SignalBridgeWeb Tracking & Privacy:
A Complete Guide
Understanding GDPR, Consent Mode v2, first-party data, and how modern tracking technologies balance advertising effectiveness with user privacy.
Privacy Regulations Overview
Three major regulatory frameworks govern how websites can track user behavior. Each has different requirements, scopes, and enforcement mechanisms.
GDPR (EU)
General Data Protection Regulation (2018) — Applies to: EU/EEA residents
Key Requirements
- Explicit consent required before placing non-essential cookies or tracking pixels
- Users must be able to withdraw consent as easily as they gave it
- Data controllers must document lawful basis for processing personal data
- Right to erasure (right to be forgotten) applies to tracking data
- Data Protection Impact Assessments required for high-risk processing
ePrivacy Directive (EU)
Directive 2002/58/EC (Cookie Law) (2002 (updated 2009)) — Applies to: All electronic communications in the EU
Key Requirements
- Prior informed consent required before storing cookies on user devices
- Applies to all tracking technologies, not just HTTP cookies (pixels, fingerprinting, local storage)
- Exemptions only for strictly necessary cookies (session, security, load balancing)
- Each EU member state has national implementation with enforcement variations
CCPA / CPRA (California)
California Consumer Privacy Act / California Privacy Rights Act (2020 / 2023) — Applies to: California residents (businesses meeting revenue/data thresholds)
Key Requirements
- Right to know what personal information is collected and how it is used
- Right to opt out of the sale or sharing of personal information
- "Do Not Sell or Share My Personal Information" link required on websites
- Sensitive personal information requires opt-in consent for specific uses
- Businesses must honor Global Privacy Control (GPC) browser signals
Google Consent Mode v2
As of March 2024, Google requires Consent Mode v2 for all advertisers targeting EU/EEA users. This framework controls how Google tags fire based on user consent status.
What is Google Consent Mode v2?
Consent Mode is a Google framework (required since March 2024) that adjusts how Google tags behave based on user consent choices. It enables two new required parameters — ad_user_data and ad_personalization — that tell Google whether the user has consented to their data being used for advertising purposes.
Basic vs. Advanced Consent Mode
Basic mode blocks all Google tags until consent is given — no data is sent. Advanced mode sends cookieless, anonymized pings even before consent, allowing Google's AI to model conversions. Advanced mode preserves 70-80% of conversion modeling capability while respecting user choice.
Impact on Advertisers
Without Consent Mode v2, Google Ads loses the ability to attribute conversions from EU users, degrading campaign optimization. Advertisers who implemented Consent Mode v2 reported maintaining 85-95% of their pre-regulation attribution accuracy through conversion modeling.
Consent Mode v2 Parameters
| Parameter | Purpose | When Denied |
|---|---|---|
| analytics_storage | Controls analytics cookies (e.g., Google Analytics) | Cookieless pings sent (Advanced) or no data (Basic) |
| ad_storage | Controls advertising cookies (e.g., Google Ads conversion tracking) | No ad cookies stored, conversions modeled |
| ad_user_data | Controls whether user data can be sent to Google for advertising | No user identifiers transmitted to Google Ads |
| ad_personalization | Controls whether data can be used for remarketing/personalization | User excluded from remarketing audiences |
Tracking Methods Compared
Web tracking has evolved from third-party cookies to server-side APIs. Each method has different privacy implications, effectiveness, and regulatory requirements.
| Method | Privacy Risk | Status (2026) | Description |
|---|---|---|---|
| Third-Party Cookies | High | Deprecated/Blocked | Cookies set by domains other than the website being visited. Used for cross-site tracking and retargeting. Blocked by Safari (ITP), Firefox (ETP), and being phased out by Chrome. |
| First-Party Cookies | Medium | Active (with limitations) | Cookies set by the website domain itself. Still functional but subject to 7-day expiration in Safari (ITP) and 24-hour expiration for cookies set via JavaScript on tracked traffic. |
| Client-Side Pixels | Medium-High | Active (declining effectiveness) | JavaScript tags (Meta Pixel, Google Tag) running in the browser. Blocked by ad blockers (42.7% of users), affected by iOS ATT opt-outs, and subject to browser privacy restrictions. |
| Server-Side Tracking | Low-Medium | Active (growing adoption) | Events sent from a server to advertising platforms, bypassing browser restrictions. Data is processed in a controlled server environment where PII can be hashed/redacted before transmission. Still requires user consent under GDPR. |
| Conversion APIs (CAPI) | Low-Medium | Active (recommended) | Platform-specific server-to-server APIs (Meta CAPI, Google Enhanced Conversions, TikTok Events API) that send hashed first-party data directly to ad platforms. Considered the industry-standard privacy-respecting approach. |
The Shift to First-Party Data
The deprecation of third-party cookies and stricter privacy regulations have accelerated the transition to first-party data strategies. First-party data is information collected directly from your audience — purchase history, email addresses, site behavior — with their knowledge and consent.
Why First-Party Data Matters
- Higher accuracy — Data comes directly from your users, not inferred from cross-site behavior
- Regulatory compliance — Collected with explicit consent under your privacy policy
- Better ad performance — Platforms like Meta and Google optimize better with deterministic first-party signals (email, phone) than probabilistic cookie matching
- Resilient to browser changes — Not affected by ITP, ETP, or ad blocker restrictions
How Server-Side Tracking Enables First-Party Data
Server-side tracking processes conversion events on your server before sending them to ad platforms. This architecture enables several privacy-respecting features:
- PII hashing — Email and phone are SHA-256 hashed on your server before transmission
- Data minimization — Only necessary data fields are forwarded to each platform
- Consent enforcement — Server logic can check consent status before sending any data
- Audit trail — Server logs provide a verifiable record of what data was sent where