Abstract
Tag Management Systems (TMS) were developed in order to support website Publishers in installing multiple third-party JavaScript scripts (Tags) on their websites. Google has proposed its own TMS called "Google Tag Manager"(GTM) that is currently present on 52% of the top 1 million most popular websites. However, GTM has not yet been thoroughly evaluated by the academic research community. In this work, we study, for the first time, the Tags provided within the GTM system. Our methodology consists in installing Tags in isolation to analyze the types of data that Tags collect and contrast them to the legal and technical documentation, in collaboration with a legal expert. Across three studies - in-depth analysis of 6 Tags, automated analysis of 718 Tags, and analysis of Google "Consent Mode"- we discover multiple hidden data leaks, incomplete and diverging declarations, undisclosed third- parties and cookies, personal data sharing without consent and we further identify potential legal violations within EU Data Protection law.
| Original language | English |
|---|---|
| Title of host publication | Proceedings - IEEE 10th European Symposium on Security and Privacy, Euro S and P 2025 |
| Publisher | IEEE |
| Pages | 93-112 |
| Number of pages | 20 |
| ISBN (Electronic) | 9798331594930 |
| DOIs | |
| Publication status | Published - 26 Aug 2025 |
| Event | 10th IEEE European Symposium on Security and Privacy, Euro S and P 2025 - Venice, Italy Duration: 30 Jun 2025 → 4 Jul 2025 |
Publication series
| Name | Proceedings - IEEE 10th European Symposium on Security and Privacy, Euro S and P 2025 |
|---|
Conference
| Conference | 10th IEEE European Symposium on Security and Privacy, Euro S and P 2025 |
|---|---|
| Country/Territory | Italy |
| City | Venice |
| Period | 30/06/25 → 4/07/25 |
Bibliographical note
Publisher Copyright:© 2025 IEEE.
Keywords
- consent
- GDPR compliance
- Google Tag Manager
- GTM
- online tracking
- privacy
- website Publishers