Reliable website tracking is becoming increasingly difficult in view of stricter preventive measures by browsers and other anti-tracking tools. Recently, the server-side Google Tag Manager has offered the option of setting up first-party tracking, in which the data is redirected via a separate server. Configured accordingly, this can ensure that website tracking does not fall victim to the same measures as third-party scripts.
Why is tracking blocked?
Similar to scripts that clearly violate data protection regulations (such as the Facebook Pixel or other marketing tags), Firefox or AdBlockers now also prevent tracking scripts, such as analytics.js for Google Analytics, from being called. Safari also blocks such scripts under certain circumstances.
The reason for the similar treatment is also that Google itself admits to using the data collected in this way to place targeted advertisements. It is not technically possible to prevent the transmission of personally identifiable information (PII) during normal tracking with Google Analytics.
However, the majority of website operators probably do not use Google Analytics themselves with the aim of acquiring advertising customers. Instead, website tracking is primarily used to measure the reach of a website.
With the help of the new server-side Google Tag Manager, any amount of sensitive information can be removed from tracking requests before data is sent on to Google. In this way, website tracking with Google Analytics can be maintained and data protection guaranteed at the same time.
What solution does server-side tracking offer?
The server-side Google Tag Manager makes it possible to send tracking data to your own endpoint (aka a server), from where it is forwarded to the respective analytics tool after being cleansed of sensitive data.
This overcomes a major weakness of website analysis:
When a page that is tracked with Google Analytics and the client-side Google Tag Manager is accessed, a request first goes out to https://googletagmanager.com to load the container's script. A connection is then established to 'https://www.google-analytics.com/' to retrieve the tracking script.
These addresses are obviously not related to the content of the page, but signalize: Tracking is intended here. So anti-tracking tools and ad blockers simply block the retrieval of these scripts and thus protect the privacy of users.
However, if a connection is established to an endpoint with the same name as the domain name of the website, no difference can be detected at first from other content that is required for the website display.
This means that server-side tracking also records calls that would have remained invisible under normal circumstances. (This can also include unwanted “visitors” such as bots and crawlers, which must therefore be recognized and filtered manually).
Responsibility for the data
This additional control over the data also comes with a higher degree of responsibility: once we have received the information about user interactions, it is up to us to decide what we do with it - and, above all, with whom we share it. Theoretically, users could be enriched with further information on their own endpoint and shared with parties who would otherwise not have access to it. Users would no longer be aware of this.
At the same time, we now have the opportunity to generalize the data in such a way that it can be used for web analysis without hesitation. This is because the parameters of a normal tracking request contain sensitive information such as the IP address and the user agent. If these parameters are removed, a single tracking request no longer differs greatly from others - but can be counted.
Additional settings can also be used to completely dispense with cookies in order to further conceal the identity of a user.
Summary
As client-side scripts and cookies have been increasingly restricted in recent years, it was only a matter of time before alternative tracking methods were offered to the masses. With Google's server-side Tag Manager, it is possible to set up a tracking infrastructure in just a few steps that defies most current tracking conventions. This means that the reach of a website can still be reliably recorded.
From a data protection perspective, this gives website operators greater sovereignty, as they can now anonymize the data themselves before sharing it with third parties. However, this is no longer visible to the user and is therefore not transparent.