Why Google's 'send more data' advice doesn't mention it's your legal liability, not theirs

· Updated 28 May 2026

The Short Answer: For the customer-data features this article covers (Enhanced Conversions, Customer Match, Custom Audiences), the platforms' own terms position your business as the data controller and Google, Meta or LinkedIn as a data processor. The controller carries the responsibility for lawful basis, transparency and consent; the processor's obligations stop at following your documented instructions and securing the data it holds. Most marketers configuring tracking tags don't realise they're making controller-level decisions that carry legal liability.

Most businesses I work with have no idea where the controller-processor line sits under GDPR. The platforms have figured this out: read their Data Processing Agreements and the language is explicit about where responsibility lies. The businesses haven't, mostly because nobody has briefed them on what being a data controller actually means.

Why most businesses don't understand their GDPR liability

GDPR clearly distinguishes between data controllers and data processors. Controllers determine the purposes and means of processing; processors act on the controller's documented instructions. In practical terms: your business decides what data to collect and why, and Google and Meta execute those instructions. One caveat worth knowing before you rely on this split: it is not uniform across every product. For some services the platforms' terms name themselves as an independent or joint controller rather than a processor, and the relevant terms for the specific feature you are configuring tell you which applies.

The platforms' DPAs spell this out in legal language that most business owners never read. Google's agreement explicitly states that the customer (your business) is the controller, determining what data gets sent and for what purpose. Meta's terms follow the same structure. LinkedIn's too.

This isn't accidental. The platforms structured their agreements this way because it limits their liability. They're providing a service according to your instructions. If those instructions violate GDPR, that's your problem, not theirs.

Most business owners think they're buying a marketing service. They don't realise they're making data processing decisions every time their marketer configures a tracking tag or sets up Enhanced Conversions.

Three candidates for who should own compliance, and why each fails

The question I keep coming back to: whose job is it to educate the controller?

The marketer: They're the person buying the ad tech, configuring the tags, deciding what data goes where. Practically, they ARE making controller-level decisions. But most marketers don't know what a DPA is, haven't read the platform's data terms, and don't see themselves as legally accountable for what gets sent. Their job description didn't include "data protection lead" but the consequences of what they configure are exactly that.

The solicitor or legal team: Most SMEs don't have one. The ones that do tend to use them for contracts, not for active operational guidance on tag configuration. The gap between a marketer making a tracking decision and a solicitor seeing it is usually months, and by then the data has been flowing the whole time.

The business owner: They're legally on the hook regardless. But they don't know GTM from Google Ads, don't read DPAs, and the entire reason they hired the marketer was so they didn't have to understand the technical implementation.

Each role has a piece of what's needed, but none has the complete picture. The result is a compliance gap that nobody owns.

Why the platforms won't solve this for you

The marketing platforms themselves are not the answer. Google's support and Meta's account managers are sales reps reading scripts. The script is "this is easy, the more data you send the better you'll perform." It doesn't include "and the legal responsibility for that data sits entirely with you, not us."

Read between the lines of any platform's "we recommend you implement Enhanced Conversions" guidance and that's the bit they leave out. They'll tell you how to hash email addresses and send them to improve attribution. They won't explain that you need a valid lawful basis, in practice consent, for that disclosure, that a hashed email is still personal data under GDPR (hashing pseudonymises, it does not anonymise), or that you're legally responsible for ensuring the normalisation and hashing happen correctly and in the form the platform specifies.

The commercial incentive misalignment is obvious. Platforms make more money when you send more data. They have no commercial reason to remind you of the legal complexity around collecting and transferring that data. Their liability ends at processing it according to your instructions.

Platform support exists to help you send more signals, not to audit whether you have the legal basis to collect those signals in the first place.

The marketer is the practical answer, but only if they change three things

My view is the marketer is the practical answer. They're the only role with both proximity to the implementation and the technical literacy to understand what's actually being sent.

