GDPR compliance of Server-side Tracking

GDPR has changed a lot for online organizations, and now it stays critical for data protection officers, marketers, and developers to align with the European privacy regulation and handle personal data properly. Server-side Tracking improves GDPR compliance by centralizing data control, enabling anonymization, and minimizing third-party data exposure. But it also requires explicit user consent, data minimization, and secure processing to align with regulations.

This page provides an overview of how Server-side Tracking helps to meet GDPR’s data protection standards while enhancing your analytics capabilities.

Key Takeaways

  • Server-side tracking provides more control over what data is sent to platforms such as Google and Facebook, allowing you to exclude personal information such as IP addresses and client IDs.
  • The increasing emphasis on data protection and the shift from third-party to first-party cookies highlight the crucial role of server-side tracking in future-proofing any marketing strategy.
  • Server-side tracking directly involves GDPR requirements for data storage, processing agreements (DPAs), and third-party relationships. ISO-certified first-party data platforms like TAGGRS ensure that your users' data is stored securely, processed lawfully, and only shared with third parties under strict contractual terms.

How does GDPR apply to Server-side Tracking?

GDPR, or General Data Protection Regulation, is a privacy law regulating the processing of personal data, applying equally to Server-side Tracking.

Online, personal data includes information such as name, email address, IP address, some cookies, health data, and financial data. Whenever your website or application collects or processes this data (whether through server-side or client-side tracking), you must ensure that at least one of these six legal bases applies:

  • explicit user consent
  • contractual necessity
  • legal obligation
  • protection of vital interests
  • public interest or official authority
  • legitimate interests, unless overridden by user rights.

How does Server-side Tracking support GDPR compliance?

Server-side Tracking provides more control over what data is collected, processed, and shared with third parties. For example, you can filter out personal information such as IP addresses and client IDs before forwarding data to platforms like Google Analytics or Facebook.

However, GDPR requirements remain unchanged: every data processing activity must have a valid legal basis, and users must be informed transparently about what data is collected and for what purpose. For many online businesses, tracking user behavior is essential for optimizing services and making informed decisions. While website tracking is not inherently illegal, the correct setup of tracking activities and the business location are paramount to make it 100% GDPR-compliant.

To ensure GDPR-compliant tracking, you must understand your data collection methods and take specific steps to comply with legal requirements. This includes managing the collection, storage, and processing of data according to GDPR standards. Server-side Tracking should be implemented with privacy by design, robust consent management, and regular audits to maintain compliance and protect user rights.

Data collection

Data collection is usually done with third-party tracking scripts and third-party cookies: code from Google or Facebook, for example, often placed through GTM. These scripts collect data, and you have virtually no control over what they collect, so Google can collect what it wants. To control which data is collected, you can apply server-side tagging, which gives you full control over what data is sent to Google or Facebook.

This also allows you to exclude certain data from being collected. For example, you can exclude IP addresses and client IDs from tracking. You can go even further by also not sending URL parameters (UTM tags, for example).
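As an added example (not TAGGRS, Google or Facebook code), the following Node.js snippet shows the kind of minimization step a server container can run on an incoming event before forwarding it: known identifier fields are dropped and utm_* parameters are stripped from URL fields. The field names follow the GA4-style keys used in server-side GTM event data (ip_override, client_id, page_location, page_referrer), but the exact set of excluded fields is an assumption you should adapt to your own data model.

```javascript
// Added example (not TAGGRS, Google or Facebook code): a minimization step a
// server container could run on an incoming event before forwarding it.
// Field names follow GA4-style server-side GTM event keys; the exact set of
// excluded fields is an assumption, extend it to your own data model.

// Keys that are never forwarded to a vendor.
const EXCLUDED_FIELDS = new Set(['ip_override', 'client_id', 'user_id', 'email', 'phone']);

// Event fields that carry a URL and may leak campaign identifiers.
const URL_FIELDS = new Set(['page_location', 'page_referrer']);

// Remove every utm_* query parameter from a URL string.
// Non-URL input (e.g. a bare path) is returned unchanged rather than dropped,
// so a malformed value does not silently take the whole event with it.
function stripUtmParams(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return value;
  }
  const toDelete = [...url.searchParams.keys()].filter((k) => k.toLowerCase().startsWith('utm_'));
  for (const key of toDelete) url.searchParams.delete(key);
  if ([...url.searchParams.keys()].length === 0) url.search = ''; // avoid a dangling '?'
  return url.toString();
}

// Return a copy of the event with excluded fields removed and URL fields scrubbed.
// The input object is not mutated, so the unfiltered event stays available for
// any destination that is allowed to receive it.
function minimizeEvent(event) {
  const out = {};
  for (const [key, value] of Object.entries(event)) {
    if (EXCLUDED_FIELDS.has(key)) continue;
    out[key] = URL_FIELDS.has(key) && typeof value === 'string' ? stripUtmParams(value) : value;
  }
  return out;
}

// Constructed sample event (not captured from a real container).
const sampleEvent = {
  event_name: 'page_view',
  client_id: '1234567890.1700000000',
  ip_override: '203.0.113.5',
  page_location: 'https://shop.example/cart?item=42&utm_source=newsletter&utm_medium=email',
  page_referrer: 'https://news.example/?utm_campaign=spring',
  engagement_time_msec: 1200,
};

console.log(JSON.stringify(minimizeEvent(sampleEvent), null, 2));
```

A denylist like EXCLUDED_FIELDS is the minimum; for data minimization an allowlist of the fields each destination actually needs is stricter, because a new field added upstream is then excluded by default instead of forwarded by default.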

The new version of GA4 also has more flexibility to ensure that some data is not collected. For example, you can disable Google signals, ad personalization and location data for optimal security.

Finally, the most important thing is to use a cookie banner to ask permission to track data (and indicate what data you will collect, for what purposes). We use Cookiebot for that, because it works well with Google Tag Manager. By means of the Consent Mode in Google Tag Manager you can regulate that the tracking actually complies with what is indicated in the cookie banner.

When you set up consent mode in the Google Tag Manager server container, based on the consent level someone enters at the cookie banner, you forward the data to the relevant platforms. This ensures that data processing is more in line with user preferences and privacy laws, balancing user privacy with data use for targeted marketing and analytics.
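The routing described above, as an added example that is not Google's Consent Mode implementation and not TAGGRS code: each destination declares which consent signals it needs, and an event is forwarded only to destinations whose signals are all explicitly granted. The consent type names (analytics_storage, ad_storage, ad_user_data, ad_personalization) are Google Consent Mode signals; the destination table and its requirements are assumptions for illustration.

```javascript
// Added example (not Google's Consent Mode implementation or TAGGRS code):
// decide, per destination, whether an event may be forwarded based on the
// consent state that arrived with it. The signal names are Google Consent Mode
// consent types; the destination table below is an assumption.

// Which consent signals each destination needs before it may receive the event.
const DESTINATIONS = [
  { name: 'ga4', requires: ['analytics_storage'] },
  { name: 'google_ads', requires: ['ad_storage', 'ad_user_data', 'ad_personalization'] },
  { name: 'facebook_capi', requires: ['ad_storage', 'ad_user_data'] },
];

// A signal counts as granted only when it is explicitly the string 'granted'.
// Missing, malformed or boolean values are treated as denied (fail closed), so an
// event that arrives without a usable consent state is never forwarded to a vendor.
function isGranted(consent, signal) {
  return consent != null && consent[signal] === 'granted';
}

// Split the destination list into those that may receive the event and those
// that must not, recording the missing signals so the decision can be audited.
function routeByConsent(consent) {
  const forward = [];
  const blocked = [];
  for (const dest of DESTINATIONS) {
    const missing = dest.requires.filter((signal) => !isGranted(consent, signal));
    if (missing.length === 0) forward.push(dest.name);
    else blocked.push({ destination: dest.name, missing });
  }
  return { forward, blocked };
}

// Constructed consent states (not real banner output).
const analyticsOnly = {
  analytics_storage: 'granted',
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
};
const fullConsent = {
  analytics_storage: 'granted',
  ad_storage: 'granted',
  ad_user_data: 'granted',
  ad_personalization: 'granted',
};

console.log(routeByConsent(analyticsOnly));
console.log(routeByConsent(fullConsent));
console.log(routeByConsent(undefined)); // no consent state at all: nothing is forwarded
```

The point of the fail-closed default is that a missing or unexpected consent value (a request that bypassed the banner, a client bug sending a boolean instead of 'granted') results in no forwarding rather than full forwarding; the blocked list gives you something to log so you can detect misconfigured clients.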


Data storage

Data storage is also an important factor. How long will the data be stored? GA4 has made many strides here as well. For example, you can prevent data from being shared with other Google products. It is crucial that personal data is stored within the EU. This is the case with Google Analytics. Through Server-side Tracking, we ensure that personal data is filtered out beforehand, so it is never sent to Google Analytics at all. This way you can use it within the guidelines of the GDPR.

TAGGRS owns a worldwide server infrastructure, so data can be securely stored and processed within your own country.

Processing data

Finally, you need to sign a processing agreement with the party receiving the data. In the case of GA4, you sign for this when you create an account.

Impact of GDPR on data tracking

A specific example of the impact of privacy laws on server-side tagging is the ban by some governments on the use of Google Analytics. Because Google Analytics collects data on the behavior of website visitors, this can lead to privacy concerns. Therefore, certain governments have decided to ban Google Analytics on government websites to protect citizens' privacy.

There are many countries that feel Google Analytics is not compliant with GDPR legislation. This development highlights the growing importance of privacy and data protection in the digital world, and at the same time, it shows the need for alternatives such as Server Side Tagging.

Here you can find a list of countries that think Google Analytics is illegal.

How does Server Side GTM help with GDPR compliance?

If you work with third-party cookies, you know that control over your data can sometimes be difficult. With Server GTM, you can solve this problem and better manage what happens to your data. Below we discuss how.

Control over third-party data

Working with third-party web tracking scripts doesn't always mean you know what data is being collected. With Server GTM, you can manage this more precisely. For example, if you want to set up server-side tagging for Facebook, you can use server tags to specify exactly what info goes to Facebook. This limits what Facebook can see.

Safely handling sensitive info and PII

It is against the policy of platforms like Google and Facebook to send personally identifiable information (PII). Server GTM helps you deal with this. You can remove PII such as IP addresses before it goes to external platforms, or you can hash the info.

Data Management Solutions

  • Hashing of User Data: Different platforms have their own standards for hashing. For example, Google Analytics uses SHA256, as does Facebook.
  • Use a Fake GA4 ID: Some people use a real Google Analytics 4 ID for event tracking, and a fake GA4 ID to send data to the server container.

Server GTM also allows you to modify website URLs before sending them to an external party. This is useful if, for example, you have sensitive information in your URLs that should not be shared.

Is Server-side the future?

Given the increasing emphasis on data privacy and the GDPR, server-side tagging seems to be more than a trend. It allows companies to refine data collection while ensuring better compliance with privacy laws. Some countries already prohibit the use of certain third-party tracking tools, further reinforcing the need for server side tracking solutions.

There is also a shift from third-party to first-party cookies due to greater emphasis on user privacy. Server-side tagging provides an additional solution here by filtering and hashing sensitive data before sending it to external parties.

All in all, server-side tagging is more than a passing trend; it seems to be the future. With an increasing focus on GDPR compliance and data integrity, server-side tagging offers a path to both compliance and detailed data analysis.

TAGGRS offers Server-side Tracking hosting that allows you to continue to collect data online while being GDPR compliant.

Frequently asked questions

Server-side tracking can be GDPR compliant when paired with user consent. While it offers more control over data collection and processing, your organization must still collect explicit user consent before processing any personal data, provide transparency, and comply with all GDPR requirements. If you're using TAGGRS server-side tracking, check our documentation about User Consent to make your business GDPR-proof.

Google Tag Manager can be GDPR compliant if it is correctly set up to collect and process personal data only with consent, using Consent Mode.

Server-side Tracking is 100% legal provided it complies with GDPR rules. It requires transparency and user consent for the collection and processing of personal data.

Server-side Tracking allows you to filter, anonymize, or exclude personal information (such as IP addresses or client IDs) before sharing data with third parties, helping to reduce privacy risks and comply with GDPR.

Server-side Tracking does not eliminate the use of cookies. You still need to manage both cookies and consent banners, in compliance with GDPR and the ePrivacy Directive, to inform users and obtain their permission.

The main privacy compliance requirements for server-side tracking are:

  • Obtaining clear and informed consent from users before collecting or processing any personal data.
  • Ensuring secure storage and processing of all collected data.
  • Providing a transparent privacy policy that details the methods used for data collection and processing.
  • Respecting users' rights, including the right to data deletion (the Right to Erasure, Article 17 of the GDPR).
  • Having data processing agreements in place with any third parties involved in handling the data.