Category: GDPR

  • GTM in violation of the GDPR

    A court in Hanover, Germany, has ruled that the use of Google Tag Manager (GTM) violates the GDPR. This decision caught my attention because it does not concern a measurement or marketing platform, but GTM, which is supposed to be an “impartial trigger” for marketing codes.

    What exactly was the issue? And what impact will this have on measurement?

    The full text of the ruling is available on the Lower Saxony website. I am not a lawyer and I used Google Translate for the translation (I don’t speak German). Please do not take this article as legal advice, but as my view of the situation.

    How the website measurement was set up

    The exact solution is unknown, but it can be deduced from the defense:

    • The website used Google Tag Manager, which loaded immediately when the page was opened.
      GTM was set up to support Consent Mode 2. The default setting for all tags was “denied.”
    • A functioning cookie bar was in place.
      I am not sure whether it met the GDPR’s visual requirements (presence of all buttons, their size), but that is not the subject of this article.
    • Marketing and measurement codes were only triggered after consent had been given.

    I would describe this as the “standard setting” according to Consent Mode 2.0 and Google’s recommendations. This is how most standard websites are set up.

    Between the lines…

    The ruling includes a relatively extensive argument as to why the current solution is unsatisfactory. Here I have selected a few key points (I have taken the liberty of shortening them and editing them slightly for readability). I have also added my own interpretation.

    Judgment: GTM is not a service expressly requested by website users, nor does it provide added value or functionality for the use of the website.

    GTM cannot therefore be considered technically necessary for the functionality of the website.

    Judgment: …GTM is necessary for economic reasons…, but this does not outweigh the rights of users…

    GTM cannot be loaded on the basis of legitimate interest. The question is how the court would assess this if we were not talking about Google’s tag manager, but one from another provider.

    Judgment: Google Tag Manager is loaded from the domain www.googletagmanager.com

    Whenever you load anything from anywhere on the internet, you always transfer your IP address, cookies, and information about your device. This is part of the technology on which the internet is built, and it cannot be changed. In other words, if you load GTM from the domain www.googletagmanager.com, you are always providing personal data to Google. What’s more, you are sending data outside the EU. And you are doing so even before giving your consent.

    Judgment: The plaintiff uses the service for these purposes and claims that Google Tag Manager itself does not set or read cookies, but only the services managed by this tool.

    In my opinion, the plaintiff may be right in principle; GTM should not read cookies without consent. However, you cannot see its code and cannot say with certainty whether it actually does so or not.
    When GTM is loaded, IP addresses, cookies, etc. are definitely transferred.

    How to set up GTM

    Use Server-Side GTM (SGTM) or Google Tag Gateway? Another tool? What is the right way to do it?

    Unfortunately, the ruling does not specify this.

    Simply inserting GTM is not GDPR compliant, regardless of whether you have Consent Mode 2.0 set up or not.

    Let’s take a look at other options.

    Google Tag Manager

    We know that GTM is not technically necessary. We need a technical solution that either respects consent (the first option below) or can be defended as a legitimate interest (the others).

    You have several options for working with GTM:

    1. Load GTM from the www.googletagmanager.com domain only after consent has been given.
      Block the script completely before consent is given. Some cookie bars can do this themselves; otherwise a programmer will have to help you with this.
      We respect the user’s consent to measurement.
      OK for me.
    2. Use Google Tag Gateway
      GTG was created as a project by Google and Cloudflare. Technically, requests go from the browser through Cloudflare, where they are redirected to the Google endpoint. However, I have not found anywhere that Cloudflare removes the original IP address, cookies, etc.
      In the event of a dispute, I think this is rather indefensible, so for me it is rather a NO.
    3. Use SGTM on Google Cloud
      If you host SGTM on Google Cloud Run, user data still goes to Google’s servers when GTM is loaded, even if it is your paid service.
      I’m not sure how the law would view this, but for me, it’s more of a NO.
    4. Use SGTM hosted outside the Google ecosystem
      Here, I assume that you are able to put SGTM behind a firewall and have control over exactly what you send where.
      For me, it’s more of an OK.
    5. Use a proxy for GTM (or SGTM) and GTAG
      You can create your own “box” through which the requests flow, clean them up, and only then pass the data on.
      OK with me.
    6. Use an alternative to GTM on your own hosting
      There are several alternatives to GTM (lists can be found at european-alternatives.eu or omr.com). If I use an alternative tool, ideally on my own hosting, I believe this may be in my legitimate interest.
      OK with me.

    Google Analytics 4 and Google Ads

    Without consent, GA4 and GAds send “anonymous pings” to Google servers in Consent Mode 2.0 by default. They do not place cookies. However, as mentioned above, whenever you send anything over the internet, the user’s IP address and other cookies valid for that domain are always transferred. As a result, anonymous pings are not anonymous.

    What to do next

    Google Tag Manager is not technically necessary for a website. And with the default settings, you won’t be able to pass it off as a legitimate interest either.

    If you are a web analyst, keep in mind that Consent Mode 2.0 is no guarantee that everything is in order. And if you rely solely on this setting, then it may be time to rethink your approach. Especially if you manage measurements in Germany.

    If you are a website owner, check how exactly you have your measurements set up. Can you really defend the configuration if you receive a letter from the authorities?

    Need help with this?

  • Cookie bars finally in Czechia

    The Chamber of Deputies has passed an amendment to the Electronic Communications Act. This brings fundamental changes to the use of cookies on websites. Although the law is still awaiting the president’s signature, it is likely to come into force on January 1, 2022. What does this mean and what needs to be done before then?

    What exactly is changing?

    Until now, the Electronic Communications Act has applied the opt-out principle, which means that when a user visits your website, you notify them that you use cookies, but you start using them immediately after they arrive on the website. Typically, this takes the form of a banner stating “This website uses cookies. By using this website, you agree to this practice.”

    Users will now be required to give their explicit consent to the use of cookies, e.g., by clicking an “I agree” button. Only then can cookies and other similar technologies be used. This is how the idnes.cz server handles consent:

    Notes:

    • The law also applies to similar technologies, such as browser storage. It is therefore not possible to simply replace cookies with another technology that stores data on the user’s computer.
    • The law does not apply to technically necessary cookies, such as those required for logging into a service or saving an e-shop shopping cart.

    What does this mean in practice?

    Cookies are used by many tools on the web. These include, for example:

    • measurement tools – Google Analytics, Hotjar, Smartlook, etc.,
    • remarketing platforms – Google Ads, FB pixel, Sklik Remarketing, etc.,
    • conversion codes – Google Ads, FB pixel, Sklik Remarketing, etc.,
    • affiliate measurement codes – CJ, AffilBox, etc.,
    • chat tools – SmartSupp, etc.,
    • videos embedded in websites – YouTube, Vimeo, etc.,
    • social media buttons for sharing or commenting – FB like box, etc.,
    • and more.

    All these platforms and tools will need to be modified so that they do not use cookies without users’ consent. If you manage a website or e-shop, you will almost certainly have a lot of work ahead of you.

    However, in addition to the technical adjustments themselves, the change will have other consequences. Some users will not give you their consent to use cookies (you can assume this will be more than 50%), and some of the consequences can already be predicted:

    • Drastic reduction in the performance of remarketing and RTB campaigns – you will not be able to target remarketing ads to users who have not given their explicit consent. In practice, this could be half of all users in the best-case scenario. Operators are trying to work around this; e.g., AdFom has introduced the concept of First-Party ID.
    • Inaccurate data in Google Analytics – even without cookies, you can run the Google Analytics code, but users without consent will appear as single-page visits (bounces). Each additional page will be counted as a new visit and a new user. It will therefore be quite difficult to evaluate conversions even within sessions, and multi-channel funnels will be almost impossible.
    • The end of campaign evaluation in marketing platform interfaces – the number of conversions recorded by conversion codes (Google Ads, Sklik, Heureka, Zboží, etc.) will be significantly distorted. Data for campaign optimization will be difficult to use in these platforms.
    • Impact on affiliate platforms and their partners – they use cookies to credit the commission to the partner who brought in the conversion. So, in the best-case scenario, partners will lose 50% of credited conversions. We expect them to switch to a different method of crediting conversions, such as discount codes.

    The problem with campaign evaluation

    Google Analytics will have a problem attributing conversions to individual sources. Let’s imagine a situation where a user comes to the website from Google/CPC, browses through four pages, and makes a purchase on the website. This may now look something like this:

    Now (with cookies), we can see in GA where the user came from and how much they spent during that visit. But what will happen during the consent period? Let’s take two examples:

    User does not give consent

    In the same case where we display a cookie bar on the home page to the user, but the user clicks “I do not agree”:

    Google Analytics sends pings to its server that carry information about whether consent has been given or not. If cookies cannot be set, the entire session will not appear in Google Analytics.

    The user gives consent on the second page

    Okay, but what happens if the user agrees, but not immediately on the first page?

    In such cases, we still lose information about the original source. Consent must therefore be obtained as soon as possible. If the user does not give consent on the first page, this will have a significant impact on campaign evaluation.

    Google Analytics 4 can partially fill in the gaps in the data—for conversion tracking, it can assign some conversions to their sources based on conversion modeling estimates. Data on visitor behavior (which pages they viewed, website flow, etc.) will be missing. In Universal Analytics, all data will be missing.

    What needs to be done?

    There are several basic steps you need to take:

    1. Mapping – you need to write down what tools you actually use and how these tools use cookies. You also need to write down the internal processes that use these tools and describe how the changes will affect them.
    2. Deploying a consent management tool – you can choose one of the existing (mostly paid) tools or create your own.
    3. Technical modification of measurement and marketing platforms – you will need to modify the launch of marketing platforms so that they respect user consent. If you use Google Tag Manager, this will be easier for you. If not, we recommend you start doing so.
    4. Technical modification of the website – typically, this involves videos embedded on your website, Facebook and other sharing buttons, etc., which are embedded directly into the website by your programmers. They will need to stop doing this. For example, instead of a video, they could display a static image and only load the video after the user clicks on it.
    5. Process modification – do you optimize campaigns? Do you generate reports from Google Analytics? Think about how you will do this in the future.
    6. Paperwork – we recommend taking this opportunity to review whether you have contracts with entities that process your data (or have access to it).
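    Steps 3 and 4 above, and option 1 of the GTM article (block the GTM script until consent), come down to the same mechanism, shown here as an added example that is not code from the original posts: nothing third-party is inserted into the page until the visitor has acted. The `ConsentGate` class, the `insert` callback, the “embed” container id, the thumbnail path and the GTM/video ids are my assumptions.

```javascript
// Added example (not from the original posts): one consent gate for third-party
// code. `insert(kind, src)` is a hypothetical callback that does the DOM work.
class ConsentGate {
  constructor(insert) {
    this.insert = insert;     // (kind, src) => void, performs the actual insertion
    this.granted = false;     // default "denied", as with Consent Mode 2.0
    this.pending = [];        // script URLs queued until consent
  }
  // Queue a third-party script instead of putting it in <head> straight away.
  script(src) {
    if (this.granted) this.insert('script', src);
    else this.pending.push(src);
  }
  // "I agree" callback: flush the queue in order; on "I do not agree" nothing is ever flushed.
  grant() {
    this.granted = true;
    const queue = this.pending;
    this.pending = [];
    queue.forEach((src) => this.insert('script', src));
  }
  // Checklist step 4: a static image now; the iframe only after the click.
  clickToLoad(thumbnailSrc, iframeSrc) {
    this.insert('img', thumbnailSrc);               // served from our own host
    return () => this.insert('iframe', iframeSrc);  // wire to a click on the container
  }
}

// Real DOM insertion for the browser (not exercised under Node); assumes a
// container element with id "embed" exists for the thumbnail and the iframe.
function browserInsert(kind, src) {
  const el = document.createElement(kind);
  el.src = src;
  if (kind === 'script') { el.async = true; document.head.appendChild(el); return; }
  const box = document.getElementById('embed');
  if (kind === 'iframe') box.replaceChildren(el); else box.appendChild(el);  // iframe replaces the thumbnail
}

// Replays the article's scenario and returns what was requested, in order.
// GTM container id and video id are placeholders.
function simulate(consentGiven, videoClicked) {
  const requested = [];
  const gate = new ConsentGate((kind, src) => requested.push(`${kind}:${src}`));
  gate.script('https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX');
  gate.script('https://connect.facebook.net/en_US/fbevents.js');
  const play = gate.clickToLoad('/img/video-thumb.jpg', 'https://www.youtube.com/embed/VIDEO_ID');
  if (consentGiven) gate.grant();
  if (videoClicked) play();
  return requested;
}
```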

    Don’t wait!

    The regulation comes into effect on January 1, 2022, and setting up cookie bars is not a matter of a few minutes’ work. It will also take you some time to experiment and test how the data collected in the new way will look and which cookie bar formats bring you the highest opt-in rate. Get started as soon as possible!