In the modern online landscape, safeguarding the data of website visitors and upholding their privacy isn't just a matter of best practice—it's a legal obligation. Consent management is the most popular way to obtain the user’s agreement to collect data.
One of the simplest methods to implement consent is using tools such as Google Tag Manager's consent mode and dedicated Consent Management Platforms like Cookiebot.
The requirement of respecting user consent has been in some countries for a while, which is why most websites have already adapted their web tracking to treat users' consent. But during a couple of years, the popularity of server-side tagging has risen, and a straightforward question occurs: how should I treat user consent in server-side tagging, and is consent management necessary?
In this blog post, we will discuss server-side consent management in server Google Tag Manager and how to adapt server-side tag behavior to users' consent. Here, we will show how to set up consent management for server-side Google Analytics 4 and Facebook Conversions API.
A lot of people mistakenly think that consent management is optional in server-side tagging. However, this is not the case. Server-side tagging requires consent management, similar to web tracking.
How consent works in server GTM:
To set up consent management in server GTM, you'll require the following components:
There are two types of Google Tags consent behavior. Which type of consent behavior you choose impacts the implementation of server-side consent:
GCS parameter within server-side GA4 request is used to carry the consent status of a user. Below is the list of GCS parameter values that identify users' consent:
GCS | Marketing cookies | Analytics cookies |
G100 | no | no |
G101 | no | yes |
G110 | yes | no |
G111 | yes | yes |
We will cover two scenarios in this guide:
1.1 Configure consent mode in web GTM. Go to the Admin tab, click Container Settings, and enable the checkbox “Enable consent overview.”
1.2 Add Cookiebot template from template Gallery. Click Templates in the left menu of web GTM, search for Cookiebot CMP tag template, and click Add to Workspace.
1.3 Configure Cookiebot CMP tag by adding "Cookiebot ID." You can find "Cookiebot ID" in your Cookiebot account. The trigger should be "Consent initialization - All pages".
1.4 If you want to use region-specific consent settings, open the Cookiebot tag and set up Default Consent State by adding a region or country and specifying the consent state. In the example below, consent is granted to California.
2.1 Create a new Server container in sGTM. To do so, click Admin, click + in the container column, add the container name, and select the server. Select Manually provision tagging server and copy container config.
2.2 Create a stape.io account, add the Container name, Container Config you’ve copied in the previous step, and select a Server location. Click Create Container.
2.3 Configure a custom domain for your server GTM container. Once the custom domain is added, you need to configure the DNS setting you see on the screen. Domain verification can take up to 72 hours.
2.4 Go to the server Google Tag Manager container setting and add a custom domain or the default tagging server URL (not recommended) inside server GTM.
2.5 Update the web GTM script on your website with the custom domain.
3.1 Open the web GTM container and create a new tag (or modify an existing one) of the tag Type Google Tag. Add your Google Tag ID.
In the section Configuration Settings, add the following parameters:
Add trigger to GA4 tag. Typically, it should trigger on all page views.
3.2 Go to the Server GTM container and create a GA4 client.
3.3 Create GA4 tag in server GTM container. The tag should trigger whenever a GA4 client is claimed.
3.4 Open web and server GTM previews and GA4 debugger to check if server-side GA4 works correctly. You should see GA4 tags triggered in web and server GTM previews, and GA4 debugger sees the events.
Cookiebot has a feature that works together with Google Tag Manager that enables you to modify tag behavior depending on users' Consent. Some tags, mostly Google Tags (Google Analytics, Google Ads, and Floodlight), have built-in consent checks.
Server Google Analytics 4 will adjust its behavior based on consent configuration in web GTM. There is no configuration in server GA4 as needed. All the setup is done in web GTM.
Tags with built-in consent checks automatically adjust tags' behavior based on user choice. Note that, for example, GA4 will still send anonymized pings even if the user did not consent to analytics cookies. To enable advanced consent configuration in GA4, go to the web GTM and update Consent Settings to “No additional consent required”. No configuration is needed in sGTM.
If you want to restrict Google Analytics from sending anonymized pings, set Consent Settings to Require additional consent and select the types required. Server Google Analytics 4 will adjust its behavior based on consent configuration in web GTM. That is why no other settings are needed in sGTM.
In this case, we will use anonymized GA4 requests to server GTM and modify Facebook CAPI triggering based on the value of the GCS parameter. Facebook Conversions API tags should trigger when ad_storage cookies are allowed. In this case, the GCS parameter should be either 110 or 111.
5.1.1 Create a new variable in server GTM that will read the GCS parameter from the GA4 request. Use the event data variable type and add x-ga-gcs to the key path.
5.1.2 Update the Facebook Conversions API tag to trigger only when the x-ga-gcs variable equals 110 or 111.
With basic consent mode, GA4 does not send anonymized pings to the server container, so you will need another way to deliver users’ consent state to sGTM. In this example, we will use Data Tag and Data Client to transmit user consent to sGTM.
5.2.1 Open web GTM and add Data Tag from the community template galley. Set the event name, Add transport URL (we created it in step 2.3), scroll down to consent settings, select require additional consent for the tag to fire, and choose ad_storage.
5.2.2 Data tag should trigger on a custom event cookie_consent_update.
5.2.3 Download the Data Client template and add it to your sGTM container by going to the template section, clicking New, clicking three dots in the top right corner, and selecting Import.
5.2.4 Set up a Data client. Click new in the client sections and select the Data Client template that we’ve recently downloaded. The goal of the Data Client is to retrieve information that sends the Data Tag to the sGTM container.
5.2.5 Update the trigger of your Facebook Conversions API tags. The new trigger should work whenever Data Client is claimed, and the event's name is marketing_consent.
Implementing server-side consent management is a crucial step in ensuring compliance and data privacy when leveraging server-side tagging. Using tools like server Google Tag Manager and Cookiebot, you can streamline and simplify the process of managing server-side consent.
Server-side consent management provides you with the capability to obtain and manage user consent for various tracking and analytics technologies that operate on your website or application. This is especially important in today's digital landscape, where privacy regulations like GDPR and CCPA require organizations to be transparent about data collection and obtain explicit user consent.
We hope this guide helped you understand the process of setting up consent management in server Google Tag Manager. If you have any questions, do not hesitate to contact us.
Don't worry, we've got you covered! Click on Get help and we will send you a free quote.