Google Tag Gateway (GTG) is a Google infrastructure feature that serves Google tags, including gtag.js, Google Tag Manager, and Google Analytics, from a first-party domain rather than from Google's servers. Instead of the browser fetching scripts from googletagmanager.com or google-analytics.com, requests go to a first-party path on your domain such as your-domain.com/gtg/js. A CDN (Cloudflare, Akamai, or Fastly) or load balancer proxies these requests to Google transparently.
For the official documentation, see Google Tag Gateway documentation.
There are two deployment methods:
One-click CDN injection. The CDN provider (e.g. Cloudflare) injects measurement tags directly into the head element of the page. This removes your control over the load order: the CDN decides when and how Google tag URLs are rewritten, and you cannot control the position of these scripts relative to the CMP snippet.
Because GTG tags load as first-party scripts (from your own domain rather than from Google's domain), basic consent mode blocking that looks for scripts loading from Google Tag Manager's domain becomes ineffective. The tags appear as first-party resources and are not caught by domain-based blocking rules.
Manual setup. You add the first-party script path manually in the page source and control where it appears relative to other scripts. This gives full control over load order. Manual setup is the recommended deployment when consent timing is critical.
For setup instructions, see Set up Google Tag Gateway.
When GTG is not active, Google tags load from third-party domains. The consent flow is predictable: your CMP loads first, sets consent defaults, and Google tags respect those defaults when they execute.
When GTG is active, especially via one-click CDN injection, Google tags may load faster because they are served from a first-party domain. If the CMP has not yet set consent defaults by the time the Google tag executes, the tag runs without consent signals. This is called a "late" consent signal.
denied) are not applied during initial tag execution
To ensure measurements are maintained without violating consent, you should set a default denied block so that Google tags start in a denied state. The CMP then loads and explicitly regrants consent for areas where the user has already accepted it. Events are queued and replayed once consent is granted.
If you use Google Tag Manager, you can set a default denied state directly in GTM:
This injects a default denied code block before the Google tags load via the CDN. You can also use Data Transmission Controls to prevent behavioral measurement and configuration data from being sent to Google when consent is denied.
For more on consent implementation and troubleshooting, see Google's Consent Mode documentation.
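The late-signal condition described above can be checked from the page's `dataLayer` queue: the consent default entry should come before anything that starts a tag. This is an added example, not UniConsent or Google code; `auditConsentTiming`, the tag-start heuristic and the sample queues (including the `G-EXAMPLE` ID) are assumptions constructed for illustration.

```javascript
// Added example: audit a captured dataLayer for late or incomplete consent defaults.
const CONSENT_TYPES = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// gtag() pushes its array-like `arguments`; the GTM snippet pushes plain objects.
function asCommand(entry) {
  return entry && typeof entry.length === 'number' ? Array.from(entry) : null;
}

function isConsentDefault(entry) {
  const cmd = asCommand(entry);
  return !!cmd && cmd[0] === 'consent' && cmd[1] === 'default';
}

// Assumption: a tag has started once a gtag 'config'/'event' command or the
// GTM bootstrap event ('gtm.js') is present in the queue.
function isTagStart(entry) {
  const cmd = asCommand(entry);
  if (cmd) return cmd[0] === 'config' || cmd[0] === 'event';
  return !!entry && entry.event === 'gtm.js';
}

function auditConsentTiming(dataLayer) {
  const defaultIndex = dataLayer.findIndex(isConsentDefault);
  const tagIndex = dataLayer.findIndex(isTagStart);
  let status = 'ok';
  if (defaultIndex === -1) status = 'missing-default';
  else if (tagIndex !== -1 && tagIndex < defaultIndex) status = 'late-default';
  const state = defaultIndex === -1 ? {} : asCommand(dataLayer[defaultIndex])[2] || {};
  const notDenied = CONSENT_TYPES.filter((t) => state[t] !== 'denied');
  return { status, defaultIndex, tagIndex, notDenied };
}

// Constructed sample queues: tag bootstraps before the default vs. default first.
const lateQueue = [
  { 'gtm.start': 1700000000000, event: 'gtm.js' },
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied' }],
  ['consent', 'update', { analytics_storage: 'granted' }],
];
const goodQueue = [
  ['consent', 'default', {
    ad_storage: 'denied', ad_user_data: 'denied',
    ad_personalization: 'denied', analytics_storage: 'denied', wait_for_update: 500,
  }],
  ['js', new Date(0)],
  ['config', 'G-EXAMPLE'],
];
console.log(auditConsentTiming(lateQueue));
console.log(auditConsentTiming(goodQueue));
```

In a browser console, `auditConsentTiming(window.dataLayer)` applies the same check to the live page.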
You can verify whether a tag is enrolled in Google Tag Gateway through your Google tag settings. See Access your Google tag settings for step-by-step instructions on checking GTG enrollment status.
/gtg/js or similar first-party paths that return Google tag scripts
googletagmanager.com, GTG is active
See Google Tag Gateway setup guide for details on enrollment and configuration.
UniConsent's Advanced Consent Mode (User + Consent) is the recommended mechanism for GTG-enabled tags. Advanced Consent Mode is specifically recommended because it is compatible with manual GTG deployments where you control script import order.
Sets consent defaults before any tag fires. The UniConsent consent initialization snippet runs synchronously in the page <head>, setting all consent types to denied by default before Google tags execute, regardless of whether they load from Google's servers or through GTG.
Compatible with manual GTG. When you control script import order (manual GTG), placing the UniConsent snippet before the GTG script path ensures consent defaults are always set first.
Enables conversion modeling. When consent is denied, Google tags still send cookieless pings that feed conversion modeling, recovering a significant portion of conversion data.
Step 1: Sign up at app.uniconsent.com and obtain your license ID.
Step 2: Choose Advanced Consent Mode during setup. Select "Advanced Mode" when configuring Google Consent Mode integration.
Step 3: Place the UniConsent snippet in the page <head>. It must appear before any Google tag scripts, including GTG paths. Example order:
```html
<head>
  <!-- 1. UniConsent CMP snippet (sets consent defaults) -->
  <script src="https://cmp.uniconsent.com/v2/stubgcm.min.js"></script>
  <script async src="https://cmp.uniconsent.com/v2/YOUR_LICENSE_ID/cmp.js"></script>
  <!-- 2. Google consent defaults (if not using GTM) -->
  <script>
    (function() {
      // Create the gtag queue if no Google tag has defined it yet
      if (!window['gtag']) {
        window['dataLayer'] = window['dataLayer'] || [];
        window['gtag'] = function(){ window['dataLayer'].push(arguments); };
      }
      // Start every consent type except security_storage in the denied state
      window['gtag']('consent', 'default', {
        ad_storage: 'denied',
        ad_user_data: 'denied',
        ad_personalization: 'denied',
        analytics_storage: 'denied',
        functionality_storage: 'denied',
        personalization_storage: 'denied',
        security_storage: 'granted',
        wait_for_update: 500,
      });
    })();
  </script>
  <!-- 3. Google tags / GTG script path (loads after consent defaults are set) -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=YOUR_ID"></script>
</head>
```
Step 4: Verify consent timing using the UniConsent Consent Mode Scanner to confirm consent defaults are set before Google tags execute.
Step 5: Monitor in your UniConsent dashboard. The implementation audit report flags late consent signals and missing consent defaults.
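A static check of the served HTML for the order required in Step 3, which also covers the earlier point that a first-party GTG path is invisible to hostname-based rules. This is an added example, not UniConsent or Google code; `checkLoadOrder`, the `/gtg/` prefix, the `www.example.com` origin and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: audit script order in the HTML as served to the browser.
const GOOGLE_DOMAINS = ['googletagmanager.com', 'google-analytics.com'];

// Assumption: gtgPrefix is the first-party measurement path chosen for the site.
function classify(attrs, body, origin, gtgPrefix) {
  const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
  if (!src) {
    const setsDefault = /\(\s*['"]consent['"]\s*,\s*['"]default['"]/.test(body);
    return setsDefault ? 'consent-default' : 'inline';
  }
  const url = new URL(src, origin);
  const host = url.hostname;
  if (host === 'cmp.uniconsent.com') return 'cmp';
  if (GOOGLE_DOMAINS.some((d) => host === d || host.endsWith('.' + d))) return 'tag-third-party';
  if (url.origin === new URL(origin).origin && url.pathname.startsWith(gtgPrefix)) return 'tag-first-party';
  return 'external';
}

function checkLoadOrder(html, origin, gtgPrefix) {
  // A regex scan is enough for auditing <head>; it is not a full HTML parser.
  const kinds = [...html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)]
    .map((m) => classify(m[1], m[2], origin, gtgPrefix));
  const tagAt = kinds.findIndex((k) => k.startsWith('tag-'));
  const precedesTag = (kind) => {
    const at = kinds.indexOf(kind);
    return at !== -1 && (tagAt === -1 || at < tagAt);
  };
  return {
    kinds,
    cmpFirst: precedesTag('cmp'),
    defaultsFirst: precedesTag('consent-default'),
    // True when the tag is first-party, so a hostname-only rule never sees it.
    missedByDomainRule: kinds.includes('tag-first-party'),
  };
}

// Constructed samples: edge-injected tag at the top vs. manual ordering.
const ORIGIN = 'https://www.example.com';
const CMP = '<script src="https://cmp.uniconsent.com/v2/stubgcm.min.js"></script>';
const DEFAULTS = "<script>window['gtag']('consent', 'default', { ad_storage: 'denied' });</script>";
const GTG = '<script async src="/gtg/js?id=G-EXAMPLE"></script>';
const injected = `<head>${GTG}${CMP}${DEFAULTS}</head>`;
const manual = `<head>${CMP}${DEFAULTS}${GTG}</head>`;
console.log(checkLoadOrder(injected, ORIGIN, '/gtg/'));
console.log(checkLoadOrder(manual, ORIGIN, '/gtg/'));
```

Run it against the HTML the CDN actually returns rather than the source template, since one-click injection happens at the edge.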
If Google tags are receiving consent signals late (after initial execution) and GTG enrollment is verified, you should:
Adopt Advanced Consent Mode (User + Consent). Enable Advanced Consent Mode in your UniConsent dashboard and ensure the UniConsent snippet loads before GTG scripts. Advanced Consent Mode is the recommended mechanism for GTG-enabled tags since it is compatible with manual GTG.
Enable Data Transmission Controls to restrict what data Google tags can transmit based on consent state, according to your needs.
Set Global Consent Defaults to define default consent states (granted or denied) for each consent type (ad_storage, ad_user_data, ad_personalization, analytics_storage), according to your needs. UniConsent configures these defaults automatically based on the user's region.
Alternatively, you can migrate all tags into a Google Tag Manager container and deploy GTM via GTG, which centralizes load-order control so that GTM's built-in consent checks apply to all tags within the container. Or you can set up GTG manually where you control the script import order, placing the UniConsent CMP snippet before the GTG script reference in your page source.
Google's Data Transmission Controls restrict what data Google tags send based on the user's consent state. Combined with UniConsent's consent signals, this creates a layered approach:
| Control | What It Does | When to Use |
|---|---|---|
| Global Consent Defaults | Sets the initial consent state for all consent types before user interaction | Always, ensures tags have a consent baseline on first page load |
| Data Transmission Controls | Restricts specific data fields from being sent to Google | When you need granular control beyond consent type toggles |
| Region-specific defaults | Sets different defaults by geographic region | When you serve users in both EEA/UK and other regions |
UniConsent automatically configures Global Consent Defaults based on the detected user region. For EEA, UK, and Switzerland, all consent types default to denied. For other regions, defaults follow local regulatory requirements.
GTG and server-side Google Tag Manager (sGTM) are different solutions that can work together:
| | Google Tag Gateway | Server-Side GTM |
|---|---|---|
| What it does | Serves Google tag scripts from a first-party domain | Routes tag requests through a server-side container |
| Deployment | CDN-level (Cloudflare, Akamai, Fastly) or manual | Requires a server-side GTM container (Cloud Run, App Engine, etc.) |
| Consent impact | Changes script load order; may cause late consent signals | Consent check happens server-side before data is forwarded |
| Cost | No additional Google cost; requires existing CDN or load balancer | Server hosting costs apply |
| Best for | Improving tag delivery rates, reducing ad blocker impact | Full control over data flow, server-side consent enforcement |
Both can be used together: GTG serves the client-side tag from a first-party domain, while sGTM processes the resulting events server-side with consent checks applied before forwarding to Google.