German Court Rules Google Tag Manager (GTM) Illegal Without Consent

The Administrative Court of Hanover has ruled that the use of Google Tag Manager (GTM) without obtaining prior, informed user consent violates the General Data Protection Regulation (GDPR) and the German Telecommunications-Telemedia Data Protection Act (TTDSG).

The case, registered under VG Hannover 10 A 5385/22, involved a website operator who had implemented GTM on its site. The court examined the behavior of GTM during initial page load and determined that the tool:

  • Reached out to Google servers immediately upon the user arriving at the website.
  • Disclosed personal data, including IP address, device data, browser information, and referrer data.
  • Stored a JavaScript file (‘gtm.js’) in the user’s browser/device.
  • Started to run third-party scripts, which could process further data.

The Court stated that these activities included accessing (and storing) information on the user’s device, as well as processing personal data, all of which required valid user consent under §25(1) TTDSG and Article 6(1)(a) GDPR.

The ruling also discussed the website’s consent management platform (CMP). While there was a banner in place, the Court found that the banner did not stop GTM from loading or transferring data before consent was provided. The CMP was implemented using the IAB TCF (Version 2.0). The Court held that this implementation did not satisfy the requirements for informed and voluntary consent of users under the GDPR and TTDSG.

The Court also addressed the layout of the cookie banner. The Judge held that the design of the banner made it easier to accept tracking than to reject it. The cookie banner therefore did not provide users with a true and fair choice and did not meet the standards for valid consent under the law.

The ruling noted that even where no cookies were stored through GTM, loading third-party scripts and contacting other servers, especially servers located outside the European Economic Area, triggers obligations under GDPR Article 49(1)(a) on international transfers of data.

This ruling reinforces the requirement that all tools and scripts that access devices, process data, and/or transfer data internationally be activated only after a user has explicitly consented.
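One way to check a site for the behaviour the Court describes (contact with third-party servers before consent), as an added example that is not part of the original article: the function audits a page-load request log and reports every request to a non-first-party host that started before the consent timestamp. The log entries, the field names `url` and `startedMs`, the `shop.example` domain and the `GTM-PLACEHOLDER` container id are constructed for illustration.

```javascript
// Added example: audit a page-load request log for third-party contact before consent.
// SAMPLE_REQUESTS is constructed data; `url` and `startedMs` are assumed field names.
const SAMPLE_REQUESTS = [
  { url: "https://shop.example/", startedMs: 0 },
  { url: "https://cdn.shop.example/banner.css", startedMs: 40 },
  { url: "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER", startedMs: 120 },
  { url: "https://shop.example/static/app.js", startedMs: 150 },
  { url: "https://www.google-analytics.com/collect", startedMs: 4100 },
];

// A host is first-party only if it equals the site domain or is a true subdomain of it.
// The leading dot prevents "notshop.example" from matching "shop.example".
function isFirstParty(host, siteDomain) {
  const h = host.toLowerCase();
  const d = siteDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Returns every request that went to a non-first-party host before consent was recorded.
// consentAtMs is the time the user accepted, or null if the user never consented,
// in which case every third-party request is reported.
function findPreConsentRequests(requests, siteDomain, consentAtMs) {
  const findings = [];
  for (const req of requests) {
    let host;
    try {
      host = new URL(req.url).hostname;
    } catch {
      // Unparseable entries are reported rather than silently skipped.
      findings.push({ host: null, url: req.url, startedMs: req.startedMs });
      continue;
    }
    if (isFirstParty(host, siteDomain)) continue;
    if (consentAtMs === null || req.startedMs < consentAtMs) {
      findings.push({ host, url: req.url, startedMs: req.startedMs });
    }
  }
  return findings;
}

// Consent given 3 seconds after page load: only the gtm.js fetch at 120 ms is flagged.
console.log(findPreConsentRequests(SAMPLE_REQUESTS, "shop.example", 3000));
```

In practice the request list would come from a browser HAR export or a headless-browser run with a fresh profile, with the consent timestamp taken from the moment the banner's accept button is clicked.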

The court relied on the following statutes to support its decision:

  • §25(1) TTDSG (Telecommunications-Telemedia Data Protection Act)
  • Article 6(1)(a) GDPR (Lawfulness of processing – consent)
  • Article 4(11) GDPR (Definition of consent)
  • Article 49(1)(a) GDPR (Derogations for data transfers to third countries)
  • Article 5(3) of the ePrivacy Directive (2002/58/EC)
