Yeah, never allow non-technical people to put something like google tags manager on the business' website, that can load arbitrary other stuff. The moment this is pushed through, against engineering's advice, distancing yourself from the cesspool, that the website will inevitably become sooner or later, is the healthy choice. It is difficult to uphold the dam, against wishes of other departments, like marketing and sales, and it takes an informed and ethically aware engineering department lead, who upholds principles and remains steadfast. Rare.

GDPR-compliance is the first thing that goes out of the window, and with that conforming to the law, when in the EU. Ethics fly out of the window at the same time, or just slightly afterwards, when they add tracking, that no one agreed to, or when they forget to ask for consent, or when they have a "consent" popup, that employs dark pattern, or when they outsource consent to a third party tool, that informed visitors don't want anything to do with.