Lifting the Veil: How to Mitigate Compliance Risks of Server-Side Tag Management

Lifting the Veil: How to Mitigate Compliance Risks of Server-side Tag Management
Estimated Reading Time: 5 minutes

With the deprecation of third-party cookies on the horizon, the advertising industry is shifting focus back to an old friend, first-party data. Ask anyone about strategies to mitigate measurement and targeting risks, and the response is likely to begin with “quality first-party data”. As organizations begin considering architectures to optimally collect complete and accurate first-party data, server-side tag management is a common solution proposed. 

Server-side tag management systems can confer some benefits: the ability to truly “own” data distribution, processing of data in-flight to correct inaccuracies, and data enhancement through the ability to pull from multiple back-end data sources. The first value proposition, the ability to “own” and control data from collection through distribution, can provide many compliance benefits. With server-side tag management, an advertiser has full control over exactly what data is sent to which third-party platforms, making it easier to enforce compliance policies. But there are some inherent compliance risks as well, namely the fact that server-side tag management reduces visibility into data flows. The opacity of data flows can make it very difficult to document a defensible position that compliance policies are being followed in practice. Visibility risk must be addressed when adopting server-side tag management. 

Traditional Tag Management

Traditionally, websites have used client-side tags for marketing and advertising collection. Client-side tags are third-party snippets of javascript code that compile data from a user’s browser and send to third-party platforms (information like pages viewed, buttons clicked, products added to a cart, etc.). Additionally, client-side tags set and access cookies, or small text files used to save information for later reference in the browser. The information stored in cookies, often for the use cases of device and user identification, is later collected as the user navigates the site over time and converts. 

With client-side tags, all of this data is sent directly from the user’s browser to third-party platforms like Google Analytics and Meta. The benefit of client-side tag management is the ease of implementation. Add a script to the page and you have a base-level of data collection, all controlled by the third-party. There’s an inherent risk with this approach due to the lack of control over exactly what data is collected and where it is ultimately sent. To make matters worse, there is no direct control over “piggybacking” or one third-party tag injecting a separate third-party tag onto the page. Piggybacking can result in data being collected by an entity the site owner is completely unaware of. While the site owner lacks control in this process, all of the behavior is at least fully visible in the browser. Data flows can be evaluated and documented with clear actions for the remediation of any issues apparent. 

Server-side Tag Management

Server-side tag management changes the traditional architecture of data collection by adding a step to the collection process. With server-side tag management, all information collected is first sent to a first-party (i.e. site owner/advertiser) owned collection server. Within that server (the Server-side Tag Management System), tags are configured to distribute data on to third parties. By adding the additional step of the owned first-party collection server, organizations can fully assert control over the data distribution process—defining exactly what data is sent to which platform. 

With the server-side approach, data can be manipulated before being passed on to third parties. For example, an organization could strip out identifiers (IP address, device IDs, etc.) before sending data on to advertising platforms. The full control offered can provide significant benefits for compliance. The drawback, however, is that data distribution from the server-side tag management system is hidden from view. Whereas before, all data sent is viewable in the user’s browser, now data flows are in the domain of server logs. This lost visibility and documentation for what data is sent where can present a challenge for compliance. 

Clear records of data collection are critical in proving that compliance policies are being followed in practice. If there is an action being brought against an organization, it is not enough to provide evidence of a policy being defined; proof of adherence to that policy is crucial. Clear records are also a requirement for proactive monitoring to identify potential compliance risks before a regulator does. Systems must be put in place to monitor and document data flows from all digital properties. 

Server-side Tag Monitoring

Luckily, Tag Inspector has a solution. Tag Inspector has been helping organizations create and maintain a defensible position for compliance in advertising and marketing data collection since 2018 with the onset of GDPR. New server-side tag monitoring functionality gives organizations visibility into all data sent to third-party platforms managed with Server-side Google Tag Manager. Tag Inspector reporting can provide documentation of data distribution in practice across any consent condition of a user, while policy monitoring helps highlight any violations of a defined tag compliance policy for proactive remediation. 

Server-side tag management is the future of data collection across the web. For enterprises, a big reason is the added control over the data distribution process to unlock opportunities for first-party data enrichment and utility. For compliance, it is critical to lift the veil on server-side data flows through systems put in place for visibility and record keeping. Organizations can lean on platforms such as Tag Inspector to solve for this critical need.

Interested in learning more about server-side monitoring with Tag Inspector?

Contact us today!
Originally Published On April 1, 2024
April 1, 2024