While working at Billtrust, one of the most important initiatives I led within our marketing technology stack was implementing a fully GDPR-compliant tracking architecture using:
- OneTrust CookiePro
- Google Tag Manager (GTM)
- Google Consent Mode
- GA4
- Marketing and advertising platforms
As a global accounts receivable software company, Billtrust receives website traffic from users across North America, Europe, APAC, and other international markets daily.
That meant privacy compliance wasn’t optional.
It needed to be built directly into the foundation of our analytics and marketing infrastructure.
The challenge was balancing two competing priorities:
- Maintaining compliant user consent handling across regions
- Preserving high-quality marketing attribution and analytics visibility
To solve this, I architected and configured a consent-aware GTM implementation that dynamically governed analytics and advertising behavior based on user consent preferences in real time.
The result was a scalable enterprise-grade privacy framework that enabled compliant marketing measurement without sacrificing operational flexibility.
The Business Problem
Modern marketing stacks rely heavily on behavioral tracking.
Platforms such as:
- GA4
- Google Ads
- LinkedIn Ads
- Meta Ads
- Demand generation platforms
- Attribution systems
all depend on user-level interaction data.
However, regulations such as GDPR introduced strict requirements around:
- User consent
- Data processing transparency
- Marketing cookie governance
- Consent-based tracking activation
- Regional privacy protections
Without proper governance, organizations face risks including:
- Non-compliant data collection
- Regulatory exposure
- Inaccurate analytics
- Broken attribution
- Inconsistent consent enforcement
At the same time, marketing teams still need reliable reporting and campaign visibility.
This creates a difficult engineering problem:
How do you maintain compliant tracking while still enabling modern marketing analytics?
The Solution Architecture
The implementation combined several systems working together:
OneTrust CookiePro
Handled:
- Consent banner management
- Consent category storage
- User preference management
- Regional consent experiences
- Consent state updates
Google Tag Manager
Handled:
- Tag orchestration
- Consent-aware trigger management
- Consent state propagation
- Conditional tag execution
- Event governance
Google Consent Mode
Handled:
- Consent signal communication to Google platforms
- Analytics behavior adaptation
- Advertising data restrictions
- Cookieless modeling behavior where applicable
Consent-First Tag Architecture
One of the most important implementation decisions was making consent initialization occur before all marketing and analytics tags.
Inside GTM, this leveraged Consent Initialization triggers.
This ensured consent states were established before:
- GA4 executed
- Advertising pixels fired
- Marketing tags initialized
- Conversion tracking occurred
This sequencing is critical for GDPR compliance.
Without it, tags may execute before consent preferences are applied.
Default Denied Consent States
The architecture followed a privacy-first approach.
By default, consent states were initialized as denied until explicit user consent was granted.
This included consent categories such as:
analytics_storage: denied;
ad_storage: denied;
ad_user_data: denied;
ad_personalization: denied;
Only after OneTrust captured user preferences were consent states updated dynamically.
This prevented unauthorized tracking prior to consent.
OneTrust + GTM Integration
The integration leveraged the OneTrust CMP template inside GTM to synchronize consent categories directly with Google Consent Mode.
The flow worked roughly like this:
- User lands on website
- OneTrust banner initializes
- Default denied consent states are applied
- User selects cookie preferences
- OneTrust updates consent categories
- GTM receives updated consent states
- Eligible tags become allowed to fire
This created centralized governance between the CMP and tag management system.
Dynamic Consent Updates
One of the major benefits of Google Consent Mode is that consent updates occur dynamically without requiring full page reloads.
When users updated preferences:
gtag('consent', 'update', {
  analytics_storage: 'granted',
});
Google platforms adapted behavior immediately.
This allowed:
- Analytics collection after opt-in
- Advertising enablement after consent
- Real-time tag governance
- Improved UX continuity
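The default-then-update flow described above, as an added example that is not the Billtrust implementation or OneTrust's template code. It assumes OneTrust's stock category IDs (C0002 for performance, C0004 for targeting) and a hypothetical mapping of those categories to Consent Mode signals; a real deployment configures this mapping in the CMP template.

```javascript
// Assumed mapping from OneTrust category IDs to Consent Mode signals.
// C0002/C0004 are OneTrust's stock IDs; a real deployment defines its own.
const CATEGORY_TO_SIGNALS = {
  C0002: ['analytics_storage'],
  C0004: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

const ALL_SIGNALS = Object.values(CATEGORY_TO_SIGNALS).flat();

// Parse a group string such as ",C0001,C0002," into a Set of category IDs.
function parseActiveGroups(activeGroups) {
  return new Set(
    String(activeGroups || '').split(',').map((s) => s.trim()).filter(Boolean)
  );
}

// Build the full consent state: every signal stays 'denied' unless its
// category is active, so a missing or malformed group string fails closed.
function consentFromActiveGroups(activeGroups) {
  const active = parseActiveGroups(activeGroups);
  const state = Object.fromEntries(ALL_SIGNALS.map((s) => [s, 'denied']));
  for (const [category, signals] of Object.entries(CATEGORY_TO_SIGNALS)) {
    if (active.has(category)) signals.forEach((s) => { state[s] = 'granted'; });
  }
  return state;
}

// Test-friendly stand-in for the gtag shim, bound to a dataLayer passed in.
// (The production shim pushes the `arguments` object itself, not an array.)
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(Array.from(arguments)); };
}

// Constructed session: denied defaults on load, then the visitor's choice.
function simulateVisit(groupsAfterChoice) {
  const dataLayer = [];
  const gtag = makeGtag(dataLayer);
  gtag('consent', 'default', consentFromActiveGroups(''));
  gtag('consent', 'update', consentFromActiveGroups(groupsAfterChoice));
  return dataLayer;
}
```

Calling `simulateVisit(',C0001,C0002,')` yields a denied default followed by an update that grants only `analytics_storage`; the three advertising signals remain denied.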
Consent-Aware Tag Governance
Inside GTM, tags were configured with built-in consent checks.
This ensured platforms such as:
- GA4
- Google Ads
- LinkedIn Insight Tag
- Meta Pixel
only executed when appropriate consent categories were granted.
This architecture reduced reliance on brittle custom trigger logic and instead leveraged GTM’s native consent framework.
That made the implementation:
- More scalable
- Easier to maintain
- Easier to audit
- More future-proof
Google Consent Mode Benefits
Google Consent Mode provided a major advantage over simply blocking tags outright.
Instead of losing all analytics visibility when users denied consent, Consent Mode allowed Google platforms to operate in a limited, privacy-preserving mode.
Benefits included:
- Cookieless pings
- Modeled conversions
- Aggregated measurement
- Reduced attribution loss
- Better campaign optimization signals
This was especially important for marketing reporting continuity.
Regional Compliance Strategy
Because Billtrust operates globally, regional privacy considerations mattered significantly.
The implementation supported:
- GDPR compliance
- Regional consent experiences
- Consent-based advertising restrictions
- Analytics governance across jurisdictions
OneTrust’s CMP infrastructure enabled regional policy enforcement while GTM handled downstream execution logic.
Marketing Operations Impact
This project had significant operational value beyond legal compliance.
Preserved Marketing Attribution
Without Consent Mode, denied consent can dramatically reduce measurable conversion data.
The implementation helped preserve:
- Campaign attribution
- Conversion visibility
- Paid media optimization
- Funnel reporting accuracy
while still respecting user privacy preferences.
Reduced Governance Risk
The architecture centralized tracking governance within GTM and OneTrust rather than relying on fragmented hardcoded scripts across the website.
This improved:
- Auditability
- Scalability
- Compliance consistency
- Change management
Improved Team Agility
Marketing teams could continue deploying tags and campaigns through GTM while operating within a governed consent framework.
This reduced developer bottlenecks while maintaining compliance protections.
Technical Challenges
Managing Tag Execution Order
Consent sequencing is one of the most important — and most commonly mishandled — aspects of GDPR implementations.
Tags must not fire before consent states initialize.
This required careful orchestration of:
- Consent Initialization triggers
- Tag priorities
- Consent update timing
- CMP loading order
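One way to check this sequencing during a tag audit, as an added example that is not code from the original implementation. It walks a list of gtag-style commands in push order and flags any tag command that precedes the consent default, plus any default signal that is not denied; the command logs and the `G-EXAMPLE` measurement ID are constructed placeholders.

```javascript
const REQUIRED_SIGNALS = [
  'analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization',
];

// Walk gtag-style commands in push order and report consent sequencing problems.
function auditConsentSequence(commands) {
  const findings = [];
  const state = {};
  let defaultSeen = false;
  commands.forEach((cmd, index) => {
    const [name, action, params] = cmd;
    if (name === 'consent' && action === 'default') {
      defaultSeen = true;
      Object.assign(state, params);
      // Privacy-first baseline: every required signal must start as 'denied'.
      for (const signal of REQUIRED_SIGNALS) {
        if (params[signal] !== 'denied') {
          findings.push({ index, issue: 'default-not-denied', detail: signal });
        }
      }
    } else if (name === 'consent' && action === 'update') {
      if (!defaultSeen) {
        findings.push({ index, issue: 'update-before-default', detail: '' });
      }
      Object.assign(state, params);
    } else if ((name === 'config' || name === 'event') && !defaultSeen) {
      // A tag initialised or fired before any consent state existed.
      findings.push({ index, issue: 'tag-before-consent-default', detail: String(action) });
    }
  });
  return { findings, finalState: state };
}

// Constructed command logs (not captured from any real site).
const GOOD_LOG = [
  ['consent', 'default', { analytics_storage: 'denied', ad_storage: 'denied',
    ad_user_data: 'denied', ad_personalization: 'denied' }],
  ['config', 'G-EXAMPLE'],
  ['consent', 'update', { analytics_storage: 'granted' }],
  ['event', 'page_view'],
];
const BAD_LOG = [
  ['config', 'G-EXAMPLE'],
  ['consent', 'default', { analytics_storage: 'granted', ad_storage: 'denied',
    ad_user_data: 'denied' }],
];
```

`auditConsentSequence(GOOD_LOG)` returns no findings, while `BAD_LOG` produces three: a tag configured before the consent default, a default that grants `analytics_storage`, and a missing `ad_personalization` default.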
Balancing Compliance vs Analytics Visibility
Blocking all tags entirely creates reporting blind spots.
Allowing unrestricted tracking creates compliance risk.
Google Consent Mode helped bridge this gap by enabling privacy-aware measurement capabilities.
Finding that balance was critical.
Vendor Governance
Modern enterprise websites often contain dozens of marketing and analytics tags.
Ensuring every vendor respected consent states required:
- Tag audits
- Consent category mapping
- Trigger governance
- Ongoing validation
This became an important part of overall MarTech governance strategy.
Key Takeaways
This project reinforced something important about modern marketing technology:
Privacy architecture is now a core part of marketing engineering.
Consent governance is no longer just a legal requirement.
It directly impacts:
- Analytics quality
- Attribution accuracy
- Campaign optimization
- Customer trust
- Operational scalability
The most effective implementations are not simply “cookie banners.”
They are integrated systems where:
- CMPs
- GTM
- Analytics platforms
- Advertising tools
- Governance processes
all work together cohesively.
By combining:
- OneTrust CookiePro
- Google Tag Manager
- Google Consent Mode
- Consent-aware tag governance
- Enterprise marketing operations strategy
I was able to help build a scalable global tracking framework that balanced both compliance and business intelligence needs.
And as privacy regulations continue evolving globally, this type of consent-first architecture is becoming foundational to modern digital marketing systems.