But that requires the marketer to do three things they currently mostly don't:

1. Treat DPAs as required reading, not legal noise. Every platform publishes a Data Processing Agreement. Most marketers never read them. The DPA tells you exactly what data the platform can process, under what legal basis, and where the responsibility boundaries sit. If you're configuring Customer Match or Enhanced Conversions without reading the relevant DPA sections, you're flying blind.

2. Build the consent and hashing logic into the data layer, not delegate it to the tag. Most tracking setups push raw email addresses to the data layer and let the Google or Meta tags handle hashing. That's backwards, and it also exposes the raw address to every other tag and script loaded in the container. Normalise and hash the data in your own system, push only the hashed version to the data layer, and keep the consent logic on your side of the boundary. This keeps you in control of the data processing steps that matter legally.

3. Write the data flow down so the controller can sign off on it knowing what they're signing off on. Business owners can't approve what they can't see. Document what data you're collecting, where it's going, under what legal basis, and how users can withdraw consent. Make it readable by someone who doesn't know what GTM is.

The orthodoxy in the marketing world is "compliance is legal's problem." My disagreement: that's a comforting fiction. Compliance happens at the data layer. Whoever owns the data layer owns the compliance. That's the marketer, every time, whether they want it or not.

What this looks like in practice

Proper marketer-led compliance architecture starts with consent-gated data collection. The user submits a form with explicit consent for processing. Your system captures the email, checks the consent record, normalises the address (trim whitespace, lowercase, plus whatever further rules the target platform publishes) and hashes it immediately with SHA-256, server-side or in your own code using a library like js-sha256, and pushes only the hashed version to the data layer. GTM picks up the hashed email and passes it to Enhanced Conversions or Customer Match. Normalisation matters because the platform matches your hash against its own hash of the same address; a hash of an un-normalised email will not match anything.

The consent decision stays in your database. The hashing happens in your system. The platforms only see the processed data you've decided to share. If the user withdraws consent, you stop the data flow at source and log the withdrawal; you don't rely on the platform to forget data they've already received, and the hashed email they hold is still personal data you remain accountable for.

This architecture gives you audit trails, keeps control on your side, and creates business value beyond legal protection. You end up with first-party data infrastructure that works whether Google changes their attribution model or Meta updates their consent requirements.

Most setups push raw data to GTM and hope the tags handle compliance correctly. That delegates controller responsibilities to a processor, which is backwards under GDPR and risky for your business.

The marketer who understands they're making controller-level decisions builds systems that protect the business and improve signal quality. The marketer who thinks they're just implementing tags creates legal exposure they don't even know exists.


FAQ

What happens if I get GDPR compliance wrong as a marketer?

The business owner is legally liable, but practically you're the person who configured the non-compliant setup. In the best case, you have to rebuild everything under time pressure. In the worst case, you've exposed your employer or client to regulatory fines and you're explaining to the ICO why raw personal data was flowing to US servers without proper consent. Your professional reputation is tied to the systems you build, whether the legal responsibility technically sits with you or not.

Should legal teams be involved in tag configuration decisions?

Legal teams should set the policy framework, what types of data can be collected, what consent language to use, which countries data can transfer to. But they shouldn't be approving every GTM configuration change. The marketer needs to understand the legal boundaries well enough to implement within them without constant legal review. That requires the marketer to actually read the DPAs and understand what they're agreeing to on the business's behalf.

How do I know if my current tracking setup is GDPR compliant?

Check three things: First, can you map the legal basis for every piece of personal data flowing to external platforms? If you can't explain why you're allowed to send hashed emails to Google under GDPR, that's a red flag; remember that a hashed email is still personal data, so hashing alone is not a legal basis. Second, is consent withdrawal actually implemented? Can a user revoke permission and stop data flowing to all connected platforms? Third, are you normalising and hashing personal data in your own system or delegating it to third-party tags? If GTM is doing the hashing, the raw address is sitting in the data layer and you've lost control of a critical processing step.


About the Author: Nathan O'Connor is a Performance and Growth Specialist who helps UK businesses build systematic growth engines. He works with business owners to connect traffic, conversion, and tracking into systems that reliably generate leads and revenue.
