Global Privacy Control in Google Tag Manager

Global Privacy Control, or GPC, is a new specification that lets users set their default privacy preferences in their browsers and have them indicated automatically to the websites they visit, without needing to do anything else.

GPC is already available in the Firefox, Brave, and DuckDuckGo browsers, and, for privacy-conscious Chrome and Safari users, is supported by the Disconnect as well as EFF’s Privacy Badger extensions. It gives users a simpler way to exercise their rights, and introduces new compliance requirements for web publishers and brands with an online presence who prioritize privacy by design.

We’ve already helped a number of customers implement support for the Global Privacy Control on their websites. This typically requires changes to the tag management system, analytics tools, and, for organizations that have one, the customer data platform (CDP).

This guide will show you how to add support for the Global Privacy Control in the most popular tag management system of them all, Google Tag Manager (GTM).

Implementing Global Privacy Control in Google Tag Manager

There are two ways to determine if a user has opted out of tracking through the Global Privacy Control:

  1. Their HTTP requests will contain the Sec-GPC header (with the syntax Sec-GPC: 1), useful for server-side compliance;
  2. The Navigator interface will contain a navigator.globalPrivacyControl read-only property with a value of 1, useful for client-side compliance.

Here’s how to implement client-side compliance with the Global Privacy Control in a Google Tag Manager web container:

Step 1: Open Google Chrome, then download and install the Global Privacy Control (GPC) Inspector plugin from the Chrome Web Store.

Step 2: Once you’ve installed the plugin, click on the shield icon and, under “Settings,” toggle “Enable Global Privacy Control (GPC)” to on.

Step 3: In your Google Tag Manager container’s workspace, go to the “Variables” tab and add a new “JavaScript Variable.”

Step 4: Name it however you want. We use “JSV – globalPrivacyControl” unless the customer’s GTM naming convention prescribes otherwise.

Step 5: Enter navigator.globalPrivacyControl under “Global Variable Name” and set “Convert undefined” to 0 under “Format Value.”

This reads the value of the GPC so that, when the user has opted out of tracking, the variable is set to 1. When no such property exists, the value is converted to 0, which tells us that the user hasn’t explicitly opted out of tracking.

Step 6: Go to the “Triggers” tab in your GTM container’s workspace. Create a new trigger and give it the name “Exception Trigger – Global Privacy Control.”

Step 7: We want the trigger to fire as early as possible, before any other tags in your GTM container, so set the type to “Consent Initialization.”

Step 8: Configure it to fire on some pages, only when the “JSV – globalPrivacyControl” variable equals 1.

Step 9: Add this trigger as an exception to all tags that must respect the user’s GPC signal.

This technique assumes that you don’t want to make any changes to your existing triggers.

However, you could change your Page View or Data Layer Event triggers to fire only when “JSV – globalPrivacyControl” does not equal 1 and save yourself the extra work.
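The two detection routes listed at the start of this section, together with the conversion from Step 5 and the exception logic from Steps 6 to 9, can also be written as plain JavaScript. This is an added example, not code from Google Tag Manager or the GPC specification; the function names are hypothetical and the sample visitors are constructed. It goes slightly beyond the guide by also accepting a boolean true, because the GPC specification types navigator.globalPrivacyControl as a boolean.

```javascript
"use strict";
// Added example; function names are hypothetical, not part of GTM or the GPC spec.

// Client side: same result as the GTM variable from Step 5.
// Returns 1 for an opt-out and 0 otherwise, including when the property is missing.
function gpcFromNavigator(nav) {
  const value = nav ? nav.globalPrivacyControl : undefined;
  // The guide checks for 1; the GPC spec types the property as a boolean,
  // so true is treated as an opt-out as well (assumption: so is the string "1").
  return value === true || value === 1 || value === "1" ? 1 : 0;
}

// Server side: look for "Sec-GPC: 1". Header names are case-insensitive;
// any value other than "1" is not an opt-out.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1" ? 1 : 0;
    }
  }
  return 0;
}

// Equivalent of the exception trigger from Steps 6 to 9: a tag that must
// respect GPC is blocked as soon as either signal says "opted out".
function mayFireTag(nav, headers) {
  return gpcFromNavigator(nav) === 0 && gpcFromHeaders(headers) === 0;
}

// Constructed sample visitors (not captured traffic).
const samples = [
  { label: "GPC on (boolean)", nav: { globalPrivacyControl: true }, headers: { "Sec-GPC": "1" } },
  { label: "GPC on (header only)", nav: {}, headers: { "sec-gpc": "1" } },
  { label: "GPC off", nav: { globalPrivacyControl: false }, headers: {} },
  { label: "no GPC support", nav: {}, headers: { "User-Agent": "example" } },
];

for (const s of samples) {
  console.log(s.label, "->", mayFireTag(s.nav, s.headers) ? "fire tag" : "block tag");
}
```

If the variable in your container resolves to true rather than 1, check in GTM’s preview mode that the trigger condition from Step 8 still matches.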

Signaling Support for the Global Privacy Control

Now that you’ve implemented support for GPC in GTM, you need to signal that support both technically and legally.

Upload a gpc.json File to Your Website’s /.well-known/ Folder

The GPC specification requires websites that support the Global Privacy Control to signal their support by uploading a gpc.json file to their .well-known folder with the following contents:

{
    "gpc": true,
    "lastUpdate": "2022-12-31"
}

Here, "gpc": true signals support and "lastUpdate": "YYYY-MM-DD" gives the date of the last update. (That date is either the day you implemented support for the GPC or the date you last updated the GTM configuration in support of it.)

Once again, you can use the Chrome Global Privacy Control (GPC) Inspector plugin to validate that your JSON file is accessible and formatted correctly.

Update Your Website’s Privacy Policy

Work with your DPO or legal counsel to update your website’s privacy policy to state that your organization respects users’ Global Privacy Control (GPC) choices, and to specify what exactly that support means in terms of processing and collection of personal data/information.