
GoogleTagManager

Google Tag Manager is the most deployed container on the web — and the single largest force multiplier for uncontrolled third-party code execution on your site.

23 IOCs | 594 detections | 3% pre-consent | 371 sites

Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what GoogleTagManager discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

594 detections across 371 sites; 3% pre-consent activity

Pre-Consent Activity (MEDIUM)

GoogleTagManager was observed loading and executing before user consent was obtained on 3% of the sites where it was detected.

GDPR / ePrivacy

Pending Analysis (HIGH)

8 BTI behavioral codes detected across GTM-loaded payloads. Full claims extraction is required for gap analysis.

Disclosure Gaps

Claims vs. Observed Behavior

1 gap (1 HIGH)

Pending Analysis (HIGH)

They Claim: claims analysis pending.

Observed Behavior: 8 BTI behavioral codes detected across GTM-loaded payloads. Full claims extraction is required for gap analysis.

Customer Impact

What This Means For You

If GTM is on your site, every vendor loaded through it runs with the same page-level access as your own code: it can read your DOM, hook form submissions, and set persistent identifiers. Your marketing team can deploy new tracking scripts without engineering review, so your attack surface expands with every tag added. Consent management gaps between GTM and the vendors it loads mean you may be generating per-visitor GDPR and ePrivacy violations at scale without visibility. The governance gap between who deploys tags and who is liable for their behavior is your primary organizational risk.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use GoogleTagManager

  • Audit all tags currently deployed through GTM — enumerate every vendor and its data access scope
  • Implement tag governance requiring engineering sign-off before new tags go live
  • Deploy consent-aware GTM triggers that block tag firing until valid consent is confirmed
  • Enable GTM's built-in consent mode and verify propagation to all loaded tags
  • Establish quarterly tag audits comparing deployed tags against approved vendor list
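One way to check the "consent-aware triggers" and "verify propagation" items above is to replay a page's captured `window.dataLayer` and look for tag-trigger events that occurred while the consent those tags need was still denied or never set. The code below is an added example, not code from the briefing or from Google. It assumes the standard Consent Mode page snippet (`gtag('consent', 'default', ...)` before the container, `gtag('consent', 'update', ...)` from the CMP), and the mapping of trigger events to consent keys (`TAG_REQUIREMENTS`) is an assumption you replace with your own container's triggers; the sample dataLayer is constructed.

```javascript
// Added example: replay a captured window.dataLayer and report tag-trigger
// events that fired while the consent they need was not granted.
// Not code from the briefing or from Google. TAG_REQUIREMENTS is an assumed
// mapping; take the real one from your container's triggers.

const CONSENT_KEYS = ["ad_storage", "analytics_storage", "ad_user_data", "ad_personalization"];

// Google's Consent Mode snippet pushes the raw `arguments` object of
//   function gtag(){ dataLayer.push(arguments); }
// so consent commands arrive as array-likes: ["consent", "default"|"update", {...}].
function asCommand(entry) {
  // Plain event objects ({event: "..."}) have no length and yield [].
  return entry && typeof entry === "object" ? Array.from(entry) : [];
}

function replayConsent(dataLayer, tagRequirements) {
  // Consent Mode treats a key that was never set as granted, which is the
  // dangerous default, so track "unset" explicitly rather than assuming denied.
  const state = Object.fromEntries(CONSENT_KEYS.map((k) => [k, "unset"]));
  const report = { defaultSet: false, defaultBeforeFirstEvent: true, violations: [] };
  let seenEvent = false;

  dataLayer.forEach((entry, index) => {
    const cmd = asCommand(entry);
    if (cmd[0] === "consent" && (cmd[1] === "default" || cmd[1] === "update")) {
      if (cmd[1] === "default") {
        report.defaultSet = true;
        if (seenEvent) report.defaultBeforeFirstEvent = false; // default set too late
      }
      for (const k of CONSENT_KEYS) if (k in (cmd[2] || {})) state[k] = cmd[2][k];
      return;
    }
    const name = entry && entry.event;
    if (!name) return;
    seenEvent = true;
    const required = tagRequirements[name];
    if (!required) return;
    const missing = required.filter((k) => state[k] !== "granted");
    if (missing.length) report.violations.push({ event: name, index, missing, state: { ...state } });
  });
  return report;
}

// Constructed capture (not real site data). The default is set correctly, but a
// session-recording tag fires on "hotjar_start" before the CMP update, and a
// lead tag fires after an update that only granted analytics_storage.
const SAMPLE_DATALAYER = [
  ["consent", "default", { ad_storage: "denied", analytics_storage: "denied",
    ad_user_data: "denied", ad_personalization: "denied", wait_for_update: 500 }],
  { event: "gtm.js" },
  { event: "hotjar_start" },
  ["consent", "update", { analytics_storage: "granted" }],
  { event: "gtm.dom" },
  { event: "generate_lead" },
];

// Assumed mapping of trigger events to the consent keys the tag needs.
const TAG_REQUIREMENTS = {
  hotjar_start: ["analytics_storage"],
  generate_lead: ["ad_storage", "ad_user_data"],
};

console.log(JSON.stringify(replayConsent(SAMPLE_DATALAYER, TAG_REQUIREMENTS), null, 2));
```

Capture the dataLayer with `copy(JSON.stringify(window.dataLayer))` in the browser console, or from a HAR-driven headless run, and feed it in. A `defaultSet: false` result is the most serious finding: without a default, every tag reads consent as granted.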

If You're Evaluating GoogleTagManager

  • Plan for a server-side (sGTM) deployment to reduce the client-side exposure surface, and budget for the infrastructure it moves onto your side
  • Evaluate tag management alternatives with built-in consent enforcement
  • Require vendors to document exactly what data their GTM tags collect and where it is sent
  • Assess whether GTM custom templates (sandboxed template JavaScript with declared permissions) can restrict tag capabilities to the minimum required access

Negotiation Leverage

  • GTM is free infrastructure, but the liability from uncontrolled tag deployment is not. Frame governance investment as risk reduction.
  • 8 BTI behavioral codes detected across GTM-loaded payloads; each represents a distinct compliance exposure that your legal team should evaluate.
  • The 3% pre-consent firing rate understates risk because the vendors GTM loads fire independently of the container: a visitor is exposed if any one of them fires early, so total pre-consent exposure can approach the combined rate of every loaded vendor, not GTM's own 3%.
  • 594 detections across 371 sites in our corpus demonstrate GTM's ubiquity; regulators are increasingly scrutinizing tag manager deployments as consent enforcement points.
  • Server-side GTM (sGTM) migration can reduce client-side exposure but moves the data flows, and the liability for them, onto your infrastructure; ensure your DPA coverage extends to server-side data flows.

Runtime Detections

9 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks: each code below was triggered by something we watched the code actually do. Eight of the nine codes describe hostile behavior observed in payloads loaded through GTM; the ninth, BTI-C15, classifies GTM itself as a neutral container.

BTI-C01: Defeat Device (evasion infrastructure, auditor bypass)

Impact: GTM-loaded scripts exhibit evasion behaviors including auditor bypass patterns, meaning compliance audits may not see the same code your visitors execute.

BTI-C06: Behavioral Biometrics (keystroke/mouse tracking)

Impact: Vendors loaded through GTM capture keystroke timing and mouse movement data, creating behavioral profiles of your visitors without explicit disclosure.

BTI-C07: Session Recording (full session replay)

Impact: Session replay vendors deployed via GTM record full user sessions including form inputs, scrolling behavior, and page interactions, often capturing sensitive data.

BTI-C08: Cross-Domain Sync (identity stitching)

BTI-C09: Consent Bypass (ignoring CMP signals)

Impact: Tags loaded through GTM may fire before or independent of consent management signals, creating per-visitor consent violations at scale.

BTI-C10: Fingerprinting (device identification)

Impact: Device fingerprinting scripts loaded via GTM collect browser, hardware, and configuration data to create persistent identifiers that survive cookie deletion.

BTI-C13: Persistence Mechanisms (long-lived identifiers)

Impact: GTM-loaded vendors deploy long-lived identifiers through cookies and storage APIs that persist across sessions and resist user clearing attempts.

BTI-C14: Identity Resolution (PII deanonymization)

Impact: Identity resolution vendors loaded through GTM attempt to deanonymize your visitors by correlating behavioral data with PII databases, creating liability for your organization.

BTI-C15: Tag Manager (container/loader, neutral)

Impact: GTM is container infrastructure. It enables rapid deployment of third-party code without engineering gatekeeping, creating an ungoverned execution pipeline on your pages.
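The codes above are assigned from what the code was seen doing at runtime. The block below is an added example of that kind of classification, not BLACKOUT's code or its actual taxonomy rules: it runs simple heuristics over a constructed API trace of the shape a CDP-based harness records when it hooks property setters, `addEventListener`, and outbound requests, and maps hits to the BTI-C codes listed above. The thresholds (three fingerprint surfaces, one-year cookie lifetime, keystroke plus mouse listeners, and so on) are this example's assumptions; site comparison uses the last two DNS labels, which is a simplification that misreads public suffixes such as co.uk.

```javascript
// Added example (not BLACKOUT's code): classify a runtime API trace into
// behavior classes that correspond to the briefing's BTI-C codes. The
// thresholds are this example's own heuristics and the trace is constructed.

const ONE_YEAR_S = 365 * 24 * 3600;
const FP_APIS = new Set([
  "canvas.toDataURL", "WebGL.getParameter", "navigator.hardwareConcurrency",
  "navigator.deviceMemory", "navigator.plugins", "screen.colorDepth", "AudioContext.createOscillator",
]);

// Registrable site approximated as the last two labels (simplification).
function site(url) {
  try { return new URL(url).hostname.split(".").slice(-2).join("."); } catch { return ""; }
}

// Lifetime in seconds of a raw document.cookie assignment; 0 for session cookies.
function cookieMaxAge(setString) {
  const m = /max-age=(\d+)/i.exec(setString);
  return m ? Number(m[1]) : 0;
}

function classifyTrace(trace, { pageHost, consentGrantedAt }) {
  const codes = new Set();
  const listeners = new Set();
  const fpReads = new Set();
  const storedIds = new Map(); // identifier value -> site of the script that stored it
  const pageSite = site(`https://${pageHost}`);

  for (const r of trace) {
    const scriptSite = site(r.script);
    switch (r.api) {
      case "addEventListener":
        listeners.add(r.arg);
        break;
      case "MutationObserver.observe":
        listeners.add("mutation");
        break;
      case "document.cookie.set": {
        const value = r.arg.split(";")[0].split("=")[1] || "";
        if (cookieMaxAge(r.arg) >= ONE_YEAR_S) codes.add("BTI-C13"); // long-lived identifier
        if (value.length >= 16) storedIds.set(value, scriptSite);
        break;
      }
      case "localStorage.setItem":
        codes.add("BTI-C13"); // no expiry, and not cleared when cookies are
        if ((r.value || "").length >= 16) storedIds.set(r.value, scriptSite);
        break;
      case "fetch": case "sendBeacon": case "img.src": {
        const dest = site(r.arg) || pageSite; // relative URLs are first-party
        // Third-party request before the CMP granted consent.
        if (dest !== pageSite && consentGrantedAt !== undefined && r.t < consentGrantedAt) codes.add("BTI-C09");
        // An identifier stored by one site leaving for a different site.
        for (const [id, origin] of storedIds) if (dest !== origin && r.arg.includes(id)) codes.add("BTI-C08");
        break;
      }
      default:
        if (FP_APIS.has(r.api)) fpReads.add(r.api);
    }
  }
  if (listeners.has("keydown") && listeners.has("mousemove")) codes.add("BTI-C06");
  if (listeners.has("mutation") && listeners.has("input")) codes.add("BTI-C07");
  if (fpReads.size >= 3) codes.add("BTI-C10");
  return [...codes].sort();
}

// Constructed trace (not real observations): times in ms since navigation,
// consent granted by the CMP at t=2000. Hosts are fictitious .test names.
const SAMPLE_TRACE = [
  { t: 120, script: "https://www.googletagmanager.com/gtm.js", api: "fetch", arg: "https://www.googletagmanager.com/gtag/js" },
  { t: 300, script: "https://cdn.tracker-a.test/t.js", api: "document.cookie.set", arg: "_ta_uid=7f3c9a2d1b4e8c6f0a1b2c3d; max-age=63072000; path=/" },
  { t: 310, script: "https://cdn.tracker-a.test/t.js", api: "addEventListener", arg: "keydown" },
  { t: 311, script: "https://cdn.tracker-a.test/t.js", api: "addEventListener", arg: "mousemove" },
  { t: 320, script: "https://cdn.tracker-a.test/t.js", api: "canvas.toDataURL" },
  { t: 321, script: "https://cdn.tracker-a.test/t.js", api: "navigator.hardwareConcurrency" },
  { t: 322, script: "https://cdn.tracker-a.test/t.js", api: "WebGL.getParameter" },
  { t: 2100, script: "https://shop.example.test/app.js", api: "fetch", arg: "/api/cart" },
  { t: 2500, script: "https://cdn.tracker-a.test/t.js", api: "img.src", arg: "https://sync.partner-b.test/pixel?uid=7f3c9a2d1b4e8c6f0a1b2c3d" },
];

console.log(classifyTrace(SAMPLE_TRACE, { pageHost: "shop.example.test", consentGrantedAt: 2000 }));
```

The cross-domain sync rule is the one worth keeping even if you discard the rest: it needs no knowledge of the vendor, only that a value one script wrote to storage later appears in a request to a different site.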

IOC Manifest

19 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK  googletagmanager.com/gtm.js   (tracking script)
TRACK  googletagmanager.com/gtag/js  (tracking script)
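Before shipping a `script-src` built from this manifest, it helps to test the policy against the IOC URLs offline rather than discovering the gap in the browser console. The block below is an added example, not part of the briefing: a simplified CSP host-source matcher covering `'self'`, `'none'`, scheme sources, host wildcards, ports and path prefixes. It does not model nonces, hashes, `'strict-dynamic'` or redirects. The IOC URLs are the two manifest entries above with an assumed `https://www.` prefix, and the page origin is a constructed example.

```javascript
// Added example (not from the briefing): test candidate CSP policies against
// script IOC URLs. Simplified CSP3 host-source matching; nonces, hashes,
// 'strict-dynamic' and redirect handling are deliberately out of scope.

function parsePolicy(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function defaultPort(protocol) {
  return { "https:": "443", "http:": "80" }[protocol] || "";
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression allow `target` on a page at `pageUrl`?
function sourceMatches(src, pageUrl, target) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return pageUrl.origin === target.origin;
  if (s.startsWith("'")) return false; // keyword, nonce or hash: not a host source
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source, e.g. https:
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (target.protocol !== scheme + ":") return false;
  } else if (target.protocol !== pageUrl.protocol && target.protocol !== "https:") {
    return false;
  }
  if (!hostMatches(host, target.hostname)) return false;
  if (port && port !== "*" && port !== (target.port || defaultPort(target.protocol))) return false;
  if (path) {
    // A path ending in "/" is a prefix; anything else must match exactly. Query is ignored.
    return path.endsWith("/") ? target.pathname.startsWith(path) : target.pathname === path;
  }
  return true;
}

function cspAllowsScript(csp, pageUrlString, scriptUrlString) {
  const d = parsePolicy(csp);
  const sources = d["script-src"] || d["default-src"];
  if (!sources) return true; // no governing directive: scripts are unrestricted
  const pageUrl = new URL(pageUrlString);
  const target = new URL(scriptUrlString);
  return sources.some((src) => sourceMatches(src, pageUrl, target));
}

// Which manifest entries would a policy still let load?
function iocsStillAllowed(csp, pageUrlString, iocUrls) {
  return iocUrls.filter((u) => cspAllowsScript(csp, pageUrlString, u));
}

// Manifest entries with an assumed https://www. prefix; page origin is constructed.
const IOC_SCRIPTS = [
  "https://www.googletagmanager.com/gtm.js",
  "https://www.googletagmanager.com/gtag/js",
];
const PAGE = "https://shop.example.test/checkout";

for (const policy of [
  "default-src 'self'; script-src 'self' https://cdn.example.test/",
  "script-src 'self' https://*.googletagmanager.com",
  "script-src 'self' https://www.googletagmanager.com/gtm.js",
  "script-src 'self' https:",
]) {
  console.log(policy, "->", iocsStillAllowed(policy, PAGE, IOC_SCRIPTS));
}
```

Two caveats a practitioner should keep in mind. A bare `https:` source, common in legacy policies, allows every entry in this manifest and every vendor GTM would load. And allowing `googletagmanager.com` does not exempt what the container loads: each vendor host still needs its own entry, so a GTM-driven site ends up with either an exhaustive allowlist that is maintained alongside the tag inventory, or `'strict-dynamic'`, which hands that decision back to GTM.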

Ecosystem & Supply Chain

Google Tag Manager is part of Google's marketing infrastructure stack alongside Google Analytics 4, Google Marketing Platform (DoubleClick/DV360), and Google Ads. It serves as the primary deployment mechanism for the broader Google advertising ecosystem and is frequently paired with third-party vendors including Meta Pixel, LinkedIn Insight Tag, HubSpot, and Hotjar. GTM's server-side variant (sGTM) is increasingly deployed, and one effect of that move is that vendor activity leaves the browser, where browser-based auditing tools can no longer see it. The container's ubiquity makes it the most common vector through which unreviewed third-party code reaches production websites.

Loaded By (1)


Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

23 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details