You Can't Trust Your Tag Neither: Privacy Leaks and Potential Legal Violations within the Google Tag Manager

📅 2023-12-14
🤖 AI Summary
This study presents the first systematic academic assessment of privacy and compliance risks posed by third-party tags in Google Tag Manager (GTM). It identifies pervasive issues—including undisclosed third parties, covert data exfiltration, unauthorized personal data sharing, and cookie misuse—that materially contravene GDPR requirements and vendor privacy commitments. To address these challenges, the authors introduce *Isolation-Based Privacy Leak Detection*, a novel methodology integrating dynamic JavaScript analysis, automated tag reverse engineering, legal text alignment, and Consent Mode mechanism auditing. Applying this approach to six in-depth tag analyses, 718 automated tag evaluations, and a dedicated Consent Mode study, the work uncovers multiple substantive GDPR violations. It reveals structural privacy flaws inherent in GTM’s architecture, thereby providing critical empirical evidence and methodological foundations for regulatory enforcement and privacy-enhancing technology development.
📝 Abstract
Tag Management Systems were developed in order to support website publishers in installing multiple third-party JavaScript scripts (Tags) on their websites. Google developed its own TMS called "Google Tag Manager" (GTM) that is currently present on 42% of the top 1 million most popular websites. However, GTM has not yet been thoroughly evaluated by the academic research community. In this work, we study, for the first time, the Tags provided within the GTM system. We propose a new methodology called "detecting privacy leaks in isolation" and apply it to multiple Tags to analyse the types of data that Tags collect and contrast them to the legal and technical documentation, in collaboration with a legal expert. Across three studies - in-depth analysis of 6 Tags, automated analysis of 718 Tags, and analysis of Google "Consent Mode" - we discover multiple hidden data leaks, incomplete and diverging declarations, undisclosed third parties and cookies, personal data sharing without consent and we further identify potential legal violations within EU Data Protection law.
Problem

Research questions and friction points this paper is trying to address.

Privacy leaks in Google Tag Manager Tags
Undisclosed third parties and cookies
Potential violations of EU Data Protection law
Innovation

Methods, ideas, or system contributions that make the work stand out.

Detecting privacy leaks in isolation
Automated analysis of 718 Tags
Identifying legal violations in GTM