How to install a Consent Management Platform via Google Tag Manager (the right way)
Step-by-step: GTM Consent Mode template, default deny, listener tag, per-tag consent gating, and the three traps that silence half your tags forever.
Most engineers paste the CMP's <script> tag directly into their site head and call it a day. That works — but if you're already using Google Tag Manager, doing it through GTM is significantly cleaner: you get tag-by-tag consent gating, easy debugging, and a single source of truth for your tracking stack. Here's how to do it correctly.
Step 1 — Make GTM aware of Consent Mode
Open GTM → Container Settings → enable Consent Overview. This unlocks the per-tag “Consent settings” section that we'll need in step 4.
Step 2 — Install the CMP's GTM template
Most CMPs (CookieGuard, Cookiebot, Iubenda) publish a free GTM Community Template. Add it from the Tag → New → Template Gallery. The template will:
- Push
gtag('consent', 'default', …)with everything denied. - Inject the CMP loader script.
- Listen for the CMP's update event and push
gtag('consent', 'update', …).
Set the trigger to Consent Initialization — All Pages (not the regular page-view trigger). Consent Initialization fires before everything else, which is critical.
Step 3 — Configure your CMP-specific variables
You'll usually need to fill in three template fields:
- Domain ID — the identifier the CMP issued you.
- Consent version — bump this whenever you change the banner or vendor list.
- Region behavior — strict EEA, opt-out California, soft elsewhere.
Step 4 — Gate every tag
Open each existing tag (GA4, Floodlight, Meta Pixel, etc.) and set its consent settings:
| Tag | Required consent |
|---|---|
| GA4 Configuration | analytics_storage |
| GA4 Event | analytics_storage |
| Google Ads Conversion | ad_storage, ad_user_data |
| Google Ads Remarketing | ad_storage, ad_personalization |
| Meta Pixel | ad_storage, ad_user_data, ad_personalization |
| LinkedIn Insight | ad_storage, ad_user_data |
| Hotjar / FullStory | analytics_storage |
With consent gating set, GTM will queue these tags until consent is granted, then fire them — automatically and without you writing custom triggers.
Step 5 — Verify with Tag Assistant
Open tagassistant.google.com, connect to your dev URL, and watch:
- The Consent panel should show defaults loaded BEFORE the first GA4 hit.
- GA4 hits before consent should be cookieless (no
_gain the request). - After clicking Accept, you should see a Consent update event and subsequent GA4 hits with the full payload.
The three traps
Trap 1: GTM loaded before Consent Initialization
If your CMS injects gtm.js in <head> but your CMP loader comes from another script down the page, you've created a race. The fix: put the CMP's default-consent block before the GTM snippet, even if the rest of the CMP loads later. CookieGuard solves this with its tiny loader stub that we recommend pasting right above the GTM snippet.
Trap 2: Forgetting wait_for_update
Without wait_for_update: 500 in your default consent call, Google's infrastructure assumes the user already had time to decide and the denied state is final. That kills consent modeling. Always include it.
Trap 3: Treating Consent Mode as a substitute for tag gating
Consent Mode tells Google what consent you have. It does not stop your othertags (Meta, LinkedIn, TikTok) from firing. You must still gate those tags via GTM's per-tag consent settings or a built-in trigger condition. Forgetting this is what tripped up the German Federal Court in early 2024.
The shortcut
CookieGuard's GTM template ships with all the gating presets above. Install it, drop in your domain ID, and you're done.