Server-side tracking and GDPR

Jun 21, 2024
Dec 14, 2021
Also available in

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are online privacy legislation all website owners need to know and follow. The GDPR sets out specific rules about processing personal data, including collecting, storing, and deleting it. 

The GDPR can heavily affect what users’ data you collect on the website and how you use it. In this blog post, we want to talk about how server-side Google Tag Manager can help to adapt tracking to the GDPR requirements

What is GDPR?

GDPR is a set of rules that limits what information about users websites can collect and how they should manage, store, and process it. The rules are organized in 99 individual articles of GDPR laws.

GDPR came into force on May 25, 2018. However, the main principles of GDPR laws remain the same in all European countries, and each country has the right to modify them according to its needs. That is why you need to be aware of GDPR aspects in your country.

It’s important to understand that GDPR rules apply to businesses and websites outside the EU (in the USA or Asia). Even if a user visits your site not from a European country, you must still comply with GDPR rules.

What does GDPR mean for website tracking?

The critical point of the GDPR rules concerns personal data. They describe when and how website owners can collect and store personal data and whether they can transfer it to third parties.

Though each country has a right to change the definition of Personal Identifiable Information (PII), a user’s name, address, email, IP, or even cookies can be considered PII. More than that, data about users’ health, religious, and political preferences can also be PII.

Though GDPR, ePrivacy, and CCPA’s primary purpose was to restrict big advertising companies (like Google or Facebook) from profiling you across different websites and protect user privacy, more often, smaller companies started to receive notifications or even fines for not complying with GDPR policy.

1. Cookie consent

coockie consent stape

Web Google Tag Manager has a consent mode feature. This feature is still in beta, meaning we can expect many improvements and changes shortly. With the consent mode enabled, Google checks users' consent status and reacts accordingly. Google will understand if GTM can set cookies depending on what the user selects on your cookie banner.

Web Google Tag Manager consent mode should work with the consent management platform (CMP). The primary purpose of CMP is to let users select what cookies they allow sites to use. Most popular CMPs integrate with web GTM consent mode, meaning they automatically block cookies and trackers until the user gives their consent.

The cookie banner has several different requirements, and each country has its own adjustments. For example, some governments require you to use a single color for all buttons. You can’t make the “Allow Cookie” button green while the "Block Cookie" button is white, making it more natural for the users to press the green button.

Another requirement for a cookie banner is that a user should easily browse a website without clicking any button on the cookie banner. One recent update says you should keep logos of all user consent decisions.

2. Promotional email consent

In most cases, there are two types of email: promotional and strictly necessary. You are not allowed to send promotional emails without user consent.

For example, you can send the event to your email marketing software when an existing user agrees to receive sales and promo materials. You can utilize the web Google Tag Manager to identify users who have agreed to receive promotional emails. On the other hand, if a new user wants to receive marketing emails, web GTM won't help since most email software platforms do not allow the creation of new users in their systems from the web. You can do it only through the backend or server GTM.

Server-side Google Tag Manager and GDPR

Server-side GTM gives you better control over the data flow each vendor receives. The ideal scenario of how server GTM should work is having one data stream in the web GTM that delivers data to the server GTM. For example, you can use Google Analytics 4 to send data to the server container. Server GTM processes GA4 requests and maps them into the events data inside the sGTM. Then, you can use the event's data and HTTP requests to send information further to third-party tools.

stape server gtm

Server GTM does not have a consent mode, similar to the web GTM. You should set up a consent management platform and integrate it with the web Google Tag Manager. Web GTM’s consent mode will control what information GA4 collects and sends, depending on user consent. If the user does not agree to use cookies, Google Analytics 4 will work in a restricted mode and not read or write marketing cookies.

When a user doesn’t consent to set up marketing cookies, Google Analytics will still send requests to the server GTM container, meaning your data will be delivered and processed in the server GTM. In this case, the difference is that GA will be restricted from writing, storing, or reading cookies.

This type of request will have a new parameter, gcs, containing the consent status. You can use this parameter in the server GTM to record the user's consent mode.

GDPR requirements for server GTM

GDPR rules require all European countries to store users’ visits on European servers. When you set up a Google Tag Manager server for the website where your main business is in Europe, make sure you select the European hosting region.

How does server GTM help to comply with GDPR rules?

1. Control what data third parties collect

When inserting third-party web tracking scripts, you can’t strictly control what information they collect. They can scrape sensitive data or personal identifiers without letting you know.

Server Google Tag Manager solves this problem. Let’s say you want to set up server-side tracking for Facebook without using the web to restrict FB from collecting undesired data from your website. In this case, server Facebook tags will send only information that you specified inside these tags. FB won't be able to access any other information.

