Why your Google Ads conversions can disappear after enabling Google Tag Gateway
You enabled Google Tag Gateway (GTG) through your CDN — maybe a one-click Cloudflare, Akamai or Fastly integration — expecting better measurement and first-party tag serving. Instead, your Google Ads conversions drop, GA4 reporting goes quiet, and Tag Assistant starts flagging a late consent signal warning. Your cookie banner looks fine. Your tags look fine. So what's going on?
The common but painful "fixes" people try first all have downsides:
Rolling back GTG entirely — you lose the conversion-measurement and first-party data benefits Google designed GTG to deliver.
Switching to Basic Consent Mode — tags are blocked entirely until the user clicks Accept, so any late-loading consent stub means zero measurement for that page load.
Hand-editing CDN routing rules — possible, but fragile, and most teams don't have the infrastructure access to do this safely.
There's a cleaner path. With Secure Privacy configured for Advanced Consent Mode (U+C), combined with Google's Data Transmission Controls and Global Consent Defaults, Google tags can load immediately under GTG and still respect consent — sending cookieless pings while consent is denied, and switching to full measurement the moment a user accepts. The load-order race condition stops mattering.
By the end of this article you'll know exactly what Google Tag Gateway does, how to check whether it's active on your site, how to diagnose a late consent signal, and which of three remediation paths fits your setup — with our recommended fix detailed step by step.
Who is this article for?
Marketing, analytics or web teams who have enabled (or are considering enabling) Google Tag Gateway on Cloudflare, Akamai or Fastly
Anyone seeing a "late consent signal" or "tag fired before consent default" warning in Google Tag Assistant
Teams running Secure Privacy as their CMP alongside Google Ads, GA4 or Campaign Manager 360
Implementers troubleshooting a sudden drop in conversions or modelled data after a CDN change
Prerequisites
Access to your Google tag UI (Google Ads, GA4, or Google Tag Manager)
Admin access to your Secure Privacy dashboard
Google Tag Assistant installed for debugging
Access (or a colleague with access) to your CDN configuration if you intend to use manual GTG setup
Overview
If your website uses Google Tag Gateway (GTG), the way your tags are served can affect when consent signals reach Google — and in some configurations, your measurement may stop working even when your banner is set up correctly.
This article explains what GTG is, how it can interact with your Secure Privacy banner, how to check whether GTG is active on your site, and what steps to take if you detect a timing issue.
What is Google Tag Gateway?
Google Tag Gateway (GTG) is a feature that lets you serve Google tags (gtm.js and similar scripts) from your own domain rather than from googletagmanager.com. It works through your existing Content Delivery Network (CDN), load balancer, or web server.
GTG is available for Google Tag Manager, Google Ads, and Google Analytics 4, and can be set up with major CDN providers including Cloudflare, Akamai, and Fastly.
Benefits Google cites for Google Tag Gateway
Improved conversion measurement completeness
Reduced reliance on third-party script domains
First-party data collection from your own domain
See Google's overview: Google Tag Gateway for Advertisers.
How GTG can affect consent signal timing
One-click / automated CDN setup
When you set up GTG using the automated option (available for Cloudflare, Akamai, and Fastly), Google injects routing rules directly into your CDN configuration. This means gtm.js is served from your domain automatically, without you controlling when or in what order scripts load.
This creates a potential problem: your CMP consent stub may load after gtm.js has already initialised.
Why load order matters for Google Consent Mode
For consent mode to work correctly, your consent defaults must be established before any Google tags fire. Google's own documentation is explicit:
"The order of the code is vital. If your consent code is called out of order, consent defaults won't work."
"Don't set default consent states asynchronously."
When gtm.js loads before your Secure Privacy stub has called consent('default', ...), tags may execute before any consent state exists. This is called a late consent scenario.
What a late consent signal looks like in practice
In a correctly configured setup, the sequence is:
CMP stub loads → calls
consent('default', { ad_storage: 'denied', ... })gtm.jsloads → tags respect the default denied stateUser interacts with banner →
consent('update', ...)fires → tags fire or remain blocked based on choices
In a late consent scenario with GTG CDN injection:
gtm.jsloads (via CDN injection)Tags fire — no consent state exists yet
CMP stub loads → calls
consent('default', ...)— too late
Google's Tag Assistant will flag this as an error in the consent timeline.
For more on consent mode fundamentals: Consent Mode overview · Set up consent mode on websites.
How to check whether Google Tag Gateway is active on your site
You can verify GTG enrollment status from within your Google tag interface (Google Ads, GA4, or Google Tag Manager).
