Google Tag Manager: Hidden Data Leaks and its Potential Violations under EU Data Protection Law

Tag Management Systems were developed in order to support website publishers in installing multiple third-party JavaScript scripts (Tags) on their websites. In 2012, Google developed its own TMS called "Google Tag Manager" (GTM) that is currently present on 28 million live websites. In 2020, a new "Server-side" GTM was introduced, allowing publishers to include Tags directly on the server. However, neither version of GTM has yet been thoroughly evaluated by the academic research community. In this work, we study, for the first time, the two versions of the Google Tag Management (GTM) architectures: Client- and Server-side GTM. By analyzing these systems with 78 Client-side Tags, 8 Server-side Tags and two Consent Management Platforms (CMPs) from the inside, we discover multiple hidden data leaks, Tags bypassing GTM permission system to inject scripts, and consent enabled by default. With a legal expert, we perform an in-depth legal analysis of GTM and its actors to identify potential legal violations and their liabilities. We provide recommendations and propose numerous improvements for GTM to facilitate legal compliance.