Google Tag Gateway (GTG) and consent

1. What Google Tag Gateway is, and why it matters for consent

Google Tag Gateway (GTG) lets a website serve Google tags, the Google tag (gtag.js) or a Google Tag Manager (GTM) container, from the customer's own first-party domain instead of from a Google domain such as www.googletagmanager.com. The Google tag is loaded from your domain, and measurement requests are sent to your domain, which forwards them to Google. The goal is improved measurement durability and first-party data handling. On Shopify stores, GTG is most commonly activated through a CDN integration or a third-party performance app, often without the merchant realizing it.

Impact on consent, the load-order problem. GTG can be enabled in two broad ways:

• One-click CDN injection (for example, the integrations offered through Cloudflare, Akamai, or Fastly). In this mode, GTG injects the Google Tag or GTM container at the very top of the page, before all other scripts run.
• Manual setup, where you place the GTG script reference yourself, in a position you choose within your page source.

With one-click CDN injection, the customer typically loses control over load order. Because GTG forces the Google tag to load first, the Google tag can fire before pandectes-rules.js , the Pandectes script that sets the default consent state on page load, has had a chance to run. When a tag reads or fires before a consent default has been set, Google's tooling reports this as a "late" consent signal ("a tag read consent state before a default was set"). The practical consequences are measurement loss, diagnostic warnings, and, in opt-in regions such as the EEA, UK, and Switzerland, a potential compliance gap, because the tag may have acted before the user's consent state was known.

This is the core interaction to understand: GTG changes when Google tags load relative to your consent banner, and one-click CDN injection often makes that timing something you can no longer control from your page source.

2. Relevant Google documentation

For the authoritative Google references behind this article:

• Google Tag Gateway for Advertisers Overview: https://developers.google.com/tag-platform/tag-manager/gateway
• Set up Google Tag Gateway (including manual/self-service setup where you control script order): https://developers.google.com/tag-platform/tag-manager/gateway/setup-guide
• Set up Google Tag Gateway in Google Tag Manager with Cloudflare (Tag Manager Help): https://support.google.com/tagmanager/answer/16061641
• Consent mode overview: https://developers.google.com/tag-platform/security/concepts/consent-mode
• About consent mode (Tag Manager Help): https://support.google.com/tagmanager/answer/10000067
• Data transmission controls (Tag Manager Help): https://support.google.com/tagmanager/answer/16054531
• Set up consent mode on websites (advanced consent mode for self-maintained banners): https://developers.google.com/tag-platform/security/guides/consent
• Verify your Google tag (Tag Manager Help): https://support.google.com/tagmanager/answer/15756111

Relevant Pandectes documentation

For Pandectes-specific references mentioned in this article:

• Using Google Consent Mode integration (setup guide): https://help.pandectes.io/en/article/using-google-consent-mode-integration-1xkfv6o/
• Pandectes GDPR Compliance tag template for Google Tag Manager: https://pandectes.io/pandectes-gdpr-compliance-tag-template-for-the-google-tag-manager/
• Integrations setup guide (pandectes-rules.js manual setup): https://help.pandectes.io/en/article/integrations-setup-guide-2ovcos/
• Debug console for Google Consent Mode: https://help.pandectes.io/en/article/gcm-debug

3. How to verify whether a tag is enrolled in GTG

There are two reliable ways to confirm GTG enrollment. Pandectes GDPR Compliance does not auto-detect GTG enrollment, so please verify it yourself using one of the methods below.

Method A: Check the GTG status in Google Tag Manager.

This method applies if you are using Google Tag Manager. In your GTM container, go to Admin → Google tag gateway. Each of your domains is listed with a status:

• First-party: Google tag gateway is active for that domain.
• Not started: GTG has not been activated.
• Paused: GTG is activated but currently paused.
• Pending: GTG is enabled, but no diagnostic information has been received yet.

A status of First-party confirms the domain is enrolled in GTG.

Method B: Check where the script is served from, using Tag Assistant.

Open Google Tag Assistant (https://tagassistant.google.com), enter your website URL, and connect. Navigate your site so tags fire, then inspect the detected tags. If a Google script is served from your own domain (for example, yoursite.com/...) rather than from www.googletagmanager.com or www.google-analytics.com, your site is using GTG.

