage and analytics storage;
  • Modeling: Google can use those consent signals to model for lost conversions resulting from consent changes.

User Privacy

How does Google Consent Mode respect users’ privacy by adjusting tags’ behavior to their choices? It does so by introducing two new tags settings: analytic_storage and ad_storage.

Analytic Storage

With the analytic_storage tag setting, Consent Mode adjusts the behavior of statistics cookies on your website according to the consent state of users.

  • if the user doesn’t give their consent to the collection of cookies, Google Analytics won’t read or write ads or analytics cookies; furthermore, optional features relying on Google signals will be disabled;
  • if the user gives their consent, Google tags will work normally.

Does it mean that, when the user doesn’t give their consent to statics cookies, you won’t be collecting any analytical information?

No. When consent isn’t given, you’ll still be collecting some information anonymously. Anonymous data that are collected are:

  • timestamps of visits to your website;
  • User-agent: information about the user’s browser and device;
  • Referrer: how users landed on your page;
  • whether the current or prior page in the user’s navigation includes ad-click information in the URL;

Ad Storage

WIth Ad_storage tag setting, Consent Mode adjusts the behavior of marketing cookies on your website based on your user’s consent preferences. If the user doesn’t consent to the use of marketing cookies, marketing-related Google tags will be adjusted and won’t use cookies.

Does it mean that if the user doesn’t give consent to the use of marketing cookies you can’t display advertising on your website? No, it means that — if the user doesn’t give consent — an advertisement will be shown based on anonymous data instead of being targeted and based on personal data tracking.

Conversion Modeling

Sometimes, when consent preferences are changed by the user, it becomes impossible to observe the path between ad interactions and actual conversions.

Google Consent Mode fills this gap using machine learning to analyze data and trends to quantify the relationship between consented and unconsented users and then fill in missing attribution paths.

With Google Consent Mode, therefore, you can recover more than 70% of ad click-conversion paths lost due to users’ consent changes.

Benefits of making your Google Tag Manager GDPR compliant

Respecting your users’ privacy should be one of your priorities, and not only because you must.

Having a transparent Privacy Policy will improve your reliability and perception to the eyes of your users and customers. As you may already know, reliability is key in the digital world, a sector where often buyers and sellers or service providers don’t have direct contact.

The web is also a place where competition is extremely high: to stand out from the crowd, you need to provide not only the best quality service but also the most transparent. You need to gain your users/clients’ trust.

Clear management of personal data is an important aspect of transparency. So, this is why you want to respect your users’ privacy — not only because your website must be GDPR compliant — but also to improve the quality and transparency of your website, online business, e-commerce.

Conclusion

Google Consent Mode is key in making your website GDPR compliant. You can think of it as a bridge between users’ choices in terms of cookies’ consent and your tags’ functions.

Therefore, Google Consent Mode won’t replace Google Tag Manager, but it’s an addition — an improvement — to it. Now, your tags will work according to each user’s specific preferences in terms of data collection, and everything will be automated.

Your website will be GDPR compliant and it will also benefit from an improvement in terms of quality and transparency.


References

[1]: https://eur-lex.europa.eu/content/news/general-data-protection-regulation-GDPR-applies-from-25-May-2018.html

[2]: https://developers.google.com/tag-platform/tag-manager

[3]: https://support.google.com/analytics/answer/9976101?hl=en