
Server-side tracking and GDPR

Author
Stape
Published
December 14, 2021

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are sets of online privacy legislation that every website owner needs to know and follow. They set out specific rules about processing personal data, including collecting, storing, and deleting it.

The GDPR can heavily affect what user data you collect on your website and how you use it. In this blog post, I want to talk about how server-side Google Tag Manager can help adapt tracking to GDPR requirements.

What is GDPR?

GDPR is a set of rules that limits what information websites can collect about users and defines how they must manage, store, and process it. The rules are organized into 99 individual articles.

GDPR came into force on May 25, 2018. The main principles of GDPR stay the same across all European countries, but each country has the right to adapt it to its own needs. That is why you need to be aware of how GDPR applies in your country.

It's important to understand that GDPR rules also apply to you if your business and website are outside the EU (say, in the USA or Asia). You must still comply with GDPR if a user visits your site from a European country.

What does GDPR mean for website tracking?

The key concept in the GDPR rules is personal data. The regulation describes when and how website owners can collect and store personal data, and whether they are allowed to transfer it to third parties.

Though each country has the right to adjust the definition of Personally Identifiable Information (PII), a user's name, address, email, IP address, or even cookies can be considered PII. Beyond that, data about users' health, religion, or political preferences can also be PII.

Though the primary purpose of GDPR, ePrivacy, and CCPA was to restrict big advertising companies (like Google or Facebook) from profiling you across different websites and to protect user privacy, in practice it is more often smaller companies that started to receive notifications or even fines for not complying with GDPR.

1. Cookie consent


Web Google Tag Manager recently released a consent mode feature. The feature is still in beta, so we can expect many improvements and changes in the near future. With consent mode enabled, Google checks the user's consent status and reacts accordingly: depending on what the user selected on your cookie banner, Google knows whether GTM may set cookies.

Web Google Tag Manager consent mode should work together with a consent management platform (CMP). The primary purpose of a CMP is to let users select which cookies they allow a site to use. Most popular CMPs integrate with web GTM consent mode, meaning they automatically block cookies and trackers until the user gives consent.

There are several requirements for the cookie banner, and each country has its own adjustments. For example, some governments require you to use a single color for all buttons. You can't make the "Allow Cookie" button green while the "Block Cookie" button is white, which would nudge users toward pressing the green button.

Another requirement is that a user should be able to browse the website easily without clicking any button on the cookie banner. One of the recent updates says that you should keep logs of all user consent decisions.

2. Promotional email consent.

In most cases, there are two types of email: promotional and strictly necessary. You are not allowed to send promotional emails without user consent.

For example, you can send an event to your email marketing software when an existing user agrees to receive sales and promo materials. You can use web Google Tag Manager to identify users who agreed to receive promotional emails. On the other hand, if a new user wants to receive marketing emails, web GTM won't help, since most email software platforms do not allow creating new users in their systems from the web. You can do that only through the backend or server GTM.

Server-side Google Tag Manager and GDPR

Server-side GTM gives you better control over the data each vendor receives. The ideal setup is to have one data stream in web GTM that delivers data to server GTM. For example, you can use Google Analytics 4 to send data to the server container. Server GTM processes the GA4 requests and maps them to event data inside sGTM. You can then use that event data and HTTP requests to send information on to third-party tools.


Server GTM does not have a consent mode like web GTM does. You should set up a consent management platform and integrate it with web Google Tag Manager. Web GTM's consent mode will control what information GA4 collects and sends depending on user consent. If the user does not agree to cookies, Google Analytics 4 will work in a restricted mode and will not read or write marketing cookies.

When a user doesn't consent to marketing cookies, Google Analytics will still send requests to the server GTM container, so your data will still be delivered and processed in server GTM. The difference is that GA will be restricted from writing, storing, or reading cookies.

These requests carry a parameter, gcs, that contains the consent status. You can use this parameter in server GTM to record the user's consent status.

GDPR requirements for server GTM

GDPR rules require all European countries to store information about their website visitors on servers located in Europe. When you set up server Google Tag Manager for an EU website, make sure you select a European hosting region.

How does server GTM help to comply with GDPR rules?

1. Control what data third parties collect.

When you insert third-party web tracking scripts, you can't strictly control what information those scripts collect. They can scrape sensitive data or personal identifiers without letting you know.

Server Google Tag Manager solves this problem. Say you want to set up server-side tracking for Facebook without the browser-side Facebook script, to restrict FB from collecting undesired data from your website. In this case, the server Facebook tags send only the information you specified inside those tags; FB won't be able to access anything else.

You can use the Outgoing HTTP Requests view to see exactly what information was sent to Facebook. This prevents FB from collecting any data from your website that it is not allowed to collect.

2. Remove sensitive data and PII.

According to Google's and Facebook's policies, you can't send personally identifiable information (PII) to these platforms. A user's name, email, or phone number can be considered PII.

There are two ways sGTM can help with PII: you can either remove it before sending it to third-party platforms, or hash it before sending.

If you've set up Facebook CAPI, you know that some parameters must be hashed before they are sent to the Facebook server. The same applies to GA. For example, you can hash a user's email before sending it to GA4, which complies with the GA privacy policy.

So if sending user data is against the GA4 privacy policy, and server-side GA4 is one of the most popular ways of sending data from web to server GTM, how should you approach it without violating the privacy policy regarding PII?

We have several solutions:

    1. Hash user data before sending it.

Each platform has its own standard for hashing user data. Google Analytics says you should use SHA-256 with a salt of at least 8 characters. Facebook also requires SHA-256, while MailChimp requires MD5.

You can hash user data in web GTM before sending it to any vendor. Custom templates that hash user data are available in the web and server GTM galleries, which simplifies the job.

    2. Use a fake Google Analytics 4 ID

Some people use a real Google Analytics 4 ID to track events, while a fake GA4 ID is used only to deliver data to the server container. This protects their main GA4 property from being blocked for non-compliance with GA policy.

    3. Use Data Tag/Data Client

You can use a Data Tag/Data Client to send information to the GTM server, and then, inside server GTM, hash the needed data before sending it to the vendor.

3. Modify PII before sending it.

Not only user data (like email or phone number) can be considered PII. We have a client who runs advertising for medical equipment on Facebook. They have the names of medical devices and sometimes diseases in their URLs. Facebook complained that they were sending users' health information (considered PII) to Facebook, which is against FB policy. FB also notified them that their ad account might be restricted from advertising if they did not remove the health information from the URLs.

Using server GTM, you can modify a website URL before sending it to any vendor. You can cut parameters from the URL or replace any keyword in it.
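As an added example (not Stape's code), this JavaScript shows one way to implement that scrubbing step: keep only an allowlist of query parameters and replace sensitive keywords in the path and in the kept values with a neutral placeholder. The keyword list, allowlist and sample URL are constructed for the example, and the code is plain Node.js for readability rather than sGTM's sandboxed template JavaScript.

```javascript
// Added example (not Stape's code): scrub a page URL before it is sent to a
// vendor, as described for the medical-equipment client above. The keyword
// list and the query allowlist are constructed for this example.
const SENSITIVE_KEYWORDS = ['diabetes', 'insulin-pump', 'oncology'];
const ALLOWED_QUERY_PARAMS = new Set(['utm_source', 'utm_medium', 'utm_campaign']);

// Escape a literal so it can be used inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Replace every sensitive keyword, case-insensitively, with "redacted" so the
// page can still be grouped in reports without revealing the health term.
function redactKeywords(text, keywords) {
  return keywords.reduce(
    (acc, kw) => acc.replace(new RegExp(escapeRegExp(kw), 'gi'), 'redacted'),
    text
  );
}

// Returns a vendor-safe URL: origin + scrubbed path + allowlisted query
// parameters (values scrubbed too). Non-allowlisted parameters and the
// fragment are dropped entirely.
function scrubUrl(rawUrl, keywords = SENSITIVE_KEYWORDS, allowed = ALLOWED_QUERY_PARAMS) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (allowed.has(key)) kept.append(key, redactKeywords(value, keywords));
  }
  const path = redactKeywords(url.pathname, keywords);
  const query = kept.toString();
  return url.origin + path + (query ? '?' + query : '');
}

// Constructed sample: a device name in the path, a non-allowlisted parameter
// and a campaign name that leaks a condition.
const SAMPLE_URL =
  'https://shop.example.com/products/Insulin-Pump-x2?utm_source=fb&patient_id=123&utm_campaign=diabetes-week#top';
console.log(scrubUrl(SAMPLE_URL));
// -> https://shop.example.com/products/redacted-x2?utm_source=fb&utm_campaign=redacted-week
```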

    1. First of all, select and set up a consent management platform. For stape.io, we use Cookiebot, since it has all the features GDPR requires, a reasonable price, and integration with consent mode in web GTM. I will use Cookiebot in this how-to. Some integration steps may differ if you use another CMP, but the logic should be the same.

    3. Set up server-side Google Analytics 4

    4. Set up a CMP tag in web GTM. Most likely, you will find your CMP tag in the web GTM template gallery. In my case, I added the Cookiebot tag from the gallery -> created a new tag -> added the ID and defined the default consent state. This tag should trigger on the Consent Initialization trigger.


    5. In web GTM, some tags have built-in consent checks (mainly Google's products, such as Google Ads, Google Analytics, and Floodlight). The main benefit is that these tags automatically react to the consent state and adjust their behavior; no additional configuration is needed.

Be aware that you will need additional configuration for tags that do not support built-in consent checks. Most likely, you will have to use custom events in GTM for that, as well as set up Consent Settings on those tags.

    6. The next step is to set up or modify the GA4 tags in the web GTM container. To do that, go to Advanced Settings -> Consent Settings -> enable "No additional consent required". Modify this tag to trigger on the Consent Initialization trigger.


    7. Open the web and server GTM previews and test GA4 as if you were a user who didn't select anything on the cookie banner or denied cookies. In server GTM, you should see gcs=G100 in the GA requests. The gcs parameter indicates the consent status, and gcs=G100 means that the user didn't give any consent.


    8. Test GA4 as if you were a user who allows cookies. In this case, in the server-side GA4 requests, you should see gcs=G111.


    9. Let's say you want a tag in the sGTM container that does not fire when a user denies cookie storage. In this case, create a new variable of type Query Parameter and set it to gcs. Then create a trigger that blocks the tag from firing when gcs=G100, which means the user denied consent.
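The gating logic behind steps 7 to 9, as an added example in plain Node.js (not Stape's or Google's code) that goes a little beyond the post: it parses gcs into per-purpose flags rather than only comparing against G100, and fails closed when the parameter is missing or malformed. It assumes gcs is "G1" followed by one digit each for ad_storage and analytics_storage (1 = granted, 0 = denied), so that G100 means all denied and G111 all granted; the request URLs and measurement ID are constructed placeholders.

```javascript
// Added example (not Stape's or Google's code): read the gcs parameter from a
// GA4 request and decide whether a tag in sGTM may fire. Assumption: gcs is
// "G1" followed by one digit each for ad_storage and analytics_storage
// (1 = granted, 0 = denied), so G100 = all denied and G111 = all granted.

// Parse a gcs value; anything malformed or missing is treated as denied so a
// broken request can never unlock a marketing tag.
function parseGcs(gcs) {
  const m = /^G1([01])([01])$/.exec(gcs || '');
  if (!m) return { valid: false, adStorage: false, analyticsStorage: false };
  return { valid: true, adStorage: m[1] === '1', analyticsStorage: m[2] === '1' };
}

// What the "Query Parameter" variable from step 9 resolves to: the gcs value
// taken from the incoming GA4 collect request URL.
function consentFromRequestUrl(requestUrl) {
  return parseGcs(new URL(requestUrl).searchParams.get('gcs'));
}

// Trigger logic from step 9, made per-purpose: a marketing tag needs
// ad_storage, an analytics tag needs analytics_storage; anything else is
// refused (fail closed).
function mayFireTag(requestUrl, purpose) {
  const consent = consentFromRequestUrl(requestUrl);
  if (purpose === 'marketing') return consent.adStorage;
  if (purpose === 'analytics') return consent.analyticsStorage;
  return false;
}

// Consent record you could store next to the event, as suggested earlier in
// the post (the raw gcs value plus the decoded flags and a timestamp).
function consentRecord(requestUrl, receivedAt) {
  const gcs = new URL(requestUrl).searchParams.get('gcs');
  return { gcs: gcs, ...parseGcs(gcs), receivedAt: receivedAt };
}

// Constructed sample requests with a placeholder measurement ID.
const REQ_DENIED = 'https://gtm.example.com/g/collect?v=2&tid=G-PLACEHOLDER&gcs=G100&en=page_view';
const REQ_GRANTED = 'https://gtm.example.com/g/collect?v=2&tid=G-PLACEHOLDER&gcs=G111&en=page_view';
const REQ_NO_GCS = 'https://gtm.example.com/g/collect?v=2&tid=G-PLACEHOLDER&en=page_view';

console.log('marketing tag, G100 request:', mayFireTag(REQ_DENIED, 'marketing'));   // false
console.log('marketing tag, G111 request:', mayFireTag(REQ_GRANTED, 'marketing'));  // true
console.log('marketing tag, no gcs at all:', mayFireTag(REQ_NO_GCS, 'marketing')); // false
```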


Conclusion

With the help of web Google Tag Manager, you can adapt to GDPR rules more easily. All you need to do is choose one of the various consent management systems (or use a custom solution) and integrate it with your web GTM, so that users' online privacy rights are protected properly while you can still use the necessary cookies to provide a seamless experience.

For now, server GTM does not have a built-in consent mode, but you can use the GA requests to read the consent status set by web GTM. GTM denies setting and reading cookies in the "do not allow" consent mode, while the GA requests are still processed.

Server GTM lets you strictly control the data your vendors receive. Unlike browser tracking, where you can't be 100% sure what information the scripts collect, with server-side tagging only the configured data is delivered to the third-party vendor. Not only does this help protect your site from unwanted scripts, it also speeds the site up, because no work is done in the user's browser. Server-side tracking also lets you modify and hash PII before sending it to third-party tools.

If you're looking for a way to streamline your website performance and keep user data secure, then server-side tracking is something to consider seriously. We can help set up server-side tracking for any website!
