Compliant with GDPR, CCPA, COPPA, LGPD, PECR, PDPA, PIPEDA, and more.
Google Tag Gateway (GTG) is a Google infrastructure feature that serves Google tags, including gtag.js, Google Tag Manager, and Google Analytics, from a first-party domain rather than from Google's servers. Instead of the browser fetching scripts from googletagmanager.com or google-analytics.com, requests go to a first-party path on your domain such as your-domain.com/gtg/js. A CDN (Cloudflare, Akamai, or Fastly) or load balancer proxies these requests to Google transparently.
For the official documentation, see Google Tag Gateway documentation.
There are two deployment methods:
The CDN provider (e.g. Cloudflare) injects measurement tags directly into the head element of the page via the CDN. This removes your control over the load order. The CDN decides when and how Google tag URLs are rewritten, and you cannot control the position of these scripts relative to the CMP snippet.
Because GTG tags load as first-party scripts (from your own domain rather than from Google's domain), basic consent mode blocking that looks for scripts loading from Google Tag Manager's domain becomes ineffective. The tags appear as first-party resources and are not caught by domain-based blocking rules.
You add the first-party script path manually in the page source and control where it appears relative to other scripts. This gives full control over load order. Manual setup is the recommended deployment when consent timing is critical.
For setup instructions, see Set up Google Tag Gateway.
When GTG is not active, Google tags load from third-party domains. The consent flow is predictable: your CMP loads first, sets consent defaults, and Google tags respect those defaults when they execute.
When GTG is active, especially via one-click CDN injection, Google tags may load faster because they are served from a first-party domain. If the CMP has not yet set consent defaults by the time the Google tag executes, the tag runs without consent signals. This is called a "late" consent signal.
denied) are not applied during initial tag executionTo ensure measurements are maintained without violating consent, you should set a default denied block so that Google tags start in a denied state. The CMP then loads and explicitly regrants consent for areas where the user has already accepted it. Events are queued and replayed once consent is granted.
If you use Google Tag Manager, you can set a default denied state directly in GTM:
This injects a default denied code block before the Google tags load via the CDN. You can also use Data Transmission Controls to prevent behavioral measurement and configuration data from being sent to Google when consent is denied.
For more on consent implementation and troubleshooting, see Google's Consent Mode documentation.
You can verify whether a tag is enrolled in Google Tag Gateway through your Google tag settings. See Access your Google tag settings for step-by-step instructions on checking GTG enrollment status.
To check if a tag is enrolled in GTG, use https://tagassistant.google.com/ to find the Container ID (GTM-XXXXX) or Tag ID on the page. Go to https://tagassistant.google.com/, click "Add domain", and enter your website's URL. You will then see Google tag IDs such as GTM-XXXXX, AW-XXXXX, or G-XXXXXXXX.
Click Summary, then check the "Container Details" or "Tag Details" of each container or tag ID. Under "Container Details" or "Tag Details" there is a "source" label. If there is an icon, mouse over it — it displays "Tag was loaded by Google tag gateway" if the tag is enrolled in GTG.
These tags are loaded from www.googletagmanager.com by default if GTG is not enrolled.
When GTG is enrolled, they are instead loaded from a first-party URL (/xxxxx/) and load tags from a first-party path (/xxxxx/yyyyyy) on your own domain.
| Prefix | Product | Data sent to |
|---|---|---|
| G- | Google Analytics 4 (GA4) | www.google-analytics.com (+ region1.google-analytics.com, *.analytics.google.com) |
| GT- | Google tag (gtag.js) | The unified "Google tag" — one tag, multiple destinations |
| AW- | Google Ads (formerly AdWords) | www.googleadservices.com, googleads.g.doubleclick.net, www.google.com (+ each country TLD) |
| DC- | Floodlight (Campaign Manager 360 / Display & Video 360) | *.fls.doubleclick.net, ad.doubleclick.net |
| GTM- | Google Tag Manager | None of its own — it is a dispatcher that fires the tags inside it |
G-XXXXXXXXX)./RANDOM_STRING/ or similar first-party paths that load scripts from /RANDOM_STRING/LONG_RANDOM_STRING and send data to Google product domains mentioned above or to Google product paths like pagead/conversion, /collect, etc. If you see these patterns, the tag could be enrolled in GTG.See Google Tag Gateway setup guide for details on enrollment and configuration.
If Google tags are receiving consent signals late (after initial execution) and GTG enrollment is verified, then:
If you can set up GTG manually where you control the script load order, place the Consent Mode Default Status Tag before the GTG script reference in your page source. Advanced Consent Mode is the recommended mechanism for GTG-enabled tags since it is compatible with manual GTG.
