Navigating the complexities of GDPR compliance can be challenging, especially when managing cookies and tracking tools on your website. Google Tag Manager (GTM) provides a streamlined solution for handling various marketing and analytics tags. However, ensuring it aligns with stringent data protection laws requires careful setup and management.
We’ll explore how to use GTM effectively while staying compliant with global privacy regulations like the GDPR. We’ll discuss the role of Google Consent Mode, the importance of a consent management platform, and practical steps for configuring GTM to respect user consent.
Whether you’re new to GTM or looking to optimize your current setup, this guide will help you balance data collection needs with user privacy rights.
What is Google Tag Manager?
At its core, Google Tag Manager (GTM) is like a control center for your website’s tracking and marketing tools.
Google Tag Manager is a free tool that enables companies to manage and deploy marketing and analytics tags on their websites or mobile apps without modifying the code. It acts as a centralized system where one can add, edit, and manage various tracking codes and snippets, known as “tags,” from a web-based interface.
Imagine you’re running an ecommerce website and want to track user interactions, analyze traffic sources, and measure conversions. Instead of manually adding separate code snippets for Google Analytics, Google Ads, Facebook Pixel, and other tools directly to your website’s code, you would add a single GTM container code to your site.
Then, using the GTM interface, you can set up and manage all these different tags, defining when and where they should fire based on specific triggers, like page views, button clicks, or form submissions. This approach simplifies tag management, reduces the risk of errors, and enables marketers to make changes quickly without having to constantly rely on web developers to modify the site’s code.
In GTM, there are tags and triggers. Tags are the actual snippets of code you want to run on your site, while triggers determine when these tags should fire. For example, you might set up a Google Analytics tag to track pageviews, with a trigger that fires on all pages. You could also have a conversion tracking tag for Google Ads, with a trigger that only fires when a user reaches the “Thank You” page after completing a purchase.
Does Google Tag Manager use cookies?
The Google Tag Manager code does not use cookies. The one exception is when using GTM’s Preview and Debug mode, where it sets several first-party cookies essential for the preview functionality. These cookies are only set for administrators using the Preview mode and are deleted once you exit it.
While GTM doesn’t use cookies itself, it can be used to implement tags from other tools, like Google Analytics, that do set and use cookies. These third-party tools implemented via GTM are likely to store cookies and process personal information.
Therefore, the tags you implement through GTM may set and use cookies. This is why it’s vital to have proper Google Tag Manager cookie consent mechanisms in place, especially for compliance with privacy regulations like the General Data Protection Regulation (GDPR).
Google Tag Manager and cookie consent
Google Tag Manager doesn’t directly require cookie consent because it doesn’t set cookies, and so doesn’t collect personal information.
However, some tags added through Google Tag Manager may use cookies to track how users interact with a website. For example, Google Analytics uses cookies to collect information about user behavior, such as pages visited, time spent on site, and conversion actions.
Thus, obtaining Google Tag Manager cookie consent is a best practice and potentially necessary to meet GDPR and CPRA regulatory requirements. However, this depends on your marketing tools setup and operations.
Is Google Tag Manager GDPR-compliant?
Google Tag Manager itself is not inherently GDPR-compliant or non-compliant. Its compliance status depends on how it’s used and configured.
By default, GTM does not set cookies or collect personal data on its own. However, it’s commonly used to implement tags from other services, like Google Analytics or advertising pixels, that use cookies and collect personal data. These third-party tags implemented through GTM may require consent under the GDPR.
To use GTM in a GDPR-compliant manner, website owners need to take several steps:
- audit all tags to be up-to-date on what they are for, what data collection they may trigger, and ensure they are necessary for business operations
- enable restricted data processing for certain types of personal data
- install a consent management platform (CMP) to obtain and manage user consent
- configure tags to only fire after obtaining user consent
- avoid collecting Personally Identifiable Information (PII) where possible
GDPR data processing using Google Tag Manager
Google Tag Manager (GTM) can play a crucial role in GDPR compliance for websites that use it to manage tracking and marketing tags. As it often deploys scripts and tags that collect personal data. Thus, website owners must ensure that tags implemented through GTM only fire after obtaining proper user consent, in line with GDPR requirements. Under the regulation, website owners are responsible for ensuring that all data processing activities, including those facilitated by GTM, comply with GDPR stipulations.
One key aspect of GDPR compliance in GTM is data minimization. This involves carefully auditing all tags and scripts deployed through GTM to ensure they only collect necessary data. Website owners should regularly review their GTM container to remove any redundant or excessive data collection points.
Another important consideration is the principle of purpose limitation. Each tag in GTM should have a clear, documented purpose for data collection. This documentation can be maintained within GTM using notes and descriptions for tags and triggers, creating an audit trail demonstrating GDPR compliance efforts.
Navigating consent management with Google Tag Manager
To address privacy regulations like the GDPR and CCPA, GTM offers a Consent Mode framework that enables website owners to adjust tag behavior based on user consent status.
The Consent Mode in GTM supports various consent types for different data collection purposes, such as advertising, analytics, and personalization. Website owners can create Consent Initialization triggers to ensure consent settings are applied before other tags fire. Individual tags can also be configured with specific consent requirements, enabling granular control over data collection practices.
In addition, GTM integrates well with leading consent management platforms, making it easier to implement comprehensive consent solutions.
By leveraging these tools, website owners can ensure their data collection practices comply with global privacy regulations while still gathering valuable insights.
Google Tag Manager and Google Consent Mode
Google Tag Manager and Google Consent Mode work together to help websites manage user consent and comply with privacy laws like the GDPR. Google Consent Mode adjusts Google tags based on user consent status. When used with GTM, it enables precise control over when tags fire and how data is collected.
