Google Tag Manager and the global site tag (gtag.js) are both fully supported methods for the deployment of tags for Google products, such as Google Ads and Google Marketing Platform.
Both Tag Manager and gtag.js perform similar functions:
- Tag Manager is a tag management system that allows you to quickly and easily update tags on your website or mobile app from a web interface.
What Makes Google Tag Manager a Bad Idea? (Generally Speaking)
Google Tag Manager (GTM) is a code injector. Browsers generally view code injectors negatively because they can easily become a weak link through which hackers can plant malicious code in a website or app. As a result, GTM is blocked by most ad blockers and browser privacy tools. It is estimated that 42.7% of internet users use ad blockers, meaning you could be missing anywhere from 8% to 25% of user traffic data if you’re using GTM. If your entire mar-tech stack is delivered through GTM and it’s blocked, you’ll run into some serious challenges.
General causes for concern: (all detailed in the article):
- GTM is a code-injection tool prone to security vulnerabilities
- It has limited support for the variety of tools data-driven businesses need
- It slows site performance
- It’s difficult to manage user state at scale
Why Do Rievent and HealthStream Not Support Google Tag Manager?
The heart of the Rievent and HealthStream rationale, similar to the Rudderstack argument above, is that we will not provide customers with the ability to inject arbitrary, unsanctioned code into the learner presentation. This represents inherent security, privacy, and maintenance risks that are outside of Rievent's control.
- Arbitrary Customer Code Injection - Google Tag Manager opens the door to arbitrary insertion of unsanctioned scripts and code into the page. This inherently represents security and/or privacy risks that are outside of Rievent's control.
- Defective Scripts - What happens when a customer script goes off the rails? We have precedent for this having taken place. There was an episode in which a customer inserted defective script caused runaway load on the Rievent Platform and compromised the availability of our multi-tenant application.
- GDPR, Privacy, Compliance - The ability to insert arbitrary code into the page potentially risks Rievent compliance with international privacy laws. Rievent loses control over whether and how PII in the page is harvested and distributed. To fulfill our compliance obligations, Rievent must know and endorse what types of PII is collected and in what locations. The ability to execute arbitrary scripts on any given page with Google Tag Manager makes this level of control an impossibility.
- HealthStream and InfoSec Compliance - HealthStream InfoSec requires application development and implementations to restrict the ability for customers and end users to inject code and/or behavior into the web presentation. There are a wide variety of avenues for ensuring the web application is locked down from external code injection and evaluation, and including Google Tag Manager within Rievent web pages effectively allows customers to bypass these restrictions in unknown and opaque ways.
- Maintenance and Support - Organizational and the web browser security model restrictions represent a moving target. Support for external script execution within an application, and those that may be explicitly or implicitly sanctioned, may one day find their functionality compromised or blocked to due newly added browser restrictions, web server content policy changes, or similar measures to limit the scope of non-first-party script execution. Rievent would not want to put ourselves in a position to troubleshoot, resolve, or maintain support for such unknown or unsanctioned scripts.
- Question: "[Customer Site] is a subdomain under our parent domain, which we own. Why are we not allowed to install the tags we want on a website that is our property?".
- Answer: Customers license the Rievent Platform as Software-as-a-Service and are subject to the policies and restrictions of the service we provide.