Privacy-Compliant Conversion Tracking

Tracking and Data Privacy: Not a Contradiction

The General Data Protection Regulation (GDPR) has fundamentally changed the rules for conversion tracking in the EU. Many store owners face the question: How can I effectively measure my ad campaigns without violating data privacy regulations? The answer lies in a well-designed approach that combines technology and compliance.

GDPR Requirements for Conversion Tracking

The GDPR sets specific requirements for processing personal data in the context of conversion tracking:

Legal Basis

Conversion tracking generally requires consent under Art. 6(1)(a) GDPR. This is confirmed by the ePrivacy Directive (transposed into national law): Setting and reading cookies that are not technically necessary requires informed user consent.

Transparency

Users must be clearly and comprehensibly informed about what data is collected and for what purpose (Art. 13 GDPR). The privacy policy must name and explain the tracking technologies used.

Data Minimization

Only data that is actually necessary for the purpose may be collected (Art. 5(1)(c) GDPR). For conversion tracking, this means: Only send the information that is genuinely needed for attribution.

Data Processing Agreements

When a third party (such as a tracking tool) processes personal data, a Data Processing Agreement (DPA) under Art. 28 GDPR is required. This governs the processor's obligations and the controller's rights.

Consent Management: The Foundation

A compliant cookie consent banner is the basis for privacy-compliant tracking. The requirements are clear:

• Consent must be actively given (no pre-checked checkboxes)
• Declining must be as easy as consenting
• Consent must be revocable
• No non-essential cookies may be set before consent
• Consents must be documented and verifiable

Server-Side Tracking as a Privacy-Friendly Alternative

Server-side tracking offers several privacy advantages over browser tracking:

Data Control

With server-side tracking, all data flows through your own server. The store owner has full control over what information is shared with which platform. Unlike browser pixels, which often send data to platform servers without oversight, the server-side approach allows filtering of every single data element.

PII Hashing

Personal data such as email addresses or phone numbers can be hashed before being shared with advertising platforms. Platforms can use the hashed data for matching without ever receiving the plain-text data. This aligns with the principle of data minimization.

Consent Compliance

Server-side tracking can respect the user's consent status. If a user hasn't consented to tracking, no events are sent to advertising platforms. This is more reliably enforced server-side than in the browser, where ad blockers or script errors can bypass consent checks.

No Third-Party Cookies

Server-side tracking works exclusively with first-party data and requires no third-party cookies. This is not only more privacy-friendly but also future-proof, as third-party cookies are being progressively restricted or completely blocked by all major browsers.

DPA: Contractual Protection

When a tracking provider processes personal data on your behalf, a DPA is mandatory. The DPA should cover:

• Nature and purpose of data processing
• Categories of data subjects and personal data
• Technical and organizational measures (TOMs)
• Sub-processor regulations
• Deletion policies and retention periods
• Support for data subject rights

Best Practices for Privacy-Compliant Tracking

• Consent-First: Only activate tracking after consent. Send no events before consent is given.
• Prefer Server-Side: Server-side tracking provides more control over data flows and enables privacy-by-design.
• Implement Data Minimization: Only send data that is genuinely required for attribution.
• Hash PII: Hash personal data before sharing it with advertising platforms.
• Use EU Servers: Tracking data should be processed on servers within the EU to avoid third-country transfer issues.
• Sign a DPA: Conclude a DPA with every tracking provider and keep it up to date.
• Define Retention Periods: Only store event data for as long as necessary.
• Document Everything: Document all processing activities in the records of processing under Art. 30 GDPR.

Conclusion

Conversion tracking and GDPR can coexist — with the right implementation. Server-side tracking, combined with proper consent management and well-designed privacy measures, enables precise conversion tracking while meeting all data protection requirements. The key is control: Those who control their data flows can ensure both privacy compliance and tracking quality.