Pavel Šabatka

Category: GTM

  • GTM in violation of the GDPR

    A court in Hanover, Germany, has ruled that the use of Google Tag Manager (GTM) violates the GDPR. This decision caught my attention because it does not concern a measurement or marketing platform, but GTM, which is supposed to be an “impartial trigger” for marketing codes.

    What exactly was the issue? And what impact will this have on measurement?

    The full text of the ruling is available on the Lower Saxony website. I am not a lawyer and I used Google Translate for the translation (I don’t speak German). Please do not take this article as legal advice, but as my view of the situation.

    How the website measurement was set up

    The exact solution is unknown, but it can be deduced from the defense:

    • The website used Google Tag Manager, which loaded immediately after the page was launched.
      GTM was set up to support Consent Mode 2. The default setting for all tags was “denied.”
    • A functional cookie bar was launched.
      I am not sure if it met the GDPR’s visual requirements for appearance (presence of all buttons, their size), but that is not the subject of this article.
    • Marketing and measurement codes were always triggered after consent was given.

    I would describe this as the “standard setting” according to Consent Mode 2.0 and Google’s recommendations. This is how most standard websites are set up.

    Between the lines…

    The ruling includes a relatively extensive argument as to why the current solution is unsatisfactory. Here I have selected a few key points (I have taken the liberty of shortening them and editing them slightly for readability). I have also added my own interpretation.

    Judgment: GTM is not a service expressly requested by website users, nor does it provide added value or functionality for the use of the website.

    GTM cannot therefore be considered technically necessary for the functionality of the website.

    Judgment: …GTM is necessary for economic reasons…, but this does not outweigh the rights of users…

    GTM cannot be loaded in the legitimate interest. The question is how the court would assess this if we were not talking about Google’s tag manager, but one from another provider.

    Judgment: Google Tag Manager is loaded from the domain www.googletagmanager.com

    Whenever you load anything from anywhere on the internet, you always transfer your IP address, cookies, and information about your device. This is part of the technology on which the internet is built, and it cannot be changed. In other words, if you load GTM from the domain www.googletagmanager.com, you are always providing personal data to Google. What’s more, you are sending data outside the EU. And you are doing so even before giving your consent.

    Judgment: The plaintiff uses the service for these purposes and claims that Google Tag Manager itself does not set or read cookies, but only the services managed by this tool.

    In my opinion, the plaintiff may be right in principle; GTM should not read cookies without consent. However, you cannot see its code and cannot say with certainty whether it actually does so or not.
    When GTM is loaded, IP addresses, cookies, etc. are definitely transferred.

    How to set up GTM

    Use Server-Side GTM (SGTM) or Google Tag Gateway? Another tool? What is the right way to do it?

    Unfortunately, the ruling does not specify this.

    Simply inserting GTM is not GDPR compliant, regardless of whether you have Consent Mode 2.0 set up or not.

    Let’s take a look at other options.

    Google Tag Manager

    We know that GTM is not technically necessary. We need a technical solution that will respect consent (first solution) or defend it as a legitimate interest (others).

    You have several options for working with GTM:

    1. Load GTM from the www.googletagmanager.com domain only after consent has been given.
      Block the script completely before consent is given. Some cookie bars allow this themselves. Or a programmer would have to help you with this.
      We respect the user’s consent to measurement.
      OK for me.
    2. Use of Google Tag Gateway
      GTG was created as a project by Google and Cloudflare. Technically, requests go from the browser through Cloudflare, where they are redirected to the Google endpoint. However, I have not found anywhere that Cloudflare removes the original IP address, cookies, etc.
      In the event of a dispute, I think this is rather indefensible, i.e., for me, rather NO.
    3. Using SGTM on Google Cloud
      If you host SGTM on Google Cloud Run, user data still goes to Google’s servers when GTM is loaded, even if it is your paid service.
      I’m not sure how the law would view this, but for me, it’s more of a NO.
    4. Using SGTM hosted outside the Google ecosystem
      Here, I assume that you are able to wrap SGTM with a firewall and have control over exactly what you send where.
      For me, it’s more of an OK.
    5. Use a proxy for GTM (or SGTM) and GTAG
      You can create your own “box” through which the request will flow, clean it up, and then pass the data on.
      OK with me.
    6. Use an alternative to GTM on your own hosting
      There are several alternatives to GTM, such as european-alternatives.eu or omr.com. If I use an alternative tool, ideally on my own hosting, I believe this may be in my legitimate interest.
      OK with me.

