The impact of server-side tracking on privacy

Best practices and debunking myths


In the digital age, where data privacy has become a forefront concern, server-side tracking stands out as a crucial tool for organisations aiming to gather user insights responsibly. Despite its potential, numerous myths surround its use and compliance with regulations. This article dispels these myths, offering a nuanced view of server-side tracking, its compliance with privacy laws, and the role of consent in its execution.

Understanding client- versus server-side tracking

First, let's recap what server-side tracking entails. The main difference lies in how these technologies feed data to endpoints.

With client-side tracking, data requests are generated directly from the user's device to your designated endpoints. Conversely, with server-side tracking, requests are sent to a server environment managed by your organisation, which then distributes this data to different endpoints via a server-to-server connection.

client-side versus server-side

If you want to read more about how to set up a compliant server-side tracking implementation, this more technical blog will help you get started!

In case you want to dive more deeply into what server-side tracking is not, read this blog.

Privacy regulations and server-side tracking

How you implement your privacy governance is not specifically bound to a client- or server-side tracking mechanism. Especially for the GDPR, your mechanism for lawful processing of personal data is likely compatible and consistent between client- and server-side tracking.

Server-side tracking may help to reduce compliance risks by keeping certain personal data within your organisation. With client-to-server HTTP requests, information like IP addresses, User-Agent strings, and URLs is shared. This can be considered personal data under the GDPR. This data becomes more sensitive when shared with large organisations that receive similar data from other sources.

By using server-side tracking, this information remains internal, allowing full control of what is shared with whom. This reduces impact on users and provides control over its disclosure to third parties. This integration into your privacy strategy allows you to selectively share information that aligns with your privacy standards and goals.

Next, we'll address several myths related to consent in the context of server-side tracking:

Myth 1: “Consent is not necessary for server-side tracking”

Commonly heard misconceptions are: "We only ask for consent for cookies, and server-side tracking doesn't use cookies, so we don't need consent." Or "With server-side tracking, we can track 100% of all users without needing consent."

These statements are not true:

Legal Foundations: The ePrivacy Directive (incorporated into localised laws) relates to cookies and the use of device storage, requiring consent. The GDPR, on the other hand, requires valid grounds for processing personal data. Under the GDPR, the terms 'processing' and 'personal data' have broad definitions that may be more extensive than initially thought.

Examples:

  • If your website or application uses unnecessary cookies, local storage, session storage or other server-side tracking methods for user identification, you still need consent.
  • If your website or application modifies personal data before it is sent, such as anonymising it or sending it directly to the server, this is considered processing. The rules in Article 6 of the GDPR regarding the processing of personal data must then be followed.

Myth 2: “Compliance is unachievable with server-side tracking”

Statements such as “Server-side tracking is never compliant as you are always processing data from an individual” or “It is impossible to manage compliance with server-side since it lacks transparency to the user” are commonly heard.

Whilst it is true that there are challenges for obtaining a compliant server-side tracking implementation, they aren't that different from a client-side tracking implementation.

The key to ensuring compliance from the start is to filter information before sending it server-side, based on valid grounds like consent or legal obligation. Additionally, categorising data according to its purpose is recommended for maintaining transparency and compliance.

Examples:

  • If a website or application sends IP addresses to the server-side, it should be transparent about the purpose for which it is processed. IP addresses may be processed and stored for registering consent preferences, but they should only be used for insights or activation with the appropriate consent level based on other attributes.
  • Clearly explain how and why specific data is processed. By categorising data attributes based on purpose and legal grounds, you provide transparency.
  • If different legal grounds are used for one or more data attributes, ensure that users are informed of their rights for each version of the data and how they can exercise those rights.
  • Implementing limitation of usage based on purpose at the initial data collection step helps minimise the risk of engaging in non-compliant practices.
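The filtering and purpose categorisation described above can be sketched as follows. This is an added example, not code from the original article; the attribute names, purposes and endpoint names are assumptions chosen for illustration.

```javascript
// Added example: purpose-based filtering at the collection step, before data
// is forwarded. Attribute, purpose and endpoint names are hypothetical.

// Each attribute is categorised by the purposes it may be used for.
const ATTRIBUTE_PURPOSES = {
  event:     ['consent_record', 'analytics', 'marketing'],
  timestamp: ['consent_record', 'analytics', 'marketing'],
  ip:        ['consent_record', 'analytics'], // never forwarded for marketing
  userAgent: ['analytics'],
  url:       ['analytics', 'marketing'],
  clientId:  ['analytics', 'marketing'],
};

// Legal ground per purpose: 'consent' requires an explicit opt-in.
const PURPOSE_GROUNDS = {
  consent_record: 'legal_obligation',
  analytics: 'consent',
  marketing: 'consent',
};

// Each downstream endpoint is bound to exactly one purpose.
const ENDPOINTS = {
  consentLog: 'consent_record',
  analyticsVendor: 'analytics',
  adsVendor: 'marketing',
};

function purposeAllowed(purpose, consent) {
  const ground = PURPOSE_GROUNDS[purpose];
  if (!ground) return false; // unknown purpose: deny by default
  return ground !== 'consent' || consent[purpose] === true;
}

// Returns { endpointName: payload } holding only the permitted attributes.
function buildPayloads(event, consent) {
  const out = {};
  for (const [endpoint, purpose] of Object.entries(ENDPOINTS)) {
    if (!purposeAllowed(purpose, consent)) continue;
    const payload = {};
    for (const [key, value] of Object.entries(event)) {
      // Unclassified attributes are dropped rather than forwarded.
      const known = Object.hasOwn(ATTRIBUTE_PURPOSES, key) ? ATTRIBUTE_PURPOSES[key] : [];
      if (known.includes(purpose)) payload[key] = value;
    }
    out[endpoint] = payload;
  }
  return out;
}

// Constructed sample event (203.0.113.0/24 is a documentation address range).
const sample = { event: 'page_view', timestamp: 1700000000, ip: '203.0.113.7',
  userAgent: 'ExampleBrowser/1.0', url: 'https://shop.example/cart',
  clientId: 'c-123', email: 'unclassified@example.com' };
console.log(buildPayloads(sample, { analytics: true, marketing: false }));
```

With analytics consent only, the consent log and the analytics endpoint each receive a payload, the marketing endpoint receives nothing, and the unclassified `email` attribute is dropped everywhere.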

Best practices for implementing compliant server-side tracking

In short, server-side tracking helps your organisation decide which data to share and when to share it. However, it doesn't fully address all the privacy rules your organisation must follow by itself.

Here is a list of best practices for server-side compliance:

  • Privacy by design: Integrate privacy considerations early in the design process. Ensure that the default behaviour aligns with the principles outlined in privacy regulations.
  • Consent management integration: Implement robust consent management processes on the client side to prevent unlawful data processing.
  • Regular audits and updates: Carry out ongoing checks and adaptations to remain compliant.

Given the many benefits of server-side tracking from a value perspective as explained here, we recommend considering the extra controls and risk reduction as a benefit in favour of server-side tracking.


This is an article by Bram Ooms

Bram started as a Technical Web Analyst in 2019, where he focused on data implementations at clients such as Univé, DPG Media, Boels and Vodafone. Through his experiences with the impact of legislation on enabling data flow he developed an interest in data privacy, which he is now actively pursuing within Digital Power.
