#GTMTips: Get True IP Anonymization With Server-Side Tagging

With Server-side tagging, you can get unprecendented amount of control over the hits passed through Google Tag Manager to third-party platforms like Google Analytics and Facebook. In this article, I'll show you how to eliminate all traces of the user's actual IP address and User Agent from the outgoing hit to Google Analytics.

Since the release of Server-side tagging in Google Tag Manager, I’ve jumped at every opportunity to celebrate the tools it provides for improving end-user privacy and data security.

One of the biggest benefits is obfuscation-by-default. Since all hits are passed through the server-side proxy, the default view for any third-party tool (such as Google Analytics) is that of the server in the Google Cloud rather than the browser and device with which the user was browsing the site.

In other words, by using the Server container as a proxy, you are “hiding” the actual user, as all hits seem to come from the virtual machine rather than the user’s browser.

However, the Universal Analytics tag in the Server container copies the user’s IP address and User Agent into the outgoing Measurement Protocol request using the &uip and &ua parameters. This means that even though the outgoing HTTP request to Google Analytics originates from the virtual machine in Google Cloud, the Google Analytics data payload is updated to reference the user’s actual device and IP address.

In this article, I’ll show you how to override this behavior and prevent Universal Analytics from doing this copy-paste operation.

Thanks to Adam Halbardier of the Google team working on Server-side tagging for this tip!

Tip 118: Remove IP address and User Agent overrides from Universal Analytics tags

It’s very easy to accomplish this. In the Universal Analytics tag that fires in the Server container, you need to do the following.

First, check Enable overriding settings in this tag. This allows you to set individual fields in the tag which override those set by the Client.

Then, expand Override Fields to Set, and add the following two fields without any values (leave the value fields empty).

user_agent
ip_override

NOTE! These fields are not the same as analytics.js fields. They are fields established in the event model used in Server-side tagging. There is still a lack of exhaustive documentation about what fields are available, but digging into Debug mode in the Server container and exploring the Event Data tab will get you a long way.

By setting the fields empty, you are essentially preventing the tag from setting those fields with values from the incoming request, i.e. the user’s actual browser and device.

This is enough to prevent the override, and you can guarantee the actual user’s IP address and User Agent string are not passed to Google Analytics in any shape or size.

But what about if you want variable behavior. Prevent the override in some cases, but allow it in others?

Well, while we’re waiting for a Lookup Table variable type to be added to the Server container, there’s no way to set variable values for these fields based on, for example, the existence of the &aip (Anonymize IP) parameter.

So if you wanted to allow the IP and User Agent transfer except when the event data has anonymize_ip set to true (this is what the &aip parameter is turned into in the event object), you’d need two tags.

One sends the data to Google Analytics without the overrides (i.e. default Universal Analytics tag behavior without any overridden settings), and fires when an Event Data variable set for the key anonymize_ip is not true.

The other tag sends the data to Google Analytics following the instructions in this article. It needs to have the ip_override and user_agent fields set to blank values. The trigger for it is the reverse of the one for the other tag, so you need to check if anonymize_ip is actually true.

Yes, a Lookup Table variable would make this much smoother as you’d need just one tag and one trigger and set the value of ip_override and user_agent to blank or default values depending on whether the IP should be anonymized or not.

I hope you find this tip useful. At the very least, it should reinforce the notion that Google Tag Manager’s Server-side Tagging can be used to improve the prospects of user anonymization and obfuscation of personal data.