Privacy-Compliant Tracking Without Consent (Cookies) for GA4

Imagine this: you invest a significant amount of money in Google Ads, but in the end, you only see a fraction of the actual results. Why? Because up to 50% of your tracking data is lost due to declined cookie banners, ad blockers, and modern browser tracking preventions. The consequences? Your ROAS appears lower than it truly is, successful campaigns are underestimated, and critical insights into the customer journey are missing.

But there’s a solution! By combining Advanced Google Consent Mode with Server-Side Tracking, you can not only drastically reduce these data losses but recover nearly 100% of your data – all in a privacy-compliant and efficient way.

In this article, we’ll explain how these technologies work, why they are essential for your marketing strategy, and how they can make your advertising success visible. Stay tuned – because the success of your campaigns is at stake!

Privacy-Compliant Tracking Without Consent – What Does It Actually Mean?

There are various ways to track user data in a privacy-compliant manner, but only a few methods allow for tracking without explicit consent (cookies) while still adhering to privacy regulations. Many of these approaches may seem legally sound at first glance, but in practice, they often fail to fully meet all requirements.

The key lies in understanding privacy laws like the General Data Protection Regulation (GDPR), the Telecommunications and Digital Services Privacy Act (TDDDG), the ePrivacy Regulation, and the Digital Markets Act (DMA), and knowing how to implement these legal frameworks within your tracking methods. These regulations outline the specific requirements that must be met when processing data.

Tracking user data without consent doesn’t mean disregarding the privacy and preferences of your visitors. Instead, it’s about finding smart ways to operate within the bounds of privacy laws while optimizing your tracking efficiency. In the following sections, we’ll explore how you can achieve this in detail.

If you’d rather not dive into the specifics of privacy laws, feel free to skip the next section. However, we strongly recommend familiarizing yourself with the most relevant privacy regulations for Europe to better understand the legal framework we operate within.

The General Data Protection Regulation (GDPR)

The GDPR sets out the requirements for processing personal data. It focuses less on cookies and tracking technologies and more on the broader aspects of personal data processing.

A key principle is outlined in Article 5, which governs how personal data must be processed. Additionally, Article 6 defines the lawfulness of processing and provides six legal bases for doing so. One of these is point 1(a), which states that data processing is only lawful with the consent of the individual. Alternatively, points 1(b) to 1(f) outline scenarios where processing without consent is permitted—such as when it is necessary for contract fulfillment or legal obligations.

Understanding the GDPR also requires familiarity with the definitions in Article 4, which clarify essential terms, including:

• Personal Data: Information relating to an identified or identifiable individual, such as names, identification numbers, location data, online identifiers, or specific characteristics like physical, genetic, or economic attributes.
• Processing: Any operation involving personal data, including collection, recording, storage, retrieval, management, transmission, deletion, and even restriction of access.

One particularly debated term is "legitimate interest," mentioned in Article 6(1)(f). It states that processing is lawful if it is “necessary for the purposes of legitimate interests pursued by the controller or a third party, provided such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.”

Companies may argue that processing data without consent is justified to protect their legitimate interests. However, whether this interpretation holds up in court often remains uncertain.

What Do GDPR Requirements Mean for You? 

If your company processes personal data of users in Europe, the GDPR mandates obtaining active consent from the affected individuals. This obligation applies to any company processing personal data of European users, regardless of whether the company itself is based in Europe.

Since processing encompasses virtually any operation involving personal data, there are few valid arguments to bypass the need for consent. However, as mentioned, there are limited exceptions defined in Article 6(1)(a) to (f), which only apply in specific cases.

For this reason, we recommend implementing a Consent Manager (also known as a cookie banner) to give visitors to your website or online store the opportunity to actively consent to data processing and to ensure that these consents are documented in a GDPR-compliant manner.

The Telecommunications-Telemedia Data Protection Act (TTDSG) and the Telecommunications-Digital Services Data Protection Act (TDDDG)

Try saying these terms quickly one after the other—it’s not easy! Just as tricky is navigating the web of privacy regulations and clearly distinguishing their differences. What’s clear, however, is that the TTDSG, originally enacted on December 1, 2021, was replaced by the TDDDG on May 13, 2024.

