Server-side consent management with sGTM and Cookiebot

In the modern online landscape, safeguarding the data of website visitors and upholding their privacy isn't just a matter of best practice—it's a legal obligation. Consent management is the most popular way to obtain the user’s agreement to collect data. 

One of the simplest methods to implement consent is using tools such as Google Tag Manager's consent mode and dedicated Consent Management Platforms like Cookiebot.

The requirement of respecting user consent has been in some countries for a while, which is why most websites have already adapted their web tracking to treat users' consent. But during a couple of years, the popularity of server-side tagging has risen, and a straightforward question occurs: how should I treat user consent in server-side tagging, and is consent management necessary?

In this blog post, we will discuss server-side consent management in server Google Tag Manager and how to adapt server-side tag behavior to users' consent. Here, we will show how to set up consent management for server-side Google Analytics 4 and Facebook conversion API. 

Understanding server-side consent management

A lot of people mistakenly think that consent management is optional in server-side tagging. However, this is not the case. Server-side tagging requires consent management, similar to web tracking. 

How consent works in server GTM:

1. The consent banner on your website collects the user's consent choices and transmits them to the tag you choose to use for delivering consent status from the web to server GTM, for example, Google Tag.
2. This tag sends a parameter with consent status to sGTM. 
3. Within the server, you adapt tag behavior depending on the parameter's value that carries consent status.

To set up consent management in server GTM, you'll require the following components:

• Consent management platform like Cookiebot.

• Web and server Google Tag Manager container.

• Server-side Google Analytics 4 implemented. We will use ss GA4 to forward information about the user's constant status from the web container. It is possible to use other tags to transmit consent status to the server GTM container. We will cover it in the blog post as well. 

There are two types of Google Tags consent behavior. Which type of consent behavior you choose impacts the implementation of server-side consent: 

• Basic consent mode. Google tags load is blocked until the user consents. In this case, no pings are sent by Google, meaning it’s impossible to use ss GA4 to transmit user consent status. In this case, we will use Data Tag/ Data Client to send consent status to sGTM.
• Advanced consent mode. Google tags send pings even when the user does not consent, but these pings are anonymized and do not use cookies. This helps to use machine learning to model the behavior of users without consent. Implementing advanced consent mode unblocks GA4 behavioral modeling for consent. This means that Google will use users' data with consent to model the behavior of users without consent. With advanced consent, you can use GA4 pings to track user consent on the server. 

GCS parameter within server-side GA4 request is used to carry the consent status of a user. Below is the list of GCS parameter values that identify users' consent: 

How to set up server-side consent management using Cookiebot and sGTM

We will cover two scenarios in this guide: 

• GA4 advanced consent mode. In this case, GA4 sends anonymized requests even when consent is not granted. GCS is a parameter responsible for differing consent statuses.
• GA4 basic consent mode. Google sends no pings. Data Tag/Data Client will be used to deliver user consent choices from the web to the server. 

Set up Cookiebot in the web Google Tag Manager container.

1.1 Configure consent mode in web GTM. Go to the Admin tab, click Container Settings, and enable the checkbox “Enable consent overview.” 

1.2 Add Cookiebot template from template Gallery. Click Templates in the left menu of web GTM, search for Cookiebot CMP tag template, and click Add to Workspace. 

1.3 Configure Cookiebot CMP tag by adding "Cookiebot ID." You can find "Cookiebot ID" in your Cookiebot account. The trigger should be "Consent initialization - All pages".

1.4 If you want to use region-specific consent settings, open the Cookiebot tag and set up Default Consent State by adding a region or country and specifying the consent state. In the example below, consent is granted to California. 

2. Configure server GTM container.

2.1 Create a new Server container in sGTM. To do so, click Admin, click + in the container column, add the container name, and select the server. Select Manually provision tagging server and copy container config. 

2.2 Create a stape.io account, add the Container name, Container Config you’ve copied in the previous step, and select a Server location. Click Create Container. 

2.3 Configure a custom domain for your server GTM container. Once the custom domain is added, you need to configure the DNS setting you see on the screen. Domain verification can take up to 72 hours. 

