Cookieless GA4 tracking using server GTM

In the ever-evolving digital landscape, the approach towards user tracking and data privacy is undergoing significant shifts. With web browsers phasing out third-party cookies and stringent data privacy laws coming into play, traditional user tracking methods are rapidly becoming irrelevant. 

Adapting to these changes is not just necessary for businesses and marketers relying on data-driven insights; it's an absolute must-have. 

One of the ways to adapt to the newest tracking challenges is switching to cookieless tracking. Though there are multiple cons and dislikes about the latest version of Google Analytics, it remains the most popular analytics platform. That is why this article will discuss how to set cookieless Google Analytics 4 tracking using the server Google Tag Manager. We will use sGTM, consent mode, Firestore, and stape User-ID power-up.

There are debates about whether cookieless tracking is compliant with GDPR. In this blog post, we share an example of how cookieless tracking can be implemented using Google Tag Manager. Before configuring it, consult with your DPA to check countries' regulations.

What is cookieless tracking?Copy link to this section

When websites want to remember something about you (like what's in your shopping cart or what ad you clicked before you landed on the website), they often use little pieces of data called "cookies." 

But now, many websites are moving away from using these cookies to track users' activities. Instead, they're using new methods that don't rely on storing that data on users' browsers. This new way of keeping track without cookies is called "cookieless tracking."

When tracking does not rely on cookies, it uses first-party user data. The best way to gather and safely handle this information is by using server-side tracking.  This method lets you track, store, enrich, transform, and strictly control first-party user data flow. 

This not only helps to get rid of cookies and make tracking more accurate but also makes it more compliant and has greater control over the user data. 

Benefits of cookieless trackingCopy link to this section

Cookieless tracking helps to adapt to recent changes in tracking privacy and restrictions. Here are a few examples:

1. Regulations. Data Protection Regulators in Europe and some other countries restrict the use of cookies without the user's consent. The percentage of users who declined cookies varies from country, age, and cookie banner requirements. But overall, around 50% of people reject marketing and analytics cookies. 
2. Depreciation of 3rd party cookies. Safari and Firefox already limit 3rd party cookies, Brave does not support third-party cookies, and Chrome plans to start phasing out third-party cookies in 2024. The advertising network uses third-party cookies to differentiate what ad users clicked before they landed on the website and, after that, convert. Besides that, analytics platforms use third-party cookies to track users who have already visited the website and show the complete journey of users. Without cookies, proper conversion attribution and differentiation between new and returning users becomes very difficult.
3. Complete tracking restrictions. Apple leads the privacy in terms of tracking restrictions. All iOS apps are required to ask for user permissions to track users. Besides that, iOS users can withdraw apps permission to track their activity at any time. Another trend that is rising is the use of AdBlockers. When ad blockers are enabled, marketing and analytics tools do not receive any information about users.    

The backgroundCopy link to this section

Google Analytics 4 uses machine learning to model the behavior of users who did not consent to analytics cookies. They use the behavior of similar users who allowed consent to analytics cookies to model the behavior of those who did not agree to analytics cookies. 

To be eligible for machine learning, GA4 property should meet specific:

• Consent mode is enabled across all pages
• Tags should trigger before the consent dialog appears 
• Google tags load in all cases, not only if the user consents
• 1,000 events per day with analytics_storage='denied' for at least 7 days.
• 1,000 daily users sending events with analytics_storage='granted' for at least 7 of the previous 28 days

If your GA4 property doesn't qualify for machine learning or if you discover that machine learning isn't providing accurate results, you have the option to rely on first-party data when a user opts out of analytics cookies and implement cookieless GA4 tracking. 

To make GA4 work correctly and recognize users who come back, you have to provide GA4 with the following information:

• Client ID (cid)
• Session ID (sid)
• Session Count (sct)
• First Visit (_fv)
• User Engagement (seg)

To set up cookieless GA4 tracking when a user hasn't given consent, we'll use these tools:

1. Server Google Tag Manager.
2. Server GA4.
3. Differentiate user consent using the GA4 gsc parameter.
4. Connect Google Service Account to Stape.
5. Write data to firestore.
6. Read data from Firestore.
7. Stape user ID power-up.

Set up of Cookieless GA4 tracking in sGTMCopy link to this section

To determine if consent was granted or not, I use the gcs parameter. The default GA4 consent configuration sends requests to sGTM, but the request lacks some information. All GA4 requests are written to the Firestore. 