If you can't control the script load order with a One-Click CDN Injection setup, you can migrate all tags into a Google Tag Manager container and deploy GTM via GTG, which centralizes load-order control so that GTM's built-in consent checks apply to all tags within the container.
You can also enable Data Transmission Controls to restrict what data Google tags can transmit based on consent state according to your needs.
Sets consent defaults before any tag fires. The UniConsent consent initialization snippet runs synchronously in the page <head>, setting all consent types to denied by default before Google tags execute, regardless of whether they load from Google's servers or through GTG.
Compatible with manual GTG. When you control script load order (manual GTG), placing the UniConsent snippet before the GTG script path ensures consent defaults are always set first.
Enables conversion modeling. When consent is denied, Google tags still send cookieless pings that feed conversion modeling, recovering a significant portion of conversion data.
Place the Consent Mode Default Status Tag in the page <head>. It must appear before any Google tag scripts, including GTG paths. Example order:
<head>
<!-- 1. Consent mode defaults, same as stubgcm.min.js -->
<script src="https://cmp.uniconsent.com/v2/stubgcm.min.js"></script>
<!-- Or: Consent mode defaults inline on page, same content as stubgcm.min.js -->
<script>
(function() {
if(!window['gtag']) {
window['dataLayer'] = window['dataLayer'] || [];
window['gtag'] = function(){window['dataLayer'].push(arguments);}
}
window['gtag']('set', 'developer_id.dZTcxZD', true);
window['gtag']('consent', 'default', {
ad_storage: 'denied',
functionality_storage: 'denied',
personalization_storage: 'denied',
analytics_storage: 'denied',
ad_user_data: 'denied',
ad_personalization: 'denied',
security_storage: 'granted',
wait_for_update: 1000
});
window['gtag']("set", "ads_data_redaction", true);
window['gtag']("set", "url_passthrough", false);
})();
</script>
<!-- 2. UniConsent CMP tag -->
<script async src="https://cmp.uniconsent.com/v2/YOUR_LICENSE_ID/cmp.js"></script>
<!-- 3. Google tags / GTG script path (loads after consent defaults are set) -->
<script async src="https://www.googletagmanager.com/gtag/js?id=YOUR_ID"></script>
</head>
Verify consent timing using the UniConsent Consent Mode Checker to confirm that consent defaults are set before Google tags execute and that there are no errors.
Monitor in your UniConsent dashboard. The implementation audit report flags late consent signals and missing consent defaults.
Google's Data Transmission Controls restrict what data Google tags send based on the user's consent state. Combined with UniConsent's consent signals, this creates a layered approach:
| Control | What It Does | When to Use |
|---|---|---|
| Global Consent Defaults | Sets the initial consent state for all consent types before user interaction | Always, ensures tags have a consent baseline on first page load |
| Data Transmission Controls | Restricts specific data fields from being sent to Google | When you need granular control beyond consent type toggles |
| Region-specific defaults | Sets different defaults by geographic region | When you serve users in both EEA/UK and other regions |
While you can technically set consent defaults to denied only in specific regions (such as the EEA), Google highly recommends setting a global default deny. A global denial prevents late consent issues if you decide to change your banner's regional behavior at a later date. For instances where Google tags cannot be moved after CMP scripts, Google specifically recommends using the Global Consent Defaults UI in Tag Manager admin to set default consent states.
UniConsent automatically updates consent status based on the detected user region:
denied. The user must interact with the consent banner before any consent is granted.This region-aware behavior is fully configurable in the UniConsent dashboard, allowing you to define which regions require explicit consent and which regions can proceed with automatic consent grants.
GTG and server-side Google Tag Manager (sGTM) are different solutions that can work together:
| Google Tag Gateway | Server-Side GTM | |
|---|---|---|
| What it does | Serves Google tag scripts from a first-party domain | Routes tag requests through a server-side container |
| Deployment | CDN-level (Cloudflare, Akamai, Fastly) or manual | Requires a server-side GTM container (Cloud Run, App Engine, etc.) |
| Consent impact | Changes script load order; may cause late consent signals | Consent check happens server-side before data is forwarded |
| Cost | No additional Google cost; requires existing CDN or load balancer | Server hosting costs apply |
| Best for | Improving tag delivery rates, reducing ad blocker impact | Full control over data flow, server-side consent enforcement |
Both can be used together: GTG serves the client-side tag from a first-party domain, while sGTM processes the resulting events server-side with consent checks applied before forwarding to Google.