Google Tag Gateway (GTG) and Consent Studio

An article that explains what Google Tag Gateway is, and how to set it up.

Last updated About 3 hours ago

Combining Google Tag Gateway (GTG) with Consent Studio CMP

Are you debugging a load order issue on your website?

The documentation below aims to help you configure Google Tag Gateway properly. However, if you see a warning about a late consent signal but your site is not enrolled in Google Tag Gateway, the issue lies somewhere in your standard CMP-to-Google-tag loading sequence.

In that case, please follow the instructions of our Installation Assistant in the Consent Studio dashboard (“Web CMP” → “Install Consent Studio” in the dropdown menu). Carefully answering Consent Studio’s installation assistant will guide you to a proper installation.

Of course, you can always contact support for a response from our team members.

What is Google Tag Gateway (GTG)?

Google Tag Gateway (GTG) is a Google tagging feature that lets your website serve Google tags such as Google Analytics, Google Ads, or Google Tag Manager from your own domain instead of directly from Google's servers.

Normally, scripts are fetched from domains like googletagmanager.com or google-analytics.com.
With GTG, those requests are routed through your CDN (or load balancer/web server) via a path on your own domain (for example yourwebsite.com/metrics), which then forwards them to Google's servers.

Google introduced GTG to improve measurement durability, drive conversion uplift, and enhance privacy. However, it introduces specific considerations for Consent Management Platforms, as it can cause Google tags to load before the CMP has set consent defaults.

For more information, see the official Google Tag Gateway documentation.

How GTG works

GTG repositions Google tag delivery so that requests flow through your own domain instead of Google's, typically using your CDN as the intermediary:

First-party serving: Tag scripts that would normally be fetched from Google domains (e.g., googletagmanager.com, google-analytics.com) are instead delivered from a path on your own domain, such as yourwebsite.com/metrics.
CDN-based forwarding: Your CDN handles the rewriting: it serves the Google tag from your first-party path and forwards the resulting measurement hits on to Google's servers in the background.
Top-of-page injection: In automated setups where the tag is deployed for the first time via GTG, the CDN injects the Google tag at the very top of the page, ahead of all other scripts. This means Google tags can begin executing before the rest of the page's JavaScript runs. As a result, the CMP may not have had a chance to initialise and set consent defaults before the tags fire.

Note: if your site already has the Google tag deployed on-page, GTG honours the existing on-page configuration.

Impact of GTG on consent

When GTG is enabled on a website with automatic top-of-page injection, Google tags may fire before Consent Studio's consent default command is set. This means the tags can execute without proper consent signals in place, which Consent Studio detects as a "late consent" issue.

The "late consent" issue occurs because GTG can load Google tags at the infrastructure level, independently of the page's script execution order. As a result, it effectively bypasses the CMP's consent initialisation sequence.

Because late consent causes Google tags to fire without the proper consent signals, it can compromise compliance with privacy regulations (for example, GDPR) and limit the effectiveness of Google Consent Mode on your website.

Verifying whether GTG is active on your site

There are two practical ways to confirm enrolment.

Method 1: Inspect the GTM admin

Sign in to Google Tag Manager and open the relevant container.
Go to Admin.
Under the container column, choose Google tag gateway.
Each listed domain will carry one of four statuses:
- First-party: gateway is live for that domain.
- Not started: gateway has never been switched on.
- Paused: gateway is temporarily off.
- Pending: gateway is switched on, but Google hasn't received diagnostic data back yet.

A First-party label is the definitive "yes, GTG is running here." Google's own Help Center documents these four statuses on its Tag Manager + Cloudflare setup page.

Method 2: Watch the network in your browser

We recommend Tag Assistant as the primary verification tool: open it, navigate your site, and confirm under Summary → Output → Hits Sent that measurement requests route through your first-party measurement path.

