Notice
View and sign up for upcoming Cookie Consent Office Hours here.
Watch previously recorded Cookie Consent Office Hours here.
Google Tag Manager (GTM) is a tool that allows you to manage and deploy tags (snippets of code or tracking pixels) on your website without having to modify your site code.
If you use Google Tag Manager (GTM) to inject cookies on your website and manage site content, you can configure GTM so that the scripts are controlled by visitors' consent preferences.
This section of the guide explains how to set up GTM to take advantage of these changes.
Note
This article is not a complete guide to Google Tag Manager. Consult official Google Tag Manager documentation for more detailed information about setting up and using GTM.
Key Terms
-
OptanonConsent: the OneTrust first party cookie that fires when implementing a Cookie Consent Banner script.
For more information, see OneTrust Cookies.
-
OnetrustActiveGroups: the OneTrust data layer variable that stores users' consent preferences.
-
OneTrustGroupsUpdated: the OneTrust event that fires when users' consent preferences are updated.
How it Works
To pass user consent data to Google Tag Manager, the Cookie Consent tool uses variables. Cookie Consent supports JavaScript variables and data layer variables. OneTrust recommends using the GTM data layer and data layer variables.
Cookie Consent uses the existing dataLayer object or creates a new one if it does not already exist. If your site creates a dataLayer object, ensure that this does not overwrite the one Cookie Consent creates.
Cookie Consent stores user consent data in two places. You can implement this integration using one of two methods outlined below:
-
Implement with OnetrustActiveGroups: this stores the user consent data in a comma delimited string and repopulates on every page load once the script is executed and when the user updates their consent preferences.
For example, the data contained in the datalayer variable value might be ,C0001,C0002,C0003,C0004, which means all the cookies associated with these IDs have been given consent to fire on the user's browser.
For more information on the data layer variable, see OnetrustActiveGroups – Using the Data Layer Object.
-
Implement with OptanonConsent: Similar to the OnetrustActiveGroups data layer variable setup, firing and blocking triggers can be created using the OptanonConsent cookie. This is a OneTrust first-party cookie set on the browser when the banner CDN script is integrated that allows you to trigger client tags.
Along with other values, the cookie includes a groups attribute. The value of the groups attribute includes all the category IDs with a binary value of 0, meaning the group is inactive, or 1, meaning the group is active. Because this attribute is updated every time a user makes updates to their consent preferences, you can leverage the OptanonConsent cookie to set up triggers in GTM.
For more information, see OneTrust Cookies.
Note
For both methods, it is required to set up OneTrust triggers and assign them to appropriate tags.
When a user updates their consent preferences or on page load, the dataLayer event OneTrustGroupsUpdated is triggered. You can use this event when creating triggers to apply to your tags.
By creating a GTM Custom Variable and triggers, you can configure GTM tags to trigger only when specific consent groups within OnetrustActiveGroups are present.
You can implement this integration in one of two ways: uploading and merging a provided container file or by manually establishing triggers for each tag.
Warning
If any technology, such as an ad blocker, prevents GTM from firing, the OT cookie script will not fire, which could lead to noncompliance.
Important Notes about Google Tag Manager Integration
-
The Google Tag Manager rule operator and value fields can be customized if a different behavior is required than contained in the examples in this section.
-
Auto-Blocking is capable of blocking Google Tag Manager. If this occurs, use one of the follow methods to unblock Google Tag Manager:
j.setAttributeNode(d.createAttribute('data-ot-ignore'));
j.setAttribute('class','optanon-category-C0001');
Example:
<!-- Google Tag Manager -->
<script>(function (w, d, s, l, i) { w[l] = w[l] || []; w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
var f = d.getElementsByTagName(s)[0], j = d.createElement(s), dl = l != 'dataLayer' ? '&l=' + l : ''; j.setAttributeNode(d.createAttribute('data-ot-ignore'));
j.async = true;j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
f.parentNode.insertBefore(j, f); })(window, document, 'script', 'dataLayer', 'GTM-XXXXXXX');
</script>
<!-- End Google Tag Manager -->
To deploy OneTrust scripts from Google Tag Manager
The first step of this integration is to determine if you want to add OneTrust CDN scripts in the HTML header section of your site or deploy scripts from Google Tag Manager.
