How to implement Privacy by Design in server-side tracking

A step-by-step guide

  • Article
  • Technical Web Analytics
Implementing privacy by design (PbD)
Bram Ooms
Bram Ooms
Technical Web Analyst
8 min
15 Aug 2024

In our previous blog, we explored the significance of Privacy by Design (PbD) in server-side tracking to ensure compliance with data protection regulations such as GDPR. Now, we’ll dive deeper into a practical, step-by-step guide to help you implement these essential privacy practices. This ensures data privacy and security at every stage of the ETL process in tag management systems.

Read our previous blog about the significance of PbD here.

Example case “Organisation XYZ”

Organisation XYZ wants to combine data client-side and server-side tracking for their data collection, but wants to make sure their approach is privacy-centric. They have created a data inventory and linked applicable grounds. They now want to run the ETL process based on PbD to show what steps need to be taken. In this example, we choose to process IP addresses of users.

ETL process
ETL process

Step 1: Extracting user data with Privacy by Design principles

In the extract step, data is collected into the data layer from various sources, such as development, websites, applications, or stored data. User consent (or other legal grounds) determines what makes it into the data layer and what does not get processed.

Example: Organisation XYZ

XYZ uses IP addresses for several purposes: fulfilling legal obligations for registering consent, obtaining consent for marketing and analytics, and pursuing legitimate interests for fraud detection. Because XYZ always needs the IP address available regardless of consent, it is never completely removed from the data layer.

Extracting data

If you also wish to have an easy way to view your data layer, have a look at our Tagbird chromium extension for your browser. You can learn more about our free extension in this article.

Step 2: Transforming data securely to protect user privacy

In the transform step, you process and organise the data extracted into a usable format. At the beginning of this stage, the data layer contains only the data points that passed through the initial filter. By making your data layer's data points purpose-specific, you make it transparent which data points can be loaded for different purposes. Additionally, depending on the granularity needs, you can obfuscate data points to make them less sensitive if the use case allows.

transforming data

Example: Organisation XYZ

XYZ wants to split the purposes for personal data and make this clear in the data layer:

- Legal obligation: Create the data point “client_ip_address_legal_obligation”.

- Analytics and marketing: Populate “client_ ip_address_marketing” or “client_ip_address_analytics” only if users have given specific consent.

- Fraud detection: Create “client_ip_address_fraud” with only the first two digit pairs to remove unnecessary specific IP information.

The PbD pageview is ideally sent to the server-side solution, where there are more options to limit what data is transmitted server-to-server.

Step 3: Loading data responsibly in server-side tracking

In the load step, you move the transformed data to perform the purpose it was processed for. Whether you send data client-side or server-side, each load point should be configured with the correct purpose-specific data point to provide the correct dimension. Ensure that the endpoint storing the data can meet the retention period criteria of the data inventory.

loading data

Example: Organisation XYZ

XYZ configures each endpoint connector or tag with the specific data point, and consent preferences determine whether the data is loaded to the endpoint:

- Legal obligation: Send “client_ip_address_legal_obligation” to their consent registration server with a 13-month data retention period.

- Marketing and analytics: Send “client_ip_address_marketing” or “client_ip_address_analytics” to a server-side tag management system if the user has consented.

- Fraud detection (not pictured): Send “client_ip_address_fraud_obfuscated” server-side, where it is further obfuscated and translated to a country code, then sent to a fraud data lake with a 3-month retention period.

Conclusion

Implementing Privacy by Design (PbD) in tag management systems through the ETL process ensures robust data privacy and compliance. By integrating PbD principles into each step of the data lifecycle, organizations can create a privacy-centric approach that benefits both the organization and the individuals whose data is being processed. For a general overview of the importance of PbD in server-side tracking, read our introductory blog here.

This is an article by Bram Ooms

Bram started as a Technical Web Analyst in 2019, where he focused on data implementations at clients such as Univé, DPG Media, Boels and Vodafone. Through his experiences with the impact of legislation on enabling data flow he developed an interest in data privacy, which he is now actively pursuing within Digital Power.

Bram Ooms

Technical Web Analyst

Receive data insights, use cases and behind-the-scenes peeks once a month?


Sign up for our email list and stay 'up to data':

You might also like:

Transform your web- and app data into actionable insights with server-side tracking

Server-side tracking is the process of collecting and processing data through a server rather than on the user's device. By migrating your tagging implementation to a controlled server environment, you improve data accuracy and protect user privacy. Turn your data into actionable insights and gain a full understanding of your users' interactions.

