we-go | loading
16.12.2022

Google Tag Manager Server Side

Ilario Gobbi
Ilario Gobbi
SEO Specialist

6 min reading

The online privacy topic has entered a period of great turmoil and professions related to the analysis of web activity data will experience changes of equal magnitude.

The whole system is moving towards a cookieless approach, a clear change of course from current practices. Sure enough, up until now, organizations relied on third-party cookies to define users' browsing habits.

Goodbye cookies… goodbye profiling?

Online data profiling has entered a period of profound change, brought about by regulatory variations and new perceptions in public awareness.

Consider, for example:

* Browsers are moving towards decommissioning third-party cookies (Firefox in 2019, Safari in 2020, Chrome in 2023), losing the ability to identify cross platform users and thus showing advertisements in line with individual user preferences.
* The public is becoming more and more concerned about online privacy. 
* Users can now use softwares such as AdBlocker or native browser tools to block profiling, or even refuse to download cookies used to track their behaviour.

In such a context, it is now increasingly difficult to understand which tool influenced a user conversion. At the same time, identifying the channels on which a budget should be invested on is equally troublesome.

 According to figures gathered from our clients' websites, on average, only 32% of users consent to the processing of their personal data for marketing purposes with the cookie policy banner.

Is Google Analytics GDPR Compliant?

On June 23rd 2022, the Italian Data Protection Authority ruled that the transfer of personal data to the United States did not comply with the European GDPR Regulation. The authority pointed out that websites using Google Analytics are able to record user data such as IP address, operating system, browser, suggested language, date and time of visit. An IP address remains a piece of personal data even when cut off, as Google is always able to complete it with other data.

In the end, Google Analytics per se is not the problem: it is the way Universal Analytics (the third version of the tool) sends sensitive data to the United States. Many thought GA’s native anonymization function was enough to protect user privacy by hiding the IP address.

Unfortunately, as it turned out, such anonymization occurs when the data is already processed in the United States and stored on Google's servers. 

From this point of view, the US does not appear to be compliant with GDPR requirements (Art. 45 EU 2016/679): sure enough, post 9/11 US Governmental Agencies have access to big tech companies’ data and, consequently, to the personal data of millions of European users.

All data collected by Google services is stored in the US, confirmed Google. The issue, then, is the totally inadequate protection of personal data and privacy offered by non-EU jurisdictions, 'potentially' turning all tools operating in a similar way illegitimate.

Google Analytics' non-compliant data tracking system is only the tip of the iceberg.

Soon, the issue will reach many giants of the web such as Meta, LinkedIn, Hubsto, Magento…

For example, the Italian Data Protection Authority recently commented on the data transfer methods used by Caffeina Media SRL. The company declared it had not activated the anonymization function of the user's IP, ending up getting admonished by the Authority for 

for violation of data protection regulations.

Google Analytics 4 is safe enough… right?

On June 9th 2022, the Italian Data Protection Authority ruled that a certain implementation of Google Universal Analytics (GA3) on a website was unlawful, as the website in question transmitted data to Google servers in the United States.

Google Analytics 4 is the version of the well-known data analysis platform that provides greater guarantees with regards to privacy:

* On this version, the user's IP address is no longer recorded or stored, making anonymization  superficial
* Account managers can now customise the kind of data they wish to process (e.g. browser version, city, age, gender, screen resolution...)

Since GA3 is not GDPR compliant then, is anyone okay by installing GA4? Unfortunately, not. The issue here is not what version of Google Analytics one can use, but the fact that any of the versions would transfer user data outside Europe and to the US.

Google Tag Manager client side: an outdated approach

So far, Google Tag Manager has been used as a client-side tool. As to say, as a mode of loading onto a website the entire container prepared in GTM. We therefore have a contact line between GTM and the respective services:
each tag must add javascript libraries in order to implement the calls, resulting in:

* A slower performance
* A termination of direct control over the data collected
* The enabling of external services to take direct action on our site

However, this process, although widely used, is not ideal. Client-side tracking offers only partial control over the data collected from users by tracking pixels.

Server-side tracking, on the other hand, prevents third-party services from acquiring users' personal data, thus complying with the obligations imposed by the GDPR.

Let us see how the latter works and how to implement it.

Server-side GTM tracking: how it works

The server-side tracking mode maintains a client-side GTM container. Furthermore, one needs to perform a transfer through a cloud with a first-party domain, in which the server-side GTM container is allocated.

Server-side data tracking involves a tag sending data from the client to the web server (which plays the role of a proxy), then the server forwards that data to the destination server. By using a first-party subdomain it is possible to install proprietary cookies that expand the lifetime of the cookies (as opposed to the very restricted one granted by browsers), and the attribution of sales to the correct channels that generated them.

Eliminating third-party cookies reduces the required loading time (resulting in better core web vitals) and improves the user experience.

Server-side GTM tracking: the pros

GTM server-side is a very convenient approach: third-party javascript files are replaced by a consolidated event stream, resulting in improved performance. The advantages of this approach include:

* GDPR compliance (greater control over data sent to third-party providers, while cleaning or adding information)
* Easier control over personal data (and how to avoid its collection)
* Increased security (third-party scripts are no longer loaded on the device nor the browser)
* A reduction in loss of information due to Adblock or other browser tracking tools
* Faster web page loading speed (and consequently, better search engine rankings)
* A cookie expiry extension on Safari (lesser cookie restrictions on IOS users via container in first-party server)
* Increased return on advertising investment
* Lesser spam visits by hiding the GA tracking ID and Facebook Pixel
* Increased security in data handling and storage

Of course, if it were so easy to implement, everyone would pick it. So what are the main cons of resorting to server side tracking with Google Tag Manager?

Server-side GTM tracking: the cons

* Certain maintenance costs depending on the website’s traffic volume (like Google Cloud Platform). This is not the case for we-go, which can rely on a proprietary server and thus bears certain costs for the service.
*  Specific know-how required to implement the server-side container in a first-party domain
*  Specific know-how required to implement the server-side container in a first-party domain

Server-side GTM monitoring: the steps

* Configuration of server-side hosts
* Configuration of tracking subdomains
* Installation of preview and production environments for Google Tag Manager SST
* HTTPS certificate configuration
* GTM server container activation 
* Configuration of tags and clients for request forwarding
* WEB container configuration for GTM
* Script installation and prior consent configuration via Cookiebot for client-side scripts
* Verification and testing of implemented configuration with possible debugging of sent test events

If something about this process is not clear... don't beat yourself up! To be implemented correctly, this configuration requires specific technical skills and means unavailable to most.
If you would like to learn more about this topic or request services for the implementation of GTM server-side monitoring, contact us now, our we-go experts are at your disposal!