With this setup, website owners can set default consent states for purposes like analytics, ad storage, and personalization. Tags are configured to respect these consent states, running fully, partially, or not at all based on user choices. This allows data collection to continue in a privacy-respecting manner even if full consent isn’t given.
GTM simplifies implementing Consent Mode by offering built-in variables and triggers for consent management. Website owners can create conditions for tag firing, ensuring tags only execute with the proper consent. This integration helps maintain compliance with privacy laws and improves user experience by respecting privacy preferences while still gathering necessary data.
The consequences of GDPR noncompliance when using Google Tag Manager
Noncompliance with the GDPR when using Google Tag Manager can have severe consequences for businesses.
The penalties for violations can be substantial, with fines of up to EUR 20 million or 4 percent of global annual revenue, whichever is higher, for repeat or particularly serious violations.
Beyond the financial impact, companies can suffer significant reputational damage as customers become increasingly aware of and concerned about their data privacy rights. A breach or misuse of personal data can lead to negative publicity, loss of consumer trust, and a subsequent decline in sales and customer acquisition.
Lastly, non-compliant companies may face legal action from affected parties in jurisdictions that allow it, resulting in costly and time-consuming legal proceedings.
How a consent management platform can help with GTM GDPR cookie consent
A consent management platform is helpful for organizations using Google Tag Manager to comply with the GDPR for cookie consent. These platforms help websites collect, manage, store, and signal user consent (e.g., with Google Consent Mode) as required by data protection laws.
Integrating a CMP like Usercentrics’ with GTM makes it easier to obtain legally compliant cookie consent through features like customizable banners, an extensive data processing services database, and multi-language support. This helps to ensure transparent consent collection and enables users to easily modify or withdraw their consent.
Usercentrics CMP also tracks and records consent preferences, providing a centralized repository that can be used to demonstrate compliance in the case of a regulatory audit or if a user requests a copy of their personal data, including consent history.
By automating consent management for GTM, CMPs help businesses meet GDPR requirements and build user trust by giving individuals greater control over their data.
Usercentrics CMP and Google Tag Manager cookie consent
Usercentrics understands how important data privacy is to both your business and your customers. That’s why our solution can help you obtain and manage user consent effectively within Google Tag Manager.
Usercentrics CMP integrates seamlessly with GTM using a data layer variable, enabling smooth communication between your GTM settings and the CMP. This integration allows for automated tag management, ensuring that only tags corresponding to consented purposes are fired, respecting user privacy preferences.
Usercentrics also generates customizable consent banners that can be easily implemented through GTM, enabling users to provide granular consent for different types of cookies and data processing purposes.
What comes after third-party cookies?
As we wave goodbye to third-party cookies, businesses are facing a big shake-up. Website operators need a new way to identify users, learn about their activities, and share data with partners in a way that’s privacy-compliant and not browser-dependent.
Server-side tagging (SST) is a part of this next evolutionary leap forward. It’s a sophisticated and privacy-focused solution that’s gaining momentum as a way to help companies collect online data.
What is server-side tagging?
Server-side tagging is a different approach to tracking data. Instead of relying on third-party services like Google or HubSpot, you shift control to your company. Using server-side tagging, both your website and your users’ data are hosted on a secure, centralized server, giving you more control and protection over users’ personal data, as required by data privacy regulations.
Server-side tags act as a centralized, protective buffer between your users and third-party vendors seeking to track data. Therefore, third parties do not have direct access to data collection from websites, including users’ personal data. This helps ensure better control and security.
Google Tag Manager server-side tagging
Google Tag Manager’s (GTM) server-side tagging is a powerful tool that enables website operators to manage tags, triggers, and variables on a server instead of the user’s browser. It’s a popular and widely adopted solution among marketers and developers because of its ease of use.
GTM’s server-side tagging shifts tag management from the user’s browser to a server managed by your company, offering benefits like improved website performance, better data quality control, and enhanced privacy compliance. It’s ideal for companies needing more data control and better website performance, especially those handling sensitive data or prioritizing privacy compliance.
What is server-side tracking?
Although server-side tracking and tagging both use a server for data management, the two concepts shouldn’t be confused. Server-side tagging refers to the implementation of tracking tags on the server side.
Server-side tracking refers to gathering data straight from the server instead of solely depending on the client’s browser. This method boosts data accuracy, lessens the workload on the client’s side, and can enhance your website’s performance.
Google Analytics server-side tracking
Google Analytics is a popular tool for server-side tracking because it’s user-friendly, integrates with many existing platforms, and has a strong community of users and developers who provide guidance and support.
Google Analytics server-side tracking involves sending data directly from the server to Google Analytics, thus bypassing the user’s browser. Doing so improves your website performance, enhances data privacy, and offers better data quality control.
Client-side tagging vs. Server-side tagging
Both client-side and server-side tagging enable the collection and delivery of data, and each has benefits.
Client-side tagging is the most widely used system. It uses tags and the user’s browser data, which is directly transmitted to one or more servers. Tag management uses this functionality to share data from your website with marketing technology partners. However, there is no centralized control over the data or access to it in this model.
In server-side tagging, data from tags or pixels is sent to your web server. Then, this is forwarded to destination servers, like those used by marketing partners or analytics providers. This method offers centralized control over data access and usage conditions. There is one data stream, which both enables and controls relevant services’ access to the data. It enables granular user consent, allowing some web technologies while blocking others.
Our partner Tealium has an excellent article to learn more: Choosing Between Client-side and Server-side Data Management.
