Consent in GTM Containers: What 2,000 B2B SaaS Sites Show
We scanned ~2,000 GTM containers and 2,081 homepages from B2B SaaS websites and looked specifically at consent: where CMPs are deployed, how consent is configured inside containers, which vendors lead the market, and what patterns emerge across different container sizes and advertising stacks.
This is a companion to our State of GTM in B2B SaaS research. That report covers the full measurement landscape. This one goes deep on consent.
Where consent management is deployed
The first observation from this data is that consent lives in a different place than most people check. Consent Management Platforms like OneTrust and Cookiebot are designed to load in the page source before GTM fires. Google's Consent Mode documentation says to set consent defaults before any tags execute. OneTrust's deployment guide and Cookiebot's implementation docs both recommend loading their scripts in the page head, before GTM.
When we scanned only GTM containers, 87% showed "no CMP detected." That number dropped to 56% once we added page-level scanning.
Among the 879 sites where we detected a CMP, the deployment pattern is consistent:
| Where the CMP lives | Share |
|---|---|
| Page source only (not in GTM) | 78% |
| Both page and GTM container | 12% |
| GTM container only | 10% |
78% of CMPs deploy exclusively on the page, outside GTM. This is the correct architecture. The CMP needs to set consent defaults before GTM loads so that tags respect consent from their first execution. The 10% deploying only inside GTM are likely using GTM's Consent Initialization trigger, which fires before other tags. Valid, but less common.
This deployment pattern creates a real challenge for any container-level audit tool, including TagManifest. Container-only analysis has a 39% false alarm rate on consent findings because it can't see the CMP loading on the page. This is why we added page scanning to this research, and why we're transparent about these limitations in every TagManifest scan.
CMP market share in B2B SaaS
| CMP | Sites | Market share |
|---|---|---|
| OneTrust | 289 | 34% |
| Cookiebot | 261 | 31% |
| CookieYes | 152 | 18% |
| Osano | 61 | 7% |
| TrustArc | 46 | 5% |
| Complianz | 42 | 5% |
OneTrust and Cookiebot together represent 65% of CMP deployments in B2B SaaS. CookieYes at 18% has emerged as a notable third option, particularly among smaller companies.
The market looks slightly different for sites without GTM. Among the 225 non-GTM sites with CMPs, OneTrust and Cookiebot are even more dominant (73% combined). CookieYes drops to 8%. TrustArc rises from 5% to 8%, reflecting its enterprise positioning.
One finding worth noting: GTM sites adopt CMPs at nearly double the rate of non-GTM sites (40% vs 24%). Companies investing in tag management are more likely to also invest in consent management. The tools often get sold to the same audience and evaluated by the same teams.
Consent defaults by CMP vendor
Having a CMP on the page is one layer. Setting consent defaults in the page source before GTM loads is another. Only 16% of all pages have consent defaults detected in the source code. Among sites that have a CMP, only 22% set consent defaults.
| CMP | Sites | Sets defaults | Rate |
|---|---|---|---|
| Osano | 61 | 31 | 51% |
| Usercentrics | 22 | 10 | 45% |
| Cookiebot | 261 | 83 | 32% |
| OneTrust | 289 | 52 | 18% |
| CookieYes | 152 | 26 | 17% |
| TrustArc | 46 | 5 | 11% |
Osano leads at 51%. Usercentrics at 45%. Cookiebot in the middle at 32%. OneTrust, the market leader by volume, sits at 18%.
This doesn't necessarily mean OneTrust handles defaults worse. OneTrust's integration is more complex (enterprise deployments, multiple configuration options), and defaults may be set through script parameters our detection doesn't capture. But the gap is notable: among detectable implementations, simpler CMPs set defaults more consistently.
Google's Consent Mode v2 documentation is specific about why this matters: consent defaults should be set before gtag() or GTM loads. Without defaults, there's a window between page load and CMP initialization where tags may fire in an unconsented state. The consent('default', { ad_storage: 'denied', ... }) pattern ensures nothing fires until the CMP grants consent.
