> For the complete documentation index, see [llms.txt](https://cmp.docs.sirdata.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cmp.docs.sirdata.net/en/consent-transmission-standards/google-consent-mode/google-tag-gateway.md).

# Google Tag Gateway

## What is Google Tag Gateway?

Google Tag Gateway (GTG) is a Google infrastructure that routes Google tag requests through Google's own servers, acting as a proxy. When a website is enrolled in GTG, requests to Google domains (such as `googletagmanager.com` or `google-analytics.com`) are intercepted and redirected through Google's infrastructure.

GTG is designed to improve tag reliability and performance, but it introduces specific considerations for Consent Management Platforms, as it can cause Google tags to load **before the CMP has set consent defaults**.

{% hint style="info" %}
For more information, visit the official Google documentation:

* [Google Tag Gateway overview](https://developers.google.com/tag-platform/tag-manager/gateway)
* [Set up Google tag gateway for advertisers](https://developers.google.com/tag-platform/tag-manager/gateway/setup-guide)
  {% endhint %}

## Impact of GTG on consent

When GTG is enabled on a website, Google tags may fire **before the CMP consent default command is set**. This means that tags can execute without proper consent signals being in place, which is detected as a **"late consent"** issue by the Sirdata CMP.

This situation occurs because GTG can load Google tags at the infrastructure level — independently of the page's script execution order — effectively bypassing the CMP's consent initialization sequence.

In particular, the **one-click CDN injection** method used by Google to enable GTG via Google Ads accounts often prevents the customer from controlling the load order of scripts. Since GTG is injected at the CDN/infrastructure level without any code change on the website, the customer has no way to ensure that consent defaults are set before Google tags fire.

{% hint style="warning" %}
Late consent caused by GTG can result in Google tags firing without proper consent signals. This may compromise compliance with privacy regulations and the effectiveness of Google Consent Mode on your site.
{% endhint %}

{% hint style="info" %}
For more information on how Google Consent Mode works and the difference between basic and advanced (U+C) implementation, refer to:

* [Consent mode overview](https://developers.google.com/tag-platform/security/concepts/consent-mode) — Google for Developers
* [Set up consent mode on websites](https://developers.google.com/tag-platform/security/guides/consent) — Google for Developers
* [About consent mode](https://support.google.com/google-ads/answer/10000067) — Google Ads Help
* [Set up consent mode](https://support.google.com/google-ads/answer/14009635) — Google Ads Help
  {% endhint %}

## How GTG works

GTG operates by intercepting requests to Google domains and routing them through Google's servers:

1. **Request interception** — GTG intercepts HTTP requests sent to Google tag domains (e.g., `googletagmanager.com`, `google-analytics.com`, `googlesyndication.com`).
2. **Proxy routing** — These requests are routed through Google's infrastructure, which can serve tag scripts directly from Google's edge network.
3. **Early tag loading** — Because GTG operates at the DNS/infrastructure level, Google tags may be loaded and executed before the page's JavaScript has a chance to initialize the CMP and set consent defaults.

## Implementation methods

GTG can be enabled through different methods:

### Google Ads account — One-click CDN injection (not recommended)

GTG is frequently enabled through the **Google Ads account** via a **one-click CDN injection** — often without the website owner's explicit knowledge. When a Google Ads campaign is linked to a website, Google may automatically enroll the site in GTG at the CDN/infrastructure level with a single click. This **one-click CDN injection** method is the **most common cause of late consent signals** reported by the Sirdata CMP, because:

* The enrollment happens at the Google Ads level via CDN injection, not on the website itself
* The one-click CDN injection prevents the customer from controlling the load order of scripts
* Website owners may not be aware that GTG has been activated
* GTG loads Google tags before the CMP can set consent defaults
* The CMP has no control over the tag loading order imposed by GTG

{% hint style="warning" %}
If GTG was enabled via your Google Ads account (one-click CDN injection), it is strongly recommended to **disable it there** and **re-enable it via Google Tag Manager** instead, using the ABConsent CMP template. This gives you full control over tag loading order and prevents late consent issues.
{% endhint %}

### DNS-level enrollment (CNAME)

Another method is to configure DNS CNAME records that point Google tag domains to GTG endpoints. For example:

* A CNAME record for `gtm.example.com` pointing to a GTG endpoint
* A CNAME record for `analytics.example.com` pointing to a GTG endpoint

This method operates at the DNS level and is entirely transparent to the website's code.

