Solving the GDPR Problem with GTM Server-side Tagging

After the General Data Protection Regulation (GDPR) went into effect, Google Analytics users in Europe faced a problem. Google Analytics has become illegal to use for website operators in several countries due to decisions by European data protection authorities, as it does not comply with the GDPR.

The good news is that this problem has a solution. If you like the Google Analytics 4 data structure, you don’t have to give up on it. Instead, you can use server-side tracking in Google Tag Manager and map a custom domain to the server container endpoint.

This approach incorporates the server-side data collection endpoint into your first-party domain namespace, maintaining first-party context for browser tracking protections and setting first-party cookies. Additionally, you can use a special tag from OWOX to directly transfer data from your website to Google BigQuery without sending it to Google Analytics servers.

Note: This post was originally published in June 2022 and was completely updated in July 2024 for accuracy and comprehensiveness on Website analytics.

What is GDPR?

The General Data Protection Regulation (GDPR) is a landmark privacy law from the European Union that became enforceable on May 25, 2018. It's designed to empower individuals with greater control over their personal data while streamlining the international business regulatory environment by standardizing data protection laws across the EU.

GDPR introduces stringent data handling requirements for organizations, mandates clear consent for data processing, and offers individuals extensive rights, including access to, correction, and deletion of their data. Non-compliance can result in significant fines, making GDPR a critical consideration for businesses worldwide.

GDPR and Website Tracking: What You Need to Know

GDPR significantly impacts website tracking by emphasizing the protection of personal data, including names, addresses, and even cookies, which could be considered PII (personally identifiable information). This regulation affects how websites collect, store, and transfer user data, aiming to protect privacy and limit data profiling by large ad companies.

To comply with GDPR, websites now use consent management platforms (CMPs) alongside tools like Google Tag Manager's consent mode. This setup ensures that cookies and trackers are only activated with user consent, respecting individual privacy preferences and legal requirements for cookie banners.

Furthermore, GDPR mandates explicit consent for promotional emails, distinguishing between essential communications and marketing messages. Compliance can be managed through backend processes for new users, highlighting the need for clear consent mechanisms in digital marketing practices.

Google Analytics and the GDPR — What's the Problem?

In 2020, the non-profit organization NOYB filed 101 complaints against websites operating in the European Economic Area (EEA) that applied Google Analytics or Facebook Connect. After this, EEA data protection authorities started issuing rulings forcing EEA website operators to stop using these services on the grounds that they do not comply with the General Data Protection Regulation (GDPR).

The problem is in the method of applying Google Analytics in Europe, as Google stores data gathered about EU residents (user behavior data) on a US-based cloud service. The sticking point was — and still is — that the safeguards taken by Google are insufficient to prevent US intelligence services from accessing the personal data of EU residents. According to European data protection authorities, these overseas data transfers violate the GDPR.

What Is Server-side Tracking?

Server-side tagging involves managing and executing tags (snippets of code for tracking and analytics) on a server rather than directly on a user’s browser. This approach enhances website performance, improves data privacy by controlling data sent to third-party vendors, and reduces the risk of ad-blocking software interfering with data collection. Setting up a server container in a Google Cloud environment creates a server-side tagging environment, which acts as a proxy between hits sent from browsers and devices and the actual endpoints where the hits are collected. It provides a safer and more effective approach to managing data and tracking user activity.

The 'Event Data' tab is crucial for debugging and understanding the behavior of tags and triggers, as it provides detailed information about the values parsed from incoming HTTP requests into an event data object.

How to Solve the Problem with GTM Server-Side Tracking and Google BigQuery

GTM server-side tracking is an alternative to the traditional client-side tracking method that solves the problem of sensitive data transmission, ad blockers, and page loading speed. Creating and connecting to a Google Tag Manager container for server-side tracking is essential for efficient data handling.

Configuring the server container URL is crucial for handling click events and forwarding requests to the server-side container.

To process data collected on the server side (server-side tracking), an intermediate destination is added (in the case of Google Tag Manager, this is a cloud server). From the client side, the request first goes to the cloud server, and then the cloud server processes this request and sends it to a third-party system. That is, instead of the client browser requesting the third-party system, that request is made by a cloud server.

Configuring the client-side GTM container to send data to a server-side container involves using the tagging server URL to ensure proper data routing.

Advantages of GTM Server-side Tracking

  1. Business Logic Concealment: Server-side tracking allows you to hide the business logic of how your site interacts with third-party applications by moving it to the back end. That is, the data you transfer and the logic you use to transfer it will not be available to the user.
  2. Enhanced Privacy and Security: Sending data to third-party systems does not depend on the user’s browser, since all requests are processed and sent on the server side. Ad blockers do not affect these requests, because this method eliminates the possibility of detecting a script by identifying the domain sending the request.
  3. Ad Blocker Bypass and Secure Data Transmission: This tracking method is more secure, which means you can supplement user data collected on the client side with the necessary information without the risk of disclosure.
  4. Compliance with Data Protection Regulations: You have full control over the data that will be sent to third-party systems, enabling you to comply with existing GDPR, CCPA, and CSP requirements.
  5. Importance of Custom Subdomain Setup: Setting up a custom subdomain for GTM server-side tagging is crucial. It helps mitigate cookie restrictions like ITP by ensuring cookies are set on your own domain. This setup involves technical steps such as adding and verifying custom subdomains for GTM server containers, often using services like Stape.

To avoid sending data to Google Analytics, you can use the Google Analytics 4 RawData to BigQuery Tag, which automatically redirects Google Analytics 4 events to a Google BigQuery table.

Advantages of the OWOX Tag for Server-side GTM

Google Analytics 4 RawData to BigQuery Tag is free. Anyone who uses server-side GTM can install it and get the following benefits of server-side tagging:

  1. GDPR compliance. Using our tag, you can configure GTM server-side so that data does not go to Google Analytics servers in the US at all but instead goes directly to the dataset with the location you specified in Google BigQuery. That is, the data does not go beyond the first-party contour of the business at all. Thus, the business itself guarantees 100% GDPR compliance.
  2. One-time setup. The tag only needs to be configured once. No need to go to settings and change the table structure in GBQ every time you add new GA4 events/parameters in site markup.
  3. Real-time data. Data is sent to GBQ in real time — no need to wait for a scheduled export.
  4. No restrictions. For example, you won’t run into the known 1 million hits per day limit that applies to native uploads from the free version of GA 4 to GBQ.
  5. The tag is free and available to anyone using GTM server-side tracking.
  6. Measurement Protocol. The measurement protocol can be used to handle measurement data from different devices and prevent spam, ensuring accurate and reliable data collection.

If you need a trustworthy analytics solution adapted to the GDPR and the world of privacy, sign up for a free demo.

How to Set Up the Collection of Raw Data from Google Analytics 4 to BigQuery with the Google Analytics 4 RawData to BigQuery Tag

You can use Google Analytics 4 RawData to BigQuery Tag if you have enabled Google Analytics 4 and configured GTM as the server-side tag manager for GA4 events. By utilizing the web container, you can configure tags, triggers, and variables for tracking with GTM. With this tag, you will get raw Google Analytics 4 data after each addition of a new event in the site markup, without first setting up a schema in BigQuery.

How to Add the Google Analytics 4 RawData to BigQuery Tag

Let's explore the initial steps to integrating Google Analytics 4 with Google BigQuery. Follow these steps to lay the groundwork for detailed analytics and deeper insights from your GA4 data.

Step 1: Create an appropriate table in your Google BigQuery

a) Create a dataset in a GBQ project:

b) Choose a location type:

c) Create a table with the following schema:

| Field name  | Type      | Mode     |
|-------------|-----------|----------|
| rawDataOwox | STRING    | REQUIRED |
| createdAt   | TIMESTAMP | REQUIRED |

The fastest way is to run the SQL code below in GBQ:

-- Raw GA4 event payload (JSON string) plus the time the row was written.
CREATE TABLE IF NOT EXISTS `[project_name].[dataset_name].ga4RawDataOwox` (
  rawDataOwox STRING NOT NULL,
  createdAt TIMESTAMP NOT NULL
)
OPTIONS(description="GA4 Raw data transferred directly to GBQ from my server-side GTM using OWOX tag");

Note: In this SQL code example, you need to replace [project_name].[dataset_name] with the actual project and dataset names.

Step 2: Add the tag from the templates to your workspace

We've added the OWOX Tag to our Templates Gallery. You can now easily find it and add it to your Workspace with just a few steps.

a) Go to Templates → Tag Templates → Search Gallery in your server-side GTM container:

b) Find and choose the tag:

c) Add it to your workspace:

Step 3: Add the tag

Go to Tags and add this tag. Choose a trigger and set the path to your table in GBQ.

Note: Check the checkbox “Enable logging” only for debugging.

As long as your server container runs in the same GCP project as the BigQuery table, you're all set. You don't need to set up any authentication, because the default App Engine service account has complete access to any BigQuery table in the project.

Step 4: Publish the container with a new tag

Submit and Publish the changes, then test the flow in Preview mode. If everything is correct, you’ll see Google Analytics 4 RawData to BigQuery Tag under Tags Fired:

And you will see the data in the Google BigQuery table:

How to Use This Data

Write SQL code to use this data in a convenient structure for your reports.

Example:

SELECT
 JSON_EXTRACT_SCALAR(rawDataOwox, '$.page_referrer') AS page_referrer,
 JSON_EXTRACT_SCALAR(rawDataOwox, '$.page_title') AS page_title,
 JSON_EXTRACT_SCALAR(rawDataOwox, '$.event_name') AS event_name,
 JSON_EXTRACT_SCALAR(rawDataOwox, '$.user_agent') AS user_agent
FROM `[project_name].[dataset_name].ga4RawDataOwox`
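
A reporting view over the same table, added here as an example (it is not OWOX's code): it exposes the fields a report needs while replacing the client identifier with a salted hash, cutting query strings off URLs, and leaving out the user agent. The JSON keys `client_id` and `page_location`, the view name `ga4EventsMinimised`, and the salt value are assumptions; check the keys against your own payloads.

```sql
-- Added example: reporting view with identifiers minimised.
-- Assumptions: rawDataOwox contains the keys client_id and page_location;
-- the view name and the salt are placeholders chosen for this example.
-- Replace [project_name].[dataset_name] as in the queries above.
CREATE OR REPLACE VIEW `[project_name].[dataset_name].ga4EventsMinimised` AS
SELECT
  createdAt,
  JSON_EXTRACT_SCALAR(rawDataOwox, '$.event_name') AS event_name,
  JSON_EXTRACT_SCALAR(rawDataOwox, '$.page_title') AS page_title,
  -- Keep scheme, host and path only: query strings and fragments often
  -- carry e-mail addresses, tokens or click ids.
  REGEXP_EXTRACT(
    JSON_EXTRACT_SCALAR(rawDataOwox, '$.page_location'),
    r'^[^?#]+'
  ) AS page_url_no_query,
  -- Reduce the referrer to its host name.
  NET.HOST(JSON_EXTRACT_SCALAR(rawDataOwox, '$.page_referrer')) AS referrer_host,
  -- Salted SHA-256 of the client id. This is pseudonymisation, not
  -- anonymisation: anyone who can read the view definition can read the salt.
  TO_HEX(SHA256(CONCAT(
    'REPLACE_WITH_SECRET_SALT',
    JSON_EXTRACT_SCALAR(rawDataOwox, '$.client_id')
  ))) AS visitor_key
  -- user_agent and the raw client_id are intentionally not selected.
FROM `[project_name].[dataset_name].ga4RawDataOwox`;
```

Giving report users access to the view rather than to `ga4RawDataOwox` itself (for example through a BigQuery authorized view) keeps the raw payloads restricted to the people who maintain the pipeline.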

If you have enabled Google Analytics 4 and need to import cost data to Google BigQuery or need to build cross-channel reports, book a demo with OWOX.

Our specialists will show how you can use OWOX BI products (and our professional services) to achieve your goals and transform raw data into business-ready data.

FAQ

  • Is server-side tagging GDPR-compliant?

    Server-side tagging can be GDPR-compliant if implemented correctly. It must ensure that personal data is handled according to GDPR principles, including obtaining user consent before collecting and processing data. Transparency and user control over their data are key to compliance.

  • Do you need consent for server-side tracking?

    Yes, consent is required for server-side tracking under GDPR. Before collecting or processing any personal data through server-side methods, explicit consent from the user is necessary. This respects the user's privacy rights and complies with legal requirements.

  • How does server-side tagging work?

    Server-side tagging works by processing tracking requests on a server instead of the user's browser. When an event occurs on a website, the data is sent to a server where the tags are triggered. This method reduces the client's workload, enhances data security, and improves site performance by offloading processing to the server.

  • What is the process to set up GTM server-side tagging for GDPR compliance?

    Setting up Google Tag Manager server-side tagging for GDPR compliance involves creating a server container in Google Tag Manager, configuring your domain to route data through the server, and implementing consent management. This setup requires integrating a consent management platform (CMP) to manage user preferences, ensuring that only data with explicit consent is processed and sent to third-party services, thereby aligning with GDPR requirements.

  • Is GTM server-side tagging an effective solution for GDPR challenges?

    Google Tag Manager server-side tagging is an effective solution for GDPR challenges as it offers enhanced data control and privacy. Processing data on the server minimizes the exposure of personal data to third parties and reduces reliance on client-side cookies. This approach helps in obtaining and managing user consent more effectively, ensuring compliance with GDPR's stringent data protection standards.

  • How does GTM server-side tagging improve data privacy under GDPR?

    GTM server-side tagging improves data privacy under GDPR by offering a more secure way to handle data. It shifts data processing from the client side to the server side, reducing the risk of data leakage and unauthorized access. This method allows for better control over the data collected and shared, ensuring that only anonymized or consented data is processed, thereby enhancing user privacy and trust.

  • Difference between server-side tagging vs. client-side tagging

    Server-side tagging processes data collection and management on a server, offering enhanced data security and privacy. It reduces browser load, bypasses ad blockers, and provides better control over data handling, ensuring compliance with regulations like GDPR. Conversely, client-side tagging involves executing tags directly in the user's browser, which can increase page load times, is more vulnerable to ad blockers, and poses higher risks for data privacy breaches due to direct exposure to third-party scripts.

  • What types of data should be considered when ensuring GDPR compliance?

    Any personal data that is collected or processed by your business should be considered for GDPR compliance, including name, email address, location information, and IP address.

  • How can I ensure ongoing compliance with GDPR regulations?

    Regular reviews of data processing practices, implementation of appropriate technical and organizational measures, and ongoing employee training are all important for ensuring ongoing compliance with GDPR regulations.