Who is server-side tagging for?
Server-side tagging is best for organizations seeking enhanced data control, improved privacy, and better data quality. For example, organizations dealing with sensitive personal data can use server-side tagging to control and modify data before distributing it to third parties.
Moreover, server-side tagging benefits marketing teams aiming to improve visibility throughout the purchasing cycle and boost conversion rates and return on investment from advertising efforts. This approach offers enhanced control over data collection and distribution, resulting in more precise insights and improved decision-making capabilities.
Lastly, website visitors benefit from improved privacy and security for their data. As once their consent choices are received, it can be better communicated across systems to ensure no data collection or sharing without their consent. Thus boosting trust levels with your website visitors and customers.
Server-side tagging benefits
Implementing server-side tagging benefits multiple parties.
Server-side tagging benefits for businesses
Moving data processing and distribution to the server not only enhances website performance by eliminating the need for heavy third-party technologies and container tags but also provides website administrators with greater control and auditability over shared data with third parties. This shift bolsters website security by limiting access to the website and its data, making it foundational for establishing a corporate data strategy despite the increased costs, such as those for a dedicated web server.
Furthermore, as third-party cookies disappear, small businesses will also benefit from these technologies. Server-side tagging leverages first-party server capabilities to bring tracking closer to website content, preventing ad blockers from blocking content and thwarting Safari’s Intelligent Tracking Prevention (ITP) from shortening HTTP cookie lifetimes or deleting those cookies entirely.
Lastly, marketing teams also see advantages, such as better visibility into the purchasing cycle and improved conversion rates and ROI on advertising.
Server-side tagging benefits for website visitors
Server-side tagging also enhances the privacy and security of your website visitors by ensuring that their consent choices are effectively communicated across systems, preventing unauthorized data collection or sharing. This approach also limits access to and control over collected data, with companies retaining control rather than third-party vendors having direct access. Improved targeting for ads is possible, enabling personalization while preserving privacy.
Although server-side tagging may reduce visibility for users in their browsers regarding data collection and sharing, Usercentrics is collaborating with tagging platforms to restore this visibility. By integrating the Consent Management Platform (CMP), information about data collection and purposes will be extracted and shared with website visitors through the consent banner.
Server-side tagging benefits for third-party vendors
SST provides third-party vendors, such as those offering customer data platforms or data warehouse solutions, with reassurance that granular consent has been obtained from users regarding their data and any associated activities. This reduces the risk of data privacy violations and unauthorized data access since there is more control.
Companies can also develop better communication and shared insights with vendors as the business centralizes its control over website behavior and determines data flow.
How can I implement server-side tagging?
To implement server-side tagging, you will need to work with a tag management system that supports server-side tagging. You will also need to set up a web server or use a cloud-based solution that supports server-side tagging. Once you have these in place, you can start implementing server-side tagging on your website.
Is server-side tagging GDPR-compliant?
The short answer is yes, server-side tagging can be GDPR-compliant. However, you will need to ensure that you obtain granular consent from users for their data and any activities undertaken with it. You will also need to have appropriate data protection measures in place to protect user data.
If you’re using Google Tag Manager server-side tagging, you can pair that with Google Consent Mode to make your tags more GDPR compliant. As it allows websites to communicate a user’s cookie consent choices effectively to Google tags. This mode works by adjusting tag behavior based on the user’s preferences, ensuring that tags respect these choices.
Usercentrics Web & Apps CMP are Google-certified, fully supporting Transparency and Consent Framework (TCF) and Google Consent Mode v2.
It’s worth noting that implementing server-side tags doesn’t automatically make you compliant with the ePrivacy Directive, which is a set of privacy compliance guidelines separate from the GDPR, which complements and expands upon the GDPR’s data protection regulations.
Server-side tagging and cookies
Server-side tagging doesn’t mean you wave goodbye to all cookies. Whether you use Google server-side tagging or another tool, you will still be using cookies. Why? Because cookies are used to monitor user interactions and sustain states, reducing dependence on client-side cookies alone.
Unlike client-side cookies, server-side cookies are managed directly via the server of your choice. Thus offering enhanced flexibility and more control over your data management processes.
So server-side cookies are not a bad thing. They will help you to be more GDPR compliant by providing you with additional control over data handling and user privacy.
Next steps with server-side tagging and privacy-centric marketing
“The end of third-party cookies has been gradual, but is actually happening. Google started phasing out third-party cookies with the goal of deprecating their use completely in the Chrome browser, but delayed it several times and has now cancelled that plan.
However, other major browsers deprecated third-party cookie use some time ago, and we believe that privacy-led marketing is the “”cookieless”” future.”
Fortunately, there are replacement options to obtain the data needed for marketing operations, and they provide several benefits. Server-side tagging is one option to help marketers get the data they need, ensure data privacy compliance, and exercise more control over the data they obtain and process.
A consent management platform and Usercentrics’ Server-side Tagging solution implemented with your tools and tech stack, can help you improve monetization, better control data privacy and access, improve website performance and security, and more.
More user data is generated, collected and processed these days via more platforms than ever before. It might seem counterintuitive that the world is moving away from trying to access as much data as possible however it can be done. Instead, the focus is on higher quality data and more strategic use of it, with the direct involvement of the customers and users who supply it.
What are the issues with third-party data?
Third-party data — which has provided the bulk of data powering marketing, advertising, analytics, and more — and the tools used to collect it, are increasingly becoming yesterday’s solutions and technologies. Certainly because changing data protection regulations make it an ever less-viable strategy, but also because there are simply better options now. The evolution of these data strategies is toward zero- and first-party data, better control and systems integrations, and a greater focus on user consent and privacy. Marketers need to pay attention and act sooner rather than later.