The law's name change was influenced by the emergence of the Digital Services Act (DSA), with the term “telemedia” being updated to “digital services.” Initially, the TTDSG was a merger of the Telemedia Act (TMG) and the Telecommunications Act (TKG). Quite the maze—no wonder it’s hard to keep track!

The Essentials

The TDDDG complements the GDPR’s data protection requirements and specifically applies to telecommunications and digital services. Its primary focus is on cookies and tracking technologies.

A key component is Section 25 TDDDG, titled "Protection of Privacy in End-User Devices." This section stipulates that:

• Storing information in the end user’s device, or
• Accessing information already stored

is only permitted if the end user has provided consent based on clear and comprehensive information. The standards set by the GDPR, particularly Article 6, serve as the benchmark for this consent.

When Is Consent Not Required?

1. Transmission of Communications

   What does this mean?
   If the sole purpose of data processing is to transmit a message via a public telecommunications network, no consent is required.

   Example:
   An internet provider temporarily stores data to ensure the delivery of an email, chat, or website. This technical storage is essential for communication and, therefore, does not require user consent.

2. Technically Necessary Functions for Requested Services

   What does this mean?
   When a function is absolutely necessary to provide a service explicitly requested by the user, consent is also not required.

   Example:
   An online shop uses a cookie to store products in a shopping cart, allowing the user to complete their purchase. This functionality is essential for the requested service: shopping.

Summary

Consent is not required when data is used solely for communication purposes or for essential functionalities of a requested service. However, for cookies or technologies used for analytics or marketing purposes, active consent is mandatory.

Interaction Between GDPR and TDDDG

Determining Which Law Applies:

1. No Personal Data Involved:
   If no personal data is processed when using technologies, only the TDDDG applies.

2. Processing Personal Data:
   If cookies or similar technologies are used to track user behavior (e.g., tracking cookies), both the TDDDG and the GDPR apply, as personal data is being processed.

This makes the scope of the TDDDG broader than that of the GDPR, as it covers all information collected during the use of digital services—not just personal data.

ePrivacy Regulation

Before the introduction of the TTDSG, there was significant uncertainty regarding the rules for cookie usage. Until then, the ePrivacy Directive from 2002 (commonly known as the "Cookie Directive") was in effect. Originally, the plan was to implement a new version of the ePrivacy Regulation alongside the GDPR. However, disagreements delayed the process, and negotiations have since stagnated. As of now, a new version of the regulation has yet to be adopted.

Goals of the ePrivacy Regulation

The new regulation aims to complement the GDPR by providing additional robust guarantees for the confidentiality and protection of all forms of electronic communication. Its main objectives include:

• Ensuring the confidentiality of electronic communications.
• Establishing stricter rules for data processing by businesses.

Once adopted, the ePrivacy Regulation is expected to play a key role in protecting user data and ensuring privacy in the digital age.

Digital Markets Act (DMA)

On March 6, 2024, the European Digital Markets Act (DMA) came into effect. Its goal is to establish fair competition in the online market. Why is this law significant? It specifically targets large, market-dominating platforms like Google, which are classified as so-called Gatekeepers. These Gatekeepers are now required to comply with rules designed to prevent the abuse of their market power.

The DMA also impacts data processing, as Google holds significant market dominance through its services like Google Ads and Analytics. Many businesses rely on these tools for user analysis and monetization.

To comply with the DMA, Google has announced that starting March 6, 2024, the Google Consent Mode will become mandatory for all companies operating within the European region. This consent mode ensures that businesses communicate their users' consent status regarding cookies or app IDs to Google. The Consent Mode works in tandem with your Consent Manager (cookie banner) to collect visitor consent (more on this later).

How Do Data Protection Laws Impact Consent-Free Tracking (Cookies)?

The goal of privacy-compliant consent-free tracking is to achieve a nearly 100% complete data set. The emphasis here is on compliance with privacy regulations, as even if we aim to collect user data without consent, it is essential to adhere to the requirements set forth by data protection laws.

Privacy-compliant consent-free tracking is not a free pass to indiscriminately collect user data without their consent (more on this later). However, with the right tracking setup, it is possible to create an opportunity to expand your data foundation. But what does this mean in practice?

Even with consent-free tracking, implementing a Consent Manager (e.g., a cookie banner) on your website or online store is mandatory. Furthermore, you must document user consents and rejections to comply with data protection requirements. Depending on your consent rate, you will only collect data from users who have explicitly agreed to data processing.

