Eliya

Server-side Tracking - The Future Of Online Privacy And Efficiency

Writen by:
Saeed Omidi
18 min read

While transitioning from browser to server-side tracking is progressing for enhanced data control and privacy, concerns and key considerations still exist.

Server-Side Tracking - The Future of Online Privacy and Efficiency

Server-side tracking (SST) is an online tracking technique that transitions the tracking responsibility from the user's browser to a dedicated server. Rather than having the browser interact directly with third-party tracking domains, the browser transmits tracking information to the website's server, which subsequently transmits this data to the relevant third parties. This method contrasts with client-side tracking, where the user's browser directly interacts with third-party servers and retains cookies.

Before SST, the sole method for placing and executing tags was client-side tagging (CST). You might be asking, "Does server-side tagging replace client-side tagging?" The response is no, but it can significantly enhance and complement the operations carried out by client-side tags. Server-side tagging introduces an added layer of control between the user and the marketing vendor, enabling you to manage precisely what data the vendors receive.

Definition: Tagging refers to embedding code snippets into a website for tracking by a marketing team, partner, or tools like Google Analytics.

SST is built to circumvent tracking limitations posed by ad blockers and browser privacy settings that restrict third-party cookies. Because the tracking information originates from the website's server, it remains unaffected by these browser-centric restrictions.

Server-side tracking, a short history

Websites initially used first-party cookies for essential functions like remembering preferences. However, the advertising industry shifted to third-party cookies to track users across sites. This allowed advertisers to profile users and serve targeted ads, and it became the main source for attribution modeling.

As users became aware of online tracking, privacy concerns grew, leading to the use of technologies like ad blockers, VPNs, and privacy browsers. Major browser developers started eliminating third-party cookies, reducing client-side tracking effectiveness. For instance, Apple's Safari implemented Intelligent Tracking Prevention (ITP), while both Firefox and Safari block third-party cookies automatically.

These restrictions significantly impacted the ability of advertisers to track users effectively. As a result, the quality of such user data severely suffered, making attributions less reliable.

In 2020, Google introduced server-side tracking (SST) in response to these limitations. As a result, advertising platforms started promoting SST solutions. SST enables advertisers to send tracking data directly from their servers to advertising platforms, bypassing some of the restrictions of browser-based tracking.

How does Server-side tagging work?

A server container is a JavaScript application designed to operate in a Node.js server environment. This application is bundled as a Docker image, ensuring compatibility with various server environments and cloud services.

A Tag Manager server container operates alongside a Tag Manager web container or the gtag.js library. The client-side libraries are created to collect data from the web browser and transmit it to the server-side tagging system.

architecture of server-side tagging

If the tags you implement in an SST setup need to track user activities on a webpage or within an app, some tags must still operate in the browser or app. Since your server container functions solely in a server-side environment, it cannot access activities happening on a webpage or in an app. The container on your webpage or app relays information to the server container through network requests.

For instance, to gather data on user interactions on a webpage, such as clicking on the call to action button, scrolling, or form submissions, you still need the GA4 Configuration tag active in the web browser. This tag sends this data to the server-side tagging endpoint.

SST utilizes personal identifiers such as emails, phone numbers, and names, or fingerprinting data like IP addresses and user agents to connect website visitors with users' profiles.

What are the benefits of server-side tagging?

SST provides enhanced control over user data collection. It serves as a buffer between users and the vendors receiving this data.

Three primary reasons outline when and why to utilize server-side tagging:

  • Enhancing privacy settings
  • Boosting website or app efficiency
  • Elevating data quality

In this section, we highlight some of the key advantages of SST that marketers should consider when trying to understand the implications of this technology.

First-Party Context

The SST can employ first-party subdomains to disguise third-party trackers, creating the illusion that tracking originates directly from the site being visited. This technique permits SST to establish first-party cookies, which are not bound by the same limitations as other types of third-party cookies.

Navigating Browser restrictions

A major advantage of employing a first-party context for SST is its ability to circumvent certain privacy limitations set by browsers. Browsers generally impose stricter regulations on third-party cookies and tracking scripts compared to first-party cookies. For instance, browsers such as Safari automatically block third-party cookies, whereas they typically permit first-party cookies.

