Skip to content
Last updated: 2026-04-02
Concept

Consent enforcement

Tag Manager enforces consent rules at the server level. When a visitor interacts with your site, Tag Manager checks their consent status before processing or forwarding any event data. Events that require consent categories the visitor has not granted are blocked automatically — they never reach third-party destinations.

This server-side enforcement means consent compliance does not depend on client-side JavaScript running correctly. Even if a browser extension, script error, or network issue disrupts the client, Tag Manager's server-side checks ensure non-consented data is never forwarded.

Tag Manager integrates with Dxtra's consent management system. When a visitor loads a page with the Tag Manager script, the following sequence occurs:

  1. Tag Manager captures the event (page view, click, form submission, etc.)
  2. The event is sent to the Tag Manager edge (tagmanager-edge.dxtra.ai) for server-side processing
  3. Tag Manager checks the visitor's consent status against the consent categories configured in Dxtra
  4. If consent is in place for the required categories, the event is processed and forwarded to authorized destinations
  5. If consent is not in place, the event is blocked and not forwarded — it is logged as a blocked event in the Processing Activity Log

This happens on every event, in real time. Consent changes (granted or withdrawn) take effect immediately for subsequent events.

Tag Manager uses the same consent categories you configure in Dxtra's consent management:

Strictly Necessary — Required for the website to function. No consent needed. Tag Manager always processes strictly necessary events regardless of the visitor's consent choices.

Performance / Analytics — Measures how visitors use your site (page views, session duration, bounce rate). Requires consent before Tag Manager forwards this data to analytics platforms.

Functional — Enables enhanced functionality like personalization, language preferences, or embedded content. Requires consent.

Targeting / Marketing — Used for advertising, retargeting, and cross-platform attribution. Requires explicit consent before any data is shared with advertising platforms (Google Ads, Meta, etc.).

Custom categories — Any additional consent categories you define in Dxtra. Tag Manager respects these in the same way as the standard categories.

Tip

Configure your consent categories in Dxtra's consent management before setting up Tag Manager. The categories you define there are what Tag Manager enforces.

Each event that Tag Manager captures is mapped to one or more consent categories. This mapping determines which consent is required before the event data is forwarded.

The mapping works at two levels:

Destination-level mapping — When you configure a third-party destination (e.g. Google Analytics, Meta Pixel), you assign it to a consent category. All events forwarded to that destination require the assigned consent.

Event-level mapping — Individual events can be mapped to specific consent categories. For example, a "purchase completed" event might require both Analytics and Marketing consent if it feeds into both your analytics dashboard and your advertising attribution.

Default behavior

If no specific mapping is configured, Tag Manager applies conservative defaults:

  • Page views and basic site analytics → Performance / Analytics consent required
  • Advertising and conversion events → Targeting / Marketing consent required
  • Functional events (language, preferences) → Functional consent required
  • Core site functionality events → Strictly Necessary (no consent required)

Global Privacy Control (GPC)

Tag Manager integrates with Dxtra's Global Privacy Control detection. When GPC detection is enabled in the Dxtra dashboard and a visitor's browser sends the GPC signal (Sec-GPC: 1), Tag Manager treats this as an objection to non-essential processing.

With GPC detected, Tag Manager:

  • Blocks all non-strictly-necessary event forwarding
  • Logs the GPC signal in the Processing Activity Log
  • Treats the visitor as having opted out of Targeting / Marketing and Performance / Analytics categories

When a visitor withdraws consent (through the Transparency Center, a consent banner, or by updating their preferences), Tag Manager responds immediately:

  • Subsequent events are checked against the updated consent status
  • Events for withdrawn categories are blocked from that point forward
  • Previously forwarded data is not retroactively deleted by Tag Manager (data deletion requests should be handled through data subject rights management)

What gets logged

Tag Manager logs all consent enforcement decisions in the Processing Activity Log:

  • Forwarded events — Which events were sent to which destinations, with the consent basis
  • Blocked events — Which events were blocked due to missing consent, including the category that was not consented to
  • Consent status changes — When a visitor's consent status changed and how it affected subsequent event processing

This audit trail provides evidence of consent compliance for auditors and regulators.

Compliance by regulation

Tag Manager's consent enforcement supports the requirements of multiple privacy frameworks:

GDPR (EU/EEA) — Consent must be obtained before non-essential tracking begins. Tag Manager blocks all non-strictly-necessary events until consent is given. This satisfies GDPR's requirement for prior consent under Article 6(1)(a) and the ePrivacy Directive's cookie consent rules.

CCPA/CPRA (California) — Supports the right to opt out of the sale or sharing of personal information. When a visitor opts out (via GPC or the Transparency Center), Tag Manager blocks forwarding to third-party advertising destinations.

PECR (UK) — Complies with the Privacy and Electronic Communications Regulations requirement for consent before setting non-essential cookies or similar tracking. Since Tag Manager operates server-side without cookies by default, PECR compliance is built into the architecture.

LGPD (Brazil) — Supports consent as a legal basis under Article 7. Tag Manager's category-based enforcement maps to LGPD's consent requirements for data processing.

Before going live, test that consent enforcement is working correctly:

  1. Visit your site without consenting — Verify that only Strictly Necessary events appear in Tag Manager's analytics. Check that third-party destinations (Google Analytics, Meta, etc.) show no new data.

  2. Grant specific consent categories — Verify that events for the consented categories begin appearing in the relevant destinations, while events for non-consented categories remain blocked.

  3. Withdraw consent — Verify that subsequent events for the withdrawn category are blocked immediately.

  4. Enable GPC in your browser — Verify that Tag Manager blocks non-essential event forwarding when the GPC signal is present.

  5. Check the Processing Activity Log — Verify that blocked events are logged with the reason (missing consent category) and that forwarded events show the consent basis.

Warning

Test consent enforcement in a staging environment before deploying to production. Misconfigured consent rules could either block legitimate analytics or forward data without proper consent — both carry compliance risk.

Not legal advice

This documentation provides guidance on configuring consent enforcement in Dxtra Tag Manager. AI-generated content does not constitute legal advice. Consult a qualified legal professional for advice specific to your jurisdiction and business context.