The dark side of server-sided tracking

Dear Data-Traveller, please note that this is a LinkedIn remix.

I posted this content already on LinkedIn in April 2022, but I want to make sure it doesn't get lost in the social network abyss.

For accessibility and as our own content backup, we repost the original text here.

Have a look, leave a like if you like it, and join the conversation in the comments if this sparks a thought!

Find the original post here

Plain Text:

Watch now: “I know what you have added to your cart but liked on Instagram last summer” – the new TV show: “FB CAPI Palo Alto” – Streaming live from all Shopify shops.

The good old equilibrium between “I need sooo much data to do my ads targeting” and “should we send our users’ emails and transactions to some random Ad servers” is swinging again.

I had an excellent episode some weeks ago.

In a project, we supported two teams in setting up a new eCommerce marketing analytics setup. We were the coach on the sideline that helped with feedback but did not work operationally (we do this quite often, so if that is interesting for you, write me), so the teams could learn to do the setup.

In a catch-up call, we heard the conversation about adding marketing tags to the setup: “..consent for GA is added and working. We don’t need to spend some time handling Facebook because we already activated it in Shopify to send the conversions with the Conversion API”.

This got me thinking, and I stopped the conversation: “But how do we handle consent in this scenario?” – the first answer: “We don’t, but do we need one for server-side conversions?”

Without any legal advice here – but yes, you need consent for server-side conversions.

This was not the team’s fault. The topic is complex, and it takes some experience.

What generated many concerns on my end was the implementation of the conversion API in Shopify. You get asked what kind of data you want to send to Facebook: Standard, Enhanced or Maximum.

And adding: “Maximum combines all data-tracking options to reach the highest amount of customers. It uses the Conversion API (bold)..”

What kind of option, my dear fellows, do you think a marketer will choose? (In Shopify’s defense – they warn you about checking your privacy policy.)

But this gives us a first impression of what will come with server-side tracking (something my dear friend Philipp Baron Freytag von Loringhoven has been talking about for some time already).

Shady ways to send your customer data to external partners – dishonest because no one can see it from the outside.

And the Facebook conversions are kind of spooky. Because you don’t send any click IDs that you have collected before back to them (which is what you do for Google Ads). No, you send back customer information like their email. Because by accident Facebook has many email addresses and uses them heavily for targeting (remember the similar audiences).

So today (my assumption), hundreds (probably more) of Shopify shops send your email and the items you bought or added to your cart to Facebook even when you said that you don’t give consent. And you can’t check it. That’s the dark side of server-side tracking.

By the way – Shopify has a consent API that you can use to ask for consent or hook it up with your consent management system. So there are ways to handle it. Or implement it yourself with server-side GTM.
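
As an added example (not part of the original post, and not Shopify's or Facebook's own code), here is one way a self-built server-side setup can enforce consent before anything leaves your server: a default-deny gate with a per-destination field allow-list and an audit trail. The destination names, consent purposes and record shapes are assumptions for illustration.

```javascript
// Added example: default-deny consent gate for server-side event forwarding.
// Destination names, purposes and field lists are hypothetical.
const DESTINATIONS = {
  analytics: { purpose: 'analytics', allowedFields: ['event', 'items', 'value'] },
  ad_platform: { purpose: 'marketing', allowedFields: ['event', 'items', 'value', 'email'] },
};

// consent is the record stored by your consent management system,
// e.g. { analytics: true, marketing: false }, or undefined if none exists.
function isAllowed(consent, purpose) {
  // A missing record, a missing purpose or a non-boolean value all mean "no".
  return Boolean(consent) && consent[purpose] === true;
}

// Decide per destination whether the event may be sent and with which fields.
function routeEvent(event, consent) {
  const outbound = [];
  const audit = [];
  for (const [name, dest] of Object.entries(DESTINATIONS)) {
    const allowed = isAllowed(consent, dest.purpose);
    // Record every decision so the otherwise invisible server-side flow can be reviewed.
    audit.push({ destination: name, purpose: dest.purpose, sent: allowed });
    if (!allowed) continue;
    // Copy only allow-listed fields; anything else (such as the IP) never leaves.
    const payload = {};
    for (const field of dest.allowedFields) {
      if (event[field] !== undefined) payload[field] = event[field];
    }
    outbound.push({ destination: name, payload });
  }
  return { outbound, audit };
}

// Constructed sample event, not real customer data.
const sampleEvent = {
  event: 'add_to_cart',
  email: 'jane@example.com',
  items: ['sku-123'],
  value: 19.9,
  ip: '203.0.113.7',
};

// Visitor accepted analytics but declined marketing: only the analytics
// destination receives a payload, and it carries no email.
console.log(JSON.stringify(routeEvent(sampleEvent, { analytics: true, marketing: false }), null, 2));
```
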