The tracking process bypasses these restrictions by sending tracking requests from a first-party subdomain, allowing it to continue even when third-party cookies are blocked.

Enhancing data quality with server-side tagging

As a result of bypassing Browsers' restrictions, the SST can collect higher-quality data, leading to a more accurate attribution.

By transferring data processing from the client to the server, marketers can leverage tools that improve data quality. For example, they can supplement the HTTP request with first-party data and personally identifiable information (PII) like full names, email addresses, and geolocation data. This leads to more possibilities and newer applications, such as lead scoring for B2B firms.

Enhancing data privacy, theoretically speaking

In contrast to CST, in SST, the data flows from the user's Browser to the company's server. In the server, marketers can control HTTP requests before sending them to third-party marketing vendors. This process brings the validation, parsing, and anonymization of the user's HTTP requests in-house and ensures higher privacy for your users.

The Server-side Tag Manager generally operates in a first-party context with the website from which it gathers data. This setup prevents vendors from utilizing third-party cookies within the server-side tagging environment. Additionally, it enables you to strengthen content security policies since the browser needs to interact with fewer third-party vendors, ultimately ensuring tighter privacy for your users.

Moreover, many commonly used fingerprint vectors, like IP addresses and various HTTP headers, can be concealed through server-side tagging. As a result, the vendor only detects a request from the server, not the actual user.

Difference between client-side and server-side tagging

Server-side tagging offers higher efficiency compared to client-side tagging

Web developers or website administrators are responsible for minimizing the website's load time on the user's browser. This leads to a better user experience and even improved search engine optimization (SEO).

Strong client-side performance is essential for any website aiming to capture user attention. However, marketing tags often lead to significant performance issues on the client side. The execution of diverse JavaScript code can compromise a website's performance and detract from the user experience.

With SST, the number of JavaScript code that runs on the user's Browser has significantly decreased. Developers only need to load the library that constructs the request, which, depending on the setup, will typically be the Google Tag.

The SST environment can integrate marketing-related libraries and resources. Utilizing the server as a Content Delivery Network (CDN) enables the addition of custom cache headers, compression methods, and temporary storage.

Server-side tagging: E-Commerce Case Study

Imagine your E-Commerce website bustling with activity, where users effortlessly add items to their carts and confidently make purchases. Your ultimate objective is to meticulously observe their actions, ensuring that there are no blind spots or interruptions in the process while keeping your website's performance efficient and minimizing privacy risks for your users. This is where SST becomes invaluable, offering a seamless and thorough understanding of user interactions while maintaining high performance, better security, and data privacy.

The SST process starts by routing event data, including adding items to the cart and finalizing purchases, from your website on the user's browser to your server container.

Your server gathers all purchase information. It may function as a server-side container within Google Tag Manager (GTM). Importantly, these data streams should be directed through your primary domain URL, guaranteeing your complete control over the process.

After the data arrives at the server, you must set up the destinations for this information. Destinations are where the data is finally directed. For example, you can set your server to transmit events and conversions to Facebook

Configurations could vary when using various channels. For instance, Facebook might require you to send both server-side events and client-side pixel events. However, other platforms may not require both forms of tracking.

Tracking is the collection and analysis of user interaction data. When an important event, like a purchase, happens, your server processes this data. It sends transaction details—items purchased, the amount spent, and user information—to the right analytics or storage service. This allows you to monitor consumer behavior, evaluate marketing effectiveness, and enhance customer experience using insights gained from the data.

Breakdown of setting up Server-side tracking

Setting up SST involves several steps, including initial configuration, implementation, and data management. SST aims to transfer tracking activities from the user's browser to a server, providing benefits like improved performance and better control over data.

