Privacy Engineering: Measure Without Cookies, Convert Without Fines

GDPR fines have exceeded EUR 7.1 billion cumulative. Ad blockers affect 30-40% of your traffic. Client-side tracking is broken. We implement server-side tracking, CMPs and privacy-first analytics so you keep measuring without relying on third-party cookies.

EUR 7.1B Cumulative GDPR Fines
30-40% Traffic with Ad Blockers

Privacy Engineering Services

Technical implementation, not legal advice.

CMP Configuration: implementation and setup of CookieBot, Didomi or OneTrust. Consent Mode v2 integrated with GTM.
Server-Side GTM: server container on Stape or Google Cloud. First-party cookies set from your own subdomain. Fewer hits lost to ad blockers, without forwarding anything the user has not consented to.
Privacy-First Analytics: implementation of Matomo, Plausible or Piwik Pro as an alternative or complement to GA4.
First-Party Data Architecture: custom data layer design, direct server-side capture, reduced dependency on third parties.
Conversion APIs: Meta CAPI, TikTok Events API, Google Ads Enhanced Conversions. Server-to-server event delivery without client-side pixels.
Technical Privacy Audits: cookie scanning, third-party scripts, cross-border data flows and GDPR gap analysis.

Service Deliverables

What you receive with every privacy engineering project.

  • Technical privacy audit (20+ page report)
  • CMP implementation with Consent Mode v2
  • GTM Server-Side container on your own subdomain
  • Conversion API configuration (Meta CAPI, TikTok, Google)
  • Compliance dashboard in Looker Studio
  • Technical documentation for DPO
  • Training for marketing and data teams
  • Monthly cookie and script monitoring (optional)

Client-Side vs Server-Side Tracking

Why traditional tracking is broken in 2026.

Client-side tracking depends on JavaScript running in the browser: ad blockers strip the tags, Safari ITP caps cookies set from JavaScript at 7 days, and users decline consent. Server-side tracking routes events through a server you control: it doesn't depend on vendor scripts loading in the browser, it sets first-party cookies from your own domain, and you decide exactly which fields reach each vendor. Two caveats apply: a consent refusal still covers first-party cookies (ePrivacy applies to any storage on the device, whoever sets it), and a subdomain that is merely a CNAME to a third-party host is treated by ITP as third-party and capped at 7 days as well. With those respected, it's the foundation of any serious post-cookie measurement strategy.

gtm-server/privacy-config.yaml
# Server-side GTM — Stape
container:
  type: server
  domain: track.yourdomain.com
  consent_mode: v2
  cookies: first_party_only
  endpoints:
    - ga4_measurement_protocol
    - meta_capi
    - tiktok_events_api

For the CEO

The real cost of non-compliance.

GDPR fines reached EUR 1.2 billion in 2025, totaling EUR 7.1 billion since 2018. But the fine isn't the biggest risk: it's lost data. If 30-40% of your traffic uses ad blockers and your tracking is client-side, you're making investment decisions with incomplete data.

The privacy services market is growing at 12.2% annually (from $4.5B in 2024 to $12.2B in 2033). Companies that implement privacy-first don't just avoid sanctions: they recover data they were losing and build trust with their customers.

Real-world case: a 12-person agency added privacy retainers at $300/month across 85 clients = $306,000 in annual recurring revenue. Privacy is not a cost center, it's a value-added service.

EUR 1.2B GDPR Fines in 2025
12.2% Privacy Market CAGR
+35% Data Recovered with Server-Side

For the CTO

Privacy technical architecture.

Server-side GTM on Stape or Google Cloud Run: the container runs under your control (on Stape, the host is a processor under a DPA), and raw hits never reach a vendor before you filter them. First-party cookies are set from your own subdomain (track.yourdomain.com) with Secure and HttpOnly from the server, which keeps them outside ITP's 7-day cap on script-set cookies and out of reach of third-party scripts; ITP only treats them as first-party if that subdomain resolves to your infrastructure rather than being a CNAME to the vendor. Ad blockers that filter by known tracking hostnames miss a custom subdomain, but this is reduced loss, not immunity: filter lists can add any hostname.

Consent Mode v2 integrated: when the user declines, Google tags send cookieless pings with no identifiers, and GA4 and Google Ads model the missing conversions statistically in aggregate (modeling needs minimum daily volumes, so low-traffic sites see little of it). Conversion APIs (Meta CAPI, TikTok Events API) send events server-to-server, removing the dependency on a JavaScript pixel; consent still gates what is sent, and each server event carries the same event_id as its pixel counterpart so the platform deduplicates the pair.
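The browser side of that integration, as an added example (not the page's own snippet and not Google's or any CMP's code): Consent Mode v2 defaults pushed before gtm.js loads, then an update from the CMP callback. The CMP category names `statistics`, `marketing` and `preferences` are assumptions; Cookiebot, Didomi and OneTrust each use their own names and callbacks. `dataLayer` is a plain array here so the logic also runs under Node.

```javascript
// Added example: Consent Mode v2 wiring between a CMP and Google tags.
// Not the page's code; CMP category names are assumed. In the browser this
// runs before the GTM snippet; here dataLayer is a plain array.
const dataLayer = [];
// Google's documented gtag shim: pushes the arguments object onto dataLayer.
function gtag() { dataLayer.push(arguments); }

// Consent Mode signals. ad_user_data and ad_personalization are the two added
// in v2; Google requires them for EEA traffic to keep conversion measurement
// and remarketing working in Google Ads.
const CONSENT_SIGNALS = [
  'ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization',
  'functionality_storage', 'personalization_storage', 'security_storage',
];

// Defaults: everything denied except strictly necessary storage, and tell
// Google tags to wait up to 500 ms for the CMP's stored choice before firing.
function consentDefaults() {
  const state = Object.fromEntries(CONSENT_SIGNALS.map((s) => [s, 'denied']));
  state.security_storage = 'granted';
  state.wait_for_update = 500;
  return state;
}

// Map CMP categories to Consent Mode signals. Marketing consent drives the
// three ad_* signals together; analytics consent drives analytics_storage.
function consentFromCmp(choices) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    ad_storage: g(choices.marketing),
    ad_user_data: g(choices.marketing),
    ad_personalization: g(choices.marketing),
    analytics_storage: g(choices.statistics),
    functionality_storage: g(choices.preferences),
    personalization_storage: g(choices.preferences),
    security_storage: 'granted',
  };
}

function applyDefaults() { gtag('consent', 'default', consentDefaults()); }
function onCmpChoice(choices) { gtag('consent', 'update', consentFromCmp(choices)); }

// Read back the effective state from dataLayer: a later 'update' overrides 'default'.
function effectiveConsent() {
  let state = {};
  for (const args of dataLayer) {
    if (args[0] === 'consent') state = { ...state, ...args[2] };
  }
  delete state.wait_for_update;
  return state;
}

// Usage: defaults first (before gtm.js loads), then the CMP's choice callback.
applyDefaults();
onCmpChoice({ statistics: true, marketing: false, preferences: false });
```

The ordering matters: if the default push happens after gtm.js has loaded, tags fire once with no consent state and you have set cookies before the user chose. Wire the CMP's "choice stored" callback to `onCmpChoice` so returning visitors get their stored choice re-applied on every page.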

For environments where GA4 isn't viable due to US transfers, we implement Matomo (self-hosted, data in the EU), Plausible (lightweight SaaS, no cookies) or Piwik Pro (enterprise, DPA included). All with bidirectional integration to your marketing stack.

Is It Right for You?

Privacy engineering makes sense if you run paid media in the EU or depend on data for marketing decisions.

Who it's for

  • Companies with active paid media (Google Ads, Meta, TikTok) losing data to ad blockers.
  • E-commerce or SaaS that need accurate conversion attribution while staying GDPR-compliant.
  • Organizations with strict compliance requirements (DPO, audits, regulated industry).
  • Teams looking to migrate from GA4 to EU-hosted analytics.
  • Businesses that have already received DPA warnings or want to get ahead of enforcement.

Who it's not for

  • Low-traffic websites where basic GA4 with Consent Mode is sufficient.
  • Companies that don't run paid media or depend on tracking for decisions.
  • Organizations looking for legal counsel (we're engineers, not lawyers).
  • Businesses without budget for server-side infrastructure (minimum $20-100/month).
  • If your only requirement is a cookie banner, you don't need privacy engineering.

Implementation Services

Five areas where we deliver.

01

CMP Implementation

Complete configuration of Cookiebot, Didomi or OneTrust. Cookie categorization, custom legal texts, GTM and Consent Mode v2 integration. A/B testing of banner wording and layout to raise acceptance, with a reject option kept as prominent as accept on every variant, since unequal buttons are what DPAs have fined.

02

Server-Side Tracking Migration

GTM Server-Side container on Stape or Google Cloud. Custom subdomain configuration, server-side tags for GA4, Google Ads and Meta. First-party cookies with controlled lifetime. Recover most of the 30-40% of hits lost client-side.

03

Cookieless Analytics

Implementation of Matomo, Plausible or Piwik Pro as an alternative or complement to GA4. Self-hosted on EU servers. Equivalent dashboards. Goal and segment migration. No international data transfers.

04

Conversion APIs

Implementation of Meta CAPI, TikTok Events API and Google Enhanced Conversions. Server-to-server delivery of purchase, lead and signup events. Deduplication with client-side events. Improved match rate.

05

Audit and Continuous Monitoring

Automated scanning of cookies and third-party scripts. Monthly compliance report. Early warning of regulatory changes. Cross-border data flow review. DPO documentation.

Implementation Process

From audit to compliance in 4-8 weeks.

01

Technical Privacy Audit

Cookie scanning, third-party scripts, data flows and current consent configuration. Report with GDPR gaps and prioritized fixes.

02

Server-Side Migration and CMP

Server-side container implementation, CMP configuration, Consent Mode v2 and first-party cookies. Dual tracking period to validate data.

03

Conversion APIs and Alternative Analytics

Meta CAPI, TikTok Events API, Enhanced Conversions configuration. If applicable, Matomo or Plausible implementation. Transition dashboards.

04

Validation, Documentation and Monitoring

Data integrity validation. Technical documentation for DPO. Alert configuration and automated cookie scanning.

Risk Mitigation

Transparency about what can go wrong.

Data loss during server-side migration

Mitigation:

Mandatory dual tracking period (client + server) for 2-4 weeks. Cross-validation of events before deactivating client-side.

Low consent rate that reduces available data

Mitigation:

A/B testing of consent banners to raise acceptance without dark patterns (reject stays one click away and as visible as accept). Consent Mode v2 feeds statistical modeling for users who decline.

Regulatory change that invalidates the configuration

Mitigation:

Continuous monitoring of European DPAs. Modular architecture that enables adaptation without rebuilding. Regulatory change alerts.

Incompatibility with paid media platforms

Mitigation:

Conversion APIs are the official integration path from Meta, TikTok and Google. Done properly (hashed customer identifiers, shared event_id for deduplication, _fbp/_fbc forwarded), server-side improves match rate rather than worsening it; it only degrades if the server sends fewer identifiers than the pixel did.

Unexpected server-side infrastructure costs

Mitigation:

Detailed cost estimate before starting. Typically $20-100/month on Stape or Cloud Run. Automatic scaling based on traffic.

Privacy That Generates Data, Not Destroys It

We've been implementing server-side tracking and CMPs since before it was a trend. Every project starts with a technical audit, not a generic checklist. We integrate privacy into the data architecture, not as a last-minute patch.

Data Recovered with Server-Side 35%
Average Consent Rate 82%
GDPR Compliance 100%

Why Invest in Privacy Engineering

Data that justifies the decision.

Fines avoided: EUR 1.2 billion imposed in 2025 alone. Prevention costs a fraction.
Data recovered: server-side recovers 30-40% of conversions that ad blockers eliminate.
No lock-in: the infrastructure is yours, the dashboards are yours.
Growing market: from $4.5B (2024) to $12.2B (2033). CAGR 12.2%.

Frequently Asked Questions

What our clients ask before getting started.

Is it legal to use GA4 in the European Union?

It depends on the implementation. In 2022 the Austrian, French and Italian DPAs ruled that Google Analytics (Universal Analytics, as configured on the sites examined) violated GDPR because of US transfers without adequate safeguards. Since July 2023 the EU-US Data Privacy Framework provides a transfer basis for certified companies, Google included, although that framework is under legal challenge and could fall as its two predecessors did. Server-side tracking lets you truncate the IP address and strip identifiers before the hit reaches Google, which reduces what is transferred; whether the residual transfer is lawful for your processing is a determination for your DPO, not a configuration setting. Alternative: Matomo or Piwik Pro hosted in the EU.

What exactly is server-side tracking?

Instead of the user's browser sending data directly to GA4, Meta, etc., data is sent first to your own server (GTM Server-Side container). From there, your server forwards only the data you decide to each platform. Benefits: ad blocker bypass, first-party cookies, full data control.

How much does implementing and maintaining a CMP cost?

CMP licenses range from $0 (CookieBot free, up to 100 pages) to $300-600/month (OneTrust, Didomi enterprise). Technical implementation (GTM integration, Consent Mode v2, cookie categorization) is a one-time project of 2-3 weeks. Maintenance is minimal with automated scanning.

Matomo vs GA4: which is right for me?

GA4: free, powerful attribution modeling, native Google Ads integration. Risk: US data transfers. Matomo: self-hosted in the EU, no transfer risks, 100% yours. Downside: fewer native integrations, requires your own server. We recommend Matomo if your DPA has already sanctioned Google Analytics, or if your industry is heavily regulated.

Does server-side tracking affect my website performance?

Usually it improves it, but only once client-side vendor tags are actually removed rather than duplicated. With server-side, the browser loads one web container that sends a single request to your endpoint, and the vendor tags run on the server. We typically see 200-500ms improvements in Time to Interactive when migrating heavy tags; during the dual-tracking period, when both run, expect no gain.

What GDPR fines apply to my industry?

Fines are tiered: up to 4% of global annual turnover or EUR 20 million, whichever is greater, for breaches of the core principles, consent rules and data-subject rights; up to 2% or EUR 10 million for obligations such as records, security measures and DPO requirements. In 2025, the largest penalties were in technology, telecommunications and financial services. But any company processing personal data of EU residents is subject to GDPR, regardless of size or industry.

How do I measure conversions without third-party cookies?

Three combined strategies: Consent Mode v2 (statistical modeling of conversions for users without consent), Conversion APIs (server-to-server event delivery to Meta/Google/TikTok), and first-party data (direct capture of emails, user IDs). The result is complete measurement without relying on third-party cookies.

How long does full implementation take?

CMP + Consent Mode v2: 2-3 weeks. Add server-side GTM: 4-6 weeks. Full implementation with Conversion APIs, alternative analytics and documentation: 6-8 weeks. Each phase is independently functional, so you start getting value from week 2.

Is Your Tracking GDPR-Compliant?

Free technical privacy audit. We scan cookies, third-party scripts and data flows. Report with gaps and priorities in 48 hours. No commitment.

Last updated: February 2026