4. If a "late" consent signal is detected and GTG enrollment is verified

First, confirm the "late" consent signal. Use Google's consent debugging tools to check whether a tag is reading consent before a default is set:

• Troubleshoot consent mode with Pandectes GDPR Compliance Debug console for Google Consent Mode: https://help.pandectes.io/en/article/gcm-debug
• Troubleshoot consent mode (Tag Manager Help): https://support.google.com/tagmanager/answer/14522438
• Troubleshoot consent mode with Tag Assistant (developers): https://developers.google.com/tag-platform/security/guides/consent-debugging

A "late" signal usually appears as a warning that a tag read consent state before a default was set, or that defaults were applied too late in the page sequence.

If a "late" consent signal is detected and you have verified GTG enrollment (per §3), choose one of the following remediation paths. Configure each setting according to your own needs, your regions, your privacy policy, and the regulations you operate under.

Not sure which option to pick? If you are not using GTM at all, Option 1 is the fastest path. If you are already using GTM to manage your Google tags, Option 2 gives you the most complete solution. If you want to keep your current setup and only fix the load order, use Option 3.

Option 1 (recommended): Adopt advanced consent mode (U+C)

Turn on Google Consent Mode integration in Pandectes GDPR Compliance at: [Settings → Integrations → Google Consent Mode]. In Advanced consent mode, also referred to as U+C ("Update + Consent"), Google tags are allowed to load and set a default consent state (typically denied in opt-in regions), send only limited, cookieless measurement while consent is denied, and update to full measurement once the user grants consent. Because this removes the dependency on the banner loading before the tag, it is the right fit when GTG controls load order.

Then, in the Google product where the tag is configured (Google Ads, Google Analytics, or Campaign Manager 360 / GTM), set the following according to your need:

• Data Transmission Controls: independently restrict what Google tags transmit while consent is denied (advertising data, behavioural analytics, and diagnostics).
• Global Consent Defaults: define the default consent state (granted or denied) per consent type, ad_storage, ad_user_data, ad_personalization, analytics_storage , and per region. This provides a baseline default even when you cannot guarantee that the CMP stub loads first.

Option 2: Consolidate into a single GTM container and deploy GTM via GTG

Move all of your Google tags into one Google Tag Manager container, then deploy that GTM container through GTG. Centralising your tags in GTM means GTM's built-in consent checks apply to every tag in the container, restoring consistent consent handling under GTG.

To connect Pandectes consent signals to every tag in the container, install the Pandectes GDPR Compliance by Pandectes tag template from the GTM Template Gallery and configure it to fire on the "Consent Initialization – All Pages" trigger. This ensures GTM receives the correct consent state from Pandectes before any tag fires.

Option 3: Set up GTG manually so you control script import order

Instead of one-click CDN injection, configure GTG manually and place the GTG script reference yourself in your theme.liquid , after the pandectes-rules.js script (so consent defaults are set first) and before other Google tags. The pandectes-rules.js script is the Pandectes stub that sets consent defaults on page load; it must appear first so that GTG cannot read consent state before defaults are in place. Manual setup returns load-order control to you.

5. Why advanced consent mode (U+C) is the recommended mechanism for GTG-enabled tags

For tags served through GTG, advanced consent mode (U+C) is the recommended mechanism. Unlike basic consent mode, which depends on the consent signal arriving before the tag fires, advanced consent mode lets the tag load with a default consent state and then update once the user makes a choice. This removes the dependency on script load timing entirely.

That is precisely why U+C is compatible with manual GTG and is the recommended approach for GTG-enabled tags: it works correctly regardless of whether you can control the script import order. Even when GTG injects the Google tag first (as with one-click CDN injection), U+C ensures a default consent state is honoured and measurement remains privacy-safe until the user's choice is captured. Combined with Data Transmission Controls and Global Consent Defaults, this keeps measurement functioning under denied consent without relying on load order.

Recertification requirement mapping

Tag Gateway

Last reviewed: June 2026. Verify the linked Google Help and developer pages for any subsequent changes before each recertification cycle.

Updated on: 14/06/2026