Here's a breakdown of the typical setup process, drawing from the sources:

  • Choosing an SST Method: Choosing between direct code integration or using no-code solutions.
    • Direct Code Integration: This requires utilizing a Software Development Kit (SDK) like the Facebook Business SDK for Python to establish a direct connection between a website's server and the targeted advertising platform.
    • No-Code Solutions: Several no-code options exist - see the "Server-side tagging solutions" section for some examples.
  • Configuration and Account Setup:
    • Registering as an Advertiser: To use SST with platforms such as Meta, you must register as an advertiser.
    • Setting Up Accounts with Data Collectors: When utilizing a Tag Management System such as Google Tag Manager, publishers must establish an account on the Data Collector's website.
    • Creating Unique IDs: The Data Collector assigns a distinct ID for every Tag and website combination.
  • Implementing the SST Connection:
    • Direct Link: The Conversions API creates a direct link between the website servers and the technologies of the advertising platform.
    • Utilizing Tag Management Systems (TMS): After selecting and configuring tags in GTM, a distinctive "GTM Web Container" is created. This is a JavaScript library housing all selected tags.
  • Data Collection and Transmission:
    • Choosing Events: Advertisers can send a variety of events, like click or scroll.
    • Adding Customer Details: SST allows for the inclusion of additional customer details that are not typically available in the browser, such as past purchases or personally identifiable information (PII).
    • Data types: SST can transmit data such as IP addresses, user agent details, geolocation, and first-party cookies set by client-side trackers.
    • Dispatching Tracking Data: SST enables the browser to send a single request to the SST server, relaying the tracking data to the appropriate third party.
  • Cloaking (Optional): To enhance data collection and bypass certain limitations, companies might implement a custom DNS setup that conceals their tracking server behind a first-party subdomain, like sst.site.com, instead of a third-party domain.
  • Consent Management: With Google Consent Mode, tags can modify their behavior based on a user's consent settings.
  • Verification and Testing: It is essential to implement website verifications to ensure that users can access the website correctly, such as on the appropriate type of device, using a compatible browser, and not using a VPN or filter lists.
    • Event Endpoints: Within the Event Manager, advertisers can establish event "Datasets," which function as endpoints for events transmitted from their websites.

After implementation, SST enables data to flow directly from the website’s server to a selected platform or service, circumventing some limitations associated with client-side tracking. Nonetheless, this approach also prompts concerns regarding transparency and user privacy.

Key considerations with server-side tagging

In this section, we highlight some of the important considerations, concerns and potentially disadvantages of SST.

Lack of Transparency

First-party SST obscures which third parties track users and auditors since requests aren't sent directly to third-party domains. This lack of visibility contradicts the transparency principle outlined in data protection regulations.

SST presents significant challenges for auditing and verifying its legality. With the introduction of legal frameworks like GDPR, it became feasible to ensure that the actions occurring on a webpage align with the declarations in a privacy policy. An auditor could simply use her browser and necessary tools to track various requests sent to third parties, allowing for remote checks. However, SST changes this narrative. Although it shares the same legal foundation as traditional tracking servers, the presence of an additional SST server fundamentally alters how regulators conduct audits and assess its legality.

Potential for False Matches

Server-side tracking can lead to false matches because it frequently depends on device fingerprinting. When matching relies on IP addresses and user agents, there is a risk of linking a website visitor to the wrong user profile.

Research indicates that the Pixel can attain a 100% match accuracy using third-party cookies. In contrast, server-side tracking—dependent on IP addresses, user agents, and IP address-based geolocation—only achieves an accuracy rate of 60% to 65%. This suggests that the Conversions API erroneously matches over one-third of our website visitors. Consequently, advertisers using server-side tracking with solely fingerprinting data risk wasting one-third of their retargeting ad budget (read the original research here)

Empowers third-party vendors

Unlike traditional tracking methods, SST empowers third parties, such as Google, by circumventing the Same-Origin Policy, which allows them to gather unprecedented amounts of data by serving as a conduit for other players in the advertising sector.

SOP is a security feature in web browsers. SOP usually restricts scripts from one origin from accessing resources of another origin. However, if a third-party service functions under a first-party subdomain, it can access cookies created by the primary domain, thus breaching SOP.

Therefore, even though third-party cookies are being largely eliminated in major Browsers, the shift towards user tracking within a first-party framework introduces numerous new challenges that the cookie phase-out aims to address.

Extra cost and overhead

Implementing API integration for server-side tracking requires developing additional systems, leading to increased costs and resource needs. Many platforms may hesitate to invest in this if their current client-side setup is already working effectively.

Evasion of Filter Lists

Trackers that were once blocked by filter lists can now bypass these measures by shifting to the server side. This complicates efforts to manage web tracking and safeguard user privacy via domain blocking.

