
Server-Side Tracking (Matomo) vs Client-Side Cookies: GDPR Audit Guide
With third-party cookies crumbling and ad blockers becoming more aggressive, many marketing teams are moving to server-side tracking using tools like Matomo or Google Tag Manager Server-Side. While this is good for data quality and gives you control over what leaves your infrastructure, it feeds a dangerous myth: "Server-side tracking automatically solves GDPR compliance." This is false. Server-side tracking still violates GDPR (and the ePrivacy rules on cookies) if an identifier is written to the user's browser before the user gives consent; moving the collection endpoint to your own server changes nothing about that.
How server-side tracking actually works
In traditional client-side tracking, the user's browser sends data directly to third-party servers (e.g., Google, Meta, TikTok). In server-side tracking, the browser sends data to a server you control (e.g., a Matomo instance or a GTM server container). Your server then processes the data and either stores it itself (Matomo) or forwards it to the third parties (a GTM server container).
The problem? To link multiple page views into a single session, your server-side setup still needs an identifier that the browser sends back on every request. In most cases that identifier lives in a first-party cookie on your own domain, written either by the tracking script or by a `Set-Cookie` header from your server.
The GDPR trap: First-party cookies still need consent
The ePrivacy Directive (Article 5(3)) does not distinguish between first-party and third-party cookies when it comes to consent: it covers any storing of, or access to, information on the user's device. Unless the cookie is strictly necessary for a service the user explicitly requested, it requires prior consent meeting the GDPR standard (freely given, specific, informed and unambiguous). Analytics and marketing cookies do not fall under that exemption, so it does not matter whether the cookie is set by `analytics.yourdomain.com` (server-side) or `google-analytics.com` (client-side).
If your Matomo tracking script or your GTM client container loads and drops a session cookie before the user clicks "Accept" on your consent banner, you are in breach, no matter how compliant the server side of the pipeline is. The same applies after a "Reject": none of these cookies may appear then either.
How to audit a server-side setup
Auditing server-side tracking is trickier because the network requests go to your own subdomain, not a recognizable third-party tracker. Here is how to verify compliance manually:
- Open an Incognito (or fresh-profile) window and launch Chrome DevTools before loading the site.
- Go to the Application tab -> Storage -> Cookies and confirm it is completely empty; use "Clear site data" if anything is left over from a previous visit.
- Load your website. DO NOT interact with the cookie banner.
- Look for first-party cookies with randomized IDs. Matomo uses `_pk_id`, `_pk_ses` and `_pk_ref`, suffixed with the site ID and a short hash (of the form `_pk_id.1.xxxx`). Server-side GTM may set `FPID`, and a client-side GA4 tag routed through it still sets `_ga` and `_ga_<ID>`.
- Also check the Network tab for `Set-Cookie` response headers from your own subdomain. Cookies set by the server (such as `FPID`, which is typically `HttpOnly`) never pass through `document.cookie`, so a script-only check misses them; the DevTools cookie table does show them.
- If any of these cookies appear before consent, your server-side tracking is misconfigured and is collecting data without a legal basis. Repeat the check after clicking "Reject": the result must be the same as before any interaction.
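The classification step of that procedure in code, as an added example that is not part of the original page or of ConsentScope: it takes a snapshot of the cookies present before any interaction with the banner (the same fields you read off the DevTools table), classifies each one by name pattern, and reports the ones that must not exist yet. The tracker patterns cover the cookies named above plus Meta's `_fbp`; the `ESSENTIAL` allowlist, the `example.com` site domain and the `SAMPLE_JAR` snapshot are constructed assumptions, not real data.

```javascript
// Added example (not from the page or ConsentScope): classify a pre-consent cookie
// snapshot and report which entries should not exist before the user has consented.
// Cookie records mirror DevTools > Application > Cookies (name, domain, httpOnly).
// SAMPLE_JAR below is constructed, not captured data.

// Name patterns for the cookies discussed in the guide, plus Meta's client-side _fbp.
const TRACKER_PATTERNS = [
  { re: /^_pk_(id|ses|ref|cvar)\b/, vendor: 'Matomo', purpose: 'analytics' },
  { re: /^FPID$/, vendor: 'GTM Server-Side', purpose: 'analytics' },
  { re: /^_ga(_[A-Z0-9]+)?$/, vendor: 'Google Analytics', purpose: 'analytics' },
  { re: /^(_gid|_gat(_.+)?)$/, vendor: 'Google Analytics', purpose: 'analytics' },
  { re: /^_fbp$/, vendor: 'Meta Pixel', purpose: 'marketing' },
];

// Assumed allowlist of strictly necessary cookies for a hypothetical site.
// In a real audit this comes from your own cookie inventory.
const ESSENTIAL = new Set(['PHPSESSID', 'csrftoken', 'cookie_consent']);

function classifyCookie(name) {
  if (ESSENTIAL.has(name)) return { category: 'essential', vendor: 'site' };
  for (const p of TRACKER_PATTERNS) {
    if (p.re.test(name)) return { category: p.purpose, vendor: p.vendor };
  }
  return { category: 'unknown', vendor: 'unknown' };
}

// True when the cookie domain is the site's registrable domain or a subdomain of it.
// First-party is NOT an exemption; it is recorded only so the report shows the cookie
// came from your own server-side setup. (A production tool would consult the Public
// Suffix List instead of this plain suffix check.)
function isFirstParty(cookieDomain, siteDomain) {
  const d = (cookieDomain || '').replace(/^\./, '');
  return d === siteDomain || d.endsWith('.' + siteDomain);
}

// Parse a document.cookie string ("a=1; b=2") into records, for use in the console.
function parseCookieHeader(header) {
  return header.split(';').map(s => s.trim()).filter(Boolean).map(pair => {
    const i = pair.indexOf('=');
    return i < 0 ? { name: pair, value: '' } : { name: pair.slice(0, i), value: pair.slice(i + 1) };
  });
}

// cookies: records observed BEFORE any interaction with the consent banner.
function auditPreConsent(cookies, siteDomain) {
  const violations = [];
  const review = [];
  for (const c of cookies) {
    const cls = classifyCookie(c.name);
    if (cls.category === 'essential') continue;
    const entry = {
      name: c.name,
      vendor: cls.vendor,
      category: cls.category,
      firstParty: isFirstParty(c.domain, siteDomain),
      httpOnly: Boolean(c.httpOnly),
    };
    if (cls.category === 'unknown') review.push(entry); // unclassified: needs a human
    else violations.push(entry);
  }
  return { violations, review };
}

// Constructed snapshot of a misconfigured setup: Matomo and sGTM cookies are
// already present before consent, alongside genuinely necessary cookies.
const SAMPLE_JAR = [
  { name: '_pk_id.1.8f3a', domain: 'analytics.example.com', httpOnly: false },
  { name: '_pk_ses.1.8f3a', domain: 'analytics.example.com', httpOnly: false },
  { name: 'FPID', domain: '.example.com', httpOnly: true },
  { name: 'PHPSESSID', domain: 'www.example.com', httpOnly: true },
  { name: 'cookie_consent', domain: 'www.example.com', httpOnly: false },
  { name: 'ab_variant', domain: 'www.example.com', httpOnly: false },
];

// Prints the findings and returns true only when nothing non-essential was found.
function reportPreConsent(cookies, siteDomain) {
  const { violations, review } = auditPreConsent(cookies, siteDomain);
  for (const v of violations) {
    console.log(`VIOLATION ${v.name} (${v.vendor}, ${v.category}, ` +
      `${v.firstParty ? 'first-party' : 'third-party'}${v.httpOnly ? ', HttpOnly' : ''})`);
  }
  for (const r of review) console.log(`REVIEW ${r.name} (unclassified)`);
  return violations.length === 0;
}

// Browser console usage: reportPreConsent(parseCookieHeader(document.cookie), 'example.com')
// (document.cookie cannot see HttpOnly cookies such as FPID; use the DevTools table for those).
reportPreConsent(SAMPLE_JAR, 'example.com'); // prints 3 VIOLATION lines and 1 REVIEW line
```

Unknown names go to a review list rather than being silently passed, because an unfamiliar first-party cookie with a random value is exactly what a renamed or proxied tracker looks like; the allowlist, not the pattern list, is what decides that something is harmless.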
The ultimate verifier: ConsentScope
Because requests to a server-side tracker go to your own first-party domain, nothing in a request list marks them as tracking, so manual audits are prone to error. You need a tool that classifies cookies by what they do, regardless of their origin domain.
ConsentScope acts as the ultimate frontend verifier. It does not care if the cookie came from Matomo, an edge server, or a third-party script. It monitors the browser's storage APIs directly. If a non-essential cookie appears before the consent signal is registered, ConsentScope flags it immediately.
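To make the mechanism described above concrete, here is an added illustration of storage-API monitoring in the browser. It is not ConsentScope's code: it replaces the `document.cookie` accessor and `Storage.prototype.setItem` with wrappers that let writes through but record every non-essential write made while a consent flag is still false, together with a stack trace for locating the script responsible. The `ESSENTIAL_NAMES` allowlist is an assumption, and `FakeDocument`/`FakeStorage` are constructed stand-ins so the scenario runs outside a browser; in a real page you would pass `Document.prototype` and `Storage.prototype` instead.

```javascript
// Added example (not ConsentScope's code): hook the browser's cookie and Web Storage
// write paths and log every non-essential write that happens before consent.
// In a real page call installCookieMonitor(Document.prototype, consent) and
// installStorageMonitor(Storage.prototype, consent) as early as possible (for
// instance from an extension content script at document_start).

// Assumed allowlist of strictly necessary names; everything else is non-essential.
const ESSENTIAL_NAMES = new Set(['PHPSESSID', 'csrftoken', 'cookie_consent']);

// "name=value; Path=/; Secure" -> "name"
function cookieName(cookieString) {
  return cookieString.split(';')[0].split('=')[0].trim();
}

// Replace the `cookie` accessor on a Document-like prototype. Writes still reach the
// original setter; before consent, non-essential writes are recorded with a stack
// trace so the offending script can be located.
function installCookieMonitor(proto, consent, log = []) {
  const desc = Object.getOwnPropertyDescriptor(proto, 'cookie');
  if (!desc || typeof desc.set !== 'function') throw new Error('no cookie accessor on prototype');
  Object.defineProperty(proto, 'cookie', {
    configurable: true,
    enumerable: desc.enumerable,
    get() { return desc.get.call(this); },
    set(value) {
      const name = cookieName(String(value));
      if (!consent.granted && !ESSENTIAL_NAMES.has(name)) {
        log.push({ api: 'document.cookie', name, stack: new Error().stack });
      }
      desc.set.call(this, value);
    },
  });
  return log;
}

// Same idea for localStorage/sessionStorage, which trackers also use for visitor IDs.
function installStorageMonitor(proto, consent, log = []) {
  const original = proto.setItem;
  proto.setItem = function (key, value) {
    if (!consent.granted && !ESSENTIAL_NAMES.has(key)) {
      log.push({ api: 'Storage.setItem', name: key, stack: new Error().stack });
    }
    return original.call(this, key, value);
  };
  return log;
}

// Simulates a page that drops its Matomo session cookie and a visitor ID in
// localStorage before the banner is answered, then writes more after consent.
function runScenario() {
  // Constructed stand-ins for Document and Storage (Node has neither), defined here
  // so every run installs the hooks on fresh prototypes.
  class FakeDocument {
    constructor() { this.jar = new Map(); }
    get cookie() { return [...this.jar].map(([k, v]) => `${k}=${v}`).join('; '); }
    set cookie(str) {
      const pair = str.split(';')[0];
      const i = pair.indexOf('=');
      this.jar.set(pair.slice(0, i).trim(), pair.slice(i + 1));
    }
  }
  class FakeStorage {
    constructor() { this.items = new Map(); }
    setItem(key, value) { this.items.set(key, String(value)); }
    getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  }

  const consent = { granted: false };
  const log = [];
  installCookieMonitor(FakeDocument.prototype, consent, log);
  installStorageMonitor(FakeStorage.prototype, consent, log);
  const doc = new FakeDocument();
  const ls = new FakeStorage();

  doc.cookie = 'cookie_consent=pending; Path=/';            // essential: not logged
  doc.cookie = '_pk_ses.1.8f3a=1; Path=/; Secure';           // non-essential, pre-consent: logged
  ls.setItem('visitor_id', 'a1b2c3');                        // pre-consent: logged
  consent.granted = true;                                    // user clicks Accept
  doc.cookie = '_pk_id.1.8f3a=abc.1700000000.; Path=/';      // post-consent: allowed

  return { log, cookies: doc.cookie, stored: ls.getItem('visitor_id') };
}
```

The hook only sees script-initiated writes. Cookies that arrive in a `Set-Cookie` response header from your own server (the HttpOnly `FPID` case from the audit steps) never pass through `document.cookie`, so a storage-API monitor on its own cannot catch them; that is why the manual Network-tab check above stays part of the procedure.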
Verify your server-side setup instantly
Do not rely on assumptions. Install ConsentScope to automatically detect hidden first-party analytics cookies firing before consent.
ConsentScope Team
Verified author: Privacy Engineers & Chrome Extension Developers
We build tools that help developers, agencies and privacy advocates detect GDPR cookie violations automatically. Our team analyzes consent banners, cookie behavior and third-party scripts across thousands of websites every month.