What are the advantages of Server-Side Tagging?
Server-Side Tagging (SST) is a key part of this data strategy and privacy evolution. Companies can expand their integration capabilities across channels — like web, apps, or smart devices — and technologies like data warehouses and customer data platforms (CDP). They also gain more control over cookie usage. As a result, they have access to more consistent data across their customer touchpoints, can improve automation and reduce costs over time.
From a legal perspective, they improve their consent management, have an option for managing adequacy issues like with the Privacy Shield (if relevant), and in the case of audits, there is a single, cohesive source of information.
Whether with client-side or Server-Side Tagging, the key is to collect and deliver data where the company wants it to go. SST creates a single data stream to enable centralized control over data access. With SST, instead of using JavaScript tags, the tag or pixel sends collected data to a first-party tagging server, which then distributes it to various partners or vendors. You decide what servers can access what data. The data itself is also influential, as consent preferences, for example, influence additional systems and platforms that the organization is connected to, controlling cookie usage or preventing some third-parties from accessing more sensitive information.
How Tealium can help with Server-Side Tagging
Tealium is a long-time integration partner of Usercentrics, with extensive experience with both the Usercentrics CMP and Server-Side Tagging. Their Customer Data Platform is a trusted, market-leading solution that connects customer data across online and offline channels to enable businesses to better connect with their customers. They enable powerful, flexible control over marketing technologies and customer data with tag management that puts privacy first.
Tealium EventStream
Tealium EventStream is a data collection and delivery solution that is lightweight and flexible — ideal across platforms. Web, mobile, connected devices and more, anywhere efficiency is critical. Centralize your cloud-based (server-side) data with one central hub. Anyone with assigned control can activate the data that powers better customer experience. (EventStream documentation)
The Usercentrics Extension
With the Usercentrics Extension, Tealium customers get simplified, fully integrated consent-based control over services, including tags and vendor integrations. Map data processing services to specific tags and better integrate tag management and consent management. Then, only with user consent does data get transmitted to third parties. To simplify implementation, setting up the Usercentrics CMP in Tealium iQ Tag Management can be done with the plug-and-play extension.
Implementation guide for EventStream
Prerequisites
For the Tealium SST setup with Usercentrics CMP, some prerequisites are required for implementation:
- Tealium iQ Tag Management fully set up and configured.
- Usercentrics Extension implemented for user consent management on the website.
- Current EventStream setup in combination with the Tealium Collect tag to capture website data.
Note: While the example shown is commonly used, each Server-Side Tagging setup may be unique to individual company needs. The example used in this guide is for educational purposes only and we cannot guarantee completeness or accuracy for individual use cases.
Step 1: Forwarding of Consent
The great thing about the Tealium integration is that forwarding of consent is made as simple and automated as possible, mainly via interactions with the Usercentrics Extension, Collect and EventStream. Once the Usercentrics Extension has been configured in Tealium iQ Tag Management, the data processing services with consent will be automatically added to an array called usercentrics_services_with_consent and included via Collect Tag in each request to EventStream.
Step 2: Respecting Consent in EventStream
The next step is to ensure that only consented data is activated within EventStream. This can be easily achieved by adding a consent condition for your Event Feeds. This only captures events that have the attribute usercentrics_services_with_consent assigned and that contain the respective service for which consent is required. Make sure to use the same names as the data processing services (e.g. “Facebook Pixel”) provided in the Usercentrics Extension and Admin Interface, as the mapping is done via the name of services.
Repeat the process for all your Event Feeds and everything is set up. Users’ consents that are requested on the website get forwarded to EventSteam, ensuring that only consented data is activated.
Summary
In a world where technologies, regulations and user expectations are ever-changing, Server-Side Tagging can be an important tool in evolving your data strategy and marketing operations. Get higher quality data and more control over how it’s used. Negate intelligent tracking prevention (ITP) and adblockers. Improve website performance and user experience. Put privacy first to meet legal responsibilities and respect customers’ consent choices.
As the guide illustrates, Tealium helps make consent forwarding as easy and automated as possible with the Usercentrics integration. Data privacy compliance can be complex, but the partnership helps make consent management seamless. With Tealium iQ Tag Management and EventStram, you have powerful tools at your fingertips to take advantage of Server-Side Tagging and embrace the opportunities of first-party data.
Usercentrics embraces collaborations with experienced partners like Tealium that use their knowledge of both Server-Side Tagging and the CMP to enable systems integrations that meet customers’ goals and enable better use of data.
Contact our experts to learn how you can implement Server-Side Tagging for your business.
The challenge of GDPR compliance with Google Analytics 4 and data transfers
Online business today is increasingly global, which creates complexity for data privacy compliance. Customers or website visitors can come from anywhere, requiring companies to meet compliance responsibilities from a variety of data privacy laws. Partners and vendors can also be located around the world, which can mean that data needs to be transferred internationally.
Under many regulations, particularly the European Union’s General Data Protection Regulation (GDPR), user data cannot be transferred outside the regulation’s jurisdiction (e.g. the EU) unless there is an adequacy agreement with the country it is going to, which guarantees a sufficient level of data protection.
The European Union and United States have been without such an adequacy agreement since the previous Privacy Shield was struck down in 2020. This presents challenges for many companies, particularly in the EU, as some of the most widely used tools and technologies for running businesses online come from US-based companies like Google. The two entities are working toward a new agreement, but finalizing it will take some time.