OneTrust recommends deploying the CDN scripts from one location only. If you deploy the CDN scripts from Google Tag Manager, please ensure you place the GTM header script as the first script in your source code to ensure any other scripts on your source code that fire cookies on the website are loaded after OneTrust.
-
Select the Tags tab from the main menu. The Tags screen appears.
-
Click New. The Tag modal appears.
-
Name the tag Cookie Banner Script.
-
Under the Tag Configuration, press the Edit button. The Choose Tag Type modal appears.
-
Select Custom HTML.
-
Paste the published script into the HTML editor with your data domain script ID.
<!-- OneTrust Cookies Consent Notice start -->
<script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js"
type="text/javascript" charset="UTF-8" data-domain-script="YOUR DATA DOMAIN SCRIPT ID"></script>
<script type="text/javascript">
function OptanonWrapper()
</script>
<!-- OneTrust Cookies Consent Notice end -->
-
Check the Support document.write box.
Important
This must be checked for OneTrust to load on your website.
-
Click the Triggering icon. The Choose a trigger modal appears.
-
Select All Pages.
-
Click Save.
After the OneTrust CDN script is added, you must create a data layer variable in GTM that saves user preferences if you did not import the variable into your GTM container with the OneTrust triggers.
Once you determine what type of variable you would want to create in your Google Tag Manager container, follow the corresponding steps:
To create a new variable for OnetrustActiveGroups
-
Open your container in Google Tag Manager.
-
Select the Variables tab from the main menu. The Variable screen appears.
-
Create a new User-Defined Variable.
-
Name the variable.
Tip
We suggest naming the variable OnetrustActiveGroups for easy identification.
-
Set the Variable Type to Data Layer Variable under the Page Variables section.
-
Set the Data Layer Variable Name to OnetrustActiveGroups.
Note
The Data Layer Variable Name must be set to OnetrustActiveGroups for the code to work as expected
-
Press the Save button.
Important
Custom data layer variables are only supported by OneTrust 6.29 and up.
To create a new variable for OptanonConsent
-
Open your container in Google Tag Manager.
-
Select the Variables tab from the main menu. The Variable screen appears.
-
Create a new User-Defined Variable.
-
Name the variable.
Tip
We suggest naming the variable OptanonConsent so you know what it refers to.
-
Set the Variable Type to 1st Party Cookie under the Page Variables section.
-
Set the Data Layer Variable Name to OptanonConsent.
Note
The Data Layer Variable Name must be set to OptanonConsent for the code to work as expected.
Additionally, the URI-decode cookie option must be enabled.
-
Press the Save button.
In GTM, triggers prompt tags to fire or not fire based on certain criteria. You may already have a variety of different triggers applied to your tags.
As part of the Cookie Consent integration with GTM you are going to create a trigger associated with each cookie category.
When you apply these triggers to your tags, this will prompt your tags to fire or not fire based on the Cookie Category being active or the consent given by the user.
You will need a separate trigger for each of the Cookie Categories that you will be blocking cookies under. For example, you may have a group called 'Performance Cookies', which has a category id of C0002 and contains the cookies set by your Google Analytics tag.
Each trigger needs to be in line with the category ids that are set in your cookie consent application. You can find the cookie category IDs in the cookie consent application under Categorizations.
We want the OneTrust cookie category id triggers that you create or upload to be applied to your existing tags in such a way that the OneTrust trigger is the limiting factor to the tag firing. This can be done in several different ways. Three different ways are outlined below.
-
Creating a firing trigger (recommended)
-
Using firing triggers on existing tags and creating a trigger group
-
Creating exception triggers
To create a firing trigger
-
Open your container in Google Tag Manager.
-
Select the Triggers tab from the main menu. The Triggers screen appears.
-
Press New. The Trigger Configuration screen appears.
-
Name it accordingly, e.g. Performance Cookies Active.
Note
You will create triggers for all categories on which the user can accept or reject cookies.
-
Press the Trigger Configuration and set the Trigger type to Custom Event.
-
Set the Event name to OneTrustGroupsUpdated. This event is embedded in the script and fires on every page.
-
Check the Use Regex Matching box.