For example: If your consent rate is 60%, you will only see the data of those 60% of users in Google Analytics. However, two methods can allow you to collect up to 100% of user data while still adhering to privacy regulations.

In the next step, we will take a closer look at how privacy-compliant consent-free tracking works.

How Does Privacy-Compliant Consent-Free Tracking (Cookies) Work?

Admittedly, the title might sound like an invitation to make a data protection officer's face cringe. But, as you may have guessed, this article is not about collecting user data in questionable ways or violating their privacy. Instead, we will explore how businesses can leverage valuable data for marketing, analytics, or business decisions—without relying on cookies or user consent.

The key takeaway is that personal data is not always necessary for effective marketing. What matters most is obtaining reliable information about how users interact with your website: Which buttons are clicked? How far do users scroll? How do they navigate through the site?

The challenge for businesses lies in striking a balance between complying with the stringent data protection laws we’ve outlined and implementing effective tracking to collect meaningful data. In simple terms, it’s essential to generate a high-quality data foundation through tracking, enabling data-driven decisions and strategies. These must, however, fully comply with privacy regulations while respecting the rights and privacy of your visitors. This can be especially challenging under strict frameworks such as the GDPR, which governs data processing across Europe and considers nearly all data collection a potential privacy risk.

To be clear: The GDPR is a crucial milestone in safeguarding user data, and its existence is undoubtedly beneficial. However, it does not currently offer a straightforward way to collect non-personal data for analytics and marketing purposes—such as through a clear provision allowing this without consent.

Since such an option is not yet available, businesses need to adopt alternative solutions to collect valuable data in a privacy-compliant, consent-free manner. Achieving this delicate balance between data protection and effective tracking can be accomplished through a combination of two methods: Google's Advanced Consent Mode and Server-Side Tracking (also known as Server Tagging) via Google's Server Tag Manager.

Let’s dive into these two methods in detail.

Google Consent Mode

Functionality and Impact

Google Consent Mode affects the behavior of Google Analytics, Google Ads, and third-party tools that rely on cookies. It dynamically adjusts based on whether a visitor has consented to data processing, ensuring that data confidentiality and security meet the requirements of the Digital Markets Act (DMA).

Google offers two versions of the Consent Mode: Basic Mode and Advanced Mode. Let’s take a closer look at their differences:

Google Consent Mode: Basic Mode

The Basic Mode is the standard version of the Consent Mode. It prevents Google Tags from loading until a visitor interacts with the Consent Manager (cookie banner). The goal is to ensure that no data is sent to Google before the user takes action.

By implementing Basic Mode, businesses can comply with privacy regulations while avoiding the premature collection of data, ensuring transparency and user trust.

Fig.: How Google's Basic Consent Mode works 

Funktionsweise:

• Erst nach Einwilligung des Nutzers laden die Google-Tags die Zustimmungsmodus-APIs und führen sie aus
• Die Tags senden dann die Informationen über den Einwilligungsstatus in folgender Reihenfolge:
  1. Standardeinwilligungszustände
  2. Aktualisierte Einwilligungszustände

Ohne Einwilligung:
Wenn der Nutzer keine Einwilligung erteilt, werden keine Daten an Google übermittelt, und die Google-Tags werden gar nicht erst ausgelöst.

Vorteil:
Google sichert sich durch diese Methode ab, dass Unternehmen Google-Dienste DSGVO- und DMA-konform nutzen können.

Conversion-Modellierung:
Google bietet eine Conversion-Modellierung an, um Datenverluste auszugleichen, wenn Besucher den Consent Manager ablehnen. Dies ermöglicht es Unternehmen, ihre Kampagnen weiterhin mit Basisdaten zu optimieren, auch wenn keine vollständigen Informationen vorliegen.

Google Consent Mode: Advanced Mode

The Advanced Mode operates similarly to the Basic Mode but includes several critical differences.

Fig.: How Google's Advanced Consent Mode works 

How It Works:

• By default, consent is denied unless specific default settings are configured. During this phase, Google Tags send cookie-less pings.
• Consent is updated only after the user interacts with the cookie banner.
• If consent is granted, Google Tags transmit complete measurement data.