### Google Tag Manager (recommended)

GTG can be enabled via **Google Tag Manager** configuration. This is the **recommended method** because it provides full control over tag loading order and ensures the CMP consent defaults are set before any Google tags fire.

When using GTM with the **ABConsent CMP template** from the GTM Community Template Gallery:

1. The CMP tag is loaded on the **"Consent Initialization"** trigger (`gtm.init_consent`) — the earliest possible trigger in GTM
2. Consent defaults are set **before** any other tags can execute
3. GTG enrollment is managed within GTM, giving you visibility and control
4. No additional code is required beyond the CMP template configuration

{% hint style="success" %}
**Recommended setup:** Enable GTG through Google Tag Manager and use the **ABConsent CMP template** from the GTM Community Template Gallery. This ensures consent defaults are set before GTG-loaded tags fire, eliminating late consent issues.
{% endhint %}

### Manual GTG setup (customer-controlled)

GTG can also be set up manually by the customer, typically via [Google Cloud Load Balancer](https://developers.google.com/tag-platform/tag-manager/gateway/setup-guide). When set up manually, the customer retains **full control over the script import order**, ensuring that the CMP consent defaults are set before any Google tags fire.

This method is recommended for advanced users who want to keep GTG enabled while maintaining strict control over the tag loading sequence.

## How to verify GTG enrollment

To determine whether a website is enrolled in Google Tag Gateway, you can use the following methods:

### Check in Google Tag Manager

In Google Tag Manager:

1. Navigate to the **Admin** tab
2. Click **Google Tag Gateway**
3. Check the enrollment status and configuration

### Check in Google Ads

In Google Ads:

1. Navigate to **Tools > Data Manager**
2. In the **Connected Products** tab, locate the **Google Tag Section**
3. Click **Manage** for the relevant tag
4. In the opened section, select the **Admin** tab
5. Click **Google Tag Gateway**
6. Check the enrollment status and configuration

### Check in Google Analytics

In Google Analytics:

1. Navigate to **Admin > Data Streams**
2. Choose a stream and select **Configure Tag Settings**
3. Go to the **Admin** tab
4. Click **Google Tag Gateway**
5. Check the enrollment status and configuration

### Use browser DevTools

Open your browser's Developer Tools (F12) and inspect the network requests:

1. Load the page and open the **Network** tab.
2. Filter requests by Google domains (e.g., `googletagmanager.com`).
3. Check if requests are being routed through GTG endpoints — look for requests that go through your subdomain (e.g., `gtm.example.com`) rather than directly to `googletagmanager.com`.

### Verify via the Sirdata CMP diagnostic

The Sirdata CMP includes built-in GTG enrollment detection. When a late consent signal is detected, the diagnostic tool will report whether GTG is involved and provide a direct link to this documentation.

{% hint style="info" %}
For detailed instructions on verifying GTG enrollment, refer to the [Google Tag Gateway setup guide](https://developers.google.com/tag-platform/tag-manager/gateway/setup-guide).
{% endhint %}

## Late consent detection

Late consent occurs when the **default consent command and/or TCF stub load after Google tags fire**. This is a critical compliance issue because it means Google tags may execute without proper consent signals.

The Sirdata CMP provides **proactive late consent detection**:

* **Standard mode** — Late consent warnings are visible in the CMP diagnostic interface
* **Debug mode** — Detailed diagnostic information is available, including the specific tags that fired before consent defaults were set and whether GTG enrollment is detected

{% hint style="warning" %}
Late consent is particularly likely when GTG is enabled via one-click CDN injection (e.g., through a Google Ads account), because the customer cannot control the load order of scripts in that configuration.
{% endhint %}

For detailed troubleshooting steps, refer to the [Late `default` signal](/en/consent-transmission-standards/google-consent-mode/fix-implementation-errors/late-default-signal.md) page.

## Resolving late consent when GTG is enrolled

If a **late consent signal is detected** (by debug mode and/or the diagnostic tool) and **GTG enrollment is verified**, the following solutions are available, listed in order of recommendation:

### 1. Adopt U+C — Advanced Consent Mode (recommended)

**U+C (Advanced Consent Mode)** is the **recommended mechanism for GTG-enabled tags** because it is fully compatible with manual GTG setups where the script import order is controlled by the customer.

