By Nicole Abramson

Tags: marketing, legal, GDPR

Privacy Compliance for Marketing Teams: What You Own and What Legal Owns

When a consent event fails, marketing and legal often discover they assumed the other team handled it. Here is a clear split of responsibility that prevents the gap.


The conversation tends to happen after something has gone wrong. A campaign runs to an EU audience with analytics tags firing on a page that hasn't received a consent refresh. Or a marketing automation workflow reactivates contacts who had previously opted out of sale under CCPA. Or a new ad pixel gets added through the tag manager during a campaign launch, bypassing the consent infrastructure entirely. Legal opens a ticket. Marketing is confused — they assumed consent was handled. Legal assumed marketing understood the rules. Both are right that they were not at fault; neither is right that they have a functional process.

The gap is organizational, not technical. Consent infrastructure handles the mechanics. But the decisions about what data flows where, what tags fire, what audiences get built, and what processing happens downstream of a consent event — those decisions are made by marketing and legal teams in combination, often without a shared vocabulary or a clear ownership map.

What Marketing Actually Controls

Marketing teams are typically the primary operators of the tools that process personal data: the tag manager, the marketing automation platform, the CRM, the advertising platforms, the analytics stack. They add tags. They configure audiences. They trigger email sequences. They decide which tools are in use and which campaigns are running.

This means marketing has direct operational control over the surfaces where consent violations most commonly occur:

  • Tag manager configurations. Every tag added to a tag manager container is a potential data flow to a third party. Marketing teams add tags during campaigns, frequently without a formal review of whether the tag has a consent trigger configured. The tag that fires a retargeting pixel on all pageviews, regardless of consent status, was almost certainly added by a marketing team member, not an engineer.
  • Audience segmentation and suppression lists. Opt-outs, both CCPA and GDPR withdrawal events, need to be propagated to every platform where that contact appears in an audience. If marketing is running lookalike audiences in an ad platform using a customer list that has not been filtered for CCPA opt-outs, the upstream consent record is technically clean and the downstream data use is non-compliant.
  • Email and automation consent basis. GDPR requires a lawful basis for email marketing. Most teams use consent. When someone withdraws consent or unsubscribes, every active marketing automation workflow touching that contact should stop. If segmentation rules in the automation tool don't sync with the consent record, re-enrollment is a real risk — and a documented one in data protection authority enforcement cases.

What Legal Actually Controls

Legal teams set the policy framework, define what processing is permissible under which lawful basis, and own the formal compliance documentation. What they frequently do not control in day-to-day operations: the actual tooling where data flows.

Legal's meaningful ownership areas in the consent context are:

  • Consent purpose definitions. Legal defines what "analytics consent" means — which tools, which data flows, which purposes are in scope. Marketing implements against those definitions. If legal writes "analytics" broadly and marketing interprets it to include behavioral profiling for ad targeting, the gap between definition and implementation is a compliance exposure.
  • Privacy notice accuracy. Legal owns the privacy notice. If marketing adds a new data processor (a new analytics tool, a new advertising network) without notifying legal, the privacy notice may not accurately describe the processing. An inaccurate privacy notice undermines the "informed" element of GDPR consent. This is a joint failure mode — marketing adds the tool, legal doesn't know to update the notice — but the legal accountability sits with legal.
  • Vendor DPA review. Data processing agreements with marketing vendors — every tool that receives personal data — need to be in place and on file. Marketing tends to onboard tools at speed during campaigns; the procurement workflow that triggers a DPA review is often not in the critical path for a two-week campaign turnaround. Legal needs to be the checkpoint, with a clear process for expedited review when timelines are tight.

The Shared Responsibility Layer

Between marketing's operational control and legal's policy control sits a layer where shared responsibility is unavoidable: the data flow inventory. GDPR Article 30 requires a Record of Processing Activities (ROPA) maintained by the controller. For most organizations, the ROPA is maintained by legal or compliance, but the information that populates it — which tools are in use, what data they receive, what they do with it — is known primarily by marketing and engineering.

An early-stage SaaS company with an EU customer base ran into a concrete version of this in 2024. Legal had an accurate ROPA as of its last update in 2023. Marketing had onboarded three new tools during campaign work — a heatmapping tool, a chat support platform, and a customer data platform — none of which had been communicated to legal. All three were processing personal data. None were in the privacy notice. None had DPAs on file. The gap was discovered during a vendor security review, not a privacy audit, and required an accelerated remediation process: new DPAs, privacy notice update, and a retroactive assessment of whether the data collected under the old notice required a legitimate interests assessment or could be re-captured under corrected consent.

The fix was procedural: any tool onboarding that involves personal data processing requires a brief intake with legal before production deployment. Not a full review for every tool — a lightweight triage: is this tool receiving personal data? If yes, it gets flagged for DPA check and ROPA addition before it's enabled in production.

The Post-Deployment Drift Problem

Even when initial setup is compliant, consent architectures degrade over time. Tags accumulate in tag managers without cleanup. Vendor contracts renew without DPA review. Privacy notices go stale as tool stacks change. Marketing team turnover means the institutional knowledge of "why we have a consent trigger on that tag" walks out the door.

The most common drift pattern is incremental tag accumulation in GTM. Marketing teams typically have edit access to tag manager containers. Every campaign adds a tag; few campaigns remove tags when they end. A container that was clean and consent-gated in 2022 may have fifteen unchecked tags by 2025, several of which fire pre-consent or without a proper consent trigger. The consent banner is still running correctly; the problem is invisible below it.

An annual tag audit is the minimum viable practice: export the full tag list from the tag manager container, identify every tag that fires on any pageview trigger, verify that each one has a consent trigger configured matching the relevant purpose category. This is a 2-3 hour exercise for a typical mid-size tag container, and it tends to find at least two or three tags that need remediation.

Building the Shared Vocabulary

The structural solution is not more meetings between marketing and legal — it is shared operational artifacts that both teams maintain and refer to. The most useful ones are simpler than they sound:

A data flow map showing every marketing tool, the personal data it receives, the consent category it falls under (analytics, advertising, functional), and the status of its DPA. This does not need to be a sophisticated system — a maintained spreadsheet that both teams can edit is sufficient. The value is visibility: marketing can see when they're adding to the map without a DPA entry; legal can see when the map has grown without their knowledge.

A consent trigger policy for the tag manager: every tag that fires on a pageview or user interaction trigger must have a consent trigger configured. The consent trigger links the tag to the consent category. No consent trigger = tag does not fire. This is a technical control that enforces the policy without requiring legal review of every individual tag.
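The annual tag audit from the drift section and the consent trigger policy above can be checked mechanically against a container export. The script below is an added example, not code from the article or from any GTM tooling; it assumes the GTM container export layout (containerVersion.tag and containerVersion.trigger, firingTriggerId, the built-in "All Pages" trigger id) and a naming convention in which consent triggers are custom-event triggers named "Consent - <category>". The sample export is constructed.

```python
# Assumption: the built-in "All Pages" trigger has this id in exports and is
# not listed under containerVersion.trigger; confirm against your own export.
ALL_PAGES_TRIGGER_ID = "2147479553"
PAGEVIEW_TYPES = {"PAGEVIEW", "DOM_READY", "WINDOW_LOADED"}
# Assumed naming convention: consent triggers are custom-event triggers
# named "Consent - <category>" (analytics, advertising, functional).
CONSENT_PREFIX = "Consent - "

def audit_container(container: dict) -> list[dict]:
    """One finding per active tag that reaches a pageview without consent."""
    version = container["containerVersion"]
    triggers = {t["triggerId"]: t for t in version.get("trigger", [])}
    findings = []
    for tag in version.get("tag", []):
        if tag.get("paused"):
            continue  # a paused tag never fires
        firing = tag.get("firingTriggerId", [])
        pageview = [tid for tid in firing if tid == ALL_PAGES_TRIGGER_ID
                    or triggers.get(tid, {}).get("type") in PAGEVIEW_TYPES]
        consent = [triggers[tid]["name"][len(CONSENT_PREFIX):] for tid in firing
                   if triggers.get(tid, {}).get("name", "").startswith(CONSENT_PREFIX)]
        if pageview and not consent:
            reason = "fires on pageview with no consent trigger"
        elif pageview and consent:
            # GTM ORs a tag's firing triggers, so an unconditional pageview
            # trigger fires the tag regardless of the consent trigger.
            reason = "pageview trigger bypasses consent trigger"
        else:
            continue
        findings.append({"tag": tag["name"], "type": tag["type"],
                         "categories": consent, "reason": reason})
    return findings

# Constructed sample export, shaped like a GTM container export (not real).
SAMPLE_EXPORT = {"containerVersion": {
    "trigger": [
        {"triggerId": "10", "name": "Consent - analytics", "type": "CUSTOM_EVENT"},
        {"triggerId": "11", "name": "Consent - advertising", "type": "CUSTOM_EVENT"},
        {"triggerId": "12", "name": "DOM Ready", "type": "DOM_READY"},
        {"triggerId": "13", "name": "CTA Click", "type": "CLICK"}],
    "tag": [
        {"name": "GA4 Config", "type": "gaawc", "firingTriggerId": ["10"]},
        {"name": "Retargeting Pixel", "type": "html", "firingTriggerId": ["2147479553"]},
        {"name": "Heatmap Snippet", "type": "html", "firingTriggerId": ["12", "11"]},
        {"name": "Old Pixel", "type": "html", "firingTriggerId": ["2147479553"], "paused": True},
        {"name": "CTA Event", "type": "gaawe", "firingTriggerId": ["13"]}]}}

if __name__ == "__main__":
    for finding in audit_container(SAMPLE_EXPORT):
        print(finding)
```

The second finding kind matters in practice: a tag that carries both "All Pages" and a consent trigger looks gated in the GTM UI but still fires pre-consent, because firing triggers are combined with OR.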

We are not saying that legal should approve every marketing decision involving data, or that marketing should gate every campaign behind a legal review queue. Those processes kill velocity and don't actually improve compliance. What works is a clear default — all data flows require a consent category before deployment — and a lightweight escalation path for edge cases. The gap that causes problems is not a policy gap; it is an operational visibility gap. Closing it requires shared tooling and shared vocabulary, not more policy documents.

This article is for educational purposes and does not constitute legal advice. Consult qualified legal counsel for guidance on GDPR, CCPA, and related privacy obligations applicable to your organization.