Key Difference from Basic Mode:

Unlike the Basic Mode, where no data is transmitted without user consent, the Advanced Mode generates cookie-less pings that can be processed even without explicit consent. This approach allows businesses to gather limited, non-identifiable data while remaining compliant with privacy laws.

Advanced Mode provides a more flexible tracking solution, enabling companies to collect valuable insights while respecting user preferences and adhering to legal requirements.

Cookie-Free Pings in Consent Mode

Google's Consent Mode offers a privacy-compliant way to use tracking data—even when users decline consent. Here's how it works:

What happens when users give their consent?

When a website visitor consents, the respective tags operate as usual:

• Cookies are set to analyze the website or serve personalized ads.
• Tracking technologies can be used without restrictions.

What happens when users decline consent?

If users refuse consent, the tags prevent cookies from being set. However, it's still possible to send important information to Google's servers without using personal data, such as cookies or uniquely identifiable signals. This is achieved through so-called pings.

Types of Pings

1. Consent Status Pings
   • Communicate whether cookies for advertising (ad_storage) or analytics (analytics_storage) are permitted.
   • These pings are triggered on all pages where Consent Mode is activated.
   • If the user later changes their consent (e.g., through the cookie banner), the updated status is also transmitted.
2. Conversion Pings

   • Indicate that a conversion has occurred (e.g., a purchase or form submission).

3. Google Analytics Pings
   • Sent on pages where Google Analytics is implemented.
   • Log actions such as page views or events, but without any personal data.

What Data Do These Pings Contain?

The pings transmit only general and non-personal information:

Function-Related Information

• Timestamp: When the page was loaded
• Browser Information: User-Agent details
• Referrer URL: The address of the previous page

Aggregated/Non-Personal Data

• Whether the URL contains an ad click identifier (e.g., GCLID/DCLID)
• Consent status (e.g., "Yes" or "No")
• A randomly generated number for each page load
• Data about the Consent Management Platform (e.g., developer ID)

Why Does This Matter?

Consent Mode enables website operators to achieve marketing and analytics goals without compromising user privacy:

• The concept of pings ensures that no personal data is stored.
• At the same time, valuable insights can be gained to optimize website and campaign performance.

Server Side Tracking/Tagging

After the Google Consent Mode verifies user consent, the concept of Server-Side Tracking, also referred to as Tagging, comes into play.

There are two primary approaches for capturing user activity on the internet using tag management systems: Web Tag Manager (for client-side tracking) and Server Tag Manager (for server-side tracking). Both methods involve adding snippets of code to a website, enabling analytics tools like Google Analytics to collect and evaluate user data.

You might already be familiar with the Web Tag Manager, commonly used for client-side tracking. The Server Tag Manager extends this functionality by moving the tracking process to a dedicated server. The key difference between the two approaches is straightforward:

• Client-Side Tracking: Tags are executed on the user's device (e.g., in the browser).
• Server-Side Tracking: Tags are executed on a dedicated server. A proxy server is placed between your website or online shop and third-party services (e.g., Google services).

Funktionsweise von Server Side Tracking im Detail How Server-Side Tracking Works in Detail

Fig.: How server-side tracking works

1. Proxy-Server: The tracking code does not send data directly to third parties like Google Analytics. Instead, it first sends the data to your own server, such as via the Google Tag Manager Server Container.
2. Data Filtering: On this server, data can be reviewed, minimized, and pseudonymized before being forwarded to third-party providers.
3. Custom Identifiers: Instead of cookies, server-side generated IDs can be used to track pseudonymized user data.

Why Server-Side Tracking is Important

By offloading data processing to your own server, you not only gain greater control over your data but also meet privacy requirements more effectively. At the same time, you can still derive valuable insights into user behavior – all without requiring user consent.

Combining Google’s Advanced Consent Mode and Server-Side Tracking

If you want to use Google’s Advanced Consent Mode, you also need to implement server-side tracking to ensure compliance with data protection laws. Here’s why: When tracking without user consent and relying solely on Google’s Advanced Consent Mode, the IP addresses of your website visitors are transmitted during communication between your website and Google Analytics. This is not privacy-compliant.

For this reason, combining Advanced Consent Mode with server-side tracking is essential to process user data without requiring consent while remaining compliant with privacy regulations. With server-side tracking, a server acts as an intermediary between your website and Google Analytics. The key advantage is that your own server now acts as a mediator, ensuring that no personally identifiable information, such as user IP addresses, is shared with Google Analytics.

