SignalBridge
Is server-side tracking GDPR compliant?
Server-side tracking is GDPR-compliant when implemented correctly. It is not inherently compliant or non-compliant — compliance depends on how you collect data, what legal basis you rely on, what data you send to third parties, and how you honor user consent choices.
The GDPR does not ban tracking or conversion measurement. It requires that personal data processing has a lawful basis, that users are informed, and that their rights are respected. Server-side tracking can satisfy all these requirements while recovering the 20–40% of conversions that browser-based pixels miss.
Why server-side tracking is better for GDPR compliance
Traditional browser-based tracking has a fundamental GDPR problem: once a pixel fires in the user's browser, you lose control over what data the third-party platform collects. Meta's pixel, Google's gtag, and TikTok's pixel all execute JavaScript in the visitor's browser, potentially collecting data you didn't intend to share.
Server-side tracking flips this model. Your server acts as an intermediary:
- You control what data is collected — your server captures events from your own infrastructure
- You control what data is shared — you decide exactly which fields to forward to ad platforms
- You can strip PII — remove or hash personal data before it leaves your server
- You maintain an audit trail — every event sent is logged and verifiable
- You can honor consent in real-time — only send events for users who have given consent
This data control is exactly what GDPR Article 25 (Data Protection by Design) envisions.
The legal framework for server-side tracking
Personal data under GDPR
Under Article 4(1), personal data is any information relating to an identified or identifiable natural person. For server-side tracking, the following constitute personal data:
| Data Point | Personal Data? | Notes |
|---|---|---|
| Hashed email | Yes | Pseudonymized, not anonymized — still identifiable |
| IP address | Yes | ECJ ruled IPs are personal data (Breyer v Germany, 2016) |
| Phone number hash | Yes | Same as hashed email |
| Purchase amount | Depends | Personal if linkable to an individual |
| Page URL visited | Depends | Personal if contains user ID or identifiable parameters |
| Event timestamp | No | Not identifiable on its own |
| Product category | No | Aggregate, not personal |
| Device type | No | Too generic for identification alone |
Even hashed data is personal data under GDPR. Hashing is pseudonymization (Article 4(5)), not anonymization. The original data can still be re-identified by the party that holds the mapping.
Legal bases for server-side tracking
You need one of these legal bases under Article 6(1) to process personal data through server-side tracking:
1. Consent (Article 6(1)(a))
- User explicitly agrees to tracking via a cookie banner or consent management platform
- Must be freely given, specific, informed, and unambiguous
- Can be withdrawn at any time
- Required for advertising cookies under ePrivacy Directive
2. Legitimate Interest (Article 6(1)(f))
- You have a legitimate business interest in conversion measurement
- The processing is necessary for that interest
- It doesn't override the individual's rights and freedoms
- You must document a Legitimate Interest Assessment (LIA)
- Typically valid for first-party analytics and basic conversion tracking
- Weaker legal basis for sharing data with third-party ad platforms
3. Contract Performance (Article 6(1)(b))
- Processing is necessary to fulfill a contract with the user
- Limited applicability — order processing and delivery tracking qualify, but ad optimization doesn't
The ePrivacy dimension
The ePrivacy Directive (soon to be replaced by the ePrivacy Regulation) adds another layer. Under Article 5(3):
- Storing or accessing information on a user's device requires consent (with narrow exceptions)
- This covers cookies, localStorage, and device fingerprinting
- Server-side tracking that doesn't access the user's device may avoid this requirement
This is where server-side tracking has a structural advantage: if your server receives a webhook from your payment processor saying "order completed," and forwards that event to Meta CAPI without ever storing anything on the user's browser, the ePrivacy cookie consent requirement may not apply to that specific data flow.
However, if you're using a JavaScript tag to capture the user's email or behavior before sending it server-side, ePrivacy consent requirements still apply to that initial collection.
