Server-side tracking

Server-side tracking is a method of data collection from websites or applications which differs from client-side tracking in that data is not collected directly from users' browsers via JavaScript and third-party scripts. [1]

In the context of digital analytics and marketing, this data includes events such as page views, button clicks, or transaction details. Data is usually first collected via front-end mechanisms, such as form submissions or tracking pixels. Instead of sending this information directly to external services like Google Analytics or Meta's Conversions API, the data is transmitted to an intermediary server. This server processes, validates, or enriches the data before forwarding it to the final data destination using server-to-server communication.

Background

Server-side tracking began in the 1990s alongside web analytics through the use of server log files. At that time, these logs recorded user interactions with websites, including data such as IP addresses, browser types, and timestamps. In its current form, the technology was first introduced by Google in 2020, [2] and its application expanded further alongside rising concern about user privacy and the ever-increasing use of ad blockers.

For this reason, Google initially announced the gradual phase-out of third-party cookies in 2022, [3] then postponed it to 2025, [4] and the plan is now on hold.

In the European Union, the General Data Protection Regulation (GDPR), which came into effect in 2018, introduced strict rules governing the collection, storage, and use of personal data. [5] [6] Among its core principles are transparency, data minimization, and purpose limitation, all of which challenge the assumptions and practices underpinning traditional client-side tracking.

In parallel, the state of California enacted the California Consumer Privacy Act (CCPA) in 2020, offering similar protections to California residents. [7] Regulatory scrutiny was accompanied by technical developments from browser vendors. For example, Apple's Safari browser implemented Intelligent Tracking Prevention (ITP), limiting the lifespan of cookies and reducing third-party tracking capabilities. Mozilla Firefox followed with Enhanced Tracking Protection, [8] and Google Chrome announced the deprecation of third-party cookies as part of its Privacy Sandbox initiative. [9]

These regulatory and technical changes created operational challenges for businesses relying on third-party data collection. Server-side tracking emerged as one potential model to maintain data flow while enabling more direct control over compliance, consent, and data integrity.

Similarly, Brazil has reinforced the importance of compliant data practices by enacting the Lei Geral de Proteção de Dados Pessoais in 2018. Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) also regulates the collection, use, and disclosure of personal data in the private sector, emphasizing accountability and transparency. [10] [11]

All these laws introduced stricter requirements for the collection and processing of personal data while highlighting the need for businesses to adopt transparent and compliant data practices, complicating traditional client-side tracking methods. [12] [13] [14]

Technical architecture

Server-side tracking involves a multi-step workflow that begins on the user-facing interface but redirects the transmission of data through a backend layer.

  1. A user interacts with a website or application. Typical actions include submitting a form, completing a purchase, or navigating to a new page.
  2. These events are captured by a data collection mechanism which forwards them to a custom or cloud-hosted server under the organization's control.
  3. The server processes the information. For example, it can transform the events by filtering out personally identifiable information (PII), mapping event types to the formats required by third-party endpoints, or appending contextual metadata such as geolocation or session duration.
  4. Once the information is processed, the server communicates with designated endpoints, such as analytics or marketing platforms, through HTTPS API requests, authenticating the transmission by using credentials or access tokens. [15] [16]
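
Steps 3 and 4 of the workflow above, as an added example that is not taken from any vendor's code. The endpoint URL, event names, field names, the consent flag and the token are assumptions made for illustration; the request is built but not sent, so the block runs offline.

```python
import json
import urllib.request
from typing import Optional

# All names below are assumptions for illustration, not a real vendor API.
DESTINATION_URL = "https://analytics.example/v1/events"  # hypothetical endpoint
EVENT_MAP = {"form_submit": "lead", "checkout_done": "purchase", "page_nav": "page_view"}
ALLOWED_FIELDS = {"page", "value", "currency"}  # allowlist: every other field is dropped


def process_event(raw: dict, session_start: float, now: float) -> Optional[dict]:
    """Step 3: validate, strip PII with an allowlist, map the type, add metadata."""
    kind = raw.get("type")
    if not isinstance(kind, str) or kind not in EVENT_MAP:
        return None  # unknown or malformed event type: do not forward
    if raw.get("consent") is not True:
        return None  # no recorded consent (assumed flag): do not forward
    # An allowlist fails closed: a new PII field added by the front end is
    # dropped by default, which a blocklist of known PII keys would not do.
    params = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
    params["session_duration_s"] = round(now - session_start)
    return {"event": EVENT_MAP[kind], "params": params}


def build_request(event: dict, access_token: str) -> urllib.request.Request:
    """Step 4: server-to-server HTTPS POST; the token never reaches the browser."""
    if not DESTINATION_URL.startswith("https://"):
        raise ValueError("destination must use HTTPS")
    return urllib.request.Request(
        DESTINATION_URL,
        data=json.dumps(event).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


# Constructed sample event as it might arrive from the front end (step 2).
SAMPLE = {"type": "checkout_done", "value": 49.9, "currency": "EUR", "consent": True,
          "email": "jane@example.com", "ip": "203.0.113.7", "page": "/thanks"}

if __name__ == "__main__":
    evt = process_event(SAMPLE, session_start=1000.0, now=1184.0)
    req = build_request(evt, access_token="PLACEHOLDER_TOKEN")
    print(req.get_method(), req.full_url)
    print(req.data.decode())  # email and ip are absent from the forwarded body
```

In a deployment the access token would be read from a secret store on the server rather than passed as a literal.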

References

  1. Iskandar, Taufan Fadhilah; Lubis, Muharman; Kusumasari, Tien Fabrianti; Lubis, Arif Ridho (2020). "Comparison between client-side and server-side rendering in the web development". IOP Science. doi:10.1088/1757-899X/801/1/012136.
  2. "Improve performance and security with Server-Side Tagging". Google. 2020-08-13. Retrieved 2025-05-11.
  3. "Building a more private web: A path towards making third party cookies obsolete". Chromium Blog. Retrieved 2025-05-11.
  4. "How We're Protecting Your Online Privacy - The Privacy Sandbox". Privacy Sandbox. Retrieved 2025-05-11.
  5. "Legal framework of EU data protection - European Commission". commission.europa.eu. Retrieved 2025-05-11.
  6. "The impact of the General Data Protection Regulation (GDPR) on artificial intelligence | Think Tank | European Parliament". Archived from the original on 2025-03-10. Retrieved 2025-05-11.
  7. "California Consumer Privacy Act (CCPA)". State of California - Department of Justice - Office of the Attorney General. 2018-10-15. Retrieved 2025-05-11.
  8. "Enhanced Tracking Protection in Firefox for desktop | Firefox Help". support.mozilla.org. Archived from the original on 2025-05-09. Retrieved 2025-05-11.
  9. "Third-party cookies". Privacy Sandbox. Retrieved 2025-05-11.
  10. "Lei Geral de Proteção de Dados Pessoais (LGPD)". Ministério do Desenvolvimento e Assistência Social, Família e Combate à Fome (in Brazilian Portuguese). Archived from the original on 2024-10-08. Retrieved 2025-05-11.
  11. Branch, Legislative Services (2025-03-04). "Consolidated federal laws of Canada, Personal Information Protection and Electronic Documents Act". laws-lois.justice.gc.ca. Retrieved 2025-05-11.
  12. "GDPR Compliance Guide: Updated for 2025". Compliance Hub Wiki. 2025-02-15. Retrieved 2025-05-11.
  13. "Art. 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject". General Data Protection Regulation (GDPR). Retrieved 2025-05-11.
  14. "ePrivacy Directive | European Data Protection Supervisor". www.edps.europa.eu. Retrieved 2025-05-11.
  15. "An introduction to server-side tagging | Google Tag Manager - Server-side". Google for Developers. Retrieved 2025-05-11.
  16. Fraihi, Asmaa El; Amieur, Nardjes; Rudametkin, Walter; Goga, Oana (2024). "Client-side and Server-side Tracking on Meta: Effectiveness and Accuracy". Proceedings on Privacy Enhancing Technologies. ISSN 2299-0984.