Back to Overview

Reliable Website Tracking with Server-Side Google Tag Manager

Header image for "Reliable Website Tracking with Server-Side Google Tag Manager"
5 min read
sGTMServer-Side TrackingPrivacy

Reliable website tracking is becoming increasingly difficult due to stricter preventive measures by browsers and additional anti-tracking tools. Since recently, the server-side Google Tag Manager offers the possibility to set up first-party tracking, where data is redirected through your own server. When properly configured, this can ensure that website tracking doesn't fall victim to the same measures as third-party scripts.

Why is tracking being blocked?

Similar to clearly privacy-violating scripts (such as the Facebook Pixel or other marketing tags), the call to a tracking script, such as analytics.js for Google Analytics, is now also prevented by Firefox or ad blockers. Safari also blocks such scripts under certain circumstances.

The reason for the similar treatment is also that Google itself admits to using the data collected this way to serve targeted advertisements. Technically, it's impossible to prevent the transmission of personally identifiable information (PII) with ordinary Google Analytics tracking.

However, a large portion of website operators probably don't use Google Analytics with the goal of acquiring advertising customers. Instead, website tracking primarily serves the purpose of capturing the reach of a website.

Using the new server-side Google Tag Manager, any amount of sensitive information can be removed from tracking requests before data is sent on to Google. This way, website tracking with Google Analytics can be maintained while ensuring data privacy at the same time.

What solution does server-side tracking offer?

The server-side Google Tag Manager enables sending tracking data to your own endpoint (aka a server), from where it is forwarded to the respective analytics tool - cleaned of sensitive data.

This overcomes a significant weakness of website analysis: When calling a page that is tracked with Google Analytics and the client-side Google Tag Manager, a request first goes out to https://googletagmanager.com to load the container script. Subsequently, a connection is established to https://www.google-analytics.com/ to retrieve the tracking script.

These addresses obviously have no relationship to the content of the page, but signal: Here something is supposed to be tracked. So anti-tracking tools and ad blockers simply prevent the retrieval of these scripts and thus protect users' privacy.

However, if a connection is established to an endpoint that has the same name as the domain name of the website, no difference to other content required for website display can be detected at first.

Thus, server-side tracking also captures calls that would have remained invisible under normal circumstances. (This can also capture unwanted "visitors" like bots and crawlers, which therefore must be detected and filtered manually.)

Responsibility for the data

With this gained control over the data also comes a higher degree of responsibility: Once we receive information about user interactions, it's our decision what we do with them - and especially, with whom we share them. Theoretically, users could be enriched with additional information on your own endpoint and shared with parties who otherwise wouldn't have access to them. Users would no longer notice any of this.

At the same time, we now get the opportunity to generalize the data so that it can be used for web analysis without concerns. Parameters of an ordinary tracking request contain sensitive information such as the IP address and user agent. If these parameters are removed, an individual tracking request no longer differs much from others - but can still be counted.

Summary

Since client-side scripts and cookies have been increasingly restricted in recent years, it was only a matter of time before alternative tracking methods would be offered for mass adoption. With Google's server-side Tag Manager, it's possible in just a few steps to set up a tracking infrastructure that defies most current tracking preventions. This way, the reach of a website can continue to be reliably captured.

From a data privacy perspective, this achieves greater sovereignty by the website operator, who can now independently anonymize data before sharing it with third parties. However, this is no longer visible to the user and is therefore intransparent.

Show all blog articles