Hi,
Thanks for your question.
Questions about GDPR have been asked several times and I think it is very important to discuss this with everyone here and on other forums.
To understand the possible relationship between GTM and GDPR, you need to first clearly understand the behavior of GTM on a website: it is simply an additional layer between the site and your marketing codes.
Although the data layer seems to be a persistent storage of possible personal data, it is not. The data layer is filled with data during each page load. This data persists only on the page that your visitor has visited. When this visitor moves to another page (either on your site or on another website) the data layer is erased. If the next page visit is still on your site, the data layer object will be re-created, put into the page to be accessible on this particular page while it is visible and destroyed once that particular page is unloaded from the browser.
What you do or do not do with this data depends only on your GTM setup in your GTM container in the GTM UI.
Let’s say you enable the option in my plugin to include the email address of the logged-in user in this data layer. This personal data will not be stored anywhere (even in the browser this is data in memory and not in any persistent storage like a cookie or the LocalStorage object). It can be passed to any tag inside your GTM container or you can use it to create a trigger that is dependent on the email address of the logged-in user. But this usage, this use case, is driven by you.
Therefore my plugin is actually doing nothing unless you set up GTM to use any such data. And GTM itself (and not my plugin) will be the software that makes it happen to use this data. And in that case GTM itself is actually not processing this data but sending it to the desired server (that is usually not a Google server, as it is against GTM’s TOS to pass PII to any Google-related tag).
You can do this without GTM but as you may already know: with much more effort.
Therefore adding a checkbox into my plugin that would, let’s say, enable IP anonymization will not change anything, as my plugin is not loading any Google Analytics code. Google Tag Manager will load it IF you set up your container to do so.
This is why (in my opinion) there is no need to add anything into my plugin that would make it GDPR compliant. You can use my plugin and keep GDPR compliance by using certain features only if you have the consent of your visitor to do so.
And in that part GTM and my plugin can be very helpful: let’s say you create a consent popup where you allow your user to select what kind of data usage is allowed or not. This consent popup should store user preferences in one or more cookies. You can then read the values of those cookies and block certain tags from firing if the user did not give any consent. Let’s say the user does not allow any remarketing functionality. You can read this preference from a cookie using GTM’s 1st party cookie variable and extend your existing “All pages” trigger to have a filter option: when this cookie has a value of 1 (or any value that the programmer of your consent popup defines). But you can fire your tags and set up certain parameters to be active only if there is appropriate consent.
Let me know if you have additional questions or you see some points differently.
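
The consent check described in the reply above, modelled outside GTM as an added example that is not part of the original post or the plugin's code. The `consent_<category>` cookie names, the value `1` as "granted", and the tag names are assumptions made for illustration; inside GTM the same decision is made by a 1st party cookie variable and a trigger filter.

```javascript
// Added example: consent-gated tag firing with default deny.
// Cookie names, categories and tag names are constructed for illustration.

// Parse a document.cookie-style string into a name -> value map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;                      // skip malformed pairs
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name && !jar.has(name)) jar.set(name, value); // first occurrence wins
  }
  return jar;
}

// Consent is granted only when the category cookie is exactly "1".
// A missing, empty or unexpected value means "no consent" (default deny).
// The lookup is by exact cookie name, so "xconsent_remarketing" never matches.
function hasConsent(cookieString, category) {
  return parseCookies(cookieString).get("consent_" + category) === "1";
}

// Return the names of the tags allowed to fire for this visitor.
// A tag without a `requires` category needs no consent.
function tagsToFire(tags, cookieString) {
  return tags
    .filter(t => !t.requires || hasConsent(cookieString, t.requires))
    .map(t => t.name);
}

// Constructed sample data.
const TAGS = [
  { name: "site-search-helper" },
  { name: "analytics-pageview", requires: "analytics" },
  { name: "remarketing-pixel", requires: "remarketing" },
];
const SAMPLE_COOKIES = "session=abc; consent_analytics=1; consent_remarketing=0";

console.log(tagsToFire(TAGS, SAMPLE_COOKIES));
```
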