Google Tag Manager Server Side: the privacy-friendly data tracking

Online data profiling has entered a period of profound change, brought about by regulatory variations and new perceptions in public awareness.

Consider, for example:

• Browsers are moving towards decommissioning third-party cookies (Firefox in 2019, Safari in 2020, Chrome in 2023), losing the ability to identify cross platform users and thus showing advertisements in line with individual user preferences.
• The public is becoming more and more concerned about online privacy. 
• Users can now use softwares such as AdBlocker or native browser tools to block profiling, or even refuse to download cookies used to track their behaviour.

On June 23rd 2022, the Italian Data Protection Authority ruled that the transfer of personal data to the United States did not comply with the European GDPR Regulation. The authority pointed out that websites using Google Analytics are able to record user data such as IP address, operating system, browser, suggested language, date and time of visit. An IP address remains a piece of personal data even when cut off, as Google is always able to complete it with other data.

Unfortunately, as it turned out, such anonymization occurs when the data is already processed in the United States and stored on Google's servers. 

From this point of view, the US does not appear to be compliant with GDPR requirements (Art. 45 EU 2016/679): sure enough, post 9/11 US Governmental Agencies have access to big tech companies’ data and, consequently, to the personal data of millions of European users.

All data collected by Google services is stored in the US, confirmed Google. The issue, then, is the totally inadequate protection of personal data and privacy offered by non-EU jurisdictions, 'potentially' turning all tools operating in a similar way illegitimate.

On June 9th 2022, the Italian Data Protection Authority ruled that a certain implementation of Google Universal Analytics (GA3) on a website was unlawful, as the website in question transmitted data to Google servers in the United States.

Google Analytics 4 is the version of the well-known data analysis platform that provides greater guarantees with regards to privacy:

• On this version, the user's IP address is no longer recorded or stored, making anonymization  superficial
• Account managers can now customise the kind of data they wish to process (e.g. browser version, city, age, gender, screen resolution...)

Since GA3 is not GDPR compliant then, is anyone okay by installing GA4? Unfortunately, not. The issue here is not what version of Google Analytics one can use, but the fact that any of the versions would transfer user data outside Europe and to the US.

So far, Google Tag Manager has been used as a client-side tool. As to say, as a mode of loading onto a website the entire container prepared in GTM. We therefore have a contact line between GTM and the respective services:
each tag must add javascript libraries in order to implement the calls, resulting in:

• A slower performance
• A termination of direct control over the data collected
• The enabling of external services to take direct action on our site

The server-side tracking mode maintains a client-side GTM container. Furthermore, one needs to perform a transfer through a cloud with a first-party domain, in which the server-side GTM container is allocated.

Server-side data tracking involves a tag sending data from the client to the web server (which plays the role of a proxy), then the server forwards that data to the destination server. By using a first-party subdomain it is possible to install proprietary cookies that expand the lifetime of the cookies (as opposed to the very restricted one granted by browsers), and the attribution of sales to the correct channels that generated them.

Eliminating third-party cookies reduces the required loading time (resulting in better core web vitals) and improves the user experience.

GTM server-side is a very convenient approach: third-party javascript files are replaced by a consolidated event stream, resulting in improved performance. The advantages of this approach include:

• GDPR compliance (greater control over data sent to third-party providers, while cleaning or adding information)
• Easier control over personal data (and how to avoid its collection)
• Increased security (third-party scripts are no longer loaded on the device nor the browser)
• A reduction in loss of information due to Adblock or other browser tracking tools
• Faster web page loading speed (and consequently, better search engine rankings)
• A cookie expiry extension on Safari (lesser cookie restrictions on IOS users via container in first-party server)
• Increased return on advertising investment
• Lesser spam visits by hiding the GA tracking ID and Facebook Pixel
• Increased security in data handling and storage

• Certain maintenance costs depending on the website’s traffic volume (like Google Cloud Platform). This is not the case for we-go, which can rely on a proprietary server and thus bears certain costs for the service.
• Specific know-how required to implement the server-side container in a first-party domain

• Configuration of server-side hosts
• Configuration of tracking subdomains
• Installation of preview and production environments for Google Tag Manager SST
• HTTPS certificate configuration
• GTM server container activation 
• Configuration of tags and clients for request forwarding
• WEB container configuration for GTM
• Script installation and prior consent configuration via Cookiebot for client-side scripts
• Verification and testing of implemented configuration with possible debugging of sent test events

If something about this process is not clear... don't beat yourself up! To be implemented correctly, this configuration requires specific technical skills and means unavailable to most.
If you would like to learn more about this topic or request services for the implementation of GTM server-side monitoring, contact us now, our we-go experts are at your disposal!