All German websites (.de) that are currently using GTM require re-tagging.
On 19 March 2025, the Administrative Court of Hanover (VG Hannover), case 10 A 5385/22, held that Google Tag Manager (GTM) requires prior, explicit user consent in Germany.
Even before firing other tags, GTM transmits personal data (IP address, referrer, device info) to Google servers.
Under Article 5(3) of the ePrivacy Directive (via GDPR), this is not considered "strictly necessary", so consent is mandatory.
This ruling has massive implications for all .de domains and any website with significant German traffic.
You have two options at this point:
Option-1: Use a CMP (Consent Management Platform) to ask for explicit GTM consent.
Option 2: Stop using GTM and hard-code all tags.
.
.
Option-2 is a better option for four main reasons:
1) It minimizes compliance issue as GTM is no longer used. So there is no possibility of even accidental load of GTM container without user consent.
2) Hard-coded tags work far better with consent management. When you hard-code tags, you can load scripts conditionally based on the CMP's consent state. With GTM, just fetching gtm.js already sends IP and referrer to Google. With hard-coded tags, nothing goes out until you explicitly allow it via consent logic.
3) If you ask for explicit consent to load GTM itself, most users will decline, and in that case, no GTM request can be made. This means none of the tags inside GTM (analytics, ads, pixels, etc.) will fire, and effectively all tracking will stop for those users.
If you hardcode tags, users are only asked for consent to the individual tracking technologies (Google Analytics, Meta Pixel, Ads, etc.), not to GTM itself. This avoids the double penalty of users saying no to GTM and thereby disabling even tags they might have been willing to allow.
This means you would lose far more data when requesting user consent for loading GTM compared to requesting consent for analytics and marketing cookies.
4) You don't need to ask for user consent twice: once for loading the GTM container and then again for the cookies.
Beware of risky advice floating around:
>> "Host GTM locally" - Still non-compliant, the problem is the data sent, not the hosting.
>> "Use GTM alternative" - Most GTM "alternatives" (Tealium, Segment, Adobe Launch, etc.) also ping their own servers at load. That makes them equally non-compliant under this ruling.
>> "Use server-side GTM" - Same issue, GTM itself triggers before consent.
>> "Just categorize GTM as functional or essential" - Functional or essential categorization cannot bypass legal requirements. If you still disagree, you can argue with the Judge in the court and let us know how it goes.
Therefore, the best approach for German privacy compliance is to hardcode all tags.
