In the age of iOS restrictions, browser-level privacy controls, and regulations like GDPR/CCPA, client-side tracking is no longer sufficient. If you’re still relying solely on browser-based pixels, youβre losing attribution data, revenue insights, and campaign efficiency.
Server-Side Tracking (SST) bridges this gap by moving data collection and event forwarding to a secure, first-party environment. This guide walks you through how to implement a privacy-compliant, robust server-side tracking architecture using Google Tag Manager Server-Side (ssGTM) for platforms like GA4, Google Ads, Meta CAPI, and others.
π― What Youβll Learn
- Why SST is essential for modern attribution
- How to configure a server-side endpoint
- How to securely collect and hash first-party data
- How to send server events to GA4, Google Ads, Meta
- How to handle consent and deduplication
π§° Prerequisites
| Requirement | Purpose |
|---|---|
| Google Tag Manager (Web + Server) | Tag execution client/server side |
DNS Setup (gtm.yoursite.com) |
First-party server endpoint |
| GA4 / Google Ads / Meta Pixel | To receive the data |
| Optional: Consent Management Platform | For lawful user data usage |
π Why Server-Side Tracking is Critical
| Problem (Client-Side) | Solution (Server-Side) |
|---|---|
| Cookie blocking | First-party endpoint |
| Ad blockers | Server IP is not blocked |
| Short cookie lifetimes | Extend via HTTP headers |
| PII risk in browser | Server-side hashing |
| Loss of conversions | Direct server delivery |
𧱠Step 1: Deploy Server-Side GTM
- Go to tagmanager.google.com
- Create a Server Container
- Host on:
- App Engine or Cloud Run
- OR custom infrastructure
- Set DNS:
gtm.yoursite.comβ Server IP
β This creates your private server tracking endpoint.
π¬ Step 2: Send Events from Web to Server
Create a custom HTML tag in Web GTM:
<script>
fetch('https://gtm.yoursite.com/event', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
event_name: 'purchase',
transaction_id: '{{DL - transaction_id}}',
value: '{{DL - value}}',
currency: '{{DL - currency}}',
email: '{{DL - email}}',
phone: '{{DL - phone}}',
event_id: '{{DL - event_id}}',
user_agent: navigator.userAgent,
client_ip: '{{DL - client_ip}}'
})
});
</script>
β You are now forwarding conversion data securely to your server.
π Step 3: Sanitize and Hash PII
In your Web layer or backend (recommended), hash sensitive data using SHA-256:
$email = hash('sha256', strtolower(trim($user_email)));
$phone = hash('sha256', preg_replace('/\D/', '', $user_phone));
β This ensures compliance with Meta CAPI and Google Ads Enhanced Conversions.
π― Step 4: Setup Clients in Server GTM
Inside ssGTM:
- Enable:
- GA4 Client
- Google Ads Conversion Client
- HTTP Request Client (for custom requests)
- Preview incoming data via Server GTM Preview Mode
β Server GTM can now parse your event data.
π€ Step 5: Configure Server Tags for Each Platform
π °οΈ GA4 Event Tag
- Tag Type: GA4 Event
- Event Name:
purchase/lead/ etc. - Parameters:
transaction_id,value,currency,event_id, etc. - Measurement ID:
G-XXXXXX
π ±οΈ Google Ads Conversion Tag
- Tag Type: Google Ads Conversion
- Conversion ID / Label from Ads UI
- Include:
email,phone(hashed)transaction_idvalue,currencyevent_idfor deduplication
π ΎοΈ Meta Conversions API Tag
Use Metaβs CAPI template or HTTP request:
POST https://graph.facebook.com/v18.0/<PIXEL_ID>/events?access_token=<TOKEN>
{
"data": [{
"event_name": "Purchase",
"event_time": {{ timestamp }},
"event_id": "{{event_id}}",
"user_data": {
"em": "{{email}}",
"ph": "{{phone}}",
"client_ip_address": "{{client_ip}}",
"client_user_agent": "{{user_agent}}"
},
"custom_data": {
"currency": "{{currency}}",
"value": "{{value}}",
"transaction_id": "{{transaction_id}}"
}
}]
}
β
Add fbc and fbp cookies for improved match rate if available.
π§ Step 6: Deduplicate Events
Always use a unique event_id per conversion event and send it:
- In the client-side tag (browser pixel)
- In the server-side tag (CAPI or Ads API)
Platforms like Meta and Google will automatically deduplicate.
π‘οΈ Step 7: Handle Consent States
Use a CMP or your own logic to check consent before firing server events:
if (window.gtag && gtag.get('consent', 'ad_storage') === 'granted') {
// send fetch to ssGTM
}
You can also send a consent_granted: true/false flag to ssGTM and skip server tags conditionally.
π§ͺ Step 8: QA and Debug
| Tool | Use |
|---|---|
| GTM Preview | Validate Web + Server hits |
| GA4 DebugView | See real-time events |
| Meta Events Manager | CAPI Test Events |
| Google Ads Tag Diagnostics | Server conversion status |
π Example Use Case: Purchase Attribution
User completes purchase
β
Hashed email + phone sent to ssGTM
β
Server GTM sends events:
β GA4 (via Measurement Protocol)
β Google Ads (Enhanced Conversions)
β Meta CAPI
β
All use same `event_id` β deduplication & attribution
π Security Best Practices
- Hash PII before it leaves the client
- Use HTTPS and first-party domain (e.g.,
gtm.yoursite.com) - Log requests securely on your server for audits
- Rate-limit and secure endpoints with tokens if needed
π Optional Add-Ons
| Feature | Use |
|---|---|
| First-Party Cookies | For GCLID, FBCLID, etc. |
| Header forwarding | Capture UTM, IP, and User-Agent |
| Consent-aware flows | GDPR/CCPA safe |
| BigQuery Export | Raw event stream for analysis |
Related posts:
Server-side Tracking Facebook Conversions API (CAPI) with Event Match Quality
π‘οΈ Server-Side Tracking for Enhanced Attribution in a Privacy-First World
Preventing Duplicate Conversions in Server-Side eCommerce Setup
Data Governance and Consent Management in Server-Side Tagging
π OpenCart Server-Side Tagging: Capturing Email & Phone as First-Party Data
Set Up Server-Side GA4 Tracking for Enhanced Ecommerce tracking
Server-Side Tagging as a Strategy for Cookieless Marketing
π Facebook Pixel + Conversions API (CAPI) Setup in OpenCart via GTM (Web + Server-Side)