Server Side Tracking GDPR: What You Need to Know


The GDPR has changed a lot for online business owners. It is becoming increasingly important to handle personal data properly. In this context, Server Side Tracking helps you better comply with GDPR guidelines. What is the role of Server GTM in this? We explain that in this article.

Key Points 🔑

  1. Admin Data Collection: Using Server Side Tracking provides more control over what data is sent to platforms such as Google and Facebook, allowing you to exclude personal information such as IP addresses and client IDs.
  2. Data Storage and Processing Agreements: Important considerations regarding where and how long data is saved, and the importance of processing agreements with third parties such as Google Analytics.
  3. Future of Server Side Tracking: The increasing emphasis on data privacy and the shift from Third-party to First-party Cookies highlight the growing importance of Server Side Tracking as a method for GDPR compliance and advanced data analytics.

What is the GDPR?

The GDPR is about regulating (online) personal data. This took effect May 25, 2018. Online, at least the following are considered personal data:

  • Name
  • Email
  • IP
  • Address
  • And some cookies

In addition, health data or financial data, for example, are also personal data and thus should not be collected or shared without consent.

By default, Google and Facebook collect IP, location and cookie data. Also, you can send additional data (enhanced conversions data) to these platforms, but that’s not in the default setup.

So, in the current way, you cannot link Google and Facebook to your website within GDPR guidelines. That linking is often done through a tool like Google Tag Manager. GTM does not save data, but acts as a conduit. So you can use Google Tag Manager to be GDPR proof, however, in a specific way. More on that later.

What does GDPR mean for data tracking?

For many online businesses, monitoring user behavior on their website or app is an essential part of their operations. Through trackers, they collect data on user behavior, leading to informed decisions and ultimately greater profits.

Website tracking in itself is not illegal. Legality depends on where you do business and how tracking is regulated. To determine if your Web site is tracking data correctly, you need to understand how you monitor your users and what steps you need to take to comply with legal requirements.

To be GDPR proof yet do data tracking, a few things are important to consider. Collecting, saving and processing data.

Collecting data

Data collection is usually done with a third-party tracking script and third-party cookies. These are codes of e.g.. Google and Facebook. These are often posted through GTM. These codes collect data. You have virtually no control over this. So Google can collect what it wants. To keep control of what data is collected, you can apply Server Side Tracking. This allows you to take full control over what data is sent to Google or Facebook.

This also allows you to exclude the collection of certain data. This allows you to exclude IP addresses and client ids from tracking. In addition, you can go even further by not including URL parameters (UTM tags, for example).


The New version of GA4 also has more flexibility to ensure that some data is not collected. This allows you to disable google signals, ad personalization and location data for optimal security.

Finally, the most important thing is to use a cookie banner to ask permission to track data (and indicate what data you will be collecting, for what purposes). We use Cookiebot for that because it works well with Google Tag Manager. Through the consent mode in Google Tag Manager, you can regulate that the tracking actually complies with what is specified in the cookie banner.


When you set up consent mode in the Google Tag Manager server container, based on the consent level someone enters at the cookie banner, you send the data to the relevant platforms. This ensures that data processing is more in line with user preferences and privacy laws, striking a balance between user privacy and data use for targeted marketing and analytics.

Save data

In addition, saving data is also an important factor. How long will the data be saved? GA4 has also made many strides in this regard. This allows you to exclude data being shared to other parts within Google.

In addition, it is important that personal data not be saved outside the EU. Google Analytics does. Through Server Side Tracking, we ensure that the personal data is already excluded before and thus never sent to Google Analytics. This way, you can use it within the guidelines of the GDPR.

TAGGRS has servers around the world , so data is securely saved and processed within your own country.


Processing data

Finally, you should enter into a processing agreement with the party receiving the data. In the case of GA4, you sign for this when you create an account.

Google Analytics Terms of Service Agreement

First-party vs third-party cookies.

First-party cookies are created by the visited website itself and are primarily intended to optimize the user experience, such as remembering login information and shopping basket items. They are crucial to the functionality of the site and are only active on the website that created them. In contrast, Third Party Cookies are created by third parties, such as ad networks, and focus on tracking, retargeting and delivering personalized ads to users.