78% of CMP sites don't have detectable consent defaults. Whether this creates a compliance gap depends on implementation details we can't see from the outside (CMP script loading order, tag firing rules, regional targeting). But it's a question worth asking during an audit.
What consent looks like inside GTM
Inside GTM containers, consent configuration divides cleanly by tag type:
| Tag type | Consent configured |
|---|---|
| Native Google tags (GA4, Ads, Linker, Floodlight, UET) | 100% |
| Custom HTML (28,546 tags across the dataset) | ~20% |
| Universal Analytics (4,432 tags) | ~5% |
Native GTM tag templates enforce consent at the template level. You can't save a Google Ads tag without setting consent categories. This is template enforcement, not human diligence. Custom HTML has no such guardrail. The consent settings section exists but defaults to NOT_SET, and 80% of Custom HTML tags stay there.
Custom HTML is where consent falls through
89% of containers have Custom HTML tags. The mean is 14.3 per container. These tags run with full page access, no sandboxing, and in 80% of cases, no consent configuration.
41% of containers have Custom HTML tags containing known ad pixel code (Meta fbq(), LinkedIn lintrk(), TikTok ttq()) with no consent configured. These are the highest-risk tags: they transmit data to third-party ad platforms with no consent gate inside GTM.
Whether this creates a compliance gap depends on the consent architecture. If a page-level CMP blocks tag execution before granting consent, the Custom HTML tag never fires regardless of its GTM consent setting. But if consent is managed through GTM's Consent Mode, the Custom HTML tag's NOT_SET status means it fires unconditionally. The distinction between page-level blocking and GTM-level consent determines whether these tags are covered or exposed.
Only 4% of containers have zero consent findings
85 containers (4.3%) trigger zero consent-related findings. These average 9.4 tags with a mean score of 93. They're small, simple containers, not complex stacks where consent has been comprehensively configured. Only 25 of the 85 have a CMP detected anywhere. The other 60 are simply too small to trigger consent findings.
Containers at scale with genuine consent coverage essentially don't exist in this dataset. Any container with meaningful complexity triggers at least one consent finding.
What drives consent adoption
More ad platforms, more consent
| Ad platforms | CMP rate |
|---|---|
| 0 | 29% |
| 1 | 38% |
| 2 | 42% |
| 3 | 50% |
| 4+ | ~57% |
The correlation is monotonic. Companies running more ad platforms are more likely to have a CMP. The likely drivers: Google's Consent Mode requirements for EU-targeting campaigns (phasing in through July 2025), the compliance surface area of multiple vendor relationships, and the maturity correlation (companies sophisticated enough to run 4+ ad platforms tend to have more mature operations overall).
The inverse is also notable: 29% of zero-ad-platform containers have a CMP. These are analytics-only containers where consent is driven by privacy requirements independent of advertising.
Larger containers, more consent
| Container size | CMP rate |
|---|---|
| 1-10 tags | 26% |
| 11-25 tags | 39% |
| 26-50 tags | 41% |
| 51-100 tags | 49% |
| 101+ tags | 62% |
Larger containers are more likely to have consent management. The pattern mirrors the ad-platform correlation: larger containers tend to have more ad platforms.
Lower scores correlate with higher consent adoption
| Score range | CMP rate | Mean tags |
|---|---|---|
| 90+ (A) | 30% | 9 |
| 75-89 (B) | 44% | 42 |
| 60-74 (C) | 48% | 94 |
| <60 (D/F) | 55% | 116 |
This seems counterintuitive: lower-scoring containers are more likely to have consent management. But it makes sense once you account for container size. CMP sites average 76 tags vs 49 for non-CMP sites. The size penalty in scoring (each 50 tags costs ~3 points) outweighs any consent benefit.
Consent adoption is a maturity signal, not a quality signal. Mature containers are bigger and messier, not cleaner. The companies that have invested in consent infrastructure are the same ones running complex, multi-platform measurement stacks that naturally accumulate more findings.
