The challenge of GDPR compliance with Google Analytics 4 and data transfers
Online business today is increasingly global, which creates complexity for data privacy compliance. Customers or website visitors can come from anywhere, requiring companies to meet compliance responsibilities from a variety of data privacy laws. Partners and vendors can also be located around the world, which can mean that data needs to be transferred internationally.
Under many regulations, particularly the European Union’s General Data Protection Regulation (GDPR), user data cannot be transferred outside the regulation’s jurisdiction (e.g. the EU) unless there is an adequacy agreement with the country it is going to, which guarantees a sufficient level of data protection.
The European Union and United States have been without such an adequacy agreement since the previous Privacy Shield was struck down in 2020. This presents challenges for many companies, particularly in the EU, as some of the most widely used tools and technologies for running businesses online come from US-based companies like Google. The two entities are working toward a new agreement, but finalizing it will take some time.
Relatedly, in 2022 there have been a number of rulings in the EU that highlight data protection authorities’ concerns with Google Analytics and data transfers in light of this lack of adequacy agreement. Learn more: Google Analytics and GDPR compliance rulings in the European Union.
Until a new Privacy Shield is established, how can companies continue to protect data and privacy and remain GDPR-compliant while using the tools and systems they rely on? This article will explain how to use server-side tagging with Google Analytics 4 as a solution to help with GDPR-compliant data transfers.
How Server-side tagging can provide a solution to GDPR compliance and GA4 data transfers
What is server-side tagging?
Server-side tagging is part of the evolution of data strategy, away from the need for third-party data, which is often of lower quality and can present issues with user consent. But while third-party cookies (a major source of third-party data) will be going away, companies still need ways to identify customers and users, as well as integrate with and share data with partners across channels in secure ways.
It enables you as the customer to decide what data is sent and which servers can access the data, but is also influential over the platforms with access to the data. For example, user consent can be one kind of data collected and disseminated through this system to influence additional systems, like allowing only certain cookies to be activated or removing sensitive data before sharing it with third-party vendors like Google.
With investment in server-side tagging, companies can gain better data insights again, leading to more informed ad spend and customer insights. Increasing legal restrictions as well as technical restrictions due to intelligent tracking prevention technologies that are included in modern web browsers have led to data loss and decreased ad spend ROI. SST can help to reverse that. It also enables better automation and integration with technologies like customer data platforms or data warehouses, and a single source of data for legal audits.
Additionally, server-side tagging can help solve a range of other issues, including:
- self-hosting tag management systems to negates legal restrictions
- limited control over and ability to audit script behaviors
- less robust security due to greater access to systems and data by third parties
- consistent and better data quality instead of choppy overviews of customers due to disparate data sources
How does server-side tagging work?
Server-side tagging moves tag use from the client side, i.e. the browser, to a separate tagging server. A tag or pixel in use on the client side (browser) sends data to a tagging server, which passes it to a destination service provider (vendor) like Google, Facebook, etc. The recipients can be analytics providers, marketing technology partners, own databases and more, but access to the data is more controlled because there is one stream of data relayed through a central system, directed by the customer’s setup.
We will be focusing on using Google Analytics 4 to transfer data from the browser to the server-side tag manager. Note that there are also other ways to do this, including custom scripts or third-party tools.
How to set up Google Analytics 4 with server-side tagging for GDPR-compliant data transfers
In order to prevent any personally identifiable information (PII) being sent to or stored in unwanted third countries at any point, the tagging server should be hosted within the EU. This can be in the Google Cloud; on another cloud provider; or on-premise in a self-managed, non-cloud environment, depending on decisions by your data protection officer.
Once your EU server is successfully set up, make sure to respect consents server-side and only process data when the respective consent was provided by the user. (Learn more: How to implement server-side conversion tracking with Google Ads and Usercentrics CMP)
In terms of a compliant data transfer, you can also omit all data you do not want to provide to third parties like Google, such as the IP address, before sending it to vendors or manipulating or pseudonymizing the data, e.g. omitting only parts of the IP address to keep geo-information. It’s also possible to enrich the data with additional information that is not available through client-side tracking.
DWC Consult is a long-time Usercentrics partner. They’ve developed extensive experience with both the Usercentrics CMP and server-side tagging, and particularly with Google tools like GTM, GA4, BigQuery and the Google Cloud. Because these projects and custom clients on the server-side tag manager are often quite unique, engaging a partner to assist can be very useful.
DWC can help you to understand what data should be collected and analyze data protection requests. If needed, they can also take care of the complete setup, including the development of custom clients or the technical setup in the Google Cloud.
Additional advantages to using server-side tagging with Google Analytics 4
The use of server-side tagging with Google Analytics 4 enables the circumvention of (intelligent) browser tracking prevention (ITP), as data collection and processing depend on the server and not the client. More specifically, cookies can be set server-side, preventing the shortening of HTTP cookie lifetimes or the complete deletion of these cookies caused by ITP in Safari, which enormously affects tracking and accuracy.
We recommend reading: How to implement server-side conversion tracking with Google Ads and Usercentrics CMP
Companies still rely on data-centric tools, like Google Analytics, even as the wait for a replacement to the Privacy Shield continues. Companies need data, but also have data privacy responsibilities with regulations like the GDPR.
Server-side tagging can be a decisive benefit in evolving data strategy. It provides organizations with greater control over their data, improved security, and helps prevent data from being sent to unwanted third parties. It can help improve website performance and user experience by integrating consent management to respect users’ privacy choices and communicate them to connected systems. This also helps companies achieve and maintain privacy compliance. Server-side tagging also helps maintain higher data levels by circumventing intelligent tracking prevention (ITP) and adblockers.
Using server-side tagging with Google Analytics 4 enables companies to get more from the tools they’re using, and provides a viable strategy to manage data transfers in the EU. A specialized setup with a custom client can enable enrichment of analytics data as well.
For individual setups, Usercentrics collaborates with experienced partners like DWC, who use their knowledge of server-side tagging, Google Analytics and our CMP to provide the best possible advice and to raise customers’ tracking capabilities to the next level.
Contact our experts to learn how you can implement server-side tagging for your business.