Zach Jackson

Most teams carry out regular maintenance on Google Tag Manager to update tracking requirements as their website or app develops over time. But other essential aspects of GTM hygiene often fall by the wayside, resulting in potential security vulnerabilities and underperformance.

In this article, we discuss these under-the-radar issues, the toll they can take on your marketing campaigns, and how to resolve them.

What is Google Tag Manager?

To collect marketing data and deliver it to third-party tools for analysis (e.g. GA4), small snippets of tracking code are applied to the source file of your website.

Before the days of Google Tag Manager, this was done manually, which:

a. Required technical knowledge

b. Could be time-consuming

c. Was often error-prone

GTM makes this process much more efficient by providing a centralised platform where you can manage all your tracking codes without having to directly modify your website. With GTM, you can easily add, update, or remove tags, reducing dependency on developers, speeding up implementation of tracking updates, and minimising errors.

User-introduced GTM security vulnerabilities

While Google Tag Manager is generally a secure program in and of itself, the way you use and maintain your account can render it susceptible to outside influence.

User access

One of the overlooked security risks we often observe in GTM accounts is an abundance of users no longer attached to the marketing efforts of the account holder. Despite not being involved in the project, these users retain varying degrees of access to the GTM account. 

Without proper maintenance, these access points accumulate, significantly increasing the risk of unauthorised action over time.

Who are these users, and where do they come from?

Sometimes these old user profiles belong to members of an agency (or agencies) the business has worked with in the past; these individuals may or may not be still employed by the agency through which they gained access. Others may be former members of the account-holder’s in-house team or freelancers employed over a limited period or for a specific task.

All outdated users carry security risks, such as unnecessary access, unauthorised actions, and potential data leaks, but the risk is generally higher if the access holder no longer works for the involved business entities.

With no links to an organisation, these access holders have no accountability, and changes can be made to your account with no oversight whatsoever. Their actions can be unpredictable and potentially even untraceable.

There’s also a higher likelihood of malicious intent if the access holder is no longer employed by the businesses in question. If they left under negative circumstances, they may be more inclined to misuse their access or sell it on to bad actors.

What are the risks of unchecked GTM user access?

Google Tag Manager has two levels of access: account level and container level. Each of these levels contains multiple access types that determine what a user can and cannot do within the GTM account.

The tables below detail each GTM access type and its associated risks:

A table showing the risks associated with old GTM user access at Account Level

A table showing the risks associated with old GTM user access at Container Level


Weak passwords

As is the case with any sensitive online location, a strong password is essential to optimising security.

Just like lingering user access permissions, a weak password can hand control of your account to threat actors, which could result in data compromise, the injection of malicious code, skewed analytics, and even compliance violations.

Best practices for strong GTM passwords

We recommend applying all the standard strong-password best practices when creating your Google Tag Manager password. These include:

  • Using at least 12 characters, selecting a mixture of uppercase and lowercase letters, numbers, and special characters
  • Avoiding easily accessible personal information, such as family birthdates or names
  • Avoiding any easily guessable sequences of characters, such as ‘qwerty’ or ‘12345’ - and avoid using common words or phrases in full
  • Making a habit of updating your password periodically
  • Activating two-factor authentication

Additionally, consider a regular review of account activity logs and establish steps for securing your account in the event of a breach.

Sensitive information in data layer

A data layer is incorporated into the source code of your website or app, enabling the transmission of tracking data to Google Tag Manager.

In the past, sensitive data could be used in a data layer to aid in more detailed analytics and personalisation without having to modify the backend system. For example, a developer may have included user email addresses or other personal identifiers in your data layer to make tracking user-specific interactions easier.

The problem is, anyone can access the contents of your data layer by inspecting the source code of your website or app. This means that any sensitive information in the mix is technically classed as “leaked”, potentially violating privacy regulations.

How to check for sensitive information in your data layer

There are various ways to check your data layer for signs of personally identifiable information, the most immediate being a careful, manual read-through, but setting up an automated scanner is a more efficient option in the long run.

We also recommend carrying out thorough code reviews of any data before it gets pushed into the data layer. This way, you can catch any PII and remove it before it becomes a problem.

To maintain tracking efficacy, consider replacing PII with anonymised data, such as hashed values or unique non-identifiable IDs.

User-introduced GTM performance issues

Much like the security issues discussed above, the following performance issues are not strictly speaking a GTM problem. Rather, they stem from the accumulation of old tracking scripts over time.

What sort of performance issues are caused by old scripts in GTM?

It might seem easier to leave the scripts from your old strategies and PPC campaigns live than to figure out which have served their purpose and remove them, but there is a small price to pay in the form of diminished website performance for each residual script.

And when they pile up — so too do the costs:

    1. Increased page load time

Unnecessary tracking codes can significantly increase the load time of your web pages, contributing towards poor user experiences, higher bounce rates, and reduced conversion rates.

Page load speed is a direct ranking factor for Google and other search engines, so once old tracking scripts start to snowball they can also undermine your SEO efforts.

    2. Resource consumption

Each tracking script uses a small fraction of browser resources. When they stack up, they can consume enough CPU time and memory to reduce browser performance, resulting in less responsive interactive elements and reduced user engagement.

This is particularly true when there are limited resources to begin with, as is the case on mobile devices or when the user has a slower connection to the internet.

    3. Increased bandwidth usage

Loading a surplus of outdated tracking scripts increases the amount of data transferred between the server and the user’s browser. Again, this can lead to slower load times, but it can also result in higher data usage costs, a problem for users with limited data plans.

    4. Potential script conflicts

The more tracking scripts you have active, the more likely it is that some will conflict with one another, potentially causing website features to malfunction and further inhibiting the user experience.

    5. Debugging difficulties

When your tracking scripts pile up, it often becomes much trickier for developers to identify the root cause of bugs, increasing the cost of website maintenance.
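To put numbers on the load-time and bandwidth costs listed above, here is an added example (not code from the original article) that totals third-party script requests per host from Resource Timing entries and flags hosts whose script was fetched more than once, a common symptom of duplicate tagging. In a browser you would pass `performance.getEntriesByType('resource')`; the entries below, the GTM-XXXX container id and the function name are constructed for the demo.

```javascript
// Constructed sample of PerformanceResourceTiming-like entries (only the
// fields this function reads). transferSize 0 with a tiny duration is what a
// second, cache-served fetch of the same script looks like.
const sampleEntries = [
  { name: 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX', initiatorType: 'script', transferSize: 95000, duration: 210 },
  { name: 'https://www.google-analytics.com/analytics.js', initiatorType: 'script', transferSize: 20000, duration: 90 },
  { name: 'https://connect.facebook.net/en_US/fbevents.js', initiatorType: 'script', transferSize: 85000, duration: 330 },
  { name: 'https://connect.facebook.net/en_US/fbevents.js', initiatorType: 'script', transferSize: 0, duration: 5 },
  { name: 'https://cdn.example.com/app.css', initiatorType: 'link', transferSize: 30000, duration: 60 },
];

// Group script entries by host, skipping the site's own host, and return a
// list sorted by total fetch time with a flag for scripts requested repeatedly.
function summariseScripts(entries, firstPartyHost) {
  const byHost = {};
  for (const e of entries) {
    if (e.initiatorType !== 'script') continue;
    const host = new URL(e.name).hostname;
    if (host === firstPartyHost) continue;
    const h = byHost[host] || (byHost[host] = { requests: 0, bytes: 0, ms: 0, urls: new Set() });
    h.requests += 1;
    h.bytes += e.transferSize;
    h.ms += e.duration;
    h.urls.add(e.name.split('?')[0]); // same script path, ignoring query strings
  }
  return Object.entries(byHost)
    .map(([host, h]) => ({
      host,
      requests: h.requests,
      bytes: h.bytes,
      ms: Math.round(h.ms),
      repeated: h.requests > h.urls.size, // a URL fetched more than once
    }))
    .sort((a, b) => b.ms - a.ms);
}
```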

Best practices for reducing unnecessary scripts in GTM

We recommend the following for keeping unnecessary tracking scripts at a minimum:

    1. Regularly audit tracking scripts

Periodically review the tracking scripts deployed through GTM and remove any that are no longer necessary. Maintain an inventory of active tags and their purposes to streamline the audit process.

    2. Prioritise essential scripts

Only deploy tracking scripts that are essential for your current marketing and analytics needs, and consider using asynchronous loading for non-essential scripts to reduce their impact on page load times.

    3. Optimise script placement

Use tag sequencing in GTM to place critical tracking scripts in the head section, but defer non-essential scripts to load after the main content.

    4. Implement performance monitoring

Use performance monitoring tools to track the impact of tracking scripts on your page load times and resource usage.

    5. Use server-side tagging

Consider implementing server-side tagging to offload some of the tracking scripts from the client-side to the server-side. This approach can improve page load times and enhance data security.

    6. Follow tag naming conventions

Ensure that your tags are named consistently and descriptively. This practice aids in handovers and multi-user management, making it easier for team members to understand the purpose of each tag.

    7. Avoid tag trigger overlaps

Check for trigger overlaps that increase the GTM script size. If a trigger is already in place, use it in new tags rather than creating duplicate triggers.

    8. Eliminate duplicate tagging

Regularly review your tags to identify and remove any duplicates performing the same actions. This helps in reducing unnecessary load and potential conflicts.
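The audit, duplicate-trigger and duplicate-tag checks above can be run offline against a container export. The following is an added example, not the article's or Google's code: it assumes the JSON shape of a GTM "Export container" file (a `containerVersion` object holding `tag` and `trigger` arrays with `tagId`, `triggerId`, `firingTriggerId`, `paused`, `type` and `filter` fields) and reports paused tags, tags with no firing trigger, triggers no tag uses, and triggers that duplicate one another. The sample export and the function names are constructed for the demo.

```javascript
// Constructed sample in the shape of a GTM container export (field names are
// assumed from the export format; values are made up for this demo).
const sampleExport = {
  exportFormatVersion: 2,
  containerVersion: {
    tag: [
      { tagId: '1', name: 'GA4 - Config', type: 'gaawc', firingTriggerId: ['5'] },
      { tagId: '2', name: 'FB Pixel - Summer Sale 2022', type: 'html', firingTriggerId: ['5'] },
      { tagId: '3', name: 'Old Remarketing', type: 'html', firingTriggerId: ['6'], paused: true },
      { tagId: '4', name: 'Hotjar', type: 'html', firingTriggerId: [] },
    ],
    trigger: [
      { triggerId: '5', name: 'All Pages', type: 'pageview' },
      { triggerId: '6', name: 'All Pages (copy)', type: 'pageview' },
      { triggerId: '7', name: 'Checkout Click', type: 'click',
        filter: [{ type: 'equals', parameter: [{ key: 'arg1', value: 'checkout' }] }] },
    ],
  },
};

// Two triggers are duplicates when their type and filter conditions match,
// regardless of their names.
function triggerSignature(t) {
  return JSON.stringify({
    type: t.type,
    filter: t.filter || [],
    customEventFilter: t.customEventFilter || [],
  });
}

// Return the findings an audit would raise for this container version.
function auditContainer(exported) {
  const { tag = [], trigger = [] } = exported.containerVersion;
  const used = new Set(tag.flatMap((t) => t.firingTriggerId || []));
  const bySig = new Map();
  for (const t of trigger) {
    const sig = triggerSignature(t);
    bySig.set(sig, [...(bySig.get(sig) || []), t.name]);
  }
  return {
    pausedTags: tag.filter((t) => t.paused).map((t) => t.name),
    tagsWithoutTrigger: tag.filter((t) => !(t.firingTriggerId || []).length).map((t) => t.name),
    unusedTriggers: trigger.filter((t) => !used.has(t.triggerId)).map((t) => t.name),
    duplicateTriggers: [...bySig.values()].filter((names) => names.length > 1),
  };
}
```

Each reported item is a candidate for removal or consolidation; a paused tag and an unused trigger still ship in the container configuration the browser downloads.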

Final thoughts

Google Tag Manager maintenance isn’t the most exciting job in the world, but considering the potential consequences of letting it slide, we advise working regular account reviews into your schedule.

Quarterly reviews are recommended, but even biannual maintenance can significantly enhance the security of your GTM account and website performance.