2.4 Go to the server Google Tag Manager container setting and add a custom domain or the default tagging server URL (not recommended) inside server GTM.

2.5 Update the web GTM script on your website with the custom domain. 

3. Set up server-side GA4.

3.1 Open the web GTM container and create a new tag (or modify an existing one) of the tag Type Google Tag. Add your Google Tag ID.

In the section Configuration Settings, add the following parameters:

• Name: server_container_url.
• Value: Enter the URL you've created in step 2.3.

Add trigger to GA4 tag. Typically, it should trigger on all page views. 

3.2 Go to the Server GTM container and create a GA4 client. 

3.3 Create GA4 tag in server GTM container. The tag should trigger whenever a GA4 client is claimed. 

3.4 Open web and server GTM previews and GA4 debugger to check if server-side GA4 works correctly. You should see GA4 tags triggered in web and server GTM previews, and GA4 debugger sees the events. 

4. Consent setting for server-side GA4.

Cookiebot has a feature that works together with Google Tag Manager that enables you to modify tag behavior depending on users' Consent. Some tags, mostly Google Tags (Google Analytics, Google Ads, and Floodlight), have built-in consent checks.

Server Google Analytics 4 will adjust its behavior based on consent configuration in web GTM. There is no configuration in server GA4 as needed. All the setup is done in web GTM.  

4.1 Advanced consent mode

Tags with built-in consent checks automatically adjust tags' behavior based on user choice. Note that, for example, GA4 will still send anonymized pings even if the user did not consent to analytics cookies. To enable advanced consent configuration in GA4, go to the web GTM and update Consent Settings to “No additional consent required”. No configuration is needed in sGTM.

4.2 Basic consent mode

If you want to restrict Google Analytics from sending anonymized pings, set Consent Settings to Require additional consent and select the types required. Server Google Analytics 4 will adjust its behavior based on consent configuration in web GTM. That is why no other settings are needed in sGTM.

5. Consent setting for Facebook Conversion API.

5.1 Advanced consent mode in GA4.

In this case, we will use anonymized GA4 requests to server GTM and modify Facebook CAPI triggering based on the value of the GCS parameter. Facebook conversion API tags should trigger when ad_storage cookies are allowed. In this case, the GCS parameter should be either 110 or 111.

5.1.1 Create a new variable in server GTM that will read the GCS parameter from the GA4 request. Use the event data variable type and add x-ga-gcs to the key path.

5.1.2 Update the Facebook conversion API tag to trigger only when the x-ga-gcs variable equals 110 or 111. 

5.2 Basic consent mode in GA4.

With basic consent mode, GA4 does not send anonymized pings to the server container, so you will need another way to deliver users’ consent state to sGTM. In this example, we will use Data Tag and Data Client to transmit user consent to sGTM. 

5.2.1 Open web GTM and add Data Tag from the community template galley. Set the event name, Add transport URL (we created it in step 2.3), scroll down to consent settings, select require additional consent for the tag to fire, and choose ad_storage. 

5.2.2 Data tag should trigger on a custom event cookie_consent_update. 

5.2.3 Download the Data Client template and add it to your sGTM container by going to the template section, clicking New, clicking three dots in the top right corner, and selecting Import. 

5.2.4 Set up a Data client. Click new in the client sections and select the Data Client template that we’ve recently downloaded. The goal of the Data Client is to retrieve information that sends the Data Tag to the sGTM container. 

5.2.5 Update the trigger of your Facebook conversion API tags. The new trigger should work whenever Data Client is claimed, and the event's name is marketing_consent.

Conclusion

Implementing server-side consent management is a crucial step in ensuring compliance and data privacy when leveraging server-side tagging. Using tools like server Google Tag Manager and Cookiebot, you can streamline and simplify the process of managing server-side consent.

Server-side consent management provides you with the capability to obtain and manage user consent for various tracking and analytics technologies that operate on your website or application. This is especially important in today's digital landscape, where privacy regulations like GDPR and CCPA require organizations to be transparent about data collection and obtain explicit user consent.

We hope this guide helped you understand the process of setting up consent management in server Google Tag Manager. If you have any questions, do not hesitate to contact us.