In simple terms: privacy-compliant tracking without consent is only possible when both methods are implemented.

The combination of Google’s Consent Mode and server-side tracking provides an efficient solution to collect valuable data while adhering to strict privacy regulations and addressing technical challenges. Three core functions play a vital role in this process:

1. Consent Validation: The Consent Mode determines which data can be processed – fully, anonymized, or not at all.
2. Server-Side Processing: Data is further anonymized and securely processed in the server environment. The filtering logic can be customized to meet specific privacy requirements.
3. Tracking Without Consent: Even for users who do not give consent, anonymized or pseudonymized data (e.g., conversion pings) can still be processed, ensuring no direct personal identifiers are transmitted.

Fig.: How to achieve a 100% complete database

Goal: Minimize Data Loss

This combination allows you to retain valuable data that would otherwise be lost due to cookie banner rejections, ad blockers, or browser tracking prevention mechanisms (e.g., Safari ITP, Firefox ETP). Let’s explore the benefits with a concrete example:

The E-Commerce Company “ShopPlus” and the Challenge of Incomplete Data

The fictional company “ShopPlus” faces the following challenges:

1. Consent Rate Challenges
   Only 60% of users accept the cookie banner, meaning that 40% of users decline it. This results in missing tracking data for these users.

2. Ad Blockers and Tracking Prevention
   Around 10-15% of users block data through ad blockers or browser-based tracking prevention tools.

3. Impact on Data Completeness
   Overall, “ShopPlus” loses an average of 50% of its data, which negatively affects key performance indicators (KPIs):

   • Conversions: Which campaigns are driving purchases?
   • Customer Journey: How are users navigating the website?
   • ROAS (Return on Ad Spend): Which ads deliver the best revenue?

The Current State Without Advanced Consent Mode and Server-Side Tracking

Declined Cookies: For users who do not provide consent, no data on conversions or traffic sources is collected.

Ad Blockers: Activities of users with ad blockers are completely blocked, even if cookies are accepted.

Browser Tracking Prevention: Data such as referrers, timestamps, or session information is lost due to cookies being deleted early or not being set at all.

The Consequences:

• 40-50% of data is lost, creating significant gaps in analytics.
• Marketing decisions rely on incomplete datasets, making them less effective.
• KPIs like ROI and ROAS are distorted, as many conversions remain invisible.

What's the Problem?

If “ShopPlus” invests heavily in paid ads like Google Ads, data loss caused by low consent rates, ad blockers, and browser tracking prevention mechanisms can have serious consequences. Calculations for conversions or ROI are based on incomplete data, leading to inaccurate conclusions about the effectiveness of marketing campaigns.

Example for Illustration:
A user clicks on a Google ad, rejects cookies, but still purchases a product. Without the Consent Mode, this conversion isn’t tracked. The system fails to identify the ad as a conversion driver and labels it as ineffective.

The Consequences of Incomplete Data:

1. Misguided Decisions:
   • “ShopPlus” might make the wrong call, such as reducing budgets or pausing campaigns that are actually effective.
2. Distorted Insights:
   • 50% of user data is lost, skewing customer journeys and audience analysis.
3. Underperforming Remarketing Campaigns:
   • Without complete data, creating comprehensive remarketing audiences becomes challenging.
4. Inaccurate Budgeting:
   • Budget decisions are based on flawed KPIs, like ROAS, because not all conversions are visible.

By not addressing these issues, “ShopPlus” risks underestimating the success of its marketing efforts and potentially misallocating resources, leading to missed opportunities and reduced overall performance.

The Solution: Combining Advanced Consent Mode and Server-Side Tracking

Using Google Consent Mode:

• Anonymized Tracking for Users Without Consent:
  Users who reject cookies are still tracked in an anonymized manner.
• Conversion Pings Instead of Cookies:
  Conversion events (e.g., "a purchase was made") are captured and sent as aggregated data to Google Analytics.
• Example:
  A user clicks on an ad, rejects cookies, but still purchases a product. This anonymized conversion is tracked and included in your data, ensuring the effectiveness of the ad is recognized.

