Why server-side tracking in a US cloud can worsen your legal problems
Server-side tracking is considered the future. Online marketers and analysts largely agree that server-side tracking provides access to raw data and significantly improves data quality.
But there is another crucial advantage. Server-side tracking can also help improve legal compliance, as recently confirmed by the French data protection authority CNIL.
However, caution is required. To actually benefit from this legal advantage, certain conditions must be met. In addition to correct consent settings, the choice of the hosting provider is especially critical. Even with the best intentions, selecting the wrong cloud provider can completely undermine your legal compliance.
Why the choice of the cloud provider is crucial
Server-side tracking allows data from your website to be collected and sent directly to a server, which then forwards this data to various endpoints such as Google Analytics, Matomo, Bing, and others. This server acts as the central control unit and is therefore critical to the entire setup.
If this server is hosted in the cloud of a US company, compliant tracking is no longer possible. From a legal perspective, it is irrelevant whether a US cloud provider operates servers in Europe or in the United States. US surveillance laws such as FISA (Foreign Intelligence Surveillance Act) and the US CLOUD Act allow US authorities to access data held by US companies. As a result, compliance with the GDPR is not possible when using a US cloud provider.
An example
Imagine you are using a privacy-friendly analytics tool such as Matomo or Piwik Pro to track data in a GDPR-compliant way. If these tools are hosted on European servers operated by a European company, everything is set up correctly. At this point, your tracking is compliant.
After some time, you may want to further improve data quality and website performance and therefore switch to server-side tracking. If, in doing so, you host your data in the cloud of a US provider, you immediately lose your legal compliance, even if that US company operates its servers in Europe.
This is because, once again, the physical location of the servers does not matter. What matters is the company operating them. US authorities have access to all data held by US companies.
Conclusion
When choosing a server-side tracking solution, make sure to pay close attention to two key aspects:
- The technology provider is a European company
- The servers hosting the solution are located in the EU and are owned by an EU company
