Server-side Tagging with Stape: Consent Setup in GTM

Overview

This article explains how to configure Stape tags in Google Tag Manager when using the Pandectes GDPR Compliance app for Shopify and Google Consent Mode.

It is intended for merchants and developers who use:

Google Tag Manager
Stape server-side tagging
Google Consent Mode v2
Marketing or analytics tags such as Meta, TikTok, Pinterest, Google Ads, or GA4

The goal is to make sure that Stape-related tags respect the visitor’s consent choices before they fire or send tracking data.

Pandectes can send Google Consent Mode signals to Google Tag Manager. These consent signals tell GTM and supported tags whether specific types of storage or data use are allowed.

Common consent types include:

analytics_storage
ad_storage
ad_user_data
ad_personalization
functionality_storage
personalization_storage
security_storage

In Pandectes, these consent types are mapped to consent categories such as Performance, Targeting, Functionality, and Strictly necessary.

Google Tag Manager has two different consent-related areas that are often confused:

Built-in Consent Checks

These show which consent signals a tag template understands.
For supported Google tags, the tag can adjust behavior based on consent state.

Additional Consent Checks

These can be used to prevent a tag from firing unless selected consent types are granted.
This is especially important for third-party or custom tags that do not automatically adjust their behavior based on Consent Mode.

For Stape tags, do not assume that Consent Mode alone blocks every tag. If a Stape, Meta, TikTok, Pinterest, or custom data tag is set to No additional consent required, it may still fire when its trigger conditions are met.

Important Requirement

The Pandectes CMP tag itself must not be blocked by consent.

If you use the Pandectes CMP template in Google Tag Manager, it should fire on:

Consent Initialization - All Pages

Do not add Additional Consent Checks to the Pandectes CMP tag. This tag needs to run before other tags so it can set or update the visitor’s consent state.

Use the following guidance when configuring Advanced Settings > Consent Settings in GTM.

For each tracking or marketing tag:

Open the tag in Google Tag Manager.
Go to Advanced Settings.
Open Consent Settings.
Select Require additional consent for tag to fire.
Add the relevant consent types listed below.
Save and publish the GTM container after testing.

Stape Data Tags

Use these settings for Stape Data Tags that send analytics or ecommerce event data.

If the tag is used only for analytics measurement, require:

analytics_storage

If the same data is also forwarded to advertising, remarketing, or attribution destinations, also require:

ad_storage
ad_user_data
ad_personalization

How to Test the Setup

After updating the GTM tags, test the container before publishing.

Use GTM Preview Mode or Google Tag Assistant and check:

The Pandectes CMP tag fires on Consent Initialization - All Pages.
Consent defaults are available before other tags fire.
Before consent, marketing tags do not fire if they require advertising consent.
After accepting Performance cookies, analytics-related tags can fire.
After accepting Targeting cookies, advertising-related tags can fire.
After rejecting consent, tags requiring denied consent types remain blocked.
No duplicate Google, Meta, TikTok, Pinterest, or Stape tags are loaded from other apps or theme code.

Summary

When using Stape with Pandectes and Google Tag Manager, keep the Pandectes CMP tag unrestricted on Consent Initialization, and review every Stape-related tag separately. Analytics tags should require analytics_storage. Advertising and marketing tags should require ad_storage, ad_user_data, and ad_personalization. Tags using plain custom event triggers are the most important to review because they may fire before consent if no additional consent requirements are configured.

Updated on: 04/06/2026

Was this article helpful?

Thank you!