Last Updated on September 22, 2023 by Growth Hackers Sthlm

Why you should care

Privacy regulations such as GDPR , CCPA, HIPAA and efforts by Apple, courts and governments to regulate the usage of personal data is currently repainting the landscape of digital growth. And remember that Google is also sunsetting third part cookies in 2023.

Marketing, tracking and analytics are affected by these initiatives as well as some of our old and proven tactics. We are still in somewhat murky waters where compliance is up to interpretation and companies take different positions based on their legal department’s perspective rather than clear guidelines. 

This has caused a lot of uncertainty and has forced many of us to reconsider our tech stacks. 

As of July 2020 the agreement that allowed data transfer between US and EU was deemed insufficient by the EU so using tools with servers in the US also puts you in a legal grey zone. Are you using Facebook ads and tracking or Facebook connect on your website with the associated pixel? What about Google, or TikTok? Then you are likely exposed to these problems as auditors can put you under scrutiny (with Google but there are other options that could be like Piwik or Snowplow). 

Besides, there are some other valuable benefits you can gain with SST such as improved page speed which has been shown to improve both Conversion rate, decrease Goolge Ads CPC (via increased Quality Score) and SEO.

Server Side Tagging

Luckily, there is a new way to track user data that remedies some of these problems (but not all), namely Server Side Tagging (SST). In this article we will focus on Google’s SST since the most common use-cases we come into contact with are companies running Google’s Universal Analytics or GA4.

Here’s our article on GA4 and how it differs from Universal Analytics.

It is important to note that there is still a lot of debate going on as to what is deemed acceptable by GDPR regulations and what is not, so while SST (with Google but there are other options that could be like Piwik) might not be the answer to all problems it will help you take better control of your data and provide somewhat of a safety net. Besides, there are some other valuable benefits you can gain with SST such as improved page speed which has been shown to improve both Conversion rate and SEO.

So what is new about SST? As the name implies, it essentially moves the handling and distribution of data from the browser to a privately owned server under your own subdomain. It’s not complicated per se, as it basically just means introducing a proxy for all the data to pass through, but it can be a bit tricky, and if you implement it right the implications are great. An SST solution essentially gives you full control over all data you collect, such that you can guarantee no data leaks to 3rd party vendors.

Difference between Server Side Tagging and Client Side Tagging

To understand Server Side Tagging better, let’s first have a recap on the current way of doing things, CST.

Currently multiple tags are set up to track different kinds of data directly in the browser. This data is collected per vendor (FB, Google etc.) basis, so the data is sent from the browser to the vendor. 

Everything happens in the browser thanks to JS code loaded by the user’s browser.

The way SST works is that instead of having multiple tags on the browser, or in a client container, all data is instead sent over one stream to a server that you own. The data owner then parses the data and chooses what parts are relevant to send onward to vendors. The server acts as a proxy such that it is possible to remove all PII and further clean the data. 

This is what we mean by full ownership, since it’s completely up to us what data is distributed.

Besides gaining data ownership, this also means that functionality can be moved to the server instead of having JS code being run in the browser. In theory, this will make it faster to load your site, especially if it has a lot of things going on that takes time (looking at you, reCaptcha verification). Site speed is one of the most crucial factors when it comes to SEO, so this can have a great impact on your brand.

So, how is this done?

A basic SST implementation guide

Prerequisites:

• Google Tag manager
• Google cloud platform
• Domain + subdomain

For the basic setup we are going to go ahead and create a server container using GTM. This is where we will later create our tags to configure how we want to distribute our data.

Next, we are going to use Google Cloud Platform to set up and connect a tagging server, which is the part that holds the data. We used an automatically provisioned server through GCP, but it is also possible to connect your own server

You should be aware that using GCP will incur a monthly cost for hosting your data however. Here’s a calculator to estimate the cost based on traffic. With relatively normal amounts we are talking about around 1-200 euros/month.

Once the server is connected you will see a verification like this

Note that the default URL of your server initially points to a GTM-instance. We will need to change this so that the URL instead points to our own subdomain. This will convert the 3rd party cookies we add into 1st party cookies.

Next, we need to set up a subdomain and verify ownership of it in GCP.

Following the GCP wizard for SST you will get a token that you add as text to your site for verification. 

When verified, we can connect our subdomain to the server. We chose to call our subdomain ‘collector.growthhackers.se’.

Finally we have to update our DNS records to enable security. This is something your developer should easily be able to fix.

After some dev help we now have a verified subdomain. Just make sure to assign the correct server url when you set up your server container in GTM, like so:

And that’s it! Now we have our basic environment setup and can start building tags for processing and sending data. 

Other things to take into consideration

There is one more thing I’d like to touch upon in this post, and that has to do with browser protection and transparency. Privacy-friendly browsers and tracker blockers such as extensions primarily work by blacklisting a collection of URLs that are used for sending data to. These are URLs such as the one the Facebook pixel sends data to. 

Auditors frequently scan the web for URLs like this and use them to see where websites send data. This is done to ensure that websites don’t track users if they opt out of cookies, among other reasons.

Since we now use 1st party cookies and send all data to our own subdomain, tracker-blockers won’t be able to see where data gets sent anymore, so we practically become invisible. It also makes the auditors’ jobs much harder. 

This means that we can circumvent blockers or cookie-compliances if we want to or if we are not careful. It gives us more responsibility to heed a user’s request of not being tracked, and making sure our cookie-banners work as intended.

Finally, it should be noted that SST is still quite new and was released out of beta in September 2021 (https://blog.google/products/marketingplatform/360/bring-performance-and-privacy-together-server-side-tagging/), so there might still be some bugs, like with all new software. So far we have not found anything severe but it might be good to keep in mind if you choose to implement SST.

Summary – Pros & cons

Pros

• Ownership of data. Connection from browser to 3rd party services is completely removed
• More control, make sure data is scrubbed of PII if needed. Insurance against data leaks
• Replacement for 3rd party browser cookies that will die soon
• Less JavaScript run in the browser => Better load speeds => Great for SEO and Google ads Quality score
• More possibilities (e.g. data enrichment)

Cons

• New paradigm for tagging, bears childhood diseases
• More development resources
• Server costs
• Makes it possible to circumvent browser tracking protections such as privacy-friendly browsers. Very important to make sure opt-out mechanisms work and are aligned with user settings
• Any products by US based companies might still be problematic under GDPR as seen in Schrems II

Written by Oscar Beronius