How to implement GDPR-compliant server-side tracking
Step 1: Implement a Consent Management Platform (CMP)
Before any tracking, you need a CMP that:
- Displays a cookie banner to EU/EEA visitors
- Collects granular consent (analytics, advertising, functional)
- Stores consent records for audit purposes
- Integrates with Consent Mode v2 for Google services
Popular GDPR-compliant CMPs:
- Cookiebot — from €12/mo
- OneTrust — enterprise
- Usercentrics — from €9/mo
- CookieYes — free tier available
Step 2: Configure Consent Mode v2
Consent Mode v2 communicates consent decisions to Google services. Configure it to:
- Set
ad_storage,ad_user_data,ad_personalization, andanalytics_storagebased on consent - Use Advanced Mode for site-specific conversion modeling from cookieless pings
- Ensure your CMP automatically updates consent signals on user interaction
Step 3: Set up server-side tracking with consent gating
Your server-side tracking implementation must respect consent. There are two approaches:
Approach A: Only track consenting users
- Check consent status before sending any server-side event
- If user declined advertising consent → don't send events to ad platforms
- Simplest, most conservative approach
- Leaves 40-60% of EU conversions untracked (those who decline)
Approach B: Track all conversions, restrict data sharing based on consent
- Capture all conversion events on your server (first-party data you own)
- For consenting users → send full event with email, phone, IP to ad platforms
- For non-consenting users → send conversion event WITHOUT personal identifiers
- Ad platforms receive the signal "a conversion happened" but can't tie it to an individual
- Relies on legitimate interest for basic conversion counting
Approach C: Hybrid with Consent Mode v2 (recommended)
- Use Consent Mode v2 for Google services (handles their compliance requirements)
- Use server-side tracking for all events with consent-aware data sharing
- Consenting users: full first-party data enrichment (email hash, phone hash, IP)
- Non-consenting users: anonymized event (no PII, just conversion type and value)
- Document this approach in your privacy policy and LIA
Step 4: Configure data minimization
GDPR Article 5(1)(c) requires data minimization. For server-side tracking:
- Only send data fields that are necessary for the stated purpose
- Don't send raw email — send SHA-256 hashed email
- Don't send full IP — truncate the last octet (192.168.1.xxx)
- Don't send phone number unless required for match quality
- Set data retention limits (delete raw event logs after 90 days)
- Don't collect data "just in case" — every field needs a purpose
Step 5: Update your privacy policy
Your privacy policy must disclose:
- That you use server-side conversion tracking
- Which platforms receive data (Meta, Google, TikTok, etc.)
- What data is shared (hashed email, conversion events, purchase values)
- The legal basis for processing (consent and/or legitimate interest)
- How users can opt out or withdraw consent
- Data retention periods
- Any international data transfers (EU → US, covered by the EU-US Data Privacy Framework)
Step 6: Maintain a Record of Processing Activities (ROPA)
Under Article 30, document:
- Purpose: conversion tracking and ad platform optimization
- Legal basis: consent (advertising) / legitimate interest (analytics)
- Data categories: hashed identifiers, purchase events, page views
- Recipients: Meta, Google, TikTok (data processors)
- Retention: 90 days for raw events, 24 months for aggregate analytics
- Safeguards: SHA-256 hashing, TLS encryption, EU-US DPF adequacy decision
Server-side tracking vs. browser pixels: GDPR comparison
| Aspect | Browser Pixels | Server-Side Tracking |
|---|---|---|
| Data control | Low — third-party JS runs in browser, collects what it wants | High — you decide exactly what to send |
| Consent enforcement | Depends on tag manager blocking | Direct — don't send if no consent |
| Audit trail | Difficult — no log of what pixels actually transmitted | Complete — every event logged server-side |
| Data minimization | Hard to enforce on third-party scripts | Easy — strip fields before forwarding |
| International transfers | Hidden — pixel may send data to US servers without your knowledge | Transparent — you control the API calls |
| Ad blocker impact | 30-40% of data lost (blocked pixels) | Not affected (server-to-server) |
| ePrivacy compliance | Requires consent (accesses user's browser) | Partial bypass (server events from webhooks don't access device) |
Common GDPR mistakes with server-side tracking
Mistake 1: Assuming server-side = no consent needed
Server-side tracking still processes personal data. You still need a legal basis. The difference is that you have more control over what's processed and shared — but the obligation remains.
Mistake 2: Sending unhashed PII to ad platforms
Never send raw email addresses or phone numbers to Meta CAPI or Google Enhanced Conversions. Always hash with SHA-256 before transmission. Both platforms accept and expect hashed data.
Mistake 3: Ignoring consent for advertising data sharing
Even with legitimate interest for first-party analytics, sharing data with third-party ad platforms for advertising purposes typically requires consent under ePrivacy. Don't conflate "I can track" with "I can share with Meta."
Mistake 4: No consent record keeping
You need proof of when and how consent was obtained. Store consent records (user ID, timestamp, consent categories, version of consent text) for at least the duration of your data processing.
Mistake 5: Treating hashed data as anonymous
SHA-256 hashed emails are pseudonymized data, not anonymous data. GDPR still applies. Meta and Google can match hashes to real users — that's the entire point of Enhanced Conversions and Advanced Matching.
How SignalBridge handles GDPR compliance
SignalBridge is designed for GDPR-compliant server-side tracking:
- Consent-aware event delivery — configure whether non-consenting user events include PII
- First-party data control — all events flow through your own infrastructure first
- Automatic PII hashing — email and phone are SHA-256 hashed before delivery to platforms
- Custom first-party domains — events are sent from your domain, not a third-party domain
- Data retention controls — configure how long raw event data is stored
- Audit logs — every event sent to every platform is logged and queryable
- EU data residency — processing happens in the EU for EU traffic
- Consent Mode v2 integration — works alongside your CMP for Google compliance
SignalBridge acts as your data processor under GDPR. We process events on your behalf, following your instructions about what to send and to whom. Our Data Processing Agreement (DPA) covers the relationship.
