GDPR-compliant conversion tracking: measure on a sound legal footing, without losing data
GDPR and complete conversion data are treated as opposites. They are not. Consent, Consent Mode v2 and server-side tracking on German infrastructure - set up correctly, and still measurable.
GDPR-compliant conversion tracking means measuring conversions in a way that rests on a legal basis: active consent under Section 25 TDDDG, a complete privacy policy and a data processing agreement with every tracking provider. Server-side tracking and Consent Mode v2 then recover part of the lost data, without bypassing consent.
In a free initial consultation we look at legal basis and data loss together - and map what your current setup is costing you every month.
GDPR/TDDDG versus complete conversion data
Two legitimate goals pull in opposite directions. Data protection demands restraint, performance marketing demands signal. Optimise only one side and you lose on the other.
The legal reality
Since 13 May 2024 the TDDDG requires consent before any access to the device. Violations can be fined up to 300,000 euros.
Enforcement is real: in 2025 the French CNIL fined Shein 150 million euros and Google 325 million euros for cookies without consent.
The data reality
In Germany around 40 percent of users reject cookies. Without countermeasures, 30 to 50 percent of conversion data is then missing from your tools.
Your Smart Bidding then optimises on a distorted basis - and burns ad budget on the wrong campaigns.
The way out is not a trick, it is architecture. Obtain consent cleanly, set Consent Mode v2 as the signal, let server-side tracking send only where a legal basis exists - and process as much as possible inside the EU.
Four building blocks that belong together
Legally sound conversion tracking does not rest on a cookie banner alone. These four elements must be present and wired together cleanly.
Active consent
A legally compliant cookie banner with no pre-ticked boxes. Rejecting must be as easy as accepting. Consent must be obtained before the first consent-requiring tag fires.
Privacy policy
The tracking services in use, their purposes and the data processing must be named transparently, including a note on possible third-country transfers.
DPA under Art. 28 GDPR
Google conversion tracking, GA4, Meta and others are processing on behalf of the controller. A data processing agreement with each provider is mandatory (e-recht24.de).
Section 25 TDDDG
Consent is required before any access to the device (cookies, identifiers). The authoritative German law since 13 May 2024, with fines up to 300,000 euros (cortina-consult.com).
How much you lose to the cookie banner
A realistic rejection rate in Germany is around 40 percent - and with every correctly placed banner it tends to rise rather than fall.
Without countermeasures this share is missing in GA4 and the ad platforms - your reporting shows a world that does not exist.
TDDDG violations can be fined up to 300,000 euros - the incentive to get it right cuts both ways.
The tricky part: both costs are invisible. You see neither the fine risk nor the burned ad budget directly in the dashboard. In a free initial consultation we make both visible - with a defensible euro figure.
Consent Mode v2 as the consent signal
Consent Mode v2 has been mandatory since 6 March 2024 in order to keep using Google Ads and GA4 personalisation and remarketing features in the EEA - driven by the Digital Markets Act.
What it does
Consent Mode v2 tells Google in real time whether a user has agreed and controls, via four signals, which data is collected - including the new signals ad_user_data and ad_personalization.
In Advanced Mode, conversion modelling can, according to Google, reconstruct over 70 percent of the conversion paths lost to rejection.
The Basic vs Advanced trade-off
Advanced Mode sends cookieless pings even on rejection. From a data protection perspective this is contested - many DACH experts recommend Basic Mode for maximum legal certainty.
We treat this as a documented trade-off, not a verdict. Which variant fits you depends on risk appetite and industry. More on this on our page about GA4 Consent Mode v2.
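What the four signals look like in practice, and where Basic and Advanced mode actually differ, as an added example (not the page's or the agency's code): a dataLayer stub stands in for the real gtag.js bootstrap so the snippet runs outside a browser, and the banner result format ({ analytics, marketing }) and the mapping of banner categories to signals are assumptions.

```javascript
// Added example, not the page's code: setting the Consent Mode v2 signal in the
// browser. A dataLayer stub replaces the real gtag.js bootstrap so this runs in
// Node; the banner result format and category-to-signal mapping are assumptions.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// The four Consent Mode v2 signals; ad_user_data and ad_personalization are the two added in v2.
const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Everything starts denied. wait_for_update gives the banner time to answer
// before tags decide how to behave. This call belongs before any Google tag.
function setConsentDefaults(waitMs = 500) {
  const defaults = Object.fromEntries(SIGNALS.map((s) => [s, 'denied']));
  gtag('consent', 'default', { ...defaults, wait_for_update: waitMs });
  return defaults;
}

// Map a granular banner result to the four signals (assumed categories:
// "analytics" covers analytics_storage, "marketing" covers the three ad signals).
function consentFromBanner(choice) {
  const ads = choice.marketing ? 'granted' : 'denied';
  return {
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
    analytics_storage: choice.analytics ? 'granted' : 'denied'
  };
}

// Called once the user has interacted with the banner.
function updateConsent(choice) {
  const state = consentFromBanner(choice);
  gtag('consent', 'update', state);
  return state;
}

// Basic vs Advanced: in Basic mode the Google tag is not loaded at all until
// the user has granted at least one signal, so a rejection produces no ping.
// In Advanced mode the tag loads with the denied defaults and sends cookieless pings.
function shouldLoadGoogleTag(mode, state) {
  if (mode === 'advanced') return true;
  if (!state) return false;                         // Basic: no interaction yet
  return SIGNALS.some((s) => state[s] === 'granted');
}

setConsentDefaults();
updateConsent({ analytics: true, marketing: false });   // constructed banner result
```

The order matters: the default call must run before the Google tag, and the update call only after the user has actually chosen; a banner that fires the update with all signals granted on page load would turn the signal into a pre-ticked box.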
Server-side: recover data, respect consent
Server-side tracking is the most effective lever against data loss. But it is not a consent bypass. This clarification separates serious providers from dangerous promises.
Server-side tracking is an architecture in which events run to the platforms through your own server container rather than straight from the browser. That makes collection more resilient against ad blockers, Safari ITP and iOS restrictions - and gives you control over which data leaves the building at all. What it does not do: replace a missing legal basis.
The full, owned build of this infrastructure is described on our Server-Side Tracking page. This page covers the legal framing - that one covers how we build it.
Connecting the platforms the GDPR-compliant way
Vendor-neutral and on the same principle: data only on consent, processing inside the EU wherever possible.
Google Analytics 4 (GA4)
GA4 with a correctly wired Consent Mode v2 and server-side collection. Conversion modelling reconstructs part of the paths lost to rejection, in Advanced Mode only, and only as a documented trade-off.
Google Ads Enhanced Conversions
Hashed first-party data (email, phone) is passed to Google server-side, only where consent exists. This lifts the match rate and makes Smart Bidding reliable again.
Meta Conversions API (CAPI)
Server-side instead of pixel only: better Event Match Quality, redundant collection against browser blockers, clean deduplication. Here too, data is only shared on consent.
Matomo (consent-light)
A self-hosted Matomo instance can, depending on configuration, run in a particularly data-minimising way - an option for teams that value maximum data sovereignty over platform reach.
Deeper dives: setting up the Meta Conversions API and GA4 Consent Mode v2.
Schrems II, the Data Privacy Framework and the residual risk
Schrems II
The CJEU struck down the Privacy Shield. US data transfers became a permanent legal issue - many tracking setups suddenly stood on shaky ground.
Data Privacy Framework
The adequacy decision made transfers to certified US recipients possible again. A foundation - but a younger, unsettled one.
Schrems III?
Privacy advocates such as noyb have announced a challenge. The framework is considered unstable - those who can, keep processing inside the EU.
German infrastructure as a structural advantage
Most providers are either privacy lawyers without the engineering or tracking agencies without the legal depth. We are both - and we host in Germany.
Hosting in Germany
Server containers and data processing run on Hetzner infrastructure in German data centres - with as few US-bound hops as technically possible.
ISO/IEC 27001:2022
Information security to a recognised standard. Data protection is not an add-on, it is anchored in the architecture.
GDPR-native
Data minimisation, IP truncation and EU processing are the default, not a retrofit.
You own the setup
No vendor lock-in. We build the infrastructure; the code and the configuration are yours.
Why we go up against standard SaaS tracking stacks is laid out in the SaaS Graveyard. What tools really cost you over time is calculated by the Cost-of-Software calculator.
Legal note
This article offers a professional opinion from tracking and infrastructure practice and does not replace legal advice. For a binding assessment of your specific setup, please consult a law firm specialising in data protection or your data protection officer.
Frequently asked questions
GDPR-compliant conversion tracking - the key points
Is conversion tracking allowed without consent?
Generally no. As soon as tracking accesses information stored on a user's device or stores information there (cookies or comparable identifiers), Section 25 of the German TDDDG requires active consent. This applies to classic conversion tracking via Google Ads or the Meta Pixel and to most server-side setups alike. Exceptions are narrow (strictly necessary operations). Fully consent-free measurement is realistically only conceivable with strongly data-minimising, cookieless methods such as a suitably configured Matomo instance, and even that is a case-by-case assessment. This is a professional opinion, not legal advice.
What legal basis does conversion tracking need in Germany?
Three pieces belong together: first, active consent via a legally compliant cookie banner (no pre-ticked boxes, rejecting as easy as accepting); second, a privacy policy that names the tracking and the services in use; and third, a data processing agreement (DPA) under Art. 28 GDPR with providers such as Google. Google conversion tracking counts as processing on behalf of the controller, so the DPA is mandatory (e-recht24.de).
Do I need a data processing agreement with Google?
Yes. Anyone using Google services such as GA4, Google Ads conversion tracking or the server-side Tag Manager with Google tags processes personal data on behalf of the controller and needs a data processing agreement under Art. 28 GDPR. With Google, the relevant Data Processing Terms are accepted when the account is created and stored in the account. The same principle applies to Meta, TikTok and other platforms.
Is server-side tracking automatically GDPR compliant?
No. This is the most common misconception. Server-side tracking improves data quality, stability and control, but it does not replace a legal basis. If a user rejects consent in the banner, a server-side container may not pass personal data to Google, Meta or TikTok without consent either, not even in anonymised or hashed form. Server-side is not a consent bypass. Set up correctly, it enforces consent on the server and collects more complete data only where a legal basis exists (tobiasbatke.com).
How much conversion data do I lose to the cookie banner?
In Germany, realistically around 40 percent of users reject cookies. Without countermeasures, roughly 30 to 50 percent of conversion data is then missing in GA4 and the ad platforms (konzept54.de). This gap optimises your bidding algorithms on a distorted basis, so you pay twice: once in data protection exposure and once in wasted ad budget. Consent Mode v2 plus server-side recovers part of it in a legally compliant way.
Is the EU-US data transfer (Data Privacy Framework) safe?
Since the adequacy decision of July 2023, transfers to the US under the EU-US Data Privacy Framework are in principle possible again where the recipient is certified. The framework is, however, considered unstable: privacy advocates such as noyb have already announced a challenge along the lines of Schrems II, a possible Schrems III (jentis.com, taggrs.io). Anyone who wants to reduce the residual risk keeps as many processing steps as possible inside the EU, which is exactly where German infrastructure comes in.
What does the TDDDG change for my tracking?
The TDDDG (the German Telecommunications Digital Services Data Protection Act) replaced the TTDSG on 13 May 2024 and is the authoritative German law for cookie consent. It requires consent before any access to the device and complements the GDPR. Violations can be fined up to 300,000 euros (cortina-consult.com). In practice this means the banner must sit in front of every consent-requiring tag, and consent must be passed cleanly to all downstream tools at a technical level.
What is the difference between Consent Mode and server-side tracking?
Consent Mode v2 is a consent signal: it tells Google in real time whether a user has agreed and thereby controls which data is collected and whether conversions are modelled. Server-side tracking is an architecture: events run through your own server container instead of straight from the browser, which makes them more resilient against ad blockers and ITP and gives you data sovereignty. The two complement each other. Consent Mode governs the whether, server-side governs the how and where. Only together do you get a legally sound and technically complete setup.
Measure on a sound footing, without losing data.
In a free initial consultation we look at legal basis and data loss together - and map what your current setup is costing you every month. The direct entry point to GDPR-compliant, complete tracking.