Google Tag Gateway and Consent Management
Google Tag Gateway (GTG) enables Google tags — Google Analytics, Google Ads, Google Tag Manager, and so on — to be served through the customer's first-party infrastructure (CDN, load balancer, or web server) rather than from Google's own domains. GTG can introduce behaviors that significantly affect consent management if it is not configured properly.
This page explains what GTG is, how it impacts the load order of tags relative to the CMP, how to verify whether a specific tag is enrolled in GTG, and what actions to take when Avacy detects a "late" consent signal on a GTG-enabled tag.
NOTE: For any issue related to GTG integration with Avacy, please contact our technical support team first at support@avacysolution.com. Google support will be involved only if necessary.
Official reference: Google Tag Gateway — Google documentation
What Google Tag Gateway is and its impact on consent
Google Tag Gateway makes Google tags reachable through an endpoint on the customer's own domain (for example https://www.yoursite.com/metrics/... instead of https://www.googletagmanager.com/...). This reduces reliance on third-party calls and improves resilience against ad blockers and browser restrictions.
The critical point for compliance is load order. Some CDN providers (for example Akamai through its "Enable Script Injection" behavior) offer a "one-click" GTG activation: the CDN injects the Google tag script directly into HTML responses before they reach the browser. In this mode, the customer loses control over the order in which scripts are loaded on the page. In particular, the customer cannot guarantee that the CMP script (with its gtag('consent', 'default', ...) call or TCF stub) will execute before the Google tags.
When this happens, Avacy flags a "late consent signal": a Google tag fired before the default consent state was set. In this situation the tag may read an incorrect consent state, and the user's choices may not be respected.
Important: one-click CDN injection of GTG is frequently the root cause of late consent signals. Avacy's recommendation is not to use this mode on sites that rely on a CMP for consent management.
How to verify if a tag is enrolled in GTG
There are three complementary ways to determine whether a specific tag is being served via GTG.
1. Browser network inspection
Open the site in Chrome (or another browser), open DevTools → Network, filter by js, and reload the page. If a Google tag is served from the customer's own domain (e.g. www.yoursite.com/metrics/gtm.js) instead of Google's original domain (www.googletagmanager.com/gtm.js), that tag is enrolled in GTG.
2. Google Ads / Google Analytics panel
Log into the corresponding Google property (Google Ads, Google Analytics, Tag Manager) and look for the "Tag Gateway" or "First-party tagging" section: this page lists all tags configured for first-party serving along with their enrollment status.
3. CDN configuration
If the customer is using a CDN such as Akamai, Cloudflare, or similar, check the configuration of the corresponding property. In Akamai, for instance, the "Google Tag Gateway" behavior appears under Advanced Options of the property; the "Enable Script Injection" option is the one that triggers the one-click injection described above.
What to do if Avacy detects a late consent signal on a GTG-enrolled tag
When Avacy's debug mode reports a late consent signal and you have confirmed that the affected tag is enrolled in GTG, three remediation paths are available, listed in order of preference.
Option A — Adopt Unified + Consent (U+C, Advanced Consent Mode)
Switch from Basic Consent Mode to Advanced Consent Mode (U+C) and enable:
- Data Transmission Controls: lets you define, on a per-tag basis, which data may be transmitted to Google based on the current consent state, regardless of the order in which the tag script was loaded.
- Global Consent Defaults: lets you define the global consent default (granted/denied) for each dimension of Google Consent Mode v2 based on the user's jurisdiction.
This is the recommended option because it is the only one compatible with manual GTG and with late consent signals, without requiring an infrastructure migration. See the Google Consent Mode integration page for the activation steps on the Avacy side.
Option B — Migrate all tags into a GTM container and deploy GTG via GTM
If the site is not already using Google Tag Manager, consolidate all Google tags into a GTM container and deploy GTG through the GTM container. This way the GTM container is loaded by the CMP at the correct moment, and all child tags automatically respect the consent order.
Option C — Manual GTG setup
Configure GTG manually (disabling one-click CDN injection) and insert Google scripts directly into the page HTML after the Avacy CMP script. This way the customer explicitly controls the import order of scripts and guarantees that gtag('consent', 'default', ...) is executed before any Google tag fires its first hit.
Why U+C is the recommended mechanism for GTG-enabled tags
When a tag is enrolled in GTG and the load order is not strictly controllable by the customer, Advanced Consent Mode (U+C) is the only mechanism compatible with manual GTG.
The reason is that U+C applies consent state to the tag's behavior at runtime, not just at load time. This means that even if a tag fires before the CMP has set the default consent, the tag will still respect subsequent consent signals (via gtag('consent', 'update', ...)) and will not read or write cookies or personal data until the user grants consent.
Basic Consent Mode, by contrast, relies on blocking the tag from loading at all, and is therefore insufficient when GTG or other injection mechanisms have already loaded the tag before the CMP.
For these reasons, Avacy recommends that every customer using GTG adopts Advanced Consent Mode (U+C) and enables Data Transmission Controls.