GDPR-Compliant Tracking: What Is Allowed, What Is Not, and How to Get Both Right

EARNST · 10 min read

The legal position is clear: no consent, no tracking. But between "track nothing" and "track everything and hope for the best" lies a space that most companies handle poorly. This guide explains which laws apply, what is technically possible, and how to build a setup that is both legally sound and delivers usable data.

The three regulations you need to know

Tracking in Europe is governed by three legal frameworks. All three apply simultaneously, and each has its own requirements.

GDPR (General Data Protection Regulation) governs the processing of personal data. Every IP address, every cookie ID, every browser fingerprint is personal data. Processing requires a legal basis — for tracking, that is typically consent (Art. 6(1)(a) GDPR). Legitimate interest (Art. 6(1)(f)) does not work for web analytics, even though some companies claim otherwise. Supervisory authorities disagree, and the fines speak for themselves.

ePrivacy Directive (implemented nationally as TDDDG in Germany, TKG in Austria, and similar laws across the EU) states: accessing information on a user's device — setting or reading cookies — requires consent. Exception: technically necessary access. Google Analytics is not technically necessary. The Meta Pixel is not technically necessary.

ePrivacy Regulation — exists as a draft but is not yet in force. Until it passes, the ePrivacy Directive applies through national implementations. Do not plan with the ePrivacy Regulation. Plan with what applies today.

What this means for you: every cookie and every tracking pixel requires active consent. Pre-ticked checkboxes do not count. "Continued browsing = consent" does not count. A cookie banner without a genuine reject option does not count.

What is allowed without consent

Technically necessary cookies do not require consent. This includes session cookies for login functionality, shopping cart cookies, CSRF tokens, and consent storage itself. Load balancing and CDN functions also qualify.

What does not qualify: anything that serves the site operator rather than the user. Analytics, A/B testing, heatmaps, remarketing, conversion tracking — all of these require consent. The line is simple: if the website works identically for the user without that cookie, it is not necessary.

Server-side tracking does not change this. Even when data processing happens on your server rather than in the user's browser, GDPR applies to the processing of personal data regardless of where it takes place.

Google Consent Mode v2

Google has required Consent Mode v2 for all EEA advertisers since March 2024. This is not an optional recommendation — it is a prerequisite for remarketing and conversion tracking through Google Ads.

Consent Mode works with four signals:

  • analytics_storage — allows GA4 to set cookies and collect data
  • ad_storage — allows Google Ads and Floodlight to set cookies
  • ad_user_data — allows sending user data to Google for advertising purposes
  • ad_personalization — allows personalized advertising (remarketing)

By default, all four are set to denied. Only after consent does your consent banner switch the relevant signals to granted. Google receives these signals and adjusts its behavior: with denied, no cookies are set and no personal data is stored. Instead, Google sends cookieless pings — requests without identifiers — used for modeled conversions.

What this means for you: even without consent, you do not lose all data. Google models conversions based on cookieless pings and data from users who did consent. The quality of this modeling depends on your consent rate — the higher the consent rate, the better the data.

Using server-side tracking correctly

Server-side tracking through a GTM Server Container moves data processing from the browser to your own server. This has three concrete advantages:

Data quality. Ad blockers and browser restrictions (ITP in Safari, ETP in Firefox) block or shorten third-party cookies. A server container sets first-party cookies through your own domain. Safari caps both third-party cookies and CNAME-based first-party cookies at 7 days, whereas server-set first-party cookies can last up to 400 days. This means you identify returning users more reliably.

Data control. In a client-side setup, the browser sends data directly to Google, Meta, and other third parties. You have no control over what data is included. In a server-side setup, every request goes to your server first. There you can filter, anonymize, or enrich data before forwarding it. Truncate IP addresses, remove PII, verify consent — all under your control.

Performance. Less JavaScript in the browser means faster page loads. Instead of five tracking pixels, the browser loads a single script. The rest runs server-side.

But: server-side tracking does not replace consent. You are still processing personal data, and that requires a legal basis. Server-side tracking is a tool for better data quality and more control — not a compliance workaround.

Building a first-party data strategy

The future belongs to first-party data. Third-party cookies are disappearing, browsers are becoming more restrictive, and dependence on platform data is a growing risk. First-party data is data you collect directly: email addresses, purchase history, newsletter signups, account data.

For your tracking setup, this means:

Use Enhanced Conversions in Google Ads. Hashed email addresses or phone numbers are sent to Google — with consent — to attribute conversions even when cookies are absent. Match rates are typically 15-25% higher than pure cookie-based tracking.

Deploy the Meta Conversions API (CAPI). Instead of relying on the Meta Pixel in the browser, send conversion events server-side to Meta. Same approach: first-party data (hashed email) for better match rates.

Build your own event tracking. GA4 custom events for the actions that matter to your business: signups, feature usage, checkout steps. This data belongs to you and is independent of third-party platforms.

Common mistakes

Cookie banners without real choice. If "Reject" is hidden, displayed smaller, or requires more clicks than "Accept," that is a dark pattern. Supervisory authorities are increasingly enforcing against this. The fix: present Accept and Reject with equal prominence.

Loading tracking before consent. Google Analytics or the Meta Pixel loads in the <head> and fires immediately — before the user has made a choice. Consent Mode v2 defaults must be set before any script loads. Scripts must not set cookies until consent is given.

Not versioning consent. When you add new tracking services, existing consent must be invalidated. The user consented to service A, not service A plus B. Version numbering in your consent banner handles this automatically.

Selling server-side as a compliance solution. Server-side tracking improves data quality and control. It does not replace consent. Anyone who claims otherwise risks fines.

Outdated privacy policy. Every tracking service must be documented in your privacy policy: provider, purpose, legal basis, retention period, affected cookies. If this is missing, consent may be legally invalid.
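The Consent Mode v2 flow from the section above (defaults denied before any script loads, banner categories switching signals to granted) together with the two mistakes "Loading tracking before consent" and "Not versioning consent", as one added example. This is not code from the article or from Google; it runs in Node without a browser, so `createDataLayer`, `memoryStorage` and `CONSENT_VERSION` are stand-ins assumed here for window.dataLayer, localStorage and your banner's own version number.

```javascript
// Added example: consent defaults, category mapping and versioned storage.
const CONSENT_SIGNALS = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

// Bump this whenever a tracking service is added or changed. A stored consent
// record with an older version is then ignored and the banner is shown again.
const CONSENT_VERSION = 3; // assumed value for this example

// Banner categories (Necessary / Statistics / Marketing) -> the four signals.
// Necessary needs no signal; Statistics drives GA4, Marketing the Ads signals.
function signalsFromCategories({ statistics = false, marketing = false } = {}) {
  const ads = marketing ? 'granted' : 'denied';
  return {
    analytics_storage: statistics ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

// Same shape as Google's snippet: gtag() pushes its arguments onto dataLayer.
function createDataLayer() {
  const dataLayer = [];
  function gtag() { dataLayer.push(arguments); }
  return { dataLayer, gtag };
}

// Must run before the GA4 / Ads scripts load: everything starts denied.
// wait_for_update gives the banner up to 500 ms to replay a stored choice
// before tags fire in the denied state.
function setConsentDefaults(gtag) {
  const defaults = signalsFromCategories({});
  gtag('consent', 'default', { ...defaults, wait_for_update: 500 });
  return defaults;
}

// After the user decides: push the update and persist a versioned record.
function recordConsent(gtag, storage, categories) {
  const signals = signalsFromCategories(categories);
  gtag('consent', 'update', signals);
  storage.setItem('consent', JSON.stringify({
    version: CONSENT_VERSION,
    categories,
    timestamp: new Date().toISOString(),
  }));
  return signals;
}

// A stored record only counts if its version matches the current one:
// consent given for service A does not cover A plus B.
function loadStoredConsent(storage) {
  const raw = storage.getItem('consent');
  if (!raw) return null;
  let record;
  try { record = JSON.parse(raw); } catch (e) { return null; }
  return record && record.version === CONSENT_VERSION ? record.categories : null;
}

// Replays the dataLayer the way a tag manager does: defaults first, then
// updates in order. The result is the state the tags actually see.
function effectiveConsent(dataLayer) {
  const state = {};
  for (const entry of dataLayer) {
    if (entry[0] !== 'consent') continue;
    const params = entry[2] || {};
    for (const key of CONSENT_SIGNALS) {
      if (params[key] === 'granted' || params[key] === 'denied') state[key] = params[key];
    }
  }
  return state;
}

// In-memory stand-in for localStorage.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// One page load: defaults -> stored consent or banner choice -> tags run.
// bannerChoice is null when the visitor has not (yet) made a choice.
function pageLoad(storage, bannerChoice) {
  const { dataLayer, gtag } = createDataLayer();
  setConsentDefaults(gtag);
  const stored = loadStoredConsent(storage);
  if (stored) {
    gtag('consent', 'update', signalsFromCategories(stored));
  } else if (bannerChoice) {
    recordConsent(gtag, storage, bannerChoice);
  }
  return effectiveConsent(dataLayer);
}

// Usage: first visit leaves every signal denied; after choosing Statistics
// only, GA4 is granted and the three Ads signals stay denied.
const visitorStorage = memoryStorage();
console.log(pageLoad(visitorStorage, null));
console.log(pageLoad(visitorStorage, { statistics: true, marketing: false }));
```

The ordering in `pageLoad` is the whole point: the default call is the first thing on the page, the stored or fresh choice follows, and only then do tag scripts load and read the replayed state. Bumping `CONSENT_VERSION` is all it takes to invalidate old records when a new service is added.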

Recommended setup

A legally sound and data-effective tracking setup consists of four components:

1. Consent management. A consent banner that is GDPR-compliant: genuine choice, granular categories (Necessary, Statistics, Marketing), revocation option, versioned. Google Consent Mode v2 defaults are set before any script loads.

2. GA4 with server-side tagging. GA4 through a GTM Server Container, first-party cookies via your domain, server-side IP anonymization. Enhanced Conversions enabled for better attribution.

3. Meta CAPI. Conversion events sent server-side to Meta. Deduplication with the browser pixel. First-party data (hashed email) for higher match rates.

4. Google Ads with Enhanced Conversions. Conversion tracking through the server container. Hashed first-party data for conversion attribution even without cookies.

The result: you capture the data you need for decisions without taking legal risks. Users who consent deliver complete data. Users who decline generate modeled data via Consent Mode. And you retain control over every data point.