    Google Analytics 4 and Google Ads

    Without consent, GA4 and GAds send “anonymous pings” to Google servers in Consent Mode 2.0 by default. They do not place cookies. However, as mentioned above, whenever you send anything over the internet, the user’s IP address and other cookies valid for that domain are always transferred. As a result, anonymous pings are not anonymous.

    What to do next

    Google Tag Manager is not technically necessary for a website. And with the default settings, you won’t be able to play it off as a legitimate interest either.

    If you are a web analyst, keep in mind that Consent Mode 2.0 is no guarantee that everything is in order. And if you rely solely on this setting, then it may be time to rethink your approach. Especially if you manage measurements in Germany.

    If you are a website owner, check how exactly you have your measurements set up. Can you really defend the configuration if you receive a letter from the authorities?

    Need help with this?

    Write to me

  • What is server-side measurement?

    Have you heard of Google Tag Manager (GTM) measurement, which runs on a server? And did you know that it is the ideal way to speed up your website loading, increase your users’ privacy, or improve attribution evaluation for your marketing campaigns? Join us to find out what server-side measurement is good for and how it differs from classic measurement.

    How standard measurement works

    Most websites today use Google Tag Manager (GTM) to manage measurement. The GTM code is inserted into the HTML of the website, and when a user visits the website, the following happens:

    1. The client browser (i.e., the website visitor’s browser) downloads the GTM code.
    2. The browser processes the GTM code and runs other measurement codes from individual platforms (Facebook, Sklik, etc.) to which you want to send data from the website.
    3. Most of the measurement codes from individual platforms run in this way download their own JavaScript code, which then finds and processes the data it needs and sends it to its platform.

    Some measurement codes also wait for user actions on the website (such as downloading a file, scrolling, submitting a form) and then trigger further measurements.

    As mentioned above, all of this runs in the client browser, which puts a relatively heavy load on it. Even basic measurement codes on websites are at least 20 KB per platform, but Facebook, for example, downloads as much as 130 KB of data when loading a website.

    Processing takes some time, and sending increases the amount of data used by the page. This is a problem for many reasons – it slows down the loading of the website (especially on slower devices or mobile phones, the slowdown can be significant), it increases the volume of downloaded data (users with mobile phones with limited monthly data allowances will not thank you for this), it worsens your search ranking (speed is one of the key attributes for SEO), and measurement scripts have access to all information on the website and can theoretically do anything with it (even if it is personal data).

    What is server-side measurement?

    As the name suggests, server-side measurement is a way of using GTM where GTM is not part of the HTML page and does not run in the user’s browser. Instead, it runs on a server, such as Google Cloud. It is only on this server that the individual measurement codes are run.

    The standard GTM remains in the client browser, which sends data to the server-side GTM. Only then does it handle sending data to platforms such as Google Analytics, Facebook, etc.

    ‍To run server-side GTM, you always need a machine—either your own or one in the cloud. And you need to adjust your measurement settings.

    In addition to not forcing the user’s browser to download and send a lot of data, there are a number of other advantages that might interest you. Let’s take a closer look at them.

    What are the advantages of server-side GTM?

    Speed

    Speed is generally very important for websites. Google has been mentioning it for years as one of the factors that influence a website’s position in search results. Fewer measurement codes on a page means higher speed and thus better search rankings and more visitors. By the way, try testing how much time it takes to process measurement scripts on your website using PageSpeed Insights – look for information about third-party code:

    Example of how much time it takes to start loading measurement codes on a Alza.cz website

    Data protection

    If you enter sensitive data on a page (e.g., phone number, address, etc.), third-party scripts (Facebook, Sklik, etc.) embedded in standard GTM may have access to it. On the other hand, when measuring in server-side GTM, you can be sure that they will not access any data other than what you explicitly provide them with. This is because individual platforms only communicate with GTM on the server and cannot access the “raw” data collected by GTM in the client browser.