Relatedly, in 2022 there have been a number of rulings in the EU that highlight data protection authorities’ concerns with Google Analytics and data transfers in light of this lack of adequacy agreement. Learn more: Google Analytics and GDPR compliance rulings in the European Union.
Until a new Privacy Shield is established, how can companies continue to protect data and privacy and remain GDPR-compliant while using the tools and systems they rely on? This article will explain how to use server-side tagging with Google Analytics 4 as a solution to help with GDPR-compliant data transfers.
How Server-side tagging can provide a solution to GDPR compliance and GA4 data transfers
What is server-side tagging?
Server-side tagging is part of the evolution of data strategy, away from the need for third-party data, which is often of lower quality and can present issues with user consent. But while third-party cookies (a major source of third-party data) will be going away, companies still need ways to identify customers and users, as well as integrate with and share data with partners across channels in secure ways.
Server-side tagging moves away from JavaScript tags. Unlike client-side tagging, where data always goes from the user’s browser directly to the (third-party) vendor, data in server-side tagging is only sent to the (first-party) tagging server. From this point, the data can then be distributed to various vendors in a more controlled way.
It enables you as the customer to decide what data is sent and which servers can access the data, but is also influential over the platforms with access to the data. For example, user consent can be one kind of data collected and disseminated through this system to influence additional systems, like allowing only certain cookies to be activated or removing sensitive data before sharing it with third-party vendors like Google.
With investment in server-side tagging, companies can gain better data insights again, leading to more informed ad spend and customer insights. Increasing legal restrictions as well as technical restrictions due to intelligent tracking prevention technologies that are included in modern web browsers have led to data loss and decreased ad spend ROI. SST can help to reverse that. It also enables better automation and integration with technologies like customer data platforms or data warehouses, and a single source of data for legal audits.
Additionally, server-side tagging can help solve a range of other issues, including:
- self-hosting tag management systems to negates legal restrictions
- degraded website performance due to large amounts of javascript, which then leads to a decreased SEO ranking through poor Core Web Vitals
- limited control over and ability to audit script behaviors
- less robust security due to greater access to systems and data by third parties
- consistent and better data quality instead of choppy overviews of customers due to disparate data sources
How does server-side tagging work?
Server-side tagging moves tag use from the client side, i.e. the browser, to a separate tagging server. A tag or pixel in use on the client side (browser) sends data to a tagging server, which passes it to a destination service provider (vendor) like Google, Facebook, etc. The recipients can be analytics providers, marketing technology partners, own databases and more, but access to the data is more controlled because there is one stream of data relayed through a central system, directed by the customer’s setup.
Learn more: Server-side tagging: what it is and how it will impact the future of consent and data
We will be focusing on using Google Analytics 4 to transfer data from the browser to the server-side tag manager. Note that there are also other ways to do this, including custom scripts or third-party tools.
How to set up Google Analytics 4 with server-side tagging for GDPR-compliant data transfers
Server Location
In order to prevent any personally identifiable information (PII) being sent to or stored in unwanted third countries at any point, the tagging server should be hosted within the EU. This can be in the Google Cloud; on another cloud provider; or on-premise in a self-managed, non-cloud environment, depending on decisions by your data protection officer.
Server-side Implementation
Once your EU server is successfully set up, make sure to respect consents server-side and only process data when the respective consent was provided by the user. (Learn more: How to implement server-side conversion tracking with Google Ads and Usercentrics CMP)
Learn why a Google-certified CMP like Usercentrics is essential for serving ads in the EU and EEA.
In terms of a compliant data transfer, you can also omit all data you do not want to provide to third parties like Google, such as the IP address, before sending it to vendors or manipulating or pseudonymizing the data, e.g. omitting only parts of the IP address to keep geo-information. It’s also possible to enrich the data with additional information that is not available through client-side tracking.
DWC Consult is a long-time Usercentrics partner. They’ve developed extensive experience with both the Usercentrics CMP and server-side tagging, and particularly with Google tools like GTM, GA4, BigQuery and the Google Cloud. Because these projects and custom clients on the server-side tag manager are often quite unique, engaging a partner to assist can be very useful.
DWC can help you to understand what data should be collected and analyze data protection requests. If needed, they can also take care of the complete setup, including the development of custom clients or the technical setup in the Google Cloud.
Additional advantages to using server-side tagging with Google Analytics 4
The use of server-side tagging with Google Analytics 4 enables the circumvention of (intelligent) browser tracking prevention (ITP), as data collection and processing depend on the server and not the client. More specifically, cookies can be set server-side, preventing the shortening of HTTP cookie lifetimes or the complete deletion of these cookies caused by ITP in Safari, which enormously affects tracking and accuracy.
We recommend reading: How to implement server-side conversion tracking with Google Ads and Usercentrics CMP
Summary
Companies still rely on data-centric tools, like Google Analytics, even as the wait for a replacement to the Privacy Shield continues. Companies need data, but also have data privacy responsibilities with regulations like the GDPR.
Server-side tagging can be a decisive benefit in evolving data strategy. It provides organizations with greater control over their data, improved security, and helps prevent data from being sent to unwanted third parties. It can help improve website performance and user experience by integrating consent management to respect users’ privacy choices and communicate them to connected systems. This also helps companies achieve and maintain privacy compliance. Server-side tagging also helps maintain higher data levels by circumventing intelligent tracking prevention (ITP) and adblockers.
Using server-side tagging with Google Analytics 4 enables companies to get more from the tools they’re using, and provides a viable strategy to manage data transfers in the EU. A specialized setup with a custom client can enable enrichment of analytics data as well.