Using Server-Side Tracking:

• Data Processing via Own Server:
  The tracking code sends data first to your own server, which validates, anonymizes, and forwards it to tools like Google Analytics.
• Bypassing Ad Blockers:
  Data originating from your own server is not detected or blocked by ad blockers.
• Minimizing Browser Tracking Prevention:
  Server-generated IDs allow for pseudonymous recognition of sessions and users, reducing data loss caused by browser restrictions.

The Result: A Complete Data Set

With this combination, “ShopPlus” can capture nearly 100% of relevant data, regardless of cookie consent or ad blocker usage:

1. Users Without Consent:
   Anonymized conversion data is still included in analytics, preserving critical insights.

2. Ad Blockers:
   Server-side tracking bypasses ad blockers by originating data from your own server, ensuring no interruptions in tracking.

3. Browser Tracking Prevention:
   Server-side IDs significantly reduce the loss of session and conversion data, maintaining the integrity of user journeys.

The Benefits for “ShopPlus”

Improved Metrics:

• ROAS: Every conversion is tracked, regardless of consent rate, enabling accurate ROI calculations.
• Customer Journey: Users without consent are analyzed pseudonymously, providing a complete picture of their journey.
• Attribution: All relevant conversions are captured, ensuring campaigns are not undervalued.

Reduced Data Loss:

• Up to 100% of relevant conversions can be modeled or captured.
• Data loss due to tracking preventions and ad blockers is significantly minimized.

Better Marketing Decisions:

• More accurate metrics allow for optimal budget allocation.
• Campaigns can be effectively optimized, leading to increased revenue.

Legal Compliance:

• All data is processed in full compliance with regulations, including GDPR, TTDSG, the ePrivacy Directive, and DMA.

Conclusion: Privacy-Compliant Tracking Without Cookies or Consent

The combination of Advanced Consent Mode and Server-Side Tracking enables privacy-compliant tracking without relying on cookies or explicit user consent. While approximately 50% of the data is anonymized, this is more than sufficient: companies like “ShopPlus” are not interested in individual users’ identities but in data that informs business-critical metrics.

This approach ensures all relevant privacy requirements are met, as no personal data is linked or cookies set without consent. At the same time, “ShopPlus” gains the necessary insights to make informed decisions and optimize its marketing strategy effectively.

The Optimal Tech Stack for Privacy-Compliant Tracking Without Consent (Cookies)

This section outlines the key components you need for an ideal tracking setup that collects valuable user data in a privacy-compliant manner—without relying on cookies.

1. Google-Certified Consent Management Platform (CMP)

To leverage Google’s Advanced Consent Mode, a Google-certified Consent Management Platform (CMP), commonly known as a cookie banner, is essential.

Google's certification criteria for CMPs include:

• Meeting IAB-TCF requirements.
• Seamlessly integrating with Google Consent Mode.

We recommend the Usercentrics CMP, a robust solution with one of the best Google certifications. In addition to consent management, it offers a wide range of features.

For a complete list of Google-certified CMPs, refer to: Google-Certified CMPs List.

2. Google Advanced Consent Mode

The Advanced Consent Mode is a cornerstone of a privacy-compliant tracking setup. It enables data collection through cookie-free pings, even when users opt out of consent.

Key Points:

• This method is GDPR-compliant.
• It requires technical expertise for proper implementation.

With the Advanced Consent Mode, you can gather basic user data, such as:

• Page views
• Click behavior
• Referrer URLs

3. Server-Side Tracking

Server-side tracking ensures a comprehensive and reliable data foundation. It bypasses limitations caused by ad blockers or tracking prevention mechanisms in modern browsers.

Requirements:

• Google Server Tag Manager (free).
• A dedicated server, e.g., via Google Cloud (cost-effective, depending on capacity).

Challenges:

• Integrating the Server Tag Manager into your tech stack requires technical expertise.
• Misconfigurations can result in data loss.

Your Advantage: A Reliable, Privacy-Compliant Tech Stack

By combining a Google-certified CMP, the Advanced Consent Mode, and Server-Side Tracking, you gain:

• Reliable and complete data, even without user consent.
• Privacy-compliant solutions meeting GDPR requirements.
• A future-proof tracking setup, unaffected by browser updates or ad blockers.

Need support integrating this tracking setup? We’re here to help. Contact us for a free initial consultation, and together, we’ll design the optimal solution for your business.