With U+C (Advanced Consent Mode):

* Google tags load immediately with **default denied** consent signals
* When the user grants consent, the CMP sends an **update** command that enables data collection
* Conversion modeling is activated for users who do not consent, recovering up to 65% of lost behavioral data
* This approach is compatible with GTG, even when GTG is set up manually, because tags fire with denied defaults and only begin collecting data after the CMP updates consent

{% hint style="success" %}
**U+C (Advanced Consent Mode) is the recommended mechanism for GTG-enabled tags** since it is compatible with manual GTG. It ensures that even if Google tags load before the CMP update command, no data is collected until the user grants consent.
{% endhint %}

To enable U+C (Advanced Consent Mode) with the Sirdata CMP:

1. In the Sirdata CMP configuration, enable **Advanced Consent Mode (U+C)**
2. The CMP will set default denied consent signals before any tags fire
3. Upon user interaction, the CMP will send the consent update command

For more information, refer to:

* [Consent mode overview — Basic vs. Advanced](https://developers.google.com/tag-platform/security/concepts/consent-mode) — Google for Developers
* [Set up consent mode on websites](https://developers.google.com/tag-platform/security/guides/consent) — Google for Developers

### 2. Enable Data Transmission Controls and Global Consent Defaults

When using U+C (Advanced Consent Mode), you should also configure **Data Transmission Controls** and **Global Consent Defaults** according to your needs:

* **Data Transmission Controls** — Allow you to control how data is transmitted to Google, providing additional privacy safeguards on top of Consent Mode. Data Transmission Controls function separately from other consent mode settings, but require Consent Mode to be activated first.
* **Global Consent Defaults** — Allow you to set default consent states that apply globally across your Google Ads and Analytics configurations, ensuring consistent consent behavior regardless of regional banner display rules.

{% hint style="info" %}
Data Transmission Controls and Global Consent Defaults are particularly important when:

* GTG is enabled and your banner does **not** display in certain regions (e.g., outside the EEA/UK/Switzerland), causing consent to be **automatically granted** by default
* You need to ensure that consent defaults are consistently applied across all Google products and regions

For more information, refer to:

* [Updates to Google Analytics Data Controls](https://support.google.com/analytics/answer/17016975) — Analytics Help
* [About consent mode](https://support.google.com/google-ads/answer/10000067) — Google Ads Help
* [Set up consent mode](https://support.google.com/google-ads/answer/14009635) — Google Ads Help
  {% endhint %}

### 3. Migrate to a GTM container and deploy GTM via GTG

If you are not already using Google Tag Manager, migrating all Google tags into a **GTM container** gives you full control over tag firing order:

1. Create a GTM container and add the **ABConsent CMP template** from the Community Template Gallery
2. Configure the CMP template to use the **"Consent Initialization"** trigger (`gtm.init_consent`)
3. Deploy GTM via GTG, ensuring the CMP initializes before any other tags
4. This approach eliminates late consent by guaranteeing the consent initialization sequence

For step-by-step instructions, refer to the [Google Tag Gateway setup guide](https://developers.google.com/tag-platform/tag-manager/gateway/setup-guide).

### 4. Set up GTG manually with controlled script import order

If you prefer to keep GTG enabled but need control over the script loading sequence, you can set up **manual GTG** where the script import order is controlled by you:

1. Disable GTG via your Google Ads account
2. Set up GTG manually via [Google Cloud Load Balancer](https://developers.google.com/tag-platform/tag-manager/gateway/setup-guide)
3. Ensure that the CMP consent default command loads **before** any Google tag scripts in the page's `<head>` section
4. This gives you full visibility and control over when Google tags fire relative to the CMP

{% hint style="success" %}
When GTG is set up manually with a controlled script import order, **U+C (Advanced Consent Mode)** remains the recommended mechanism, as it is fully compatible with this configuration and provides additional conversion modeling benefits.
{% endhint %}

## Other options available in case of late consent

If GTG is causing late consent issues but you are unable to adopt the solutions above immediately, the following mitigations are available:

### Ensure the CMP stub loads before any Google tag

The CMP script must be the **first script** loaded in the `<head>` section of your page, before any Google tag scripts. This ensures that the consent default command is set before GTG-triggered tags can execute.

### Use the `data-cmp-src` attribute on gtag scripts

If you are using gtag directly (without Google Tag Manager), you must condition the gtag script loading using the `data-cmp-src` attribute:

```html
<script data-cmp-src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
```

This ensures the gtag script only loads after the CMP has obtained the user's consent.