For OnetrustActiveGroups integration:
-
Under This trigger fires on, select Some Custom Events and set it to fire when the following is true:
[OnetrustActiveGroups] [matches RegEx] [,C0002,]
Note
The cookie category ID, in this example C0002, must match the IDs you are using in the OneTrust tool.
For OptanonConsent integration:
-
Under This trigger fires on, select Some Custom Events and set it to fire when the following is true:
[OptanonConsent] [contains] [C0002:1]
-
Save the Trigger.
-
Repeat this process for the remaining Cookie Categories to which a user can consent.
-
Apply the OneTrust triggers to all tags that are firing cookies. Ensure you add the OneTrust firing trigger that corresponds to the category of the cookie associated with the tag.
Tip
Because OneTrust fires on all pages, if your existing trigger for a tag is All pages, you can delete that trigger and replace it with the OneTrust category.
Note
If a tag is blocked and then allowed, it'll fire without the need for page reload because of listening for OneTrustGroupsUpdated. If it had been previously allowed and then blocked, the tag would be blocked on subsequent page loads.
Using firing triggers on existing tags and creating a trigger group
Important
OneTrust recommends using this method when you have an existing firing trigger on the tag that contains a condition that needs to be met before the tag can fire.
When using a firing trigger, make sure the OneTrust trigger is the limiting factor to the tag firing.
Only use a trigger group if you already have a firing trigger set up on your tag.
Follow the steps mentioned above to first create the OneTrust category firing trigger and then to add your existing condition trigger to create a trigger group.
Trigger groups utilize “AND” conditions, whereas directly applying multiple triggers to a tag to fire utilizes an “OR” condition.
Firing Triggers directly applied:
Within Trigger Group:
This is another method for setting up the OneTrust triggers and applying them to your tags such that the OneTrust triggers are the limiting factor to the tags firing.
-
Select the Triggers tab from the main menu. The Triggers screen appears.
-
Press New. The Trigger Configuration screen appears.
-
Create a new trigger and name it accordingly, e.g. Example Trigger Group.
-
Press the Trigger Configuration and set the Trigger type to Trigger Group.
-
Select the existing trigger for your tag.
-
Select the OneTrust trigger based on the category to which the tag should be mapped.
To create an exception trigger
You can also set up an exception trigger to fire the script if a category of cookies is not active.
You will only want to use an exception trigger if you already have a different firing trigger set up on your tag.
Note
In Google Tag Manager, Blocking triggers must fire on the same event as the Active triggers.
For example, set a trigger to fire when OnetrustActiveGroups does not contain C0002 (where C0002 is the id for performance cookies). Apply this blocking trigger as an exception to tags in this group.
-
Select the Triggers tab from the main menu. The Triggers screen appears.
-
Press New. The Trigger Configuration screen appears.
-
Create a new trigger and name it accordingly, e.g. Block Performance Cookies.
-
Press the Trigger Configuration and set the Trigger type to Custom Event.
-
Set the Event name to .*. This event applies to all events and will allow the exception trigger to override the event that is in the firing trigger.
-
Set the Trigger to fire on Some Custom Events.
-
For OnetrustActiveGroups integration:
Select Some Page Views and set the Trigger to fire when the following is true:
[OnetrustActiveGroups] [does not match RegEx] [,C0002,]
-
For OptanonConsent integration:
Select Some Custom Events and set the Trigger to fire when the following is true:
[OptanonConsent] [does not contain] [C0002:1]
-
Save the Trigger.
-
Repeat this process for the remaining Cookie Categories.
-
Apply the Trigger to Tags as an Exception.
Using a container to integrate with Google Tag Manager
Important
This adds the triggers mentioned above automatically to your container.
-
Open your container in Google Tag Manager.
-
Go to the Admin tab.
-
Download the container from the link at the end of the article.
-
Click Import Container.
-
Select the downloaded container file.
-
Select Merge and then Overwrite conflicting tags, triggers and variables as the import option.
-
Click the Confirm button.
-
Verify nothing is deleted or overwritten.
To add the triggers to tags in a container
You can review all your tags in your Google Tag Manager containers to verify which tags should connect to OneTrust triggers.
