Server-side GTM ≠ GDPR compliance

Simply hosting a server-side Google Tag Manager container in the EU does not make tracking compliant with GDPR — legality depends on what data is collected, where it’s forwarded, and whether consent is truly free. (seresa.io) The practical upshot is that data flow and consent semantics, not just regional hosting, need to be codified into product and telemetry architecture. (seresa.io)

A lot of teams think they found a privacy shortcut: move Google Tag Manager from the browser to a server in Frankfurt, and the General Data Protection Regulation problem goes away. Google’s own docs say server-side tagging mainly changes where requests are processed and routed, not whether the underlying collection is lawful. (developers.google.com)

Server-side Google Tag Manager is basically a mailroom. Your site sends measurement requests to your own server container first, and that container forwards them to tools like Google Analytics 4 or Google Ads. (developers.google.com) Google also pitches server-side tagging as a way to improve page performance, improve data quality, and add more privacy controls. Those are engineering benefits, but they are not a legal waiver. (developers.google.com)

The legal question starts one step earlier: what data is being collected from the person’s device in the first place. The European Data Protection Board’s guidance on the ePrivacy rules focuses on access to information on a user’s device, which means the compliance problem can begin before your server ever sees the request. (edpb.europa.eu)

Consent is the next trap. The European Data Protection Board’s consent guidelines say consent has to be freely given, specific, informed, and unambiguous, so a banner with a bright “Accept” button and a buried “Reject” link can still fail even if every server sits inside the European Union. (edpb.europa.eu) Google’s own consent mode docs make the same point in product language. Consent mode does not provide a banner, and it depends on a separate consent management platform to collect the user’s choice and pass that choice along to the server container. (developers.google.com) That means a server container only knows what your site tells it. If your consent banner records a “yes” that was nudged, bundled, or not truly optional, the server will faithfully automate a bad decision at scale. (developers.google.com)

The transfer question comes after collection and consent. In July 2020, the Court of Justice of the European Union struck down the Privacy Shield arrangement in Schrems II and said personal data transfers to third countries need adequate protection or other valid safeguards. (curia.europa.eu) The European Commission adopted the European Union-United States Data Privacy Framework in July 2023, which created a new adequacy route for participating United States companies. But that framework does not magically bless every analytics setup, because companies still have to check which vendor receives the data, under what role, and with what onward transfers. (ec.europa.eu)

This is why “host it in Europe” is too shallow a test. A server in Paris that forwards identifiers, internet protocol addresses, consent signals, and event data to outside vendors can still create the same legal questions as a browser script that did it directly. (developers.google.com)

The real work is architectural. You have to decide which events are collected before consent, which fields are stripped or transformed, which destinations are allowed to receive each event, and which requests are blocked entirely when a person says no. (developers.google.com) So the practical change is not “move tracking to a server.” It is “turn privacy rules into routing rules,” because under the General Data Protection Regulation, the map of the data flow and the quality of the consent matter more than the postal code of the machine running Google Tag Manager. (developers.google.com)
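
What "privacy rules as routing rules" can look like in code, as an added example that is not from the original page or from Google Tag Manager: a fail-closed policy that decides, per destination, whether an event is forwarded and which fields survive. The destination labels, field names, and the policy itself are assumptions; the consent type names follow Google consent mode.

```javascript
// Added example. Destination labels, field names and the policy are assumptions;
// the consent type names follow Google consent mode.
const POLICY = {
  ga4: { requires: ['analytics_storage'],
         allowFields: ['event_name', 'page_path', 'client_id'] },
  google_ads: { requires: ['ad_storage', 'ad_user_data'],
                allowFields: ['event_name', 'gclid', 'value', 'currency'] },
  // Placeholder for whatever legal review permits before consent (assumption):
  // no identifiers, no IP address, first-party destination only.
  internal_counts: { requires: [], allowFields: ['event_name', 'page_path'] },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Fail closed: a missing or malformed signal counts as denied.
function isGranted(consent, type) {
  return consent != null && typeof consent === 'object' && consent[type] === 'granted';
}

// Returns one decision per destination: blocked with a reason, or forwarded
// with a payload that contains only the fields the policy allows.
function routeEvent(event, consent, destinations = Object.keys(POLICY)) {
  const decisions = {};
  for (const dest of destinations) {
    if (!has(POLICY, dest)) {
      decisions[dest] = { forward: false, reason: 'no policy for destination' };
      continue;
    }
    const { requires, allowFields } = POLICY[dest];
    const missing = requires.filter((type) => !isGranted(consent, type));
    if (missing.length > 0) {
      decisions[dest] = { forward: false, reason: 'not granted: ' + missing.join(', ') };
      continue;
    }
    const payload = {};
    for (const field of allowFields) {
      if (has(event, field)) payload[field] = event[field];
    }
    decisions[dest] = { forward: true, payload };
  }
  return decisions;
}

// Constructed sample event; 203.0.113.7 is a documentation address.
const sampleEvent = {
  event_name: 'purchase', page_path: '/checkout', client_id: 'cid-constructed-1',
  gclid: 'gclid-constructed', value: 49.9, currency: 'EUR',
  ip_address: '203.0.113.7', user_agent: 'Mozilla/5.0 (constructed)',
};
console.log(routeEvent(sampleEvent, { analytics_storage: 'granted', ad_storage: 'denied' }));
```

The policy only enforces the consent signal it is handed; whether that signal reflects a freely given choice is decided at the banner, not here.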

Shared from Scout - Be the smartest in the room.