GDPR compliance checklist for server-side tracking
Use this checklist before going live with server-side tracking for EU audiences:
- CMP installed and configured (Cookiebot, OneTrust, Usercentrics, etc.)
- Consent Mode v2 active for Google services
- Privacy policy updated to disclose server-side tracking
- Legal basis documented (consent for advertising, LIA for analytics)
- Data Processing Agreements signed with all platforms receiving data
- PII is hashed (SHA-256) before transmission to third parties
- Consent status checked before including PII in events
- Data minimization applied (only necessary fields sent)
- Retention periods defined and enforced
- Record of Processing Activities (ROPA) updated
- International transfer mechanisms in place (EU-US DPF, SCCs)
- User rights process documented (access, deletion, portability)
- Regular audits scheduled (quarterly review of data flows)
The business case: GDPR compliance AND better data
GDPR compliance and better tracking aren't in conflict. Server-side tracking actually improves both:
Without server-side tracking (browser pixels only):
- 40-60% of EU users decline cookies → zero data from them
- Ad blockers block another 30-40% → more lost data
- Net result: you may have data from only 30-40% of actual conversions
- Ad platforms optimize on incomplete data → higher CPA
With GDPR-compliant server-side tracking:
- Consenting users: full first-party data enrichment → maximum match quality
- Non-consenting users: anonymized conversion signals → still counted for measurement
- Ad blockers bypassed entirely → all consenting user events delivered
- Net result: 80-95% of conversions captured compliantly
- Ad platforms optimize on much more complete data → lower CPA
The brands that implement server-side tracking with proper consent management don't just avoid fines — they outperform competitors who are flying blind on EU traffic.
GDPR enforcement trends (2024–2026)
| Year | Notable Fine | Amount | Reason |
|---|---|---|---|
| 2023 | Meta (Ireland) | €1.2B | EU-US data transfers without safeguards |
| 2023 | TikTok (Ireland) | €345M | Children's data processing |
| 2024 | Criteo (France) | €40M | Tracking without valid consent |
| 2024 | Multiple (various) | €10-50M | Cookie consent violations |
| 2025 | Various DPAs | Ongoing | Server-side tracking without legal basis |
The trend is clear: enforcement is intensifying, fines are growing, and tracking without proper consent is a top target. Proactive compliance through server-side tracking with consent management is cheaper than reactive compliance after a DPA complaint.
FAQ
Does server-side tracking require cookie consent?
It depends on how you collect data. If you use a JavaScript tag on the user's browser to capture events and then send them server-side, you still need ePrivacy consent for that initial browser-side collection. However, if your server receives conversion data from backend systems (like a payment processor webhook) without any browser-side data collection, the ePrivacy cookie consent requirement may not apply to that specific flow. GDPR consent or legitimate interest is still needed.
Can I track non-consenting users with server-side tracking?
You can capture that a conversion occurred (for your own records under legitimate interest), but you should not send personal data (email hash, phone hash, user-identifiable IP) to third-party ad platforms without consent. You can send anonymized conversion events (just event type + value, no PII) depending on your legitimate interest assessment.
Is hashed email GDPR personal data?
Yes. Under GDPR, hashed or pseudonymized data is still personal data because it can be re-identified by the party holding the original data or the mapping. SHA-256 hashed emails are pseudonymized, not anonymized. All GDPR obligations still apply.
Do I need a DPA with my server-side tracking provider?
Yes. If your server-side tracking provider processes personal data on your behalf, they are a data processor under Article 28, and you need a Data Processing Agreement covering security measures, data handling instructions, sub-processors, and breach notification obligations.
How does Consent Mode v2 work with server-side tracking?
They're complementary. Consent Mode v2 handles browser-side Google tag behavior based on consent (blocking cookies, sending cookieless pings). Server-side tracking handles reliable event delivery to all platforms. Together: Consent Mode ensures legal compliance with Google services, while server-side tracking ensures events actually reach platforms regardless of ad blockers.
What happens if a user withdraws consent?
Under Article 7(3), consent withdrawal must be as easy as giving consent. When a user withdraws consent, you must stop sending their personal data to ad platforms. Server-side tracking makes this easier — you can immediately stop including PII in events for that user. Already-sent data to platforms is governed by the platform's own retention policies and your DPA with them.
Related Articles
What is Consent Mode v2? (GDPR Tracking Without Data Loss)
Consent Mode v2 lets you track conversions even when users decline cookies — legally. Learn how it works, the difference between Basic and Advanced mode, and how it pairs with server-side tracking for complete GDPR-compliant attribution.
Client-Side vs Server-Side Tracking: Complete Guide (2026)
Client-side vs server-side tracking: understand how each method works, where each fails, and why hybrid tracking is the only reliable approach for e-commerce and lead gen in 2026.