GTG status indicators to look for
Status | Meaning |
|---|---|
First-party | GTG is active and serving tags from your domain |
Active | Setup complete; your domains are listed |
Pending | GTG is enabled but no diagnostic data has been received yet |
Paused | GTG has been paused |
Not started | GTG has not been activated |
How to verify using Google Tag Assistant
Open Tag Assistant and enter your website URL
Start a session and allow the page to load
In the Summary panel, go to Output → Hits Sent
Check that hits are routed to your own measurement path (your domain), not to
googletagmanager.com
If hits show your domain as the source, GTG is active.
Setup guides by CDN provider: Cloudflare · GTG setup guide (general) · GTG with CDN + server-side tagging.
What to do if you detect a late consent signal and GTG is active
If your Secure Privacy banner is detecting a late consent signal (consent update fires after Google tags have already executed), and you have confirmed that GTG is active, you have three remediation paths. We recommend Option A.
Option A — Adopt Advanced Consent Mode (U+C) with Data Transmission Controls and Global Consent Defaults (recommended)
Why this works: Advanced Consent Mode loads Google tags immediately but sends cookieless measurement pings when consent is denied. This means even if there is a load-order issue with GTG, measurement continuity is preserved — tags are never fully blocked, they simply operate in a privacy-safe mode until consent is granted.
Step 1 — Enable Advanced Consent Mode (U+C) in Secure Privacy
In your Secure Privacy dashboard, switch the banner to Advanced Consent Mode (U+C). This configures your banner to call consent('default', ...) with denied states and consent('update', ...) when the user makes a choice.
Step 2 — Enable Data Transmission Controls in your Google tag
Data Transmission Controls are available in Google Ads, GA4, and Campaign Manager 360. They let you independently configure what data Google tags can send while consent is denied:
Advertising data — limit or block ad data until consent is granted
Behavioural analytics — block analytics data collection until consent is granted
Diagnostics — block diagnostic pings until consent is granted
Step 3 — Enable Global Consent Defaults in GTM
In your Google tag configuration in GTM, enable Global Consent Defaults. This setting overrides any consent('default') commands in your website code and sets a baseline denied state per region — useful when you cannot guarantee the CMP stub will always load first.
Reference: Data Transmission Controls · About Consent Mode (GTM).
Option B — Migrate all tags into a GTM container and deploy GTM via GTG
Why this works: If all your tags live inside a single GTM container, GTM's built-in consent mode support ensures tags respect the consent state set by your CMP. GTG then serves the GTM container itself from your domain, rather than injecting individual tag scripts separately.
Step 1 — Consolidate all Google tags into a single GTM container
Move Google Ads, GA4, Floodlight, and any other Google tags currently loaded directly on the page into one Google Tag Manager container.
Step 2 — Configure GTG to serve the GTM container from your domain
Set up GTG so that the GTM container (gtm.js) is served from your first-party domain.
Step 3 — Place the Secure Privacy stub before the GTM snippet
Ensure your Secure Privacy banner is initialised before the GTM snippet in your page <head> so that consent defaults are set first.
Option C — Set up GTG manually to regain control over script load order
Why this works: Instead of using the one-click automated CDN injection (which removes your control over load order), you configure your CDN or load balancer routing rules manually. This lets you ensure your CMP stub always loads and fires consent('default', ...) before gtm.js is requested.
Step 1 — Do not use the automated one-click GTG setup
Avoid the one-click GTG setup option in the Google tag UI, since it removes your control over load order.
Step 2 — Configure your CDN routing rules manually
Configure your CDN (Cloudflare, Akamai, Fastly, etc.) routing rules manually, following Google's self-service setup instructions.
Step 3 — Place the Secure Privacy stub before the Google tag snippet
Ensure your page <head> order places the Secure Privacy stub snippet above the Google tag snippet.
Reference: GTG setup guide · GTG with CDN.
Why Advanced Consent Mode is the recommended path for GTG-enabled tags
Advanced Consent Mode (also called U+C — "Update and Collect") is the only remediation path that works regardless of your GTG configuration:
It is fully compatible with one-click automated CDN injection (Option A)
It is fully compatible with manual GTG setup (Option C)
It preserves conversion modeling even when consent is denied, by sending cookieless pings to Google
Basic Consent Mode, by contrast, blocks tags entirely until consent is granted — if the consent stub loads late, there is no measurement at all for that page load
If you are using GTG and are unsure which path to take, start with Option A. Options B and C require more infrastructure changes and may not be feasible depending on your setup.