As a supplementary check, you can also use browser DevTools:

Open DevTools (F12 on most browsers) and switch to the Network tab.
Reload the page you want to check.
In the filter box, type collect, gtm.js, or your site's domain to narrow the noise.
Look at where Google measurement requests are being sent:
- No GTG → traffic goes to googletagmanager.com, google-analytics.com, or googleadservices.com.
- GTG active → those same requests are routed through a path on your domain. Typically it is something like yourwebsite.com/metrics/... or whatever measurement path was configured during setup. (Less commonly, a dedicated subdomain such as metrics.yourwebsite.com is used in manual setups.)

If you see your own domain in the request URL for Google measurement traffic, GTG is intercepting and proxying those calls.

What to do when a late consent signal is detected

If Consent Studio detects a late consent signal and you have confirmed that your site uses GTG, the recommended mechanism is the use of Advanced Consent Mode (U+C). Advanced Consent Mode is recommended because it is the only approach fully compatible with a manually configured Google Tag Gateway (CNAME or GCP load balancer setup) since it does not depend on script load order to establish consent defaults.

The good news: with Consent Studio, Advanced Consent Mode is enabled by default on every implementation. It is the standard installation method we use for every site running Google Consent Mode v2. Therefore no action is required on your part.

The sections below explain how Advanced Consent Mode works, what additional settings you can optionally configure, and two alternative architectures if you prefer a different setup

Advanced Consent Mode (U+C): enabled by default

Advanced Consent Mode (also referred to as "User + Consent mode" or U+C) works as follows:

The Consent Studio script loads in the <head> of the page, before any other tag executes.
In regions where your consent banner is shown, it immediately sends a default denied signal to Google for all relevant consent categories, so no data is collected before the user has made a choice. In regions where no banner is shown (for example where consent is not legally required), Consent Studio sends a default granted signal instead, so measurement keeps working for visitors who never see a banner.
Google tags are allowed to load, but send only anonymised, cookieless pings until the user grants consent.
Once the user has made their choices in the consent banner, the consent signal is updated to reflect their actual choices, and full measurement data is transmitted for any category the user has granted.

This way, Google always receives a timely consent signal, even when GTG loads tags from your first-party domain before the rest of the page has loaded.

Recommended: Data Transmission Controls and Global Consent Defaults

Because Advanced Consent Mode is already active on your Consent Studio implementation, you can optionally layer two additional settings on top of it to further tailor data flow to your privacy policy and regional requirements:

Data Transmission Controls: a tag-level setting in Google Ads, Google Analytics, Campaign Manager 360, and Search Ads 360 that lets you control which data Google tags may actually transmit when consent is denied. You can independently restrict advertising data (with or without conversion modelling preserved), behavioural analytics, and diagnostic data. Note that Consent Mode must already be active for this feature to work, which it is by default on every Consent Studio implementation. See Data transmission controls (Google Ads Help).
Global Consent Defaults: the default consent values (granted or denied) per category (ad_storage, ad_user_data, ad_personalization, analytics_storage) that apply before the user has made a choice.
- These can vary per region to comply with regional regulations. Regional consent behavior is configured manually in your Consent Studio dashboard through your banner rules: add a rule targeting each jurisdiction (for example, EEA, UK, and Switzerland) and set its consent behavior.
- Outside the regions you target, no banner is shown and consent defaults to granted so measurement continues.

Alternative 1: migrate all tags into a GTM container, then deploy GTM via GTG

If you prefer not to rely on Advanced Consent Mode signals alone, you can move all your Google tags into a single Google Tag Manager container and deploy that GTM container via GTG. GTM itself is then loaded through GTG, and all tags inside GTM are governed by GTM trigger logic which includes consent checks via Google Consent Mode.

This centralises load-order control: nothing inside GTM fires until GTM's built-in consent checks evaluate, regardless of how GTG serves the container.

Alternative 2: set up GTG manually

With a manual GTG installation, which is done using DNS records (CNAME) or a Google Cloud external load balancer instead of one-click CDN injection. You decide exactly where the GTG script appears in the page source. This lets you guarantee that the Consent Studio script always loads before GTG.

For the technical steps, see Google's official guide: Set up Google tag gateway for advertisers.