Comment by jakub_g

14 hours ago

> 422 network requests and 49 megabytes of data

Just FYI how this generally works: it's not developers who add it, but non-technical people.

Developers only add a single `<script>` in the page, which loads Google Tag Manager, or similar monstrosity, at the request of someone high up in the company. Initially it loads ~nothing, so it's fine.

Over time, non-technical people slap as many advertising "partner" scripts as they can in the config of GTM, straight to prod without telling developers, and without thinking twice about impact on loading times etc. All they track is $ earned on ads.

(It's sneaky because those scripts load async in background so it doesn't immediately feel like the website gets slower / more bloated. And of course, on a high end laptop the website feels "fine" compared to a cheap Android. Also, there's nothing developers can do about those requests, they're under the full control of all those 3rd parties.)

Fun fact: "performance" in the parlance of adtech people means "ad campaign performance", not "website loading speed". ("What do you mean, performance decreased when we added more tracking?")

I tried to fight against the introduction of GTM in a project I worked on; we spent a lot of effort on coding, reviewing, testing, optimizing and minimizing client-side code before our end-users would see it, and the analytics people want a shortcut to inject any JS anywhere?

I didn't win that one, but I did make sure that it would only load after the user agreed to tracking cookies and the like.

  • Yeah, it’s really hard to compete with a solution that takes engineers out of the loop. The biggest reason large orgs go so crazy with GTM is that it’s a shadow deployment pipeline that doesn’t require waiting for engineers to work a request, or QA, or a standard release process.

    And sure, better prioritization and cooperation with eng can make the “real” release processes work better for non-eng stakeholders, but “better” is never going to reach the level of “full autonomy to paste code to deploy via tag manager”.

    This is the same reason why many big apps have a ton of WordPress-managed pages throughout the product (not just marketing pages); often, that’s because the ownership and release process for the WP components is “edit a web UI” rather than “use git and run tests and have a test plan and schedule a PR into a release”.

  • Similar story here. I had to remind them multiple times that the website was not conforming with the law, and explain multiple times that the consent dialog was not implemented correctly, or point out that stuff was loaded before consenting, etc. They mostly found it annoying, of course. And of course no one thanked me for saving the business from running into any complications with the law. As far as I know, I was the only one there pointing out the issues, as a backend dev, and even the frontend team was blissfully ignorant of the issues.

The good thing about the heavy use of GTM is that it's easy to block. Just block that one endpoint and you remove most of the advertising and tracking. When some new advertising service is invented, it's already blocked thanks to the blocking of GTM.

Developers do that as well. Especially now with LLM-assisted coding. Accept a half-baked solution and go to the next ticket.

I recently had a case at work: while filling in a contact form to add a new party, there were 300+ calls to the validation service to validate email and phones. Three calls for every character entered into every text input!

Yeah, never allow non-technical people to put something like Google Tag Manager, which can load arbitrary other stuff, on the business' website. The moment this is pushed through against engineering's advice, distancing yourself from the cesspool that the website will inevitably become sooner or later is the healthy choice. It is difficult to uphold the dam against the wishes of other departments, like marketing and sales, and it takes an informed and ethically aware engineering department lead who upholds principles and remains steadfast. Rare.

GDPR compliance is the first thing that goes out of the window, and with that conforming to the law, when in the EU. Ethics fly out of the window at the same time, or just slightly afterwards, when they add tracking that no one agreed to, or when they forget to ask for consent, or when they have a "consent" popup that employs dark patterns, or when they outsource consent to a third-party tool that informed visitors don't want anything to do with.