ScoreGTM by DataMoon← Back to ScoreGTM

Guide

The Ultimate GTM Audit Checklist (2026)

A practical, opinionated checklist for auditing a Google Tag Manager container by hand. Work through it section by section - or upload your container to ScoreGTM and get most of it scored automatically in 30 seconds.

1. Deprecation & modernisation

Google retires products and tag templates on its own schedule. Anything legacy in your container is either silently broken or about to be.

  • Remove Universal Analytics tags

    UA stopped processing data in July 2023. Any UA tag still in the container is dead weight - delete it or pause it.

  • Confirm GA4 (or Google tag) coverage

    Every page that needs analytics should fire the Google tag (gtag) or a GA4 Configuration tag once. Look for missing pages, duplicate fires, or partial coverage.

  • Replace outdated community templates

    Open each Custom Template and check the template gallery for a newer version. Stale templates often hardcode endpoints or break under Consent Mode v2.

  • Audit Floodlight, Ads, and Conversion tags

    Make sure every conversion tag points at an active destination and uses the current ID format. Legacy Floodlight tags are a common silent failure.

2. Privacy & consent

Consent Mode v2 is mandatory for EEA traffic if you use Google Ads or GA4 for ad personalisation. Get this wrong and you lose data, conversions, or both.

  • Consent Mode v2 is initialised before any tag fires

    A Consent Initialization - All Pages trigger should set defaults (ad_storage, analytics_storage, ad_user_data, ad_personalization) before any measurement tag runs.

  • No tags fire before consent is granted

    Filter your tag list by trigger and check none of the marketing/analytics tags fire on All Pages without a consent check.

  • Region overrides match your CMP configuration

    If your CMP only manages EEA + UK, your Consent Mode defaults should reflect that. Don't blanket-deny consent globally.

  • Pixel tags respect consent

    Meta, TikTok, LinkedIn, and similar pixels need their own consent gating. Built-in Consent Mode only covers Google tags.

3. Container health & hygiene

Most containers carry years of experiments, paused tags, and unused variables. Cleaning these up makes the container faster and easier to reason about.

  • Delete paused tags older than 90 days

    If a tag has been paused for a quarter without anyone re-enabling it, the experiment is over. Remove it.

  • Remove never-fired tags

    Use GTM's built-in tag firing data or your debug logs to find tags that have never fired in production. Either fix the trigger or delete the tag.

  • Prune unused variables and triggers

    Any variable or trigger with zero references is clutter. Delete them so the next person doesn't have to guess what they do.

  • Check for duplicate tags

    Two GA4 Configuration tags or two Meta Pixel base tags on the same page double-count events. Search by tag type and dedupe.

4. Governance & maintainability

If a new hire can't open the container and understand it in 15 minutes, you have a governance problem.

  • Folders match how you think about the site

    Group by business domain (Marketing, Analytics, Consent, Internal) or by destination platform. Anything left at the root is a smell.

  • Naming convention is consistent and self-describing

    A standard like 'TYPE - Platform - Purpose' (e.g. 'GA4 - Event - Add to cart') makes search and audit trivial.

  • Workspaces and versions have meaningful notes

    Every published version should have a one-line description. Empty version notes are how outages happen.

  • Permissions are scoped to roles

    Publish access should be limited. Developers can edit; only the analytics owner should publish to production.

5. Performance & security

GTM runs in the user's browser. Every tag adds payload and execution time, and Custom HTML tags are a security surface.

  • Custom HTML tags are reviewed and minimal

    Every Custom HTML tag can read the page, exfiltrate data, or break CSP. Replace with built-in templates wherever possible.

  • Heavy tags don't fire on All Pages

    Marketing pixels and chat widgets rarely need to fire everywhere. Restrict to the pages where they're actually needed.

  • Container size is under control

    GTM containers cap at ~200KB. Above 150KB you should be actively pruning - large containers slow first paint.

  • Server-side GTM for high-volume tags

    If you have heavy Ads or analytics traffic, move the highest-volume tags to a server container. Faster pages, better data quality, fewer ad blockers.

6. Tracking coverage

A clean container with no events is still a broken setup. Coverage is what makes the data usable.

  • GA4 recommended events are implemented

    Map your site's key actions to GA4's recommended event names (purchase, sign_up, generate_lead, etc.) - it unlocks reporting and audience features.

  • Ecommerce events use the standard schema

    items array, currency, value, transaction_id. Custom shapes break GA4 monetisation reports.

  • Enhanced measurement settings match your needs

    Outbound clicks, file downloads, form interactions - turn on what you'll actually use, off what creates noise.

  • Conversions are mirrored to ad platforms

    Every meaningful GA4 conversion should have a paired Ads / Meta / LinkedIn conversion - with consent handling.

Skip the manual audit

ScoreGTM checks every item above automatically. Upload your container and get a graded report in 30 seconds - free, no login.