### In Google Tag Manager, ensure proper trigger configuration

If you are using Google Tag Manager:

* Make sure that **only your CMP tag** uses the **"Consent Initialization"** trigger (`gtm.init_consent`)
* Do **not reuse** this trigger in other tags, as this can create conflicts and delay Consent Mode initialization

### Check the Sirdata CMP diagnostic for late consent detection

The Sirdata CMP includes built-in late consent detection. If GTG is causing late consent on your site, the CMP diagnostic will report a **late consent error** with a link to the troubleshooting documentation.

{% hint style="info" %}
The Sirdata CMP provides proactive late consent detection, with detailed diagnostic information visible both in the standard interface and in debug mode.
{% endhint %}

For detailed troubleshooting steps, refer to the [Late `default` signal](/en/consent-transmission-standards/google-consent-mode/fix-implementation-errors/late-default-signal.md) page.

## Not using Google Tag Gateway?

If you are seeing a late consent warning but are **not enrolled in Google Tag Gateway**, the issue may be caused by a different problem:

1. **Late loading of the CMP** — The CMP script is not loaded early enough in the page, allowing Google tags to fire before consent defaults are set.
2. **Early loading of Google tags** — Google tags (gtag.js or GTM) are loaded before or independently of the CMP consent initialization.

In this case, refer to the dedicated troubleshooting page for late default signals:

👉 [Late `default` signal — Fix implementation errors](/en/consent-transmission-standards/google-consent-mode/fix-implementation-errors/late-default-signal.md)

{% hint style="info" %}
For the English documentation, visit: [Late `default` signal](https://cmp.docs.sirdata.net/en/consent-transmission-standards/google-consent-mode/fix-implementation-errors/late-default-signal)
{% endhint %}

## A better alternative: GTM Server-Side by Sirdata

While GTG operates at the client side and can interfere with consent initialization, **GTM Server-Side** provides a more robust and privacy-compliant approach to tag management.

### Why choose GTM Server-Side over GTG?

|                       | Google Tag Gateway (GTG)                    | GTM Server-Side by Sirdata                                                            |
| --------------------- | ------------------------------------------- | ------------------------------------------------------------------------------------- |
| **Architecture**      | Client-side proxy (DNS-level)               | Server-side container                                                                 |
| **Consent control**   | Limited — tags may fire before consent      | Full control — tags only fire after consent validation                                |
| **Late consent risk** | High — GTG can load tags before CMP         | None — consent is enforced server-side                                                |
| **Partner coverage**  | Google tags only                            | **All partners**: Google, Meta (CAPI), TikTok (Events API), LinkedIn, Pinterest, etc. |
| **Data ownership**    | Data routed through Google's infrastructure | Data routed through **your own domain**                                               |
| **Adblock bypass**    | No                                          | Yes — server-side requests bypass ad blockers                                         |
| **Data residency**    | Google-controlled                           | **You control the hosting location** (EU available)                                   |

### Key benefits of GTM Server-Side by Sirdata

1. **Greater control over your data** — Unlike GTG, where data transits through Google's infrastructure, GTM Server-Side routes data through your own domain, giving you full ownership and control.
2. **Consent-first architecture** — Tags only fire after the CMP has validated consent. No more late consent issues caused by client-side tag loading.
3. **Multi-partner support** — Not limited to Google. Server-side integrations are available for **Meta Conversions API**, **TikTok Events API**, **LinkedIn**, **Pinterest**, and more.
4. **Bypass ad blockers** — Server-side requests are sent from your own domain, making them invisible to ad blockers that target known tracking domains.
5. **EU data residency** — Sirdata offers hosting in the European Union, ensuring compliance with GDPR data transfer requirements.
6. **Seamless CMP integration** — Sirdata's GTM Server-Side is fully integrated with the Sirdata CMP, providing a unified consent and tag management experience.

{% hint style="success" %}
**GTM Server-Side by Sirdata** eliminates the late consent risk introduced by GTG while providing benefits for all your advertising partners — not just Google.

👉 Discover [GTM Server-Side by Sirdata](https://sgtm.sirdata.io) and take full control of your data.
{% endhint %}

{% hint style="info" %}
For detailed documentation on GTM Server-Side setup and configuration, refer to the [Sirdata Server-Side documentation](https://sgtm.sirdata.io).
{% endhint %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://cmp.docs.sirdata.net/en/consent-transmission-standards/google-consent-mode/google-tag-gateway.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.