Polaris Audit

Case #007 · 24 Apr 2026 · 6 min read

How to Read a GTM Container Audit for GDPR Leaks

A GTM container shows you what tags are configured. It doesn’t show you what fires before consent. Here’s how to close that gap.

TL;DR

  • GTM containers don't self-report consent violations — you read triggers and firing rules manually
  • Any tag with an "All Pages" trigger and no consent check is a violation risk
  • Consent Mode configuration (Basic vs. Advanced) determines what fires before the click
  • A static container audit identifies candidates — only a live scan confirms what actually fires

Verdict

Reading a GTM container tells you what should happen. A live scan tells you what does happen. Run both.

Why the GTM Interface Misleads You

GTM is built for marketers, not compliance officers. Tags are organised by name, not risk level. There’s no column that says “fires before consent.” The interface shows configuration — not runtime behavior.

Two tags with identical configurations can behave differently depending on how your CMP is integrated with GTM, the order in which scripts load, and what mechanism your CMP uses to block tags.

A container audit is hypothesis generation. You’re identifying candidates for live verification — not writing the compliance report yet.

The Three Things That Determine When a Tag Fires

Most pre-consent violations come down to three factors. Most auditors only check one of them.

Triggers

  • All Pages (Page View): Fires the moment the GTM container loads — before any banner click. Any tag with this trigger and no consent check fires pre-consent by default.
  • DOM Ready / Window Loaded: Still fires pre-consent in most configurations. Later in the page lifecycle, but still before any user interaction.
  • Custom Event: Depends entirely on what fires the event. Some CMPs fire a custom event on consent grant — if your tag listens for that, it’s properly gated.

Tag type

  • Custom HTML: No built-in consent awareness. Fires on trigger regardless of consent state unless the CMP blocks the entire container.
  • Native Google tags (GA4, Ads): Can receive Consent Mode signals and adjust behavior based on analytics_storage and ad_storage states.
  • Third-party pixels (Meta, TikTok, LinkedIn): No native Consent Mode support. They fire or they don’t.

Consent settings in GTM

GTM has a built-in Consent Overview panel. Tags can require analytics_storage, ad_storage, or other consent types before firing. If configured correctly, GTM blocks a tag when the relevant type is denied.

The catch: this only works if your CMP writes consent state to the dataLayer before the GTM container loads. If your CMP initialises after GTM, none of the Consent Overview blocking applies.

The Audit Checklist

Step 1 — Export the container JSON

Admin → Export Container. Working from the JSON lets you search across all tags without clicking through the UI one by one.

Step 2 — Find every tag with an All Pages trigger

In the exported JSON, each trigger has a type field. Search for "type": "pageview" to find All Pages triggers, then note their trigger IDs. List every tag that references those IDs — these are your first candidates.

Step 3 — Check each tag for consent requirements

Open each candidate tag in the GTM UI. Look for the “Consent Settings” section. If it reads “No additional consent required,” the tag fires regardless of consent state.

Flag immediately: Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Bing UET, and any Custom HTML tag loading a third-party script.

Step 4 — Check Consent Mode configuration

Open Tags → Google Tag (or GA4 Configuration). If Consent Mode is enabled, determine whether it’s Basic or Advanced. See GTM Consent Mode v2 Explained for what that distinction means legally.

Step 5 — Check for CMP integration

Go to Templates → Search Gallery. Look for your CMP’s name. If it’s not there, your CMP may be controlling GTM through a different mechanism — or not at all.
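Steps 2 and 3 can be scripted against the export instead of clicked through tag by tag. The script below is an added example, not part of this post or of GTM; the container it parses is a constructed sample, and the field layout it relies on (containerVersion.trigger / containerVersion.tag, firingTriggerId, consentSettings.consentStatus) is an assumption about the export format. The trigger-type match is case-insensitive because real exports may spell the type in upper case.

```python
import json

# Constructed sample of a GTM container export (not a real container). The
# nesting used here is an assumption about the export format, kept minimal.
SAMPLE_EXPORT = json.dumps({
    "containerVersion": {
        "trigger": [
            {"triggerId": "1", "name": "All Pages", "type": "PAGEVIEW"},
            {"triggerId": "2", "name": "Consent Granted", "type": "CUSTOM_EVENT"},
        ],
        "tag": [
            # Custom HTML pixel on All Pages with no consent requirement: the
            # classic pre-consent candidate from Step 3.
            {"tagId": "10", "name": "Meta Pixel", "type": "html",
             "firingTriggerId": ["1"],
             "consentSettings": {"consentStatus": "NOT_SET"}},
            # Native Google tag gated on analytics_storage: not flagged.
            {"tagId": "11", "name": "GA4 Config", "type": "googtag",
             "firingTriggerId": ["1"],
             "consentSettings": {"consentStatus": "NEEDED"}},
            # Fires only on the CMP's consent event: not an All Pages candidate.
            {"tagId": "12", "name": "TikTok Pixel", "type": "html",
             "firingTriggerId": ["2"],
             "consentSettings": {"consentStatus": "NOT_SET"}},
        ],
    }
})

def pageview_trigger_ids(container):
    """Step 2: IDs of every trigger whose type is a page view."""
    return {t["triggerId"] for t in container.get("trigger", [])
            if t.get("type", "").lower() == "pageview"}

def candidate_tags(export_json):
    """Steps 2 and 3: tags fired by an All Pages trigger that declare no consent
    requirement. Returns a list of (tag name, tag type) in container order."""
    container = json.loads(export_json)["containerVersion"]
    pv_ids = pageview_trigger_ids(container)
    flagged = []
    for tag in container.get("tag", []):
        if not pv_ids.intersection(tag.get("firingTriggerId", [])):
            continue  # not reachable from an All Pages trigger
        status = tag.get("consentSettings", {}).get("consentStatus", "NOT_SET")
        if status != "NEEDED":  # "No additional consent required" in the UI
            flagged.append((tag["name"], tag["type"]))
    return flagged

if __name__ == "__main__":
    for name, kind in candidate_tags(SAMPLE_EXPORT):
        print(f"CANDIDATE: {name} ({kind}) fires on All Pages with no consent check")
```

The output is only a candidate list; a tag it flags still has to be confirmed with the live scan below, and a tag it clears can still fire if the CMP initialises after GTM.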


Confirm With a Live Scan

After the checklist you have a list of candidates. Open DevTools → Network tab. Load the page without touching the banner. Filter for the domains of each flagged tag — facebook.net, analytics.google.com, tiktok.com. A request appearing before any click confirms pre-consent firing.
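The DevTools check can be made repeatable by saving the capture as a HAR file (DevTools → Network → Export HAR) and filtering it offline. The script below is an added example, not part of this post; the HAR fragment is constructed, and the consent-click timestamp is supplied by you (pass a far-future time if you never touched the banner). The domain list is the one named above.

```python
import json
from datetime import datetime
from urllib.parse import urlparse

# Constructed HAR fragment (not a real capture): page load, two tracker
# requests during load, then one request after the banner was clicked.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"startedDateTime": "2026-04-24T10:00:01.000Z",
     "request": {"url": "https://www.example.test/"}},
    {"startedDateTime": "2026-04-24T10:00:01.400Z",
     "request": {"url": "https://connect.facebook.net/en_US/fbevents.js"}},
    {"startedDateTime": "2026-04-24T10:00:01.900Z",
     "request": {"url": "https://analytics.google.com/g/collect?v=2&tid=G-PLACEHOLDER"}},
    {"startedDateTime": "2026-04-24T10:00:09.000Z",
     "request": {"url": "https://analytics.tiktok.com/i18n/pixel/events.js"}},
]}})

# Domains of the flagged tags; a hit on a subdomain counts too.
TRACKER_DOMAINS = ("facebook.net", "analytics.google.com", "tiktok.com")

def _ts(iso):
    # HAR timestamps are ISO-8601; older Pythons reject a trailing "Z".
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def host_matches(host, domain):
    return host == domain or host.endswith("." + domain)

def pre_consent_requests(har_json, consent_click_iso, domains=TRACKER_DOMAINS):
    """Return (host, url) for every request to a flagged domain that started
    before the banner click. Any such request confirms pre-consent firing."""
    click = _ts(consent_click_iso)
    hits = []
    for entry in json.loads(har_json)["log"]["entries"]:
        if _ts(entry["startedDateTime"]) >= click:
            continue  # after the click: consent may legitimately have been given
        url = entry["request"]["url"]
        host = urlparse(url).hostname or ""
        if any(host_matches(host, d) for d in domains):
            hits.append((host, url))
    return hits

if __name__ == "__main__":
    for host, url in pre_consent_requests(SAMPLE_HAR, "2026-04-24T10:00:05.000Z"):
        print(f"PRE-CONSENT: {host}  {url}")
```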

For a method that covers all known tracker domains at once without manual filtering, see How to Test If Your Cookie Banner Is GDPR Compliant.

What a Container Audit Won’t Catch

  • Tags injected directly into page HTML, bypassing GTM entirely
  • Trackers loaded by third-party scripts (chat widgets, embedded forms)
  • Cookies set by your hosting provider or CDN
  • Server-side tracking configurations

Pair every container audit with a live network scan. The container tells you what GTM intends to do. The network trace tells you what the browser actually does.

For a full agency-side workflow — including what to check before touching the container — see the CMP Setup Checklist for Agencies.