There is a clear shift from the use of Third-party Cookies to First-party Cookies. This trend is reinforced by the increasing focus on privacy and data protection. In addition, browsers such as Google Chrome and Mozilla Firefox also consider user privacy increasingly important resulting in the increasing blocking or restricting of Third Party Cookies.

These developments are creating a shift from Third-party to First-party Cookies.

More info in this blog on first party vs third party cookies.

GDPR impact on data tracking

A specific example of the impact of privacy laws on Server Side Tracking is the ban by some governments on the use of Google Analytics. Because Google Analytics collects data about the behavior of website visitors, this can lead to privacy concerns. Therefore, certain governments have decided to ban Google Analytics on government websites to protect citizens’ privacy.

There are many countries that feel Google Analytics is not GDPR compliant. This development highlights the growing importance of privacy and data protection in the digital world, and at the same time it shows the need for alternatives such as Server Side Tracking.

Here you can find a list of countries that think Google Analytics is illegal.

How does Server Side GTM help with GDPR compliance?

If you work with third-party cookies, you know that control over your data can sometimes be tricky. With Server GTM, you can solve this problem and better Admin what happens to your data. Below we discuss how.

Control Over Third Party Data

Working with third-party Web tracking scripts doesn’t always mean you know what data is being collected. Server GTM allows you to Admin this more precisely. For example, if you want to set up Server Side Tracking for Facebook, you can use server side tags to specify exactly what info goes to Facebook. This limits what Facebook can see.

Safely Handling Sensitive Info and PII

It is against the policy of platforms like Google and Facebook to send personally identifiable information (PII). Server GTM helps you deal with this. You can remove PII like IP addresses before it goes to external platforms, or you can hash the info.

Data Management Solutions.

Hashing of User Data: Different platforms have their own standards for hashing. For example, Google Analytics uses SHA256, as does Facebook.

Use a Fake GA4 ID: Some people use a real Google Analytics 4 ID for event tracking, and a fake GA4 ID to send data to the server container.

Server GTM also allows you to customize Web site URLs before sending them to an external party. This is useful if, for example, you have sensitive information in your URLs that should not be shared.


Is Server Side the Future?

Given the increasing emphasis on data privacy and the GDPR, Server Side Tracking seems to be more than a trend. It allows companies to refine data collection while ensuring better compliance with privacy laws. Some countries already prohibit the use of certain third-party tracking tools, further reinforcing the need for server side solutions.

There is also a shift from Third-party to First-party Cookies because of greater emphasis on user privacy. Server Side Tracking provides an additional solution here by filtering and hashing sensitive data before sending it to external parties.

All in all, Server Side Tracking not only seems to be the future; it seems to be the future. With an increasing focus on GDPR compliance and data integrity, Server Side Tracking provides a path to both compliance and detailed data analytics.

TAGGRS offers Server Side Tracking hosting that allows you to continue collecting data online while complying with GDPR legislation.

See you on the server side!

FAQ – Server Side Tracking GDPR

What data falls outside the GDPR?

Anonymous data, where identification of individuals is impossible, falls outside the GDPR. The GDPR applies to personal data, which means that any information that can directly or indirectly identify a person is covered by this law. Anonymous data, or data processed in such a way that it no longer identifies the individuals involved, is excluded from the GDPR. Server Side Tracking can help anonymize personal data such as IP addresses.

Is Google Tag Manager GDPR compliant?

Google Tag Manager can be GDPR compliant if it is correctly set up to collect and process personal data only with consent, using Consent Mode.

Is Server Side Tracking legal?

Server Side Tracking is legal provided it complies with GDPR rules. It requires transparency and user consent for the collection and processing of personal data.

Can GDPR be done without consent?

GDPR requires consent in many cases, but processing is sometimes possible without consent for specific purposes such as contractual necessity or legal obligations.

About the author

Ate Keurentjes

Ate Keurentjes

Server Side Tracking Specialist at TAGGRS

Ate Keurentjes is a Server Side Tracking specialist at TAGGRS. He has experience with various Google Tag Manager concepts. Keurentjes has been editing and writing about the latest developments and trends in data collection / Server side tracking since 2023.

Ready for the next level?

Start with Server Side Tracking and generate more revenue and conversions in a world without third-party cookies.