Why I don’t like Google Tag Manager

Google Tag Manager (GTM) is a tool that lets marketers put code for tracking users/analytics onto a website without having to actually change the code of the website. Essentially, Google Tag Manager will inject the code after the page has loaded. “Tags” in this instance aren’t just #hashtag, but are snippets of code that can record data and send it to third-party services.

The advantage of this is that Marketers can put JavaScript code into your production website without needing a developer, and that is genuinely useful to them. However… it’s allowing marketers to put code into your live website!

Normally, when you’re developing a site, code gets written, tested, approved and ultimately deployed into the site. It’s written by developers, tested by testers, approved by someone in charge, and then added to the site in a controlled manner. GTM lets someone who is probably not a web-development expert skip most of those steps and shove code live on your website.

Why is that a problem? Well, has anyone tested this code against a range of browsers? What’s the origin of the JavaScript? Has it been reviewed and checked for malicious code? (MageCart is a thing! Remember Browsealoud?) Do you trust where the code is coming from?

It gets worse if you start to think about issues wider than the purely technical. Consider GDPR compliance – what will the impact of the data you’re gathering be? Heck, if marketing are able to capture this without outside discussion, will the rest of the business know what is being recorded? How will you ensure you’re not capturing Personally Identifiable Information (PII), and how will you remove it if someone requests so?

Problems I’ve seen due to GTM:

  • Everything, and the kitchen sink! – Marketing teams that have gone nuts and added a slew of different analytics tools to their pages. I’ve actually seen some where the analytics JavaScript is more than half the total page size. My personal favourite is a 500Kb .js file that I’d like to block. It is just obscene. I’ve also seen 9 different analytics tools added to the one site. I bet no more than 2 are actually ever used. Having 5 or 6 seems common, because it’s easy to add new analytics, and why bother removing them (well, apart from speed, cost, and keeping things simple). Performance matters. Pick one or two analytics and bin the rest.
  • But we can’t use CSPs… – A Content Security Policy (CSP) is a powerful tool that can mitigate a number of risks in the site, but it does tend to block newly added analytics tools until they are whitelisted. At some customers, this leads to the position “let’s not use CSPs then”. This is bonkers, but is a result of IT and Marketing not engaging with each other and discussing how to add analytics tools in a controlled fashion.
  • What do you mean, badly written? – I’ve also seen some pretty shonky custom code inserted by GTM. Some didn’t work, or didn’t work in all target browsers. Some was trying to insert PII into Google Analytics (in contravention of Google Analytics policy). Some, I genuinely couldn’t work out what it was trying to do, or how to tell if it was working or not (which was quite special…)

Now, the good news is that if marketers stick to the standard features of many of the GTM tags, there shouldn’t be too much of a problem. And it is a neat technology. And it can be incorporated into a proper software development life-cycle. It doesn’t have to stop the use of CSPs, and you can be GDPR compliant with it. But that’s not easy, especially when it’s not your primary role.
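One way to keep the CSP and newly added tags in step, as an added example (not code from the original post): parse the site's `script-src` and report which script hosts seen on a page it would block, so each one is reviewed and allowed or removed. The function names, the sample policy, the `shop.example` origin and the two `*.example` vendor hosts are constructed for illustration, and the matcher is deliberately simplified.

```javascript
// Added example: which script URLs seen on a page would the site's CSP allow?
// Simplified matcher: 'self', *, scheme-sources and host-sources (optional scheme,
// leading "*." wildcard). Paths, ports, nonces, hashes, 'strict-dynamic' are ignored.
function parseScriptSrc(csp) {
  const directives = Object.create(null);
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = values; // first one wins
  }
  // script-src falls back to default-src; null means scripts are unrestricted
  return directives['script-src'] || directives['default-src'] || null;
}

function sourceAllows(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === '*') return true;
  if (s === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:']+)/);
  if (!m) return false; // quoted keywords such as 'none' or 'unsafe-inline'
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

function auditScripts(csp, pageOrigin, scriptUrls) {
  const sources = parseScriptSrc(csp);
  return scriptUrls.map((raw) => {
    const url = new URL(raw, pageOrigin); // resolves relative paths
    const allowed = sources === null || sources.some((s) => sourceAllows(s, url, pageOrigin));
    return { url: url.href, host: url.hostname, allowed };
  });
}

function blockedHosts(csp, pageOrigin, scriptUrls) {
  const blocked = auditScripts(csp, pageOrigin, scriptUrls).filter((r) => !r.allowed);
  return [...new Set(blocked.map((r) => r.host))].sort();
}

// Constructed sample data: policy, page origin and the two *.example vendors.
const SAMPLE_ORIGIN = 'https://shop.example';
const SAMPLE_CSP = "default-src 'self'; script-src 'self' " +
  'https://www.googletagmanager.com https://www.google-analytics.com';
const SAMPLE_SCRIPTS = [
  '/static/app.js', 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX',
  'https://www.google-analytics.com/analytics.js',
  'https://cdn.analytics-vendor.example/tracker.min.js', 'https://tags.heatmap-vendor.example/h.js',
];
console.log(blockedHosts(SAMPLE_CSP, SAMPLE_ORIGIN, SAMPLE_SCRIPTS));
```

Run against the script URLs collected from a staging page, the blocked list becomes the agenda for the IT and Marketing conversation: each host is either reviewed and added to the policy or its tag is removed.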

In short, do you trust your marketers to be developers? I would suggest that this is as wise as letting the IT guys run advertising campaigns… and to be clear, I’m not trying to insult marketing, but just observing that coding, software quality assurance and Internet security aren’t part of their job.

IT could help themselves by being a bit more attentive and supportive of their marketing departments – I’ve seen some customers where IT were dismissive of Marketing, and I’ve seen some where they work well together – but really, IT should be the gatekeepers of the code on their website. They serve an important role, and if they’re slow and deliberate, then consider – would you rather use a slow and deliberate surgeon, or one who is in a rush? Getting things reliably right takes time and conversations.


It seems I’m not the only one who thinks like this.