For individual setups, Usercentrics collaborates with experienced partners like DWC, who use their knowledge of server-side tagging, Google Analytics and our CMP to provide the best possible advice and to raise customers’ tracking capabilities to the next level.
Contact our experts to learn how you can implement server-side tagging for your business.
Introduction to Server-side Tagging and its advantages
The world is shifting away from third-party tags and data. Increasingly this will require companies to evolve their data strategies to embrace first-party data and a greater focus on user privacy and consent.
Server-side tagging (SST) is a key part of this evolution of data strategy. It enables more control over cookies and can integrate with any channel, like web, apps or smart devices.
This results in more consistent data across customer touchpoints, better automation, reduced costs, improved consent management across platforms, and provides a single source of information for legal audits. SST also integrates with data management technologies like customer data platforms (CDP) and data warehouses and offers an option to handle the Privacy Shield issue.
Like client-side tagging, server-side tagging enables data to be collected and delivered where it’s needed. However, with SST, the tag or pixel sends data to a server, like a web server, which then passes it to a destination server (or servers). There is one data stream enabling and centralizing control of data access for services like marketing technology partners and analytics providers.
Check out the Usercentrics blog post for more information: Server-side tagging: what it is and how it will impact the future of consent and data.
A popular example of the use of server-side tagging is the tracking of conversions in Google Ads. For this purpose, two client-side tags are normally used. One that stores the Google click ID (“gclid”) in a cookie on the user’s device when an advertising campaign is called up, and another one that sends the conversion information directly to Google in the case of a conversion.
The integration of the server tag manager offers several advantages. The data from the user’s browser does not go directly to Google, but first to a dedicated server under an organization’s own control, which helps to bypass adblockers. Also, the cookie that stores the Google click ID can be generated by this tagging server and get transferred to the browser using an HTTP header. That offers several benefits, such as bypassing Safari’s maximum cookie runtime (Intelligent Tracking Prevention or ITP).
In the event that the owned server is hosted by a provider located entirely within the EU, it is possible to configure the server such that no unwanted data is transferred to unsecured third countries, such as the USA (Privacy Shield issue). And lastly, it also reduces the amount of Javascript code that the browser has to download and execute, which in turn leads to improved Core Web Vitals, and with that, better SEO performance.
dwc consult is a long-time Usercentrics partner, and they’ve developed extensive experience with both the Usercentrics CMP and server-side tagging, particularly with Google Tag Manager. They further specialize in CMP implementations that maximize consent rates with constant optimization and adaptation as the legal landscape changes, as well as hybrid tracking strategies.
Learn why a Google-certified CMP like Usercentrics is essential for serving ads in the EU and EEA.
Use case: Implementation process example
Prerequisite for the implementation is a fully set up and configured Google server tag manager with GA4 conversion tracking, as well as a web/client tag manager. Note that while the example shown is commonly used, each server-side tagging setup is unique to individual company needs. This example is for educational purposes only and we cannot guarantee completeness or accuracy for individual use cases.
Step 1: Configuration of GA4 in Client-Side Container
GA4 can be used for the transfer of information about pageviews and conversion. The transfer is also possible with other services, such as Universal Analytics or AT Internet, but for this article we will use GA4.
In order for the tags on the server to only trigger with consent, the current consent status for Google Ads must be sent to the server for the pageview as well as the conversion with the other GA4 data. For this purpose, you can add a parameter to the GA4 tags.
A variable can be defined as a value that reads the current consent from the data layer where it is provided by Usercentrics.
A simple data layer variable with the exact name of the service added in the Usercentrics Admin Interface is sufficient. (Note: variable name is case sensitive.)
This event parameter must be added to all tags relevant for Google Ads Conversion Tracking (e.g. pageviews, conversion).
Step 2: Configuration of the Conversion Linker tag in the Server-Side Container
The Conversion Linker tag, which will store the Google click ID in a cookie, must then be created on the server. There is a template for the tag from Google, which can be used for this:
The Conversion Linker tag should be triggered with every pageview.
As the trigger should only be triggered if consent is given, a variable is needed that can read out the consent status for Google Ads from the GA4 request. The most suitable variable type for this is “Event Data”, which can read the consent status from the event. The name of the parameter defined in the web tag manager must be used as the key path.
Step 3: Configuration of the conversion tracking tag in the Server-Side Container
Another tag is needed to send the conversion to Google Ads. Google also offers a template for this. Conversion ID and conversion label must be configured in the tag settings. Optionally, a conversion value, currency, ecommerce information on product level (e.g. products sold, etc.) as well as customer- or user-provided data can be passed. The configured tag could look like this.
This time, an event with the name of the conversion is defined as the trigger, for example, “purchase” in the case of ecommerce. This trigger should also be restricted by the consent for Google Ads, so the same variable is used as for the Conversion Linker tag.
Review:
You should now have the following tags:
Web-Tag Manager:
- GA4 Pageview (with parameter for Google Ads Consent), triggered on every pageview
- GA4 Conversion (with parameter for Google Ads Consent), triggered on conversion
Server Tag Manager:
- Conversion Linker Tag, triggered on every pageview with consent for Google Ads
- Google Ads Conversion Tracking Tag, triggered on every conversion with consent for Google Ads
Preview mode on the server can be used to check whether the parameters from the GA4 tags arrive successfully on the server and whether the server tags are triggered as planned.
Further possibilities with server-side tagging
This article shows only one of many options that can be implemented with a server tag manager. There are a number of other popular use cases.
Conversion tracking with other advertising networks. Following the same logic, other vendors such as Meta (Facebook), AWIN or Trbo can also be connected to the server tag manager. However, by transferring data on the server side, the amount of Javascript in the web browser remains the same, which leads to improved core web vitals and thus better search engine placement.
