Server-side tagging for privacy: GTM server-side guide

Client-side tagging runs JavaScript tags (Google Analytics, Meta Pixel, ad conversion pixels) in the user's browser, sending data directly from the browser to third-party platforms. Server-side tagging intercepts this data on a server you control (typically a subdomain like analytics.yourcompany.com) before forwarding to third parties. The user's browser sends a single event to your server; your server processes it and routes appropriate data to each platform via server-to-server APIs. Key differences: server-side tags are not blocked by ad blockers (browser communicates with your first-party domain); you control what data is shared with whom; page performance improves (lighter client script); and first-party cookies can be set with longer lifespans not subject to Safari ITP.

Server-side tagging typically recovers 15–30% of conversion events that are lost with client-only tracking, though recovery varies significantly by audience. Audiences with higher ad blocker usage (tech-savvy B2B, younger demographics, European markets) see higher recovery rates. The recovery comes from two sources: ad blocker bypass (server-side requests to your own domain are not blocked); and ITP/ETP bypass (first-party cookies set server-side persist longer than 7 days imposed by Safari's Intelligent Tracking Prevention). Real-world case studies from ecommerce brands typically show 15–25% more purchase conversions attributed after implementing Meta CAPI + server-side GTM versus client-side pixel only.

GTM server container hosting on Google Cloud Run costs are based on actual request processing. For a medium-sized ecommerce site with 1 million monthly sessions generating approximately 5 million events/month, Cloud Run costs are typically $20–80/month depending on container configuration and region. This is significantly lower than alternatives like tagging server hosting on dedicated instances. The minimum recommended configuration is 2 instances minimum (for availability) with 1 vCPU and 256MB RAM per instance — Cloud Run minimum instances cost approximately $15–20/month. You can also host on App Engine Flexible or any container platform; Stape.io provides managed server-side GTM hosting for teams who don't want to manage cloud infrastructure.

Yes. Server-side tagging does not change your GDPR legal basis requirements. If you process personal data (IP addresses, device IDs, hashed email, user identifiers) for advertising or tracking purposes, you need valid consent. Server-side tagging improves your ability to enforce consent — you can implement consent-state filtering in the server container, ensuring that marketing tags only fire for users who have provided marketing consent, and analytics tags run in anonymised mode for users who have given only analytics consent. The advantage over client-side consent mode is more reliable enforcement — the server container processes consent state on the server where it cannot be bypassed by browser behaviour or consent mode inconsistencies.

Meta Conversions API (CAPI) is a server-to-server integration that sends conversion events (purchases, leads, add-to-cart) directly from your server to Meta, bypassing browser-based pixel tracking that can be blocked by ad blockers or restricted by ITP. Server-side GTM makes CAPI implementation accessible without custom server code — the Meta CAPI tag template in the GTM Server Tag Template Gallery allows configuration of CAPI event forwarding in minutes, using the same event data already flowing through your server container. Best practice is "redundant" implementation: client-side Meta Pixel + server-side CAPI, with deduplication via event_id to prevent double-counting. This hybrid approach maximises signal quality to Meta's ad delivery algorithms.

Safari's Intelligent Tracking Prevention (ITP) is an Apple privacy feature that limits the lifespan of cookies set by JavaScript to 7 days (or 24 hours if the user has not recently visited the site directly). This severely impacts attribution windows for ecommerce — a user who clicks a Google Ad and purchases 8 days later appears as a non-attributed visit under ITP. Server-side tagging addresses this by setting user identification cookies as HTTP-only, first-party cookies from your server, rather than from JavaScript. Cookies set server-side on your first-party domain are not subject to ITP's JavaScript cookie restrictions and can persist up to 13 months (the standard GDPR analytics cookie duration), restoring attribution accuracy for Safari users.

Yes. Google Cloud Run (the recommended hosting for GTM server containers) scales automatically from zero to thousands of concurrent instances, handling traffic spikes without pre-provisioning. Cloud Run's container-based autoscaling handles Black Friday traffic spikes as effectively as normal traffic. The server container processes are lightweight — each tag dispatch typically takes 10–50ms — so individual Cloud Run instances can handle hundreds of concurrent requests. For very high-traffic sites (hundreds of millions of events/month), configure a minimum instance count and appropriate concurrency settings to avoid cold start latency. Cloud Run supports up to 1,000 concurrent requests per instance, enabling efficient resource utilisation.

Server-side GTM and CDPs serve different purposes. Server-side GTM is a tag management and data routing layer — it receives events from your website, applies transformations, and forwards them to third-party platforms (GA4, Meta CAPI, advertising platforms). It is optimised for real-time event forwarding with low latency. A CDP (Segment, Rudderstack, Treasure Data) is a first-party data platform that collects, stores, unifies, and activates customer data — building unified customer profiles from multiple data sources and enabling audience segmentation, personalisation, and cross-channel activation. Many organisations use both: a CDP for profile unification and activation, with server-side GTM for real-time tag management and pixel forwarding. Segment and RudderStack also offer "destinations" that functionally overlap with server-side GTM for event forwarding use cases.