To determine if a user without consent has an active session in GA4, we will use the difference in the timestamp of the previous visit vs the current visit. If the difference is more than 30 minutes, we will update the session parameters in Firestore. 

Firestore will use the UserID as the document name and save details about the user session within these documents. While this is a straightforward way to organize Firestore, there are numerous other approaches to maintain data about the complete user experience in Firebase.

1. User with consent to analytics cookies.Copy link to this section

1.1 Use default GA4 server-side setup. 

1.2 If needed, write data to Firestore. For this purpose, I use the Firestore Writer tag. Please check this detailed guide on how to use the Firestore Writer tag. I use the collection UserID. For each user ID, I create a new document that uses cid as a document name. 

1.3 The GA4 server-side tag has a standard configuration and triggers every time the GA4 client is claimed, and the user consents to analytics cookies. 

2. A user without consent to analytics cookieCopy link to this section

2.1 Existing users with active sessionCopy link to this section

2.1.1 If consent to analytics cookies was not granted, I used Stape User ID power-up to add user ID in sGTM request headers. 

2.1.2 With the help of the Firestore Writer tag, I write data to Firestore and use Stape User ID as a document name.  

2.1.3 To check that the session is active, I use the Firestore Reader variable to extract the timestamp that is associated with the last visit of this user in the Firebase. Then, check the difference between the user's previous session timestamp and the current timestamp. If the timestamp is less than 30 minutes, the user has an existing session. 

2.1.4 Parameters are updated like below: 

• cid and client_id is the value of Stape UserID
• ga_session_number - a value of the ga_session_number in the Firestore
• ga_session_id - a value of the ga_session_id in the Firestore
• x-ga-mp2-seg (engaged session) is set to 1
• x-ga-system_properties.fv (first visit), x-ga-system_properties.ss (session start), x-ga-system_properties.nsi (new session ID) are removed.

2.1.5 Send modified data to GA4. To update data before sending it to GA4, I use transformation. 

2.2 Existing user with no active sessionsCopy link to this section

2.2.1 If consent to analytics cookies was not granted, I used Stape User ID power-up to add user ID in sGTM request headers. 

2.2.2 Write user data based on Stape User ID in Firestore again with the help of the Firestore writer tag.  

2.2.3 To check that the session is active, I use the Firestore Reader variable to extract the timestamp associated with this user in the Firebase. Then, check the difference between the user’s last session timestamp and the current timestamp. If the timestamp is more than 30 minutes, a new session has started. 

2.2.4 Parameters are updated like below: 

• cid and client_id is the value of Stape UserID.
• ga_session_id is a ga_session_id value from Firestore, previously set to timestamp in seconds.
• ga_session_number is the ga_session_number number you have in Firestore plus 1.
• x-ga-system_properties.ss (session start) is set to 1.
• X-ga-mp2-seg (Engaged Session) is set to 1.
• x-ga-system_properties.fv is removed.

2.2.5 Send modified data to GA4. To update data before sending it to GA4, I use transformation. Tag triggers when a GA4 client is claimed, consent is not granted, and the time difference between sessions is more than 30 minutes. 

2.3 New userCopy link to this section

2.3.1. When analytics cookies are not allowed, use Stape’s User ID power-up to generate a user ID.

2.3.2. Check if a user with the same UserID already exists in Firestore. If no user with the same user ID is found, use a Firestore Writer tag to create a user with session details in the database. 

2.3.3 Parameters are updated like below: 

• cid and client_id is the value of Stape UserID.
• ga_session_id is ga_session_id from Firebase.
• ga_session_number is the ga_session_number number you have in Firestore.
• x-ga-system_properties.ss (session start) is set to 1.
• x-ga-mp2-seg (engaged session) is set to 1.
• x-ga-system_properties.fv (first visit) is set to 1.

2.3.4 Send modified data to GA4. 

Conclusion:Copy link to this section

Implementing cookieless Google Analytics 4 tracking through server Google Tag Manager represents a significant step forward in adapting to the changing landscape of online data privacy and user preferences. As the digital world evolves, gathering valuable insights without relying on cookies becomes essential. 

By harnessing the power of server-side tracking and Google Tag Manager, businesses can maintain their commitment to data privacy while still harnessing the crucial data-driven insights provided by GA4. This approach not only ensures compliance with emerging regulations but also fosters trust with users concerned about their online privacy. As we navigate the cookieless future, embracing innovative solutions like server-side tracking and GA4 can help businesses stay competitive and relevant digitally.