We are often asked what the differences are between server-side tagging (or server-side tracking) and Snoobi’s cookie-less analytics.
With server-side tagging, data collection happens on a server, while cookie-less analytics uses the browser to handle the request for data. This article explains the main differences and how they relate to GDPR compliance.
Server-side tagging or tracking
Server-side data collection is not non-compliant with GDPR by design. However, the way it is often implemented raises compliance concerns.
- GDPR requires that organizations obtain informed and explicit consent from individuals before collecting their personal data. With server-side analytics, data is processed on the server side, which means that users may not be aware of the data being collected about them and may not have given explicit consent. That server may also not be under the direct control of the owner of the website, but under the control of a partner or other third party. Under GDPR, personal data should not be shared with third parties without appropriate safeguards. If personal data is shared with third parties, controls must be put in place to ensure that they also comply with GDPR requirements.
- Server-side data collection can also make it difficult for users to exercise their rights, such as the right to access, correct, or delete their personal data. The data is often processed on the server side and from there sent to other parties such as Google or Facebook, which means that individuals may not have direct access to their data. We often see it presented as one of the so-called ‘great things’ about server-side analytics that it circumvents ad blockers or similar technologies such as the Do-Not-Track option. That in itself means server-side data collection removes control from the user.
- If server-side tagging or tracking is used to collect personal data without adequate consent or without providing users with the ability to exercise their GDPR rights, it cannot be GDPR compliant. It is possible to implement server-side data collection in a GDPR-compliant manner by ensuring that appropriate consent is obtained and that individuals have the ability to access and control their personal data. But this also adds complexity and requires a Data Processing Agreement with any third party that provides the service for the server-side tracking.
Cookie-less analytics is easier to implement, and it is GDPR compliant if it is used in a way that respects the privacy rights of users and complies with other GDPR requirements. The information below reflects the way Snoobi Analytics has implemented cookie-less analytics.
To be GDPR compliant, websites using cookie-less analytics must (among other things) ensure that:
- Appropriate consent is obtained: Organizations must still provide clear and concise information to individuals about the data being collected and how it will be used, and obtain their explicit consent if any personal data is collected. Snoobi’s cookie-less analytics does not collect personal data, but we advise website owners to explain how data is collected and used.
- Data collection is limited: Organizations must only collect data that is necessary for the purposes for which it is being processed, and must not retain the data for longer than necessary. If cookie-less tracking is used, Snoobi Analytics does not store or maintain any privacy-sensitive data.
- Individuals have the right to access and control their data: An organization must provide individuals with the ability to access, correct, or delete their personal data. If cookie-less tracking is used, it is impossible to link the analytics data with an individual or even the internet browser that was used. Therefore, no data is kept for any individual, and there is nothing to access, correct or delete.
In summary, it is easier for cookie-less analytics with Snoobi to be GDPR compliant. As with any analytics implementation, it should be implemented in a transparent, responsible, and privacy-friendly manner that respects the rights of the user and complies with other GDPR requirements.