Blog · Analytics & Privacy · Jul 8, 2025 · 15 min read

Don't make GTM audits daunting — a practical guide to auditing your container

Audits shouldn't be scary. You just need a plan. Here's the 10-step framework I've developed through hundreds of client audits — ordered so the foundation gets validated before you touch the strategic questions.

Why every GTM container needs regular audits

Whether you're taking over a new client's tracking strategy or cleaning up for your legal team, auditing GTM containers is a critical step for any analytics professional. Yet most audits I've seen follow an ad-hoc approach that misses critical issues.

This guide shares the systematic framework I've developed through hundreds of client audits. The order follows a logical progression: validate the foundation first, then move to strategic and architectural questions.

Real-world impact

I once worked with a client who dismissed our privacy audit report, claiming it wasn't a priority. Two weeks later, they received a fine for the exact breaches we had identified. The audit cost €2,000. The fine was €25,000.

Step 1

Own the tagging plan

You can't build a house without a plan. Whether you're identifying relevant events with the marketing team or working from an existing tagging plan, having that documentation is mandatory before you open GTM.

Challenge the plan from the start: ensure event naming follows a clear taxonomy, that page names are consistent, and that obvious events aren't missing. A tagging plan isn't a one-time deliverable — it's a living document you enrich as your analysis uncovers gaps.

Key elements of a solid tagging plan

  • Event taxonomy: Consistent naming conventions across all events.
  • KPI alignment: Every tracked event should support a specific business KPI.
  • Data layer specifications: Expected variables and their possible values.
  • Trigger locations: Where each event should fire on your site.

A common failure mode is trying to track everything. There's a real cost to tracking — site performance, potential data leaks, maintenance overhead. Stay lean. A useful compass: build a list of KPIs with your business and marketing teams, then check that every KPI is covered by your tagging plan. If an event doesn't support any KPI, remove it.

Warning

Click tracking rarely makes sense by itself. And there's no point tracking events if you don't know how you'll analyze them later.

Step 2

Verify GTM loads on every page

Validate the simplest assumptions first. While it should be obvious that the container is present on every page, I've run into this issue multiple times in my career. Developers implement GTM in a shared component, someone removes it from a template, and suddenly a whole section of the site goes dark.

How to check GTM coverage

  • Compare analytics page data with your CMS. Missing pages in reports often mean GTM isn't present there.
  • Use the browser network tab on suspected pages and check for GTM requests.
  • Search your analytics for page path gaps — content you know exists but doesn't appear in reports.

When you find missing pages, bring specific examples to your development team. Vague reports slow things down.

Step 3

Audit dataLayer implementation

Your tagging plan lists all tracked interactions and the expected dataLayer variables. Now check that reality matches the spec.

Build custom reports in your analytics tool that list received values for each dataLayer variable. Compare those against your tagging plan. Filter by interaction type or page to isolate where fixes are needed.

Also cross-check the other direction: dataLayer variables can exist on the site without being mapped in GTM. Verify that every expected variable is correctly mapped to the right events in your container.

Pro tip

Open your browser console and type dataLayer. You'll see every event that's been pushed in real time. Faster than any third-party tool for a quick sanity check.

Step 4

Validate trigger configuration

With GTM verified everywhere and the dataLayer correctly populated, make sure your triggers reflect what's documented in the tagging plan. The tagging plan is your source of truth here.

Common trigger issues to check

  • Overly broad triggers: Firing on unintended pages or elements.
  • Missing conditions: Triggers that should have additional filters but don't.
  • Timing issues: DOM-ready vs window-loaded — the difference matters more than it should.
  • Conflicting triggers: Multiple triggers firing for the same event, inflating data.

Step 5

Challenge every tag present

Heavy containers are a real threat. Page performance positively correlates with SEO ranking and conversion rate — you don't want to undermine your SEO team's work because of tags nobody uses anymore.

For every tag, two questions: "What business objective does this serve?" and "Do we have an active agreement with this vendor?" I've seen containers still firing tags for vendors the company hadn't worked with for years. Beyond the performance cost, sending user data to vendors without a formal agreement is a GDPR liability — and one that's trivial to fix.

Worth remembering

Removing an outdated tag takes two clicks. Getting fined for sending user data to a vendor you no longer work with takes considerably longer to resolve.

Step 6

Comprehensive privacy compliance check

Some teams treat privacy as an afterthought — "we're too small to get fined." That's a gamble, not a strategy. Large companies get fined, but so do smaller ones. The size of the fine usually scales with the severity of the breach, not the size of the company.

1. CMP validation

Check that your Consent Management Platform loads correctly on every page. A common mistake: implementing the CMP inside GTM. Logical separation of concerns, but it creates a real problem — if a visitor uses an ad blocker, GTM gets blocked and the consent banner never shows.

Best practice

Implement your CMP outside GTM, directly in the site's code. It needs to load even when GTM doesn't.

