# How to Manage Consent in Google Tag Manager

Cookiebot in conjunction with Google Tag Manager makes consent management incredibly easy. Instructions to get started with Cookiebot and GTM linked [here](https://support.cookiebot.com/hc/en-us/articles/360003793854-Google-Tag-Manager-deployment).

In this article I want to specifically cover nuances with the Cookiebot GTM template and how to control opt-in vs. opt-out strategies.

### Opt-in vs. Opt-out

**Opt-in** indicates consent is not granted by default upfront. That is, until a user opts-in to tracking, they are not being tracked. In a real word opt-in configuration, a user visits a webpage for the first time, their consent settings are **not** initially granted by default. They are shown a consent banner and refuse to interact with the consent banner as they navigate the site. During this time, they are **not** tracked given the opt-in configuration.

**Opt-out** indicates consent is granted by default upfront. That is, until a user opts-out of tracking, they are being tracked. In a real world opt-out configuration, a user visits a webpage for the first time, their consent settings are initially granted by default. They are shown a consent banner and refuse to interact with the consent banner as they navigate the site. During this time, they are being tracked given the opt-out configuration.

| **Type** | **Default Consent** | **Implication** |
| --- | --- | --- |
| Opt-in | Denied ❌ | Not tracked until action |
| Opt-out | Granted ✔️ | Tracked until action |

[*Further Cookie Consent Documentation*](https://www.cookiebot.com/en/cookie-consent/)

### Controlling Opt-in vs. Opt-out in GTM

Within the GTM Cookiebot template, there are options to control opt-in vs. opt-out strategies by taking advantage of the Regions parameter. This parameters allow a change in the default consent settings by region. If a region is not listed, all default consent settings are set to Denied.

In the example below, I’ve added US and changed all of the default consent states to Granted. In this instance, US users will be configured to an opt-out policy given they are initially tracked until taking action to opt-out and change their consent settings.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734036608430/81ea2df6-b497-43b8-bbbb-eacee1abf880.png align="center")

This configuration, or any configuration can be tested and viewed within the GTM debugger. My physical location is the US, in the debugger, the on-page defaults are all granted as modified by the Region parameter.

**US IP Example - Initial Site Load:**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734047109537/0c04dcca-6930-49a9-8e95-860762ae193c.png align="center")

I connected to a IP via a VPN to a location in Denmark, an EU country. Now, the on-page defaults are Denied and continues to be Denied because I have not taken any action on the consent banner…yet.

**Denmark IP Example - Initial Site Load:**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734047122234/563e5fff-270f-4767-8d87-e33a2ffe3f87.png align="center")

**Denmark IP Example - NO - Interaction with Consent Banner:**

*The current state gets populated a few milliseconds after the on-page defaults propagate, specifically for the event below, the* `gtm.load` *event. At this stage, the consent banner has been displayed to the user.*

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734047084302/3b51c4e7-89e4-4455-9c6f-8ec0295021a9.png align="center")

**Denmark IP Example - Allow All Cookies - Interaction with Consent Banner:**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734047072862/84a113fa-6286-4aca-9e96-81764b56fef7.png align="center")

After allowing all cookies via the consent banner, Cookiebot pushes a custom event `cookie_consent_update` that changes the consent settings all to Granted. This is the dataLayer push event in the above screenshot. Point-forward the consent settings are saved in the user’s browser. This is an important step to understand because this is why all tags that fire would normally fire on page load need to be changed to fire on the custom event of `cookie_consent_update`

Otherwise in this Denmark scenario, the Gtag or any other tags that fire upon page load/page view would not fire because they would initially be blocked by the default consent settings. Once the user takes action to change settings (via consent banner), the custom event `cookie_consent_update` is pushed to the dataLayer and appropriate tags can trigger off of that custom event. On subsequent page loads after consent action has been taken, Cookiebot continues to fire a `cookie_consent_update` which applies the saved settings of the user. This ensures the Gtag continues to fire on subsequent page loads (even when the consent banner ceases to be shown).

### More Examples

* **US** user visits *datatribute.com* for the first time -&gt; Piwik Pro, GA4 etc **is** initially triggered and data captured -&gt; User **DENYS** tracking via consent banner -&gt; User navigates to another page -&gt; Piwik, GA4 etc is **NOT** triggered.
    
* **US** user visits *datatribute.com* for the first time-&gt; Piwik, GA4 etc **is** initially triggered and data captured -&gt; User **ACCEPTS** all tracking via consent banner -&gt; User navigates to another page -&gt; Piwik, GA4 etc **is** triggered.
    
* **Denmark** user visits *datatribute.com* for the first time -&gt; Piwik, GA4 etc is **NOT** triggered -&gt; Consent banner is shown -&gt; User **ACCEPTS** all tracking via banner -&gt; Consent Update event is triggered -&gt; Piwik, GA4 etc is triggered for initial page -&gt; User navigates to another page -&gt; Piwik, GA4 etc is triggered.
    

These examples behave this way because of the opt-in vs. opt-out policies controlled by the Region parameter.

### Other Notes

* Region codes are ISO-3166 A-2 codes. Full list [here](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes).
    
* Regions that share the same settings can be combined to a comma separated string like `US,CA,UK,IT`
    
* In the context of regions, Cookiebot checks for the users physical location via IP origination