Read more
privacy by design (PbD)

Understanding Privacy by Design in server-side tracking

In the digital age, organisations increasingly rely on data to drive decision-making and improve user experiences. That’s why data protection and GDPR compliance is more critical than ever. Privacy by Design (PbD) is an essential approach for embedding data privacy into every step of your IT and business practices, especially within tag management systems for web and app tracking.

Read more

The impact of server-side tracking on privacy

In the digital age, where data privacy has become a forefront concern, server-side tracking stands out as a crucial tool for organisations aiming to gather user insights responsibly. Despite its potential, numerous myths surround its use and compliance with regulations. This article dispels these myths, offering a nuanced view of server-side tracking, its compliance with privacy laws, and the role of consent in its execution.

Read more
third-party-cookies - image of a cookie

Third-party cookies: should I stay, or should I go?

In recent months there has been a lot to do about third-party cookies and their not-so-imminent-anymore end-of-life in the Google Chrome browser. Is this then much to do about nothing or should you brace yourself for a paradigm-changing shift? In this article we will lift the veil over this important topic. Also, we’ll share 7 hands-on tips to prepare yourself for what’s coming.

Read more
what is not server-side tracking

What is not server-side tracking?

Server-side tracking is becoming a hot topic among agencies, marketeers and analysts. A lot of information is available on the subject, but it is not always accurate. Server-side tracking has often been sold as a miracle solution against data loss, GDPR and other unethical challenges.

Read more
Eneco header

Eneco becomes the owner of their web data streams using server-side tracking

Eneco has been working with us for years for the (client-side) tracking of their online traffic. When server-side tracking emerged at the end of 2022, it was a logical step for them to ask us to think about the business value of this tracking method. They wanted to compare their existing Google Analytics implementation with a tagging server on Microsoft Azure.

Read more

How can you tell if your GTM tagging server works?

There are reasons abound for deploying a tagging server on your website. This blog will not be about why it makes sense (or why perhaps in your case it doesn’t) to use server-side tagging. Instead we will jump forward in time and ask ourselves another pertinent question: ‘how can you tell if your tagging server is doing what it is supposed to?’

Read more

Measure ecommerce events in GA4 and Universal Analytics with only the updated datalayer pushes

With our variable in the Google Tag Manager Community Template Gallery it is easy to start using all the new ecommerce analytics capabilities that Google Analytics 4 offers while fully supporting the 'old' enhanced ecommerce of Universal Analytics. Find out how the variable works.

Read more
unive blog

Integration web and app data contributes to a 360-degree customer view

Univé is a Dutch insurance company that offers insurance, financial products, and services to both consumers and businesses. The company is focused on providing high-quality service and helping customers make responsible financial decisions. Since 2014, we have been working closely with Univé.

Read more

Switching from Universal Analytics to Google Analytics 4 (GA4)

On 14 October 2020, Google launched the new version of Analytics: Google Analytics 4 (GA4). Soon after the launch, it became clear that a number of important functionalities from Universal Analytics (GA3) were missing, and therefore the time to switch seemed far away. Fortunately, we see that the development team on the side of Google has not been idle. Some nice features have since been introduced within GA4 that have narrowed the gap between GA3 and GA4. This article answers the questions that are increasingly being asked about GA4.

Read more

How do I set up Google Tag Manager?

A tag management system such as Google Tag Manager (GTM) enables you to measure visitor behaviour on your website. You can also implement marketing pixels (such as Google Ads and Facebook) and cookie banners via this platform. This article gives you tips to keep in mind when setting up GTM. This allows you to collect reliable and usable data, and you will be less dependent on your web developers.

Read more

The impact of ITP on analytics and the user experience​

Intelligent Tracking Prevention (ITP) was launched by Apple in 2017 in an effort to restore "the balance the balance between privacy and the need for on-device data storage". With Intelligent Tracking Prevention, Apple aims to reduce cross-site tracking (following users across websites) by limiting the use of cookies. Find out what this means for you.

Read more
web analytics quality

How good Is your web analytics implementation?

How confident is your company in its web analytics data? In this article, we’ll first explain why web analytics tools can never provide 100% accurate data and why that’s not necessarily a bad thing. Then, we’ll dive into the practical side of things: how reliable are most web analytics implementations?

Read more

What is Tagbird, what do you use it for, and what can you do with it?

Tagbird is a Chrome extension developed by Digital Power. You can download it from the Chrome Web Store and add it to your browser. It is a debug/visualisation tool that provides a simple and clear insight into, among other things, the data layer, tag management events and analytics requests of a website. So you can quickly and easily test your entire analytics implementation with Tagbird.

Read more