    And by the way, whether we like it or not, platforms always see at least the user’s IP address. If you use server-side GTM, platforms cannot access it unless you provide it to them.

    Reasonably set Content Security Policy

    Your website can use Content Security Policy (CSP) security settings. This typically applies to websites that work with sensitive or personal data. This setting tells the browser which domains (Facebook, Google Analytics, Sklik, etc.) it can download and run scripts from. And you have to list them all here. Can you see the problem? If you use multiple platforms, your CSP settings might look like this:

    And if you happen to forget to update something, oops…

    In such cases, managing all domains is complicated, and it is easy to forget to add or remove something. By using GTM on the server, the list of domains is shortened, saving you some of the hassle.

    Security

    If you deploy a script on your website, it can do a lot of things to your website. Including unpleasant things such as changing the content of the website, redirecting it to another website, or sending sensitive data from the website to China. This can happen by mistake or through negligence. And believe us, we’ve seen plenty of similar things. This cannot happen with server-side GTM because the codes are on the server and cannot reach the user’s browser at all.

    Data validation or enrichment

    If you want to validate and correct data in some way, you have extended options in server-side GTM. This is also a suitable solution if you want to enrich data, e.g., with margins on specific products. Typically, you do not want to send this to platforms from client-side GTM, where anyone can access such information.

    Data retention for attribution evaluation

    If you are a marketer dealing with attribution over a longer period of time, switching to server side may be an advantage for you. Some browsers (Safari or Firefox) typically aggressively delete cookies that are not httpOnly (i.e., it is clear that they are intended for marketing purposes and not for the technical functioning of the website) after 1 or 7 days. On the server side, you store such cookies yourself, so you don’t have to worry about losing data from customers using stricter browsers.

    100% data measurement

    If you wish, you can send data to server-side GTM directly from the server rather than from the client browser (see image below). This allows you to access virtually all data.

    Please note, however, that when processing personal data, you must still comply with GDPR and respect the user’s wish not to be measured. In other words, it is not appropriate to bypass user consent by downloading data directly from the web server.

    Why not server-side GTM?

    Of course, there are also disadvantages to using server-side measurement.

    • Price – as mentioned above, in order to run server-side GTM, you always need a machine – either your own or in the cloud. Both approaches cost money. With Google Cloud, for example, the price will most often range from free (for small websites) to $1,000 per month (for websites with tens of thousands of visits per day). On top of that, you have to add the costs of commissioning and more complex measurement adjustments, which require a programmer or analyst.
    • It does not work for all platforms—not all platforms currently support server-side measurement and require browser execution, such as Sklik. Among frequently used platforms, server-side measurement is supported by Google Analytics, Facebook, Mailchimp, and several others. So you often end up in a situation where only part of the code is in the server container, while the rest remains in classic GTM. However, even just part of the measurement running on the server side may make sense for you – consult with your analyst.

    We assume that in the future, support for the platform will bem přibývat a server-side bude dávat čím dál větší smysl.

    Does this make sense to me?

    Can’t imagine if this is for you? We think it definitely is if:

    • You send data to a large number of platforms (most often different GA accounts), which slows down your website.
    • You need to work with extremely sensitive data (e.g., social security number, ID card number, etc.) and want to protect it.
    • Many of your visitors use Safari or Firefox, which complicates long-term attribution.
    • You need to operate with product margins in your evaluations.
    • You need server measurement codes (typically for affiliate platforms), but you don’t want to bother programmers with it all the time.

    Do you see yourself in some of these cases, but you’re still not sure if a server-side solution is right for you?

    Let us know! We will discuss the pros and cons in your case with you, and if it makes sense, we will be happy to help you set up server-side measurement.

    Contact me
    Share on LinkedIN