The general recommendation is to review the categorizations in your OneTrust tenant to determine which cookies are added from Google Tag Manager. You can then add the respective categorization trigger to the tag that fires a cookie.
If there is an existing trigger on a tag that is firing a cookie, follow the steps above to create a trigger group. Add the trigger group with your existing condition and the OneTrust cookie category trigger to the tag firing the cookie.
Note
If you have a tag that fires a cookie with the All Pages trigger added to it, delete the trigger and replace it with the OneTrust cookie category trigger as the Firing trigger.
Before OneTrust is integrated, the triggers appear as follows:
After replacement, the trigger displays as follows:
-
On the main navigation menu in Google Tag Manager, select .
-
Select a tag to which you want to apply the appropriate OneTrust Cookie Category Trigger.
-
Apply the appropriate Firing Trigger, Trigger Group, or Exception Trigger that you have created.
-
Click the Save button.
To test your Google Tag Manager configuration
After you have reviewed all your tags, created onetrust category triggers and added the triggers to all the tags firing cookies by following the steps listed above you should be ready to test your website
Note
To test your setup, you will need preview access on Google Tag Manager. If you Preview is not present in your GTM container, please reach out to your GTM admin.
-
In GTM, click Preview. A new Tag Assistant tab appears.
-
Add the website URL with the GTM container added. A new tab with your website appears.
-
In the Tag Assistant tab, locate the following three events to determine OneTrust data is passed into the Google Tag Manager container:
-
OneTrustGroupsUpdated
-
OptanonLoaded
-
OneTrustLoaded
-
In your website tab, go to your Preference Center and confirm the consent model by reviewing which categories are allowed or rejected.
In this example, all the tags mapped to OneTrust categories are firing since the consent model is opt-out and all the categories are allowed.
-
To test your setup, go back to the Tag Assistant tab and click on OneTrustGroupsUpdated event, since this was used to create the OneTrust category triggers.
The tags highlighted above are the tags fired from OneTrustGroupUpdated.
Tip
You can also click on the tags to review how the conditions added to a tag were passed, which allowed the tag to fire on your website.
-
Go to your Preference Center and reconfigure (allow/reject) categories.
In this example, Performance Cookies is rejected on the Preference Center and choices are confirmed by clicking Confirm my Choices.
-
Navigate to the Tag Assistant tab and refresh. All the tags mapped to the Performance Trigger in this example display as Tags Not Fired within the OneTrustGroupsUpdated event.
Tip
You can also click on the Variables tab in this event and look for OnetrustActiveGroups you created in your container to view the categories available/active
To leverage dataLayer attributes
Using the following dataLayer attributes, you can prevent the OneTrust CDN from pushing to window.dataLayer or create a new dataLayer so that you have control over how messages are sent to GTM.
To disable CDN pushes to window.dataLayer
-
Insert the data-dLayer-ignore attribute into your script.
Example:
<script src="https:/cdn.cookielaw.org/scripttemplates/otSDKStub.js"
type="text/javascript" charset="UTF-8" data-domain-script="XXXXX"
data-dLayer-ignore="true"></script>
To enable CDN pushes to a new dataLayer
-
Insert the data-dLayer-name attribute into your script.
Example:
<script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js"
type="text/javascript" charset="UTF-8" data-domain-script="XXXXXX"
data-dLayer-name="dataLayerOneTrust"></script>
This allows CDN pushes to your defined dataLayer only. Pushes to window.dataLayer are disabled.
Note
This is supported for script versions OneTrust 6.28 and onwards. Please publish to a newer script version if you are using an older script version than OneTrust 6.28.
OneTrust cannot send events or updates to multiple datalayer variables
Troubleshooting: Support Document.Write
If you are using Google Tag Manager and have more than one tag or container with the ‘Support Document.Write’ checkbox checked, it may prevent the script from firing properly.
In order to confirm, block the request URL of the container that does not contain the CookiePro/OneTrust tag.
To resolve this issue, set the tag causing the conflict to fire after the CookiePro/OneTrust script has loaded completely.
This can be accomplished by setting the tag in question to use a firing trigger that is dependent on the OnetrustGroupsUpdated event that pushes within the dataLayer once the script completes. This fix is similar to the method used to ensure cookies are not dropped for users based on consent preferences.
