Keeping Google Tag Manager secure: Best practices

Overview

Google Tag Manager (GTM) allows you to inject JavaScript into your website to track user behavior. This provides an extraordinary amount of power and flexibility for your web analytics needs. However, it may also, if used without caution, create security vulnerabilities, particularly around your users' personal data.

Here are some best practices for keeping your GTM container secure.

Don’t collect Personally Identifiable Information (PII)

GTM permits you to write code that "sees" everything that happens client-side on your website -- including data that a user enters into a form field. This could result in collecting names, addresses, and even social security information.

Furthermore, this kind of collection might happen by accident. Some web forms store PII in their markup -- in an input's value attribute, for example -- and collecting those values might inadvertently result in collecting PII data. We recommend that anyone creating code to collect data work closely with site developers to avoid accidental PII collection pitfalls.

Don't expose PII in the dataLayer

Another way that user data might be exposed is if you push it to the dataLayer. Since all client-side code has access to the dataLayer, personal information you store there could be accessed by malicious third-party applications.

In addition, it is against Google's terms of service to send PII data to Google Analytics. Here's an article that further describes some of the possible PII issues that web analytics developers might run into.
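The two preceding sections describe the same failure mode from two sides: a tag that reads form values wholesale picks up PII, and anything pushed to the dataLayer is readable by every other script on the page. The following is an added example (not code from the Mass Digital page or from GTM itself) of a guarded push that drops keys not on an allowlist and redacts values that look like an email address, Social Security number, or phone number before they reach the dataLayer. The allowlist, the regular expressions, and the form-field stand-ins are constructed for illustration; the dataLayer is passed in as a plain array so the functions also run outside a browser.

```javascript
// Constructed allowlist: keys we know carry no personal data.
const ALLOWED_KEYS = new Set([
  'event', 'formId', 'formName', 'pageCategory', 'fieldCount', 'fieldNames', 'searchTerm',
]);

// Heuristic patterns for values that should never be pushed. Order matters:
// the SSN pattern is checked before the looser phone pattern.
const PII_PATTERNS = [
  { name: 'email', re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
  { name: 'ssn',   re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { name: 'phone', re: /\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b/ },
];

// Returns the name of the first matching PII pattern, or null for clean values.
function looksLikePii(value) {
  if (typeof value !== 'string') return null;
  const hit = PII_PATTERNS.find((p) => p.re.test(value));
  return hit ? hit.name : null;
}

// Builds the object that is safe to push and reports what was dropped or redacted,
// so a reviewer (or a test) can see exactly what would have leaked.
function sanitizeForDataLayer(payload) {
  const pushed = {};
  const dropped = [];
  const redacted = [];
  for (const [key, value] of Object.entries(payload)) {
    if (!ALLOWED_KEYS.has(key)) {
      dropped.push(key);           // unknown key: never forwarded
      continue;
    }
    const kind = looksLikePii(value);
    if (kind) {
      redacted.push({ key, kind }); // allowed key, but the value itself looks personal
      pushed[key] = '[REDACTED:' + kind + ']';
      continue;
    }
    pushed[key] = value;
  }
  return { pushed, dropped, redacted };
}

// Drop-in replacement for window.dataLayer.push(payload).
// In a browser you would call safeDataLayerPush(window.dataLayer, payload).
function safeDataLayerPush(dataLayer, payload) {
  const result = sanitizeForDataLayer(payload);
  dataLayer.push(result.pushed);
  return result;
}

// The accidental-collection pitfall: a variable that copies every field's value
// captures whatever the user typed. `fields` is a constructed stand-in for the
// form's inputs ([{ name, value }]), not a real DOM query.
function collectAllFieldValues(fields) {
  return Object.fromEntries(fields.map((f) => [f.name, f.value]));
}

// The safer variant records only the form's shape, never its contents.
function collectFormShape(fields) {
  return { fieldCount: fields.length, fieldNames: fields.map((f) => f.name) };
}

// Stand-alone demonstration with constructed input.
const demoDataLayer = [];
const demoFields = [
  { name: 'email', value: 'jane@example.com' },
  { name: 'zip',   value: '02108' },
];
safeDataLayerPush(demoDataLayer, {
  event: 'form_submit',
  formId: 'contact',
  ...collectAllFieldValues(demoFields), // the careless variable: 'email' key is dropped
  ...collectFormShape(demoFields),      // the safe variable: shape passes through
  searchTerm: '123-45-6789',            // a user typed an SSN into the search box
});
```

The point of returning `dropped` and `redacted` rather than silently discarding is that the list is what you review during a container release: a tag that regularly trips the redaction path is collecting something it should not, and the fix belongs in the tag, not in the filter.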

Updating passwords & managing permissions

You should keep track of and regularly audit the list of people who have access to your Tag Manager container(s). We require that instead of using personal Google accounts to access GTM, you associate your state email with a Google Account. This makes it easier to manage former employees' access to GTM.

If Mass Digital is managing your container, you should let us know whenever you need to remove a team member's access, e.g. if they move to another team that doesn't need access to your website's container, or another state organization.

Additionally, not everyone with access to GTM requires the same level of permissions. Limit the number of people who can deploy tags, and ensure that you have a review process for any code that's deployed to your live site. This reduces the risk of malicious or troublesome code being added to the site.

Finally, you should make sure you require 2-factor authentication for anyone with access to your account. (You can do this under Admin -> Account settings.) Mass Digital has this setting turned on for all containers we manage.

Think twice before using Custom HTML and JavaScript

GTM comes with built-in tag templates, which require limited knowledge of CSS and JavaScript. Using these reduces, but does not entirely eliminate, the risk of problems, such as collecting PII or negatively affecting performance. While custom HTML tags and JavaScript variables provide more flexibility, they also require a greater level of understanding about how code injection works. Because of this, we recommend using a built-in tag whenever possible. Whenever you do need to deploy custom code, make sure to subject it to rigorous review before releasing it.

Third-party pixels

Another common practice is injecting code into your site that gives some other organization, such as Facebook, access to your site's pages as they run in the browser. This usually allows the third party to deliver additional analytics & marketing services.

It also could allow those third-party organizations to collect your visitors' data, as their pixels will have access to anything available on the client side of your website. We recommend a conservative stance with respect to adding third-party pixels, especially if you are unfamiliar with the organization that owns the pixel.

If you do collect data through third-party pixels, you should alert users via a privacy policy that states in language clear to the general public which organizations are able to collect web analytics on your site.
