
How server-side tracking and consent management create harmony between privacy and data

Managing user consent is no longer just an in-browser discipline. Evolving technology and legislation require brands to consider new consent management approaches.
Feb 16, 2022

For many years, user tracking — as well as gathering and managing user consent — has been an in-browser discipline. Technology and legislation are evolving, and new ways to share different customer data with partners are arising. As a consequence, brands need to consider how to implement a more holistic approach to consent management that also allows for server-to-server data sharing.

Changes in technology and digital marketing environment

The digital marketing landscape is evolving. Besides all of the ongoing changes to company structures, platforms and consumer expectations, we see two major driving factors right now: data privacy legislation and technical changes in the last mile – the end-users’ devices or browsers.

 

Data privacy legislation

 

While the General Data Protection Regulation (GDPR) is probably the most well-known privacy law, many other countries have passed their own over the last few years. What’s common across most, if not all, of those is that users are and remain in control of their personal data.

 

This means that users have to give explicit and informed consent before their data can be processed or shared with any third party. The latter is important as the digital ad economy is all about sharing data to understand visitor behavior, serve the most relevant ads, and measure their reactions.

 

Privacy laws also grant other common data subject rights, like the right to access and the right to be forgotten, which we will look at in future articles.

 

Technical changes to browsers and devices

 

More and more privacy enhancements are also making their way onto end users’ devices and browsers. Apple’s ITP and changes to in-app tracking, Firefox’s Enhanced Tracking Protection, as well as ad blocking and private browsing modes on all major browsers are limiting user tracking and attribution today.

 

Some of those will prevent any reliable identification of the visitor due to (extremely) short cookie lifespan capping. Others will block third-party tags altogether so that advertising partners lose visibility into activities and conversions happening on a site.

 

With Google Chrome being the most widespread browser, things will get much worse on this front once Chrome completely deprecates third-party cookies, currently announced for no later than 2023. We expect the privacy trend to continue, if not accelerate, and to see more privacy enhancements go live in all major browsers through 2022 and beyond.

 

The implication of all of these technical changes is twofold:

  • companies need to find a new way to identify customers and avoid relying on (third-party) cookies
  • companies need to find a way to share this data with their advertising partners that is not reliant (or is less reliant) on users’ browsers

All of that while obviously obtaining and respecting users’ consent choices.

A new way to identify customers

At the highest level, there are two major approaches to identifying users without relying directly on cookies: ID providers and personally identifiable information-based (aka PII-based) identification.

 

ID providers

 

A whole new set of ID providers has come to life recently to essentially provide user identification “as a service”. Unified ID 2.0, netID, ID5 and Acxiom are just a few examples. They all use very different approaches to identifying the user, spanning deterministic and probabilistic ways or a combination of both. Some offer additional benefits for their partners, like federated login (SSO), and allowing the user to share some PII, like name or email address, with the site they are visiting.

 

At this point in time it’s not clear which providers will manage to see widespread adoption, or, quite frankly, which ones will still be there in three years’ time.

 

PII-based identification

 

Identifying users based on personally identifiable information (PII) like email addresses is probably the safest bet for the future, although it comes with its own set of challenges and compliance requirements.

 

The idea is simple: many services across the internet require or strongly encourage the user to be logged in. Think about how you use Facebook, Amazon, YouTube, Pinterest, or Google search. Or, more recently, your favorite publishers and news portals. So if you advertise on those platforms or sites (and most of you will), PII — like an email address — is known at the time an ad is displayed.

 

On the advertiser or retail side, PII typically becomes known further down the funnel, once a user enters an email address as part of a checkout process. In addition to that, some users will be known or logged in throughout their whole session, which again makes PII available. By matching those email addresses (or phone numbers or other identifiers) with the ones recorded as having seen an ad as per the above, user tracking and attribution become available again. Hashing is used with the aim of allowing third parties to match email addresses, but technically prevent them from adding new emails to their databases.

 

Again, users’ informed consent is required to share personal data, especially PII, with advertising partners. Platforms like Usercentrics help companies to do this in a legally compliant way.

A new way to share customer data with partners

With those solutions for user identification in a world without third-party cookies on the table, advertisers are still relying on the user’s browser and tags to push events, customer identifiers and respective customer data to their advertising partners.

 

This does not only mean that some data isn’t going through due to browser restrictions, ad blockers, corporate firewalls or just connection problems, making attribution more and more inaccurate. It also means that some personal data is shared with those partners without brands being in control of it.

 

This includes users’ full IP addresses, which reveal their approximate location and provider, as well as information about the browser and device they are using. It also includes the full URL of the page that is currently being viewed. Whether that data is processed or even stored by the partner is a different question, but it is being shared in the first place, just because of the way the internet works.

 

Server-to-server data sharing is solving a lot of those challenges. Instead of relying on a tag in the user’s browser, advertisers and retailers can connect their servers directly with their advertising partners to send relevant events and respective customer identifiers and data.

 

Benefits include:

  • more resilient data sharing with less or no reliance on browsers and other client-side factors (as listed above)
  • full control of the types and granularity of data that is being shared with partners
  • ability to enrich the data with PII or third-party identifiers (see ID providers above) that are not necessarily available in the frontend

The big players in the market have started to offer APIs for that exact purpose and are encouraging their advertisers to use a hybrid approach. The tag is left in place for now and an additional server-to-server connection is established. This not only enables a soft transition, it also enables incrementality studies, showing advertisers the impact that signal loss already has on their attribution.

 

In other words, how many additional conversions should be attributed to those platforms and what does this mean for budget allocation and the marketing mix? Examples of those APIs as part of a hybrid setup include Facebook’s Conversion API as well as Google’s Enhanced Conversions. Both aim to make sure that conversion events are captured and shared, as those are the most important for attribution, as well as to inform the algorithms of what good prospects look like. The best prospects are those that make a purchase in the end.

Implementing server-to-server data sharing

While the goal for many of the server-to-server APIs is the same, there is no standard yet in terms of which data is supposed to be transferred, how it is formatted and how to interact with the API (format, authentication, error handling, etc.). Also, most of those APIs are quite new and evolving, so there will be changes and enhancements that translate to future maintenance efforts.

 

Multiply that by the number of advertising partners, social platforms, affiliate networks, etc. that all require at least some form of conversion events to serve their purpose and you have made your IT team busy for the next couple of months.

 

To increase the complexity further, user consent has to be checked and respected as part of any of the API connections to be made, and this has to be kept in sync with what is happening in the frontend. If the user has not consented to sharing data with a specific platform or broader consent category (like “Social Platforms”), the tags must not be loaded, and at the same time all server-side API calls need to be suppressed. If the user makes changes to the privacy settings, this again has to be updated in the browser, and also for server-side connections.
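
The server-side half of that consent check, as an added example that is not Tealium's or Usercentrics' code: each outbound call is suppressed unless its consent category is explicitly granted, and the payload is reduced to an allow-list with the email hashed. The connector names, category mapping, field allow-list and the SHA-256 over a trimmed, lower-cased email are assumptions of the example.

```python
import hashlib

# Hypothetical connectors: partner name -> consent category it requires.
CONNECTORS = {"social_partner": "Social Platforms", "ad_network": "Advertising"}
# Allow-list of fields a partner may receive; IP, URL, user agent are dropped.
ALLOWED_FIELDS = {"event", "value", "currency"}


def hash_email(email: str) -> str:
    """SHA-256 of the trimmed, lower-cased address (normalization assumed)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def build_payload(event: dict) -> dict:
    """Keep allow-listed fields and replace the raw email with its hash."""
    payload = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    if event.get("email"):
        # A hashed email is still a stable identifier, so it is only built
        # for partners that passed the consent check in dispatch().
        payload["email_sha256"] = hash_email(event["email"])
    return payload


def dispatch(event: dict, consent: dict) -> dict:
    """Return {partner: payload} for consented partners only (fail closed)."""
    calls = {}
    for partner, category in CONNECTORS.items():
        if consent.get(category) is True:  # absent or non-True: suppress call
            calls[partner] = build_payload(event)
    return calls


# Constructed sample: a purchase event as the first-party server sees it.
SAMPLE_EVENT = {
    "event": "purchase", "value": 59.90, "currency": "EUR",
    "email": " Jane.Doe@Example.com ", "ip": "203.0.113.7",
    "url": "https://shop.example/checkout?session=abc",
    "user_agent": "Mozilla/5.0",
}
# Constructed consent state, as synced from the browser-side CMP.
SAMPLE_CONSENT = {"Social Platforms": True, "Advertising": False}

if __name__ == "__main__":
    for partner, payload in dispatch(SAMPLE_EVENT, SAMPLE_CONSENT).items():
        print(partner, payload)
    # After the user withdraws consent, no server-side call is produced.
    print(dispatch(SAMPLE_EVENT, {"Social Platforms": False}))
```

Treating a missing or malformed consent value as "no" keeps the server side from sending data when the browser-side state has not synced yet.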

Data API Hubs like Tealium EventStream help brands to streamline those integrations. The idea is that relevant customer data and events are shared with the API Hub only once and then passed on to all partners via standardized and configurable connectors. Brands get full control over what events and data to share with which partners, and what level of detail is supposed to be shared. The API Hub provider also maintains the connectors and with that takes away a lot of the ongoing maintenance effort.

 

When Usercentrics is used to obtain and manage user consent, an out-of-the-box extension for Tealium makes it easy to respect that consent not only for the tags in the browser (via Tealium’s Tag Management “iQ”), but also for any current and future server-to-server integrations. Apart from saving time, this also reduces the risk of misconfiguration and resulting legal proceedings.

Summary

In the rapidly evolving MarTech environment with a multitude of maturing privacy laws and ongoing major technology changes, brands need to have a strategy in place that is flexible enough to keep pace with those changes, while at the same time enabling marketers to connect with their customers and prospects in a reliable and measurable way.

 

The well-integrated combination of a consent management platform (CMP) like Usercentrics and a Data API Hub like Tealium helps to achieve that without requiring a large amount of IT and planning resources. With a living roadmap, both also help ensure that new legal requirements, API changes, and more are built into the offering.

 

As a result, brands:

  • get more accurate attribution data to manage their marketing mix
  • spend less time on integrating with third-party APIs
  • reduce the risk of not accurately respecting user consent

If you’d like to discuss holistic consent management across tags and server-side measurement for your organization, we’re happy to help. Contact one of our experts!

Outline (for reference)

  • Consent Management getting more and more important
  • At the same time the technical landscape is changing (Browser changes, Ad blockers, Privacy Enhancements)
  • Server-side measurement adopted more widely to respond to tech changes and send conversion data in a resilient way to Ad and Affiliate Networks and the big Social Platforms.
  • Brands need to have a strategy in place to respect user consent in this hybrid client-side and server-side world
  • UC helps to capture and manage user consent
  • API hubs like Tealium EventStream help to reduce implementation and management efforts for the multitude of integrations required while respecting consent

Outlook / further considerations

Outlook / additional topics we might want to touch on briefly or keep for a 2nd session:

  • Handling GDPR subject matter requests and identity in distributed environments
  • Adding offline / loyalty data to this while respecting consent
  • Improve attribution long term with consented first-party data, especially for returning visitors
  • Opt-outs stop fundamental data collection and analytics, which impacts tools for customer insight and activation.

Author

Tealium is the leader in real-time customer data orchestration solutions and enterprise tag management. As a Usercentrics’ Solution partner, Tealium’s vision is to create a world where businesses unify their data to intelligently engage and delight customers.
