
Google Tag Manager audit: consent and pixels checklist

Most GTM containers grow faster than they are governed. Marketing adds pixels, agencies create workspaces, developers hardcode backups—and within a year nobody trusts the numbers. An audit focused on consent and pixels finds compliance risks and revenue-impacting bugs in the same pass.

Use this checklist for internal reviews or when scoping work with a GTM consultant.

Phase 1: Container hygiene

  • Export live container JSON; note version count and unpublished workspaces
  • List all users with publish access—remove departed agencies
  • Standardize naming: Platform - Type - Detail (e.g. GA4 - Config - Main Site)
  • Document container IDs per environment (prod/staging/dev)

Consent and firing rules

  • Consent Initialization tag exists and runs early
  • Consent Mode v2 covers all four required types where Google tags are present
  • No marketing/analytics tags on Consent Initialization granted by mistake
  • Non-Google tags use blocking triggers tied to CMP categories
  • wait_for_update tuned—tags not leaking during race window
  • SPA page changes re-evaluate consent-dependent tags correctly

Pixel health

Google

  • Single GA4 config (no duplicate gtag + GTM)
  • Google Ads conversion tags use correct conversion labels and currency
  • Enhanced conversions only with approved hashing + consent

Meta

  • One Pixel base code path; avoid plugin + GTM duplicate PageView
  • CAPI events match browser events with shared event_id
  • Advanced matching fields documented and consent-gated

TikTok / LinkedIn / others

  • Each has explicit owner and last test date
  • Removed if campaigns inactive >12 months (vendor sprawl cleanup)

Legacy

  • No UA tags, obsolete Floodlight tests, or A/B tool duplicates

Data layer audit

  • Ecommerce events include items, value, currency
  • Form events do not push email/phone into variables sent to analytics
  • Login events avoid sending raw user IDs to marketing tags
  • Naming matches published event dictionary (or dictionary updated to match reality)

Performance and security

  • Custom HTML tags minimized—prefer official templates
  • No long-lived third-party scripts without business owner
  • First-party tagging / sGTM considered for high-value conversions

Deliverables from a solid audit

  1. Tag inventory spreadsheet with consent category and owner
  2. Findings ranked P0 (legal/revenue) → P3 (cleanup)
  3. Remediation roadmap with effort estimates
  4. Test script (10–15 scenarios) for QA after each publish
  5. Governance rules — who can publish, review required for new vendors
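A first pass at the tag inventory can be generated from the exported container JSON. The script below is an added example, not part of the original checklist or any Google tooling. It assumes the export's `containerVersion.tag[]` layout with `consentSettings`, `firingTriggerId` and `blockingTriggerId` fields, plus the built-in trigger ID and tag type codes listed at the top; confirm all of these against your own export.

```python
import json

# Assumptions to check against your own export: built-in trigger ID and tag type codes.
CONSENT_INIT_TRIGGER = "2147479572"  # "Consent Initialization - All Pages"
GOOGLE_TYPES = {"googtag", "gaawc", "gaawe", "awct", "sp", "gclidw", "flc", "fls", "ua"}
LEGACY_TYPES = {"ua"}  # Universal Analytics

def audit_container(export: dict) -> list:
    """Return one inventory row per tag with its consent types and findings."""
    rows = []
    for tag in export.get("containerVersion", {}).get("tag", []):
        ttype = tag.get("type", "")
        consent = tag.get("consentSettings", {})
        # "Require additional consent" is assumed to appear as consentStatus NEEDED.
        needs_consent = consent.get("consentStatus", "").upper() == "NEEDED"
        consent_types = [e.get("value") for e in consent.get("consentType", {}).get("list", [])]
        # Only checks that a blocking trigger exists, not that it maps to a CMP category.
        blocked = bool(tag.get("blockingTriggerId"))
        findings = []
        if ttype == "html":
            findings.append("custom_html")
        if ttype in LEGACY_TYPES:
            findings.append("legacy_tag")
        # Checklist item: non-Google tags must carry an explicit consent gate.
        if ttype not in GOOGLE_TYPES and not (needs_consent or blocked):
            findings.append("non_google_ungated")
        if ttype in GOOGLE_TYPES and CONSENT_INIT_TRIGGER in tag.get("firingTriggerId", []):
            findings.append("google_tag_on_consent_init")
        rows.append({"name": tag.get("name"), "type": ttype,
                     "consent_types": consent_types, "findings": findings})
    return rows

# Constructed sample export, not taken from a real container.
SAMPLE = {"containerVersion": {"tag": [
    {"name": "GA4 - Config - Main Site", "type": "googtag",
     "firingTriggerId": [CONSENT_INIT_TRIGGER],
     "consentSettings": {"consentStatus": "NOT_SET"}},
    {"name": "Meta - Pixel - Base", "type": "html",
     "firingTriggerId": ["2147479553"],
     "consentSettings": {"consentStatus": "NOT_SET"}},
    {"name": "LinkedIn - Insight - Base", "type": "html",
     "firingTriggerId": ["2147479553"],
     "consentSettings": {"consentStatus": "NEEDED", "consentType": {
         "type": "LIST", "list": [{"type": "TEMPLATE", "value": "ad_storage"}]}}},
]}}

if __name__ == "__main__":
    for row in audit_container(SAMPLE):
        print(json.dumps(row))
```

Each row still needs an owner and a CMP category added by hand, and every finding should be confirmed in GTM preview mode before it is ranked.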

Sample P0 findings (real examples)

  • Meta Pixel firing on /checkout before consent on EEA traffic
  • GA4 receiving user_email from autofill listener
  • Four duplicate purchase events on thank-you page
  • Google Ads remarketing tag without ad_personalization check

Cadence

  • Full audit annually for active containers
  • Diff review on every GTM publish affecting consent or conversions
  • Emergency audit after CMP change, site redesign, or consent complaint

Run this audit after every major campaign push or CMP vendor list update—not once a year when someone already noticed revenue dropped.

A well-audited container is a competitive advantage: faster launches, trusted reporting, and fewer weekends debugging “why Ads doesn’t match GA4.”