Event Tracking and Consent Mode: Engineering Data Collection Without Losing Performance

Introduction: Tracking Without Trust Is a Liability

The post-GDPR world is not a world without data. It is a world where data must be collected with care, consent and transparency, or risk regulatory action and user mistrust. In the UK, the ICO outlines strict standards for valid consent. In DACH countries, regulators enforce them even more tightly, particularly when it comes to event tracking, cookies and analytics.

I help clients build technical solutions that collect the signals they need for optimisation and attribution, while respecting the user's right to opt out. This article explains how I use Google Consent Mode, server-side Tag Manager, and fallback logic to achieve both compliance and marketing performance.


Understanding Consent Mode: The Core Idea

Consent Mode is a Google framework that lets you adjust how tags behave based on the user's consent state. If the user agrees to marketing or analytics cookies, everything fires normally. If not, tags still fire, but without setting or reading cookies, and without sending personal identifiers.

Instead of blocking tags entirely, Consent Mode signals:

  • analytics_storage: whether analytics cookies are allowed
  • ad_storage: whether advertising cookies are allowed
  • functionality_storage: whether non-essential UX cookies are allowed

You configure this through the gtag or Google Tag Manager layer:

window.gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied'
});

Then update it once consent is granted:

window.gtag('consent', 'update', {
  'ad_storage': 'granted',
  'analytics_storage': 'granted'
});

Consent Mode ensures that your tag ecosystem respects the user's choice while still collecting anonymous, aggregate data that Google can use for modelling.


Why This Matters More in DACH

In Germany and Austria, regulators like the DSK and Austrian DPA (Datenschutzbehörde) demand:

  • Real opt-in before any tracking cookies
  • Equal prominence of accept and reject buttons
  • Full audit trail of consent (timestamp, scope, version)

In contrast, the UK ICO allows cookie walls in some cases and does not yet demand the same server-side safeguards. Still, I apply the DACH standard everywhere, because it future-proofs the setup and avoids reputational risk.


Server-Side GTM: A Privacy Upgrade

I implement server-side Google Tag Manager on most of my projects. Why?

  • Tags fire through your own subdomain (e.g. tag.yoursite.com), reducing third-party exposure
  • You can strip IP addresses, User-Agent or other identifiers
  • You control which data is passed to vendors, and which is suppressed

The architecture is simple:

  1. User browser sends event to your endpoint (e.g. via GTM client)
  2. That event hits your Tag Manager container running on App Engine, Cloud Run or your own server
  3. Server logic checks consent and filters event data accordingly

This reduces risk significantly. You are no longer blindly sending raw data to Google, Meta, or others, you inspect and control it first.


First-Party Event Tagging

For clients in Germany or Switzerland, I often bypass GA4 or Meta Pixel entirely for some flows and use custom endpoints to log user behaviour in first-party databases.

Example:

fetch("/events", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    event: "product_viewed",
    product_id: "1234",
    consent: localStorage.getItem("userConsent")
  })
});

These are stored in PostgreSQL or BigQuery, anonymised, and later joined with CRM or campaign data (only where lawful).


Fallback Modelling: Still Measuring When Consent Is Denied

When consent is denied, you lose user-level granularity, but not all signal. Google uses conversion modelling to estimate impact. I supplement this with server-side logic:

  • Count consent-denied sessions separately
  • Model conversion lag and attribution curves using observed data
  • Use cohort-level metrics (e.g. campaign → CTR → anonymous conversion) for optimisation

This lets my clients preserve directionally accurate data for decisions, without breaching rules.


Final Thought: Privacy-First Is Performance-Ready

You do not need to break the law to grow fast. With the right architecture, you can collect high-value signals, optimise campaigns and attribute results, while treating user data with respect.

If your tracking setup still relies on hope, tags and disclaimers, I can help you engineer a consent-aware, performance-optimised system that works in the UK, in DACH and beyond, and does not collapse at the next audit.