(Basic) web tracking without consent / circumventing the Privacy Shield issue. By using a manual server hosted within the EU, personal information can be filtered out so that transmission to a vendor is possible without need for consent. In this way, together with Google Consent Mode, consent-free basic tracking can be made possible with GA4 or Universal Analytics, for example. Additionally, issues relating to the terminated Privacy Shield legal framework can be circumvented, as personal information can be cut off before sending data to the USA.
Usercentrics Web & Apps CMP are Google-certified, fully supporting Transparency and Consent Framework (TCF) and Google Consent Mode v2.
Enrichment of tracking data with additional information: On the server, not only can information be shortened, but also added. Tracking data can be enriched with additional information that is only available on the server side (e.g. customer IDs, technical website environment, etc.).
Tracking of Usercentrics consents in third-party analytics-tools: Usercentrics already offers a variety of analysis options in the CMP’s Admin Interface. However, with the help of a server-side tag manager, additional tracking of interactions can be done in third-party web analytics services.
Summary
In an ever-changing world that is shifting away from third-party data, server-side tagging can be the deciding factor in your data strategy. Server-side tagging provides more control over organizations’ own data and helps circumvent intelligent tracking prevention (ITP) and adblockers. It can also improve website performance and prevent unwanted data from being sent to third countries.
The client-side requests for consent for individual services and transmission to the server environment can be easily implemented with the Usercentrics CMP. By processing the consent on the server tag manager, organizations ensure that they always respect the users’ consent choices and are data compliant. This enables, for example, successful set up of conversion tracking in the server tag manager environment, and benefits from the many advantages of the technology.
Additionally, a specialized setup on a company’s server with a custom client can enable the enrichment of analytics data or preventing sending unwanted data to third countries (e.g. Privacy Shield issue). For individual setups, Usercentrics collaborates with experienced partners such as dwc, who use their knowledge of both server-side tagging and the CMP to provide the best possible advice and to raise customers’ tracking capabilities to the next level.
Contact our experts to learn how you can implement server-side tagging for your business.
For many years, user tracking — as well as gathering and managing user consent — has been an in-browser discipline. Technology and legislation are evolving, and new ways to share different customer data with partners are arising. As a consequence, brands need to consider how to implement a more holistic approach to consent management that also allows for server-to-server data sharing.
Changes in technology and digital marketing environment
The digital marketing landscape is evolving. Besides all of the ongoing changes to company structures, platforms and consumer expectations, we see two major driving factors right now: data privacy legislation and technical changes in the last mile – the end-users’ devices or browsers.
Data privacy legislation
While the General Data Protection Regulation (GDPR) is probably the most well-known privacy law, many other countries have passed their own over the last few years. What’s common across most, if not all, of those is that users are and remain in control of their personal data.
This means that users have to give explicit and informed consent before their data can be processed or shared with any third party. The latter is important as the digital ad economy is all about sharing data to understand visitor behavior, serve the most relevant ads, and measure their reactions.
There are other common data subject rights as part of privacy laws as well, like right to access and right to be forgotten, which we will look at in future articles.
Technical changes to browsers and devices
More and more privacy enhancements are also making their way onto end users’ devices and browsers as well. Apple’s ITP and changes to in-app tracking, Firefox’s Enhanced Tracking Protection, as well as Ad Blocking and private browsing modes on all major browsers are limiting user tracking and attribution today.
Some of those will prevent any reliable identification of the visitor due to (extremely) short cookie lifespan capping. Others will block third-party tags altogether so that advertising partners lose visibility into activities and conversions happening on a site.
With Google Chrome being the most widespread browser, things will get much worse on this front once Chrome completely deprecates third-party cookies, currently announced for no later than 2023. We expect the privacy trend to continue, if not accelerate, and to see more privacy enhancements go live in all major browsers through 2022 and beyond.
The implication of all of these technical changes is twofold:
- companies need to find a new way to identify customers and avoid relying on (third-party) cookies
- companies need to find a way to share this data with their advertising partners that is not reliant (or is less reliant) on users’ browsers
All of that while obviously obtaining and respecting users’ consent choices.
A new way to identify customers
At the highest level, there are two major approaches to identifying users without relying directly on cookies: ID providers and personally identifiable information-based (aka PII-based) identification.
ID providers
A whole new set of ID providers has come to life recently to essentially provide user identification “as a service”. Unified ID 2.0, netID, ID5 and Acxiom are just a few examples. They all use very different approaches to identifying the user, spanning deterministic and probabilistic ways or a combination of both. Some offer additional benefits for their partners, like federated login (SSO), and allowing the user to share some PII, like name or email address, with the site they are visiting.
At this point in time it’s not clear which providers will manage to see widespread adoption, or, quite frankly, which ones will still be there in three years time.
PII-based identification
Identifying users based on personally identifiable information (PII) like email addresses is probably the safest bet for the future, although it comes with its own set of challenges and compliance requirements.
The idea is simple: many services across the internet require or strongly encourage the user to be logged in. Think about how you use Facebook, Amazon, YouTube, Pinterest, or Google search. Or, more recently, your favorite publishers and news portals. So if you advertise on those platforms or sites (and most of you will), PII — like an email address — is known at the time an ad is displayed.
On the advertiser or retail side, PII typically becomes known further down the funnel, once a user enters an email address as part of a checkout process. In addition to that, some users will be known or logged in throughout their whole session, which again makes PII available. By matching those email addresses (or phone number or other identifier) with the ones recorded as having seen an ad as per the above, user tracking and attribution becomes available again. Hashing is used with the aim of allowing third parties to match email addresses, but technically prevent them from adding new emails to their databases.