2. CMP configuration

Verify the CMP is correctly configured. Vendor categories (analytics, performance, functional, etc.) should accurately reflect every vendor present on the site — including hardcoded ones outside GTM. GDPR requires consent withdrawal to be as easy as granting it: reject buttons should be as prominent as accept buttons.

3. Tag consent integration

Every tag should only fire when the appropriate consent has been granted. Consented categories are usually stored in a cookie — create a cookie variable in GTM and use blocking triggers that check for specific categories. Blocking triggers are more modular than trigger groups: one blocking trigger per consent category, reused across tags.

4. Detect hardcoded tags outside GTM

Any privacy audit must cover vendors firing outside GTM. Three approaches:

  • Marketing team inventory: Get an updated list of all active vendor relationships and compare against GTM tags.
  • Code component review: In modern frameworks (Next.js, SvelteKit, Astro), hardcoded vendors often live in a shared component.
  • Network tab analysis: The most thorough approach — manually check every page's network requests for vendors firing outside GTM.

5. Cookie and storage audit

Beyond tag firing, pay attention to what gets written in cookies and localStorage. Build a list of these with their associated vendors and consent requirements. Cookie databases like OneTrust's can help identify vendor ownership for cookies you don't recognize.

Watch out

Meta offers "automated tracking" that collects pageviews, clicks, and form entries automatically — potentially including PII like emails, names, and addresses. When something seems easy, check what it's collecting before enabling it.

Step 7

Quality assessment and testing

Now that the foundation is in place, verify everything works. Open your browser's network tab and walk through each implemented event — check that tags fire correctly, with the right data attached, and to the correct destination.

I once met a well-known agency that tried to put QA burden back on the client because it was "too cumbersome for their team." If you're the agency — QA is part of the job. Full stop.

Essential QA checks

  • Data format consistency: Page names follow conventions, prices use the same format throughout.
  • Complete data flow: No missing variables or events.
  • PII prevention: No personal information leaking into analytics — this is both a privacy risk and a cause for platform bans.
  • Cross-device testing: Tracking works correctly on mobile, tablet, and desktop.
  • Analytics validation: Data lands correctly in your tools.

Step 8

Challenge your assumptions

Now that you're confident the tracking works as configured, go back to the drawing board. Are your initial assumptions still valid? Do your KPIs and their translation into tracking specs actually produce actionable insights?

You might find you're missing data to answer specific questions, or collecting data that doesn't meaningfully contribute to your analysis. Don't hesitate to remove it. More data is rarely better. Better data is the goal.

Step 9

Plan regular audits

Audits are tedious and time-consuming. Instead of doing everything at once and losing your mind, perform targeted audits regularly. Privacy compliance review one month, tag inventory the next.

A reasonable audit schedule

  • Monthly: Tag inventory review and performance impact check.
  • Quarterly: Privacy compliance and cookie audit.
  • After major releases: DataLayer and trigger validation.
  • Annual: Full comprehensive audit following this framework.

Work smarter

Team up with your dev team to implement basic unit tests for your tracking. Even the smallest automated check could save you from discovering a broken variable on a Friday evening.

Step 10

Make the audit actionable

There's nothing more frustrating than spending days on a detailed audit only to see nobody act on it. The temptation is to stuff everything into the report to show the work. Resist it.

A good audit report for a mature client is short, prioritized, and in plain English. It answers: what are the risks, how severe are they, and what specifically needs to happen next.

Elements of an actionable report

  • Executive summary: High-level findings and recommendations. One page maximum.
  • Priority matrix: Issues ranked by impact and effort to fix.
  • Clear action items: Specific steps with owners and timelines, not open-ended recommendations.
  • Plain language: No jargon. Your audience should understand the risk without needing a glossary.

Automating the repetitive parts

Most of the steps above — verifying GTM presence, inventorying tags, checking for consent gaps, reviewing vendor lists — are repetitive and time-consuming when done manually. That's the problem Tagstack is built to solve.

What Tagstack automates

  • Container scanning: Analyze any GTM setup without needing container access.
  • Tag inventory: Automatically detect all vendors and technologies deployed.
  • Privacy signals: Identify consent mode status, CMP presence, and server-side GTM.
  • Competitive benchmarking: See what technologies any competitor runs and how their container scores.
Try the scanner free See all use cases

Key takeaways

Audits feel daunting when they're undefined. With a fixed framework, they become routine. The order matters: don't go chasing complex consent issues before verifying GTM loads on every page.

  • Start with foundations — verify GTM loads everywhere before touching configurations.
  • Privacy isn't optional — GDPR compliance should be part of the audit, not an afterthought.
  • Quality over quantity — better data beats more data, every time.
  • Automate where possible — repetitive checks are the best candidates for tooling.
  • Make it actionable — the best audit is the one that actually gets implemented.