You can use Outgoing HTTP requests to see what information was sent to Facebook. This will prevent Facebook from collecting any data from your website, which it is not allowed to do.

2. Remove sensitive data and PII

For some countries and for some business areas (e.g. medicine) there are additional regulations that require restrictions on sending certain PII parameters to third-party platforms.

Many such requirements are impossible to do with web tracking, but with server-side tracking, you have full control over payload events. With sGTM you can either remove it before sending it to third-party platforms or hash it before sending it.

For example, with sGTM, you can easily remove the sending of IP address and User Agent from the Facebook event data if needed, but this cannot be done for web events.

3. Hash user data before sending it

Most platforms require hashing of some or all of the data, especially PII. Typically MD5 or SHA256 format is used.

All standard popular GTM tags (FB, GA4, Google ADS, etc.) hash the data themselves before sending it to the platforms, but for some platforms it is necessary to do it yourself and it is easily available in sGTM using the template from the gallery. For example, here is a great template for SHA256 hashing.

Also hashing functions in different formats are available in Data tag. You can send data from a web container in the hashed format you need, which makes it much easier to set up in many cases.

4. Modify PII before sending it

It is not only user data (like email or phone number) that can be considered PII. We have a client who advertises medical equipment on Facebook. They have the names of medical devices and sometimes diseases in the URLs. Facebook complains that they send users’ health information (considered PII) to Facebook, which is against FB policy. FB also notified us that their ad account might be restricted from advertising if they do not remove health information from the URLs.

Using Server GTM, you can modify a website URL before sending it to a vendor. You can remove parameters or replace any keyword in the URL.

1. Select and set up a consent management platform. For, we use Сookiebot since it has all the features that GDPR requires, a reasonable price, and integration with the consent mode in web GTM. We will use Cookiebot in this how-to. Some integration steps may differ if you use another CMP, but the logic should be the same.

4. Set up a CMP tag in the Web GTM. You will most likely find your CMP tag in the web GTM template gallery. In our example, we added a cookie bot tag from the gallery →, created a new tag →, added ID, and defined the default consent state. This tag should trigger on the Consent Initialization trigger.

Set up a CMP tag in the Web GTM

5. The Web GTM has tags with built-in consent checks (mainly Google’s products, such as Google Ads, Google Analytics, and Floodlight). The main benefit is that these tags automatically react to the consent behavior and adjust their actions. No additional configuration is needed.

Please be aware that you must set up additional configurations for those tags that do not support built-in consent checks. You will most likely have to use the custom events in GTM for that. As well as set up Consent Settings.

6. The next step is to set up or modify a Google tag configuration tag in the web GTM container. To do that, go to Advanced Settings → Consent Setting → enable No additional consent required.

set up or modify a Google tag configuration tag in the web GTM

7. Open Web and Server GTM previews and test GA4 as you are a user who didn't select anything on the cookie banner or denied cookies.

In the server GTM, you should see gcs=G100 in the GA requests. The GCS parameter indicates consent status, and the GCS=G100 means the user didn’t consent.

consent status

8. Test GA4 as you are a user who allows cookies. In this case, in the server GA4 requests, you should see gcs=G111.

consent status

9. Let’s say you want to set a tag in the sGTM container that does not fire when a user denies cookie storage. In this case, create a new variable with the type Query Parameter and add gcs. After that, you can create a trigger that restricts the tag from firing when gcs=G100. This will mean that the user denied the consent.

finished setup


With the help of web Google Tag Manager, you can more easily adapt to GDPR rules. All you need to do is choose from various consent management systems or use a custom solution and then integrate it with your web GTM. This will adequately protect users' online privacy rights while still allowing the use of necessary cookies to provide a seamless experience.

For now, server GTM does not have a built-in consent mode, but you can use GA requests to read the consent status from the web GTM. GTM denies setting and reading cookies in "do not allow" consent mode, while GA requests will still be processed.

Server GTM enables you to control the data your vendors receive strictly. Unlike browser tracking, where you can’t be 100% sure of what information the scripts collect, server-side tagging delivers only configured data to the third-party vendor. Not only does it help protect your site from unwanted scripts, but will also speed it up because no work will be done in the user's browser. Server-side tracking allows you to modify and hash PII before sending it to third-party tools.

If you're looking for a way to streamline your website performance and secure user data, then server-side tracking should be seriously considered. We can help set up server-side tracking for any website!

Tagged with:gtm server

Host your GTM server at Staperight now!