Debugging late consent issues with Google Tag Assistant
If you suspect a late consent problem, use Google's Tag Assistant to diagnose it:
Open Tag Assistant and connect to your site
Open the Consent tab in the Summary panel
Look at the consent timeline — Tag Assistant will flag cases where tags fired before
consent('default', ...)was calledCheck the order of events: the default consent call must appear before any tag firing events
Full debugging guide: Troubleshoot consent mode with Tag Assistant.
Common late consent failure modes
"Tag fired before consent default was set" — almost always a load-order issue caused by one-click GTG CDN injection. Fix with Option A.
Tags blocked entirely / no pings at all on denied page loads — you're on Basic Consent Mode with a late-loading stub. Move to Advanced (U+C) so cookieless pings continue while consent is denied.
Consent state shows as unknown in Tag Assistant — the default consent command never fired on this page. Confirm your Secure Privacy stub is present and that
wait_for_updateis set (500ms is the Google-recommended value).
Summary table — which fix to choose
Situation | Recommended action |
|---|---|
GTG is active (one-click CDN) and you see late consent | Follow Option A — enable Advanced Consent Mode + DTCs + Global Consent Defaults |
GTG is active and you want maximum control over load order | Follow Option C — switch to manual GTG setup |
You want to simplify tag management and have all tags in GTM | Follow Option B — migrate to GTM container deployed via GTG |
You're unsure if GTG is active | Check status in Google tag UI or verify via Tag Assistant |
Frequently asked questions
What is Google Tag Gateway (GTG)?
Google Tag Gateway is a Google feature that lets you serve Google tags such as gtm.js from your own first-party domain instead of from googletagmanager.com. It works through your CDN, load balancer or web server, and is available for Google Tag Manager, Google Ads, and Google Analytics 4 — with one-click setup for Cloudflare, Akamai, and Fastly.
Why are my Google Ads conversions dropping after enabling Google Tag Gateway?
The most common cause is a late consent signal. When GTG is set up via one-click CDN injection, gtm.js may load before your CMP stub has set consent defaults. Tags fire without a consent state, Tag Assistant flags it as an error, and conversion data is lost or unmodeled. The recommended fix is to enable Advanced Consent Mode (U+C) in Secure Privacy together with Data Transmission Controls in your Google tag.
How do I check if Google Tag Gateway is active on my site?
Open your Google tag UI (Google Ads, GA4, or GTM) and look at the GTG enrollment status — "First-party" or "Active" means GTG is serving tags from your domain. You can also confirm via Google Tag Assistant: in the Summary panel, check Output → Hits Sent. If hits route to your domain rather than googletagmanager.com, GTG is active.
What is a late consent signal?
A late consent signal is when Google tags fire before your CMP has called consent('default', ...) to set a baseline consent state. Google's documentation is explicit that this breaks consent mode behaviour: tags may collect data without respecting the user's eventual choice, and Tag Assistant will flag the event in the consent timeline.
Does Google Tag Gateway work with Cloudflare, Akamai, and Fastly?
Yes. All three providers support GTG, and Google offers a one-click automated setup for each. The trade-off with one-click setup is that Google injects routing rules directly into your CDN configuration, which can introduce a load-order issue between gtm.js and your CMP stub. Manual setup is also available if you need full control over load order.
What is the difference between Basic and Advanced Consent Mode for GTG?
Basic Consent Mode blocks Google tags entirely until consent is granted — so if the consent stub loads late under GTG, there is no measurement at all for that page load. Advanced Consent Mode (U+C) lets tags load immediately and send cookieless pings while consent is denied, preserving conversion modelling. Advanced Consent Mode is the recommended path for any site using Google Tag Gateway.
Do I need to roll back Google Tag Gateway to fix a late consent signal?
No. Rolling back GTG forfeits the first-party measurement benefits it provides. The recommended fix is to switch Secure Privacy to Advanced Consent Mode and enable Google's Data Transmission Controls and Global Consent Defaults, so measurement continues safely under denied consent without depending on script load order.
What are Data Transmission Controls and where do I enable them?
Data Transmission Controls are settings in Google Ads, GA4, and Campaign Manager 360 that independently restrict what data Google tags can transmit while consent is denied — covering advertising data, behavioural analytics, and diagnostics. You enable them inside your Google tag configuration in the respective product UI.
Related articles
For further guidance, contact Secure Privacy support or refer to Google's consent mode implementation guide.