Again, users’ informed consent is required to share personal data, especially PII, with advertising partners. Platforms like Usercentrics help companies to do this in a legally compliant way.
A new way to share customer data with partners
With those solutions for user identification in a post-cookie (third-party) world on the table, advertisers are still relying on the user’s browser and tags to push events, customer identifiers and respective customer data to their advertising partners.
This does not only mean that some data isn’t going through due to browser restrictions, ad blockers, corporate firewalls or just connection problems making attribution more and more inaccurate. It also means that some personal data is shared with those partners without brands being in control of it.
This includes users’ full IP addresses, which includes their approximate location and provider, as well as information about the browser and device they are using. It also includes the full URL of the page that is currently being viewed. Whether that data is processed or even stored by the partner is a different question, but it is being shared in the first place, just because of the way the internet works.
Server-to-server data sharing is solving a lot of those challenges. Instead of relying on a tag in the user’s browser, advertisers and retailers can connect their servers directly with their advertising partners to send relevant events and respective customer identifiers and data.
Benefits include:
- more resilient data sharing with less or no reliance on browsers and other client-side factors (as listed above)
- full control of the types and granularity of data that is being shared with partners
- ability to enrich the data with PII or third-party identifiers (see ID providers above) that are not necessarily available in the frontend
The big players in the market have started to offer APIs for that exact purpose and are encouraging their advertisers to use a hybrid approach. The tag is left in place for now and an additional server-to-server connection is established. This not only enables a soft transition, it also enables incrementality studies, showing advertisers the impact that signal loss already has on their attribution.
In other words, how many additional conversions should be attributed to those platforms and what does this mean for budget allocation and the marketing mix? Examples for those APIs as part of a hybrid setup include Facebook’s Conversion API as well as Google’s Enhanced Conversions. Both aim to make sure that conversion events are captured and shared as those are the most important for attribution, as well as to inform the algorithms of what good prospects look like. The best prospects are those that make a purchase in the end.
Implementing server to server data sharing
While the goal for many of the server-to-server APIs is the same, there is no standard yet in terms of which data is supposed to be transferred, how it is formatted and how to interact with the API (format, authentication, error handling, etc.). Also most of those APIs are quite new and evolving, so there will be changes and enhancements that translate to future maintenance efforts.
Multiply that with the number of advertising partners, social platforms, affiliate networks, etc. that all require at least some form of conversion events to serve their purpose and you have made your IT team busy for the next couple of months.
To increase the complexity further, user consent has to be checked and respected as part of any of the API connections to be made, and this has to be kept in sync with what is happening in the frontend. If the user has not consented to sharing data with a specific platform or broader consent category (like “Social Platforms”) the tags must not be loaded, and at the same time all server-side API calls need to be suppressed. If the user makes changes to the privacy settings, this again has to be updated in the browser, and also for server-side connections.
Data API Hubs to streamline implementation and respect consent
Data API Hubs like Tealium EventStream help brands to streamline those integrations. The idea is that relevant customer data and events are shared with the API Hub only once and then passed on to all partners via standardized and configurable connectors. Brands get full control about what events and data to share with which partners, and what level of detail is supposed to be shared. The API Hub provider also maintains the connectors and with that takes away a lot of the ongoing maintenance effort.
When Usercentrics is used to obtain and manage user consent, an out-of-the-box extension for Tealium makes it easy to respect that consent not only for the tags in the browser (via Tealium’s Tag Management “iQ”), but also for any current and future server-to-server integrations. Apart from saving time, this also reduces the risk of misconfiguration and resulting legal proceedings.
Summary
In the rapidly evolving MarTech environment with a multitude of maturing privacy laws and ongoing major technology changes, brands need to have a strategy in place that is flexible enough to keep pace with those changes, while at the same time enabling marketers to connect with their customers and prospects in a reliable and measurable way.
The well-integrated combination of a CMP like Usercentrics’ and a Data API Hub like Tealium helps to achieve that without requiring a large amount of IT and planning resources. With a living roadmap, both also help ensure that new legal requirements, API changes, and more are built into the offering.
As a result brands get:
- more accurate attribution data to manage their marketing mix, while
- spending less time on integrating with third-party APIs and,
- reducing the risk of not accurately respecting user consent
If you’d like to discuss holistic consent management across tags and server-side measurement for your organization, we’re happy to help. Contact one of our experts!
Usercentrics and Tealium simplify tag management and consent management integration.
Outline (for reference)
- Consent Management getting more and more important
- At the same time the technical landscape is changing (Browser changes, Ad blockers, Privacy Enhancements)
- Server-side measurement adopted more widely to respond to tech changes and send conversion data in a resilient way to Ad and Affiliate Networks and the big Social Platforms.
- Brands need to have a strategy in place to respect user consent in this hybrid client-side and server-side world
- UC helps to capture and manage user consent
- API hubs like Tealium EventStream help to reduce implementation and management efforts for the multitude of integrations required while respecting consent
Outlook / further considerations
Outlook / additional topics we might want to touch on briefly or keep for a 2nd session:
- Handling GDPR subject matter requests and identity in distributed environments
- Adding offline / loyalty data to this while respecting consent
- Improve attribution long term with consented first-party data, especially for returning visitors
- Opt-outs stop fundamental data collection and analytics to impact tools for customer insight and activation.
Author
Tealium is the leader in real-time customer data orchestration solutions and enterprise tag management. As a Usercentrics’ Solution partner, Tealium’s vision is to create a world where businesses unify their data to intelligently engage and delight customers.