Google Ads containers and consent
750 containers have Google Ads tags but no CMP detected anywhere. Google announced Consent Mode requirements for Google Ads: EU-targeting campaigns needed compliance by March 2024, with broader requirements phasing in through July 2025. Among B2B SaaS containers running Google Ads, 52% (750 / 1,440) have no CMP.
There are several possible explanations: they may not target regulated markets, they may have implemented consent through means we can't detect, or they haven't responded to the requirement yet. For companies with European traffic, this is worth verifying. Google's enforcement includes potential suspension of personalized ads, remarketing, and conversion tracking for non-compliant accounts.
DMA consent type gaps
Google's Digital Markets Act compliance requires specific consent types for ad tags:
| Gap | Containers | Share |
|---|---|---|
| Missing ad_user_data | 437 | 22% |
| Missing ad_personalization | 225 | 11% |
22% of containers have ad tags with ad_storage configured but missing ad_user_data, a newer consent type added for DMA compliance. This is a common pattern: consent was configured before the DMA requirement and hasn't been updated. Without ad_user_data, European conversion data is silently dropped by Google Ads. No error, no warning. The conversions just don't appear.
CMP adoption and tracking outside GTM
45% of sites with a CMP also load tracking scripts outside GTM (compared to 47% without a CMP). CMP adoption doesn't appear to change the prevalence of tracking loaded independently of the tag manager.
| Segment | Double gtag.js rate |
|---|---|
| With CMP | 23% |
| Without CMP | 29% |
Sites with a CMP are slightly less likely to double-load gtag.js (23% vs 29%), suggesting marginally more control over their tracking deployment. But nearly a quarter of CMP sites still have duplicate Google Analytics implementations, meaning the CMP may manage consent for GTM-loaded tags but not for the independently loaded script.
The enterprise CMPs show better control. OneTrust sites (31% tracking outside GTM) and TrustArc sites (30%) have the least independent tracking. CookieYes sites (67%) and Complianz sites (64%) have the most. The enterprise tools tend to deploy on more mature tech stacks with tighter control over what loads on the page.
Consent audit priorities from this data
Check page and container
Container-only analysis has a 39% false alarm rate on consent findings. Before acting on a "no CMP" finding, verify whether a CMP loads on the page. View the page source and search for OneTrust (cdn.cookielaw.org, optanon), Cookiebot (consent.cookiebot.com), CookieYes, or other CMP vendor scripts.
Custom HTML is the audit priority
Native Google tags enforce consent automatically. Custom HTML is where consent falls through. The 80% of Custom HTML tags at NOT_SET each need individual evaluation: is this tag loading an ad pixel that needs consent, or a configuration snippet that doesn't? The answer is per-tag, not per-container.
Check consent defaults
If you have a CMP, verify that consent defaults are set in the page source before GTM loads. Only 22% of CMP sites have detectable defaults. Without them, there's a timing window where tags may fire before consent state is established.
DMA consent types
If you're running Google Ads, verify ad_user_data and ad_personalization are configured alongside ad_storage. 22% of containers are missing ad_user_data. European conversion data depends on it.
The regulatory context
56% of B2B SaaS sites in this dataset have no CMP detected. 20 US states now have active privacy laws. 12 require honoring Global Privacy Control signals. Google is enforcing Consent Mode requirements for Ads accounts. In October 2025, the Stockholm Court of Appeal upheld a €15M fine against pharmacy chains for deploying Meta Pixel without consent.
The data from this research suggests consent adoption follows advertising maturity: companies add consent management when ad platforms require it. The correlation between ad platform count and CMP adoption (29% at zero platforms, ~57% at four or more) is the clearest pattern in the dataset.
Companion to the State of GTM in B2B SaaS. ~2,000 GTM containers, 2,081 page scans, 934 non-GTM site scans. April 2026. Scanning engine: TagManifest. All findings are observations about configuration patterns, not compliance assessments.