Data protection-compliant tracking without consent with GA4

Reading time 14 mins | Written by: Liza Kruse

In an era where the internet and technological innovations are evolving relentlessly, data capture and analysis are increasingly becoming the key for businesses to gain profound insights into user behavior on websites and apps. This continuous digital evolution drives competition and necessitates that companies collect precise data on their target audiences to tailor their marketing strategies effectively. In this context, Google Analytics (GA4) has emerged as an indispensable tool that aids businesses in collecting, analyzing, and deriving strategic insights from user data to launch effective advertising campaigns through Google Ads.

However, technological advancement brings both opportunities and challenges, especially in data tracking and collection. Rising data protection requirements, increasing user awareness of how their data is used, and sophisticated browser mechanisms that complicate data exchange pose complex hurdles for businesses. How can a balance be achieved between necessary data protection measures and the need for comprehensive data analysis?

In our discussion, we explore how user data can be collected in compliance with data protection regulations and without requiring consent, while simultaneously preserving user privacy and security.

Why is tracking without consent (cookies) becoming increasingly important?

In today's digital landscape, data protection laws are becoming increasingly significant, especially in terms of the collection and use of personal data on the Internet. Across various countries, the implementation of a cookie banner (Consent Management Platform, CMP) is mandated by laws such as the General Data Protection Regulation (GDPR). This regulation details how personal data can be collected and used. In Germany, this regulation is supplemented by the Telecommunications Telemedia Data Protection Act (TTDSG), which sets specific requirements for the design of cookie banners to ensure their legal compliance.

Against this legal background, tracking without consent is becoming increasingly important. The reason: data is only shared with Google Analytics (GA4) if users agree to the cookie banner. A refusal means that no data is sent to Google Analytics. The consent rate for the cookie banner therefore becomes a critical factor for the data foundation. In Germany, refusal rates are between 30% and 50%. This implies that companies using Google Analytics could potentially lose over half of their user data. A study by eTracker in 2021 demonstrates how different cookie banner designs can influence consent rates, with GDPR-compliant designs achieving the lowest consent rates. This situation is challenging both for small businesses that rely on every trace of their users' data and for large enterprises that invest significant sums in advertising channels.

Fig.: Comparison of non-privacy-compliant cookie banners vs. privacy-compliant in the EU

The challenges of data collection are further compounded by new browser features designed to prevent tracking, which often block data sharing with third parties like Google Analytics by default, even if users have consented via the cookie banner. This results in an even further reduction of the available data pool. Given these difficulties, tracking without consent is becoming increasingly vital for businesses utilizing Google services. It enables the collection of valuable data despite high rejection rates of cookie banners and the challenges posed by browser tracking prevention mechanisms.

What is cookieless tracking?

To fully grasp the concept of cookieless tracking, it is first necessary to understand the term "cookies." Cookies act as digital records that document users' browsing behavior and personal information such as IP addresses. They enable operators of websites or apps to identify a user and track their activities over an extended period. Generally, there are two types of cookies: third-party cookies and first-party cookies. Both are set and stored in the browser when a user visits a website or app. While third-party cookies are generated by third parties like Google and enable cross-device and cross-platform user tracking, first-party cookies are created directly by the visited website. They contain information solely about that domain and enable only the recognition of the user within that specific site.

Cookieless tracking, on the other hand, is a method of data collection that does not rely on cookies. Various technologies are employed for cookieless tracking, all sharing the common goal of capturing visitors to a website or app without the use of first- or third-party cookies. By forgoing cookies, cookieless tracking circumvents the obstacles associated with cookie consent and opens new avenues for tracking user data in ways that potentially better protect user privacy. However, it is important to emphasize that not all of these methods are necessarily compliant with data protection regulations!

Why you should think about cookieless tracking

The central idea behind the consideration of switching to cookieless tracking is based on the realization that effective marketing strategies do not necessarily require personal data. Instead, data about user behavior on a website or in an app, how visitors interact with the content offered, provides valuable insights. It is often more meaningful to analyze how a visitor navigates a website, which pages are visited, what content is clicked on, the intensity of scrolling, and at what point the visit is terminated, rather than knowing the actual name or IP address of the user.

In addition to the challenges already mentioned, such as data protection laws, increasing user privacy awareness, high rejection rates of cookie banners, and the privacy-protecting technologies of modern browsers, further difficulties arise. A particularly controversial issue is the transfer of personal data to third countries, such as the USA, by services like Google. This becomes problematic when there is no adequacy decision by the European Commission for these countries, guaranteeing a level of protection equivalent to that required by the GDPR. The original Privacy Shield agreement of 2016, which allowed data exchange between the EU and the USA based on an adequate level of protection, was invalidated in 2020 by the Schrems II ruling of the European Court of Justice. Although a new agreement, the Data Privacy Framework, now facilitates data exchange between the EU and the USA, questions about the permanence of such agreements remain, given their frequent changes.

What are the benefits of cookieless tracking?

The concept of cookieless tracking offers several significant advantages, making it an attractive option in today's increasingly privacy-conscious world. A key benefit is that it eliminates the need for cookies or server connections to third parties. This means there is no direct connection to third-party tracking software, which in turn makes the transmission of personal data, such as IP addresses, unnecessary.

Furthermore, cookieless tracking allows for increased control over data sharing. This particularly addresses the needs of users who reject the cookie banner, thus not consenting to the sharing of their personal data. Using a server container that not only captures user data but also records whether the user has consented or rejected the cookie banner, data can be completely anonymized in the event of a rejection. This process is fully automated, ensuring data protection-compliant handling of user data.

Another significant advantage is security. The integration of third-party code snippets on a website creates potential security risks. Often, website operators do not fully understand how these embedded code snippets function, posing a risk as third-party providers can alter the contents of these scripts at any time after their integration. Typically, these scripts are directly inserted into the context of the website (using the <script> tag) and are not protected by isolating mechanisms like <iframe>, making them vulnerable to security breaches. By avoiding the inclusion of external scripts, cookieless tracking effectively circumvents such risks.

In summary, cookieless tracking offers a forward-looking solution that not only respects user data protection and privacy, but also enables a complete data basis for Google Analytics (GA4) thanks to the anonymized data. These advantages make it an alternative worth considering for companies and website operators operating in an increasingly regulated digital landscape.

Is cookieless tracking without consent compliant with data protection?

Cookieless tracking without consent presents a range of challenges for businesses and raises important questions regarding compliance with data protection regulations. Although technically feasible, cookieless tracking requires extensive knowledge and technical expertise to ensure that the methods are compliant with data protection laws. Adhering to the General Data Protection Regulation (GDPR) and the Telecommunications Telemedia Data Protection Act (TTDSG) in Germany is crucial, as these laws stipulate that personal data can only be processed with the active consent of users.

With cookieless tracking without explicit consent, the following aspects must be carefully observed:

  1. Data Anonymization: The collected data must not contain any personal information. It is critical that none of the information allows for the identification of the individuals from whom the data was collected. This applies both to the company processing the data and to any third parties who may have access to the data. Pseudonymization, often used in various technologies, is not permissible as it allows for the possibility of tracing back to the individual.

  2. Avoiding Third-Party Interventions: The data must not be directly forwarded to third parties who could potentially see the user's IP address. Instead, the data should be routed through a proprietary first-party server to ensure control and security of the data.

  3. Avoiding Cookies and Local Storage Technologies: To be fully compliant with data protection regulations, tracking should neither use cookies nor other local storage methods such as Local Storage or Session Storage.

Fortunately, there are methods available that enable cookieless tracking by effectively anonymizing user data. By removing personal information, these data do not fall under the stringent regulations of the GDPR. Such methods often utilize techniques like aggregating data for statistical purposes, which prevents the creation of individual profiles and maintains anonymity.

However, it is crucial for companies implementing such tracking methods to thoroughly understand the legal requirements and ensure that their procedures comply with data protection policies. This not only protects user privacy but also shields the company from potential legal consequences.

How server-side tagging makes cookieless tracking possible

Server-side tagging is an advanced form of data collection in digital marketing that plays a crucial role in cookieless tracking. This method relies on using a proprietary server that acts as an intermediary between the client (i.e., the user's browser) and external third parties such as Google Analytics. This offers significant advantages, especially in terms of compliance with data protection regulations.

Fig.: Simplified functionality of server-side tagging

Fundamentally, any form of tracking that collects and processes personal data requires explicit user consent. However, server-side tagging enables a form of tracking where cookie banner consent rates become irrelevant. This is because personal data such as IP addresses, names, or other identifiable information can be filtered and removed on the proprietary server before being forwarded to third parties. This is particularly relevant when users decline the cookie banner. In such cases, no information that allows personal identification is stored or processed.

By utilizing server-side tagging, companies can still gather valuable data on user behavior without conflicting with data protection regulations. This data includes metrics like page views, session duration, bounce rates, and other non-personal metrics that provide insights into user engagement and interactions on the website or app. These insights are crucial for optimizing websites and marketing strategies, while also allowing companies to respect their users’ privacy.

Thus, server-side tagging serves not only as a bridge to compliance with data protection standards but also as a powerful tool for cookieless tracking. It offers a solution where the collection and analysis of user data occur in a manner that meets both business objectives and the stringent requirements of data protection.

What needs to be considered to ensure that server-side tagging complies with data protection regulations?

Server-side tagging (SST) offers numerous advantages for data protection and efficiency in data processing. Nevertheless, special care must be taken in implementing SST to ensure compliance with data protection regulations and legal security.

Key aspects for data protection-compliant implementation of Server-Side Tagging:

  1. Data Processing Transparency: A central aspect of the General Data Protection Regulation (GDPR) is transparency in the processing of personal data. Users who reject the cookie banner often have no way to understand the server-side processing of their data. Therefore, it is essential to maintain transparency through clear information provided in the privacy policy. This should comprehensively explain how data is collected, processed, and used.

  2. Consent Management: Server-side tagging does not replace a cookie banner. To use Server-Side Tagging legally, effective consent management through a cookie banner is essential. Website and app operators must ensure that the cookie banner used complies with legal requirements. 

  3. Secure Data Processing: When data is transferred to third parties, it must be ensured that the data does not allow any inference about individual persons. One method for this is the strict anonymization of data before its transfer. It must also be ensured that no re-identification is possible by adding further identification features. Furthermore, it is not permissible to store or process individual user data in such a way that user paths can be tracked across individual sessions.
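The filtering step described above (removing identifying data on the first-party server when the banner is declined, and forwarding nothing that links events across sessions) can be sketched as follows. This is an added example, not code from the author or from Google Tag Manager; all field names, the allowlists and the sample event are assumptions made for illustration.

```javascript
// Added example: hypothetical first-party filter; field names are assumptions.

// Allowlist of non-personal fields that may leave the first-party server
// when the visitor has declined the cookie banner. Anything else is dropped,
// so a new identifying field added upstream never leaks by default.
const ANONYMOUS_FIELDS = ['event_name', 'engagement_time_msec', 'scroll_depth_percent'];

// Campaign parameters kept in URLs; every other query parameter is removed
// because query strings often carry e-mail addresses, tokens or click IDs.
const KEPT_QUERY_PARAMS = ['utm_source', 'utm_medium', 'utm_campaign'];

function stripUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return undefined; // unparseable input is dropped, not forwarded
  }
  const kept = new URLSearchParams();
  for (const name of KEPT_QUERY_PARAMS) {
    if (url.searchParams.has(name)) kept.set(name, url.searchParams.get(name));
  }
  const query = kept.toString();
  // Fragment, credentials and all other parameters are discarded.
  return url.origin + url.pathname + (query ? '?' + query : '');
}

function referrerHost(rawUrl) {
  try {
    return new URL(rawUrl).hostname; // keep only the host, never the search terms
  } catch (err) {
    return undefined;
  }
}

// Returns the payload that may be forwarded to the analytics provider.
function buildForwardPayload(event, consentGranted) {
  if (consentGranted) {
    return { ...event, consent: 'granted' };
  }
  const out = { consent: 'denied' };
  for (const field of ANONYMOUS_FIELDS) {
    if (event[field] !== undefined) out[field] = event[field];
  }
  out.page_location = stripUrl(event.page_location);
  out.page_referrer = referrerHost(event.page_referrer);
  // Truncate to the hour so events are harder to order into an individual path.
  out.timestamp_hour = Math.floor(event.timestamp_ms / 3600000) * 3600000;
  return out;
}

// Constructed sample event as a browser might send it to the first-party server.
const sampleEvent = {
  event_name: 'page_view',
  ip: '203.0.113.7',
  user_agent: 'ExampleBrowser/1.0',
  client_id: '1234.5678',
  page_location: 'https://shop.example/checkout?email=a%40b.example&utm_source=newsletter#step2',
  page_referrer: 'https://search.example/results?q=private+query',
  engagement_time_msec: 5400,
  timestamp_ms: 1700000123456,
};
console.log(buildForwardPayload(sampleEvent, false));
```

The same care applies to the outbound request itself: the forwarding server must not relay the visitor's address in headers such as `X-Forwarded-For`.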

Interesting facts about server-side tagging

For even more information about server-side tagging, you can download our free PDF guide via this link

Who should consider implementing Server-Side Tagging? 

Server-side tagging (SST) represents an innovative solution for digital marketing and data analysis that can be particularly beneficial for businesses in certain scenarios. SST is especially relevant when:

  1. Businesses rely on web analytics: For many companies, the continuous optimization of their website is crucial to enhance user experience and increase conversion rates. Server-side tagging allows for more precise and comprehensive data collection necessary for such optimizations. By anonymizing personal data server-side, valuable insights can be gained without compromising user privacy or exceeding legal limits.

  2. Businesses run digital advertising campaigns: For companies that advertise on platforms like Google Ads or Meta (formerly Facebook), tracking conversions across their websites is essential. Server-side tagging can help improve conversion tracking by providing more accurate data that is not affected by cookie restrictions or ad blockers. This leads to better allocation of advertising spend and campaign effectiveness.

  3. Companies with low consent rates in their CMP: If the consent rate for cookies and tracking on the website is below 95%, businesses potentially lose valuable data crucial for market analysis and adjustment. Server-side tagging offers a way to capture and utilize relevant data, even when users do not consent to tracking. This is achieved by ensuring that the collected data remain anonymous and do not allow direct inferences about individual users.

Which software should be used for server-side tagging?

We recommend using Google Server Tag Manager (S-GTM) for tagging and Google Analytics 4 for data transmission from the browser to the server. Our recommendation is based on the fact that these tools are free and offer comprehensive functionalities.

In comparison, alternative solutions offer fewer benefits and have lower compatibility with third-party software. Additionally, these alternatives incur extra licensing costs.

How time-consuming is the implementation? Do I need a service provider?

The implementation of Server-Side Tagging (SST) can vary in complexity depending on your team's technical expertise and the complexity of your requirements. Generally, setting up Google Analytics 4 with a Server Tag Manager is relatively straightforward. Google provides extensive documentation that enables you to deploy a tagging server quickly.

Key Considerations in Implementing SST:

1. Data Protection Compliance: It is crucial to understand that setting up the Server Tag Manager not only affects the success of your web tracking and online marketing but also the data protection compliance of your website. Incorrect configuration can lead to significant fines or cause critical errors that create large gaps in your tracking data.

2. Operational Costs: Operating the Server Tag Manager in the cloud also involves costs, which can escalate quickly if the service is not properly configured and secured in the cloud. Monitoring and optimizing cloud usage is therefore essential to avoid unexpectedly high costs.

Necessary resources

For a successful implementation of SST, you should assess whether your team possesses the necessary skills or if you need to bring in external service providers:

  • Cloud Architect/Cloud Experts: Expertise in operating container applications in the cloud is required.
  • Cloud Security Expert: Security measures in the cloud are crucial for safely managing data and meeting data protection requirements.
  • Expert in Google Marketing Platform and Server Tag Manager Software: A deep understanding of these platforms is necessary to effectively utilize all features.
  • Expert in Google Analytics 4 and other tracking/marketing services: Specific knowledge about the integration and configuration of these services is required.
  • JavaScript Developer: For creating custom tags and "clients" within the Server Tag Manager container.
  • IT-Savvy Data Protection Expert: An understanding of web tracking and server-side tagging from a data protection perspective is essential.

Conclusion

While the basic configuration of Server-Side Tagging can be relatively straightforward, the actual implementation depends on the complexity of your specific requirements. Engaging an experienced service provider can therefore be wise, especially if your internal team does not cover all necessary competencies. This not only ensures the technical and data protection correctness of your implementation but also optimizes the long-term operation and maintenance of the system.

Collaborating with DWC

DWC is a specialized agency for consent and data management, with a particular focus on consent management and advanced measurement technologies such as Server-Side and Cookieless Tracking. We have successfully participated in over 400 CMP projects across more than 25 countries and are pioneers in supporting Server-Side Tagging.

As a technology-agnostic consulting firm, we offer you customized solutions specifically tailored to your technology stack to achieve optimal results.

Steps of Collaboration: 

  • Free Initial Consultation: We invite you to a non-binding initial consultation where we evaluate the potential for implementing Server-Side Tagging and thoroughly answer your questions.

  • Project Phases After Agreement: Following a successful alignment, a detailed analysis of the status quo is conducted, followed by implementation, configuration, and continuous maintenance. The goal is to ensure that you fully exploit the potential of your data collection and that the solution is optimally tailored to your specific needs.

  • Status Quo Analysis: In this phase, we evaluate which software solutions best fit your specific business processes. We provide detailed information about the planned project progression.

  • Implementation: We carry out the implementation of the selected software, ensuring that it complies with current data protection standards and that you can realize the full potential of your data collection.

  • Configuration: In this phase, we review and optimize every step within the process chain to ensure flawless functionality of the software and make adjustments where necessary.

  • Maintenance: Our commitment does not end with the implementation. You can contact our expert team at any time. We are available for inquiries and continue our support until you are completely satisfied.

We are happy to work with you


If you have any questions, please do not hesitate to contact us:

Liza Kruse