Legal and Regulatory Challenges

SST complicates the verification of compliance with transparency obligations. Since tracking occurs on the server side, auditors must access the SST server to identify existing trackers and determine if they align with the appropriate legal basis, thus complicating adherence to regulations like GDPR. This lack of transparency can also hinder end users from exercising their rights, such as the right to access their data, as it becomes ambiguous whom to reach out to for data access.

Server-side tagging solutions

In this section, we review two main SST solutions by Google and Meta.

Google Tag Manager

Google Tag Manager (GTM) is a Tag Management System (TMS) developed by Google that allows website publishers to install and manage various third-party JavaScript scripts, known as "tags," on their websites. GTM's SST allows marketers to move tag code off of their website or app and into the Cloud.

The Google Tag Manager API allows authorized users to access Tag Manager configuration data. Marketers can utilize this API to manage accounts, containers, container versions, tags, rules, triggers, variables, and user permissions.

Meta's Conversions API

Meta’s server-side tracking system, called the Conversions API (CAPI), creates a direct link between the servers of a website and Meta's technologies. Since it operates without relying on browser cookies, CAPI offers a strong tracking solution. Advertisers have the ability to send various events, from standard to custom ones. Moreover, they can improve tracking data by adding customer information that is generally unavailable through the browser, like previous offline purchases. To associate the tracking data from website visitors with the users, advertisers are able to transmit personally identifiable information (PII), including full names, email addresses, geolocation data, and even IP addresses.

Additionally, advertisers can utilize both the Meta Pixel and CAPI on their website. This allows them to send the first-party cookies set by the Pixel for each site visitor through server-side connections.

The future of Server-side tagging

The future of SST will be shaped by the decline of third-party cookies, new privacy regulations, and advances in tracking technologies. Here are potential future trends for SST based on the sources:

  • Increased Adoption: With third-party cookies being phased out, websites and advertisers are exploring alternatives to track users and measure ad effectiveness. SST offers a way to bypass browser restrictions on client-side tracking, leading to increased use of SST among companies to sustain their tracking capabilities.
  • Growing Sophistication: As SST spreads, techniques will advance. This includes hiding tracking servers behind first-party subdomains to evade detection. Methods like CNAME cloaking (masking third-party servers behind first-party subdomain servers) are already seen and may grow more sophisticated.
  • Emphasize First-Party Data: With third-party data harder to access, the focus shifts to first-party data from SST. This includes client-side and server-side data, supplemented by server details. Using first-party subdomains in SST masks third-party tracking as first-party, overcoming privacy limitations and enhancing data collection beyond client-side tracking capabilities.
  • Challenges for Privacy Tools: Traditional privacy tools like ad blockers struggle to block SST since tracking mechanisms move to the server side, making them less visible to browsers. Thus, new methods are needed to identify and prevent SST, possibly requiring collaboration among browser vendors, standards organizations, and regulators to formulate effective strategies for user privacy protection.
  • Enhanced Data Collection: SST gathers a broader range of data, including hard-to-track personally identifiable information (PII) and user activity. This results in more precise user profiles and better re-targeting opportunities. Techniques like fingerprinting may also enhance user identification.
  • Legal and Ethical Examination: The rise of SST likely brings increased legal scrutiny. The unclear purpose of cookies in SST complicates compliance with GDPR and the ePrivacy Directive. Moreover, hiding third-party trackers within first-party subdomains obstructs regulators' evaluation of data protection compliance.
  • Updated Auditing Techniques Needed: The SST transition requires innovative auditing methods to ensure compliance with privacy regulations. Traditional client-side monitoring may not verify SST legality. Therefore, regulators might need to inspect SST servers to identify current trackers and their compliance with data processing laws.

Conclusion

In summary, the main risks associated with SST stem from its ability to hide tracking activities, bypass conventional privacy measures, and create challenges for users and regulators alike to comply with data protection regulations. The shift to server-side tracking makes it more difficult to detect, manage, and verify the legality of online tracking methods.

The future of SST is complex and evolving. It offers advertisers benefits for data collection and overcoming tracking limitations, yet poses significant privacy and regulatory concerns. This field continually changes, with efforts to develop privacy-focused technologies and new tracking methods that could evade current protections. Users, researchers, policymakers, and website administrators must understand the opportunities and challenges of server-side tracking.

Featured Posts