Creating a Privacy-First, Server-Side data collection set-up for De Kindertelefoon
Designing a digital analytics strategy today is never just about measuring clicks and conversions. In Europe, it has increasingly become a complex balancing act between compliance, data sovereignty, and user trust. This balance is particularly delicate for organizations operating in environments where privacy is not just a legal checkbox, but a must for user trust.
Our team recently partnered with De Kindertelefoon, the Dutch child helpline that provides a crucial lifeline for children in crisis. Partially government-funded and handling sensitive mental health issues, De Kindertelefoon required a data collection ecosystem that eliminated any potential third-party “Google footprint” for their core audience while still providing accurate metrics needed to manage volunteer recruitment and their adult content such as whitepapers and lessons.
In this article, we share the technical strategy and architectural decisions behind this project, designed as a look into our thought process, speedbumps along the way and crucial decision making crossroads.
The Goals and the Context
For an organization like De Kindertelefoon, visitor anonymity is the priority. If a child seeking support suspects their interaction is being tracked, profiled, or shared with commercial entities, the trust required to reach out disappears. The same applies to public opinion: is the data of children in need being safeguarded?
At the same time, the organization must run smoothly. To staff their phone lines and chat modules, they rely on recruitment funnels to find and onboard volunteers. To measure the effectiveness of these recruitment efforts, they require standard marketing metrics.
The challenge for us slowly became clear: build a robust tracking infrastructure to measure volunteer recruitment on specific parts of the site, while guaranteeing absolute, uncompromised anonymity for children accessing the crisis support resources.
Understanding the “Google Problem” in the EU
To understand why a traditional analytics setup was not viable, we have to look at the current legal and technical landscape in Europe.
The Regulatory Privacy Landscape
European Data Protection Authorities (including the Austrian DSB, the French CNIL, and the Dutch Autoriteit Persoonsgegevens) are becoming more and more opinionated about the use of standard Google Analytics. Their rulings highlighted a crucial compliance issue: client-side, third-party tracking scripts transfer personal data, such as IP addresses and unique visitor IDs, directly to US-based servers. This exposes EU citizens’ private data to potential surveillance in the US.
Even with the introduction of the EU-US Data Privacy Framework, many EU-based public and sensitive organizations prefer to remove this risk entirely by utilizing European-hosted analytics alternatives.
Standard Server-Side GTM Isn’t a Complete Solution
Many organizations attempt to solve this by moving to Server-Side Google Tag Manager (sGTM). In a standard sGTM setup, tracking scripts send data to a cloud server instead of directly to Google Analytics.
However, if that sGTM container is hosted on Google Cloud Platform (GCP) (even on servers physically located within the EU) a sovereignty issue still exists. As Google is a US-based corporation, its infrastructure remains subject to US legal jurisdictions. For a high-stakes platform like De Kindertelefoon, relying on a US-controlled cloud environment to process sensitive visitor data was a risk we needed to avoid.
The Target Architecture
To resolve the privacy, compliance and sovereignty challenges, we selected Piwik PRO as the core digital analytics engine. This is in line with the current standard of privacy-first data collection, utilized in multiple branches of the Dutch government. Piwik PRO provides robust first-party data collection built on “privacy-by-design” principles.
However, as with any server-side analytics set-up, we still needed an orchestration layer to process and clean data before it reached any (analytics or advertising) destination. This led to an interesting technical paradox: still using Server-Side Google Tag Manager (sGTM) to build a “Google-free” set-up.
Overcoming the Irony of using sGTM
Using a Google product to go “Google-free” sounds contradictory and even seriously illogical. The explanation lies in how the sGTM container is deployed and hosted:
- European Hosting: Instead of deploying the sGTM container on Google Cloud Platform, we hosted it on TAGGRS, a European-owned, privacy-certified, EU-based server infrastructure. Doing this completely separates the physical data processing from US jurisdiction.
- Transient Relay Design: We configured the sGTM container to act strictly as a headless, transient relay. It is a routing brain that processes, cleans, and forwards incoming requests in memory, without ever storing, saving, or persisting the data within the Google ecosystem.
- The First-Party Bridge: The visitor’s browser only communicates with a secure first-party subdomain (me.kindertelefoon.nl). The sGTM container intercepts these requests, sanitizes them, and finally forwards the cleaned data directly to Piwik PRO Analytics, where the data can be analysed.
This means, the actual visitor data never touches a Google server.
Building the Solution: Key Technical Decisions
Executing this setup required solving several compatibility and structural hurdles:
File Proxying for Piwik PRO
Before the time of implementation, there were no native sGTM templates or clients designed for Piwik PRO. To bridge this gap, we started exploring ideas to configure our sGTM container to act as a file proxy.
However, as time went on, the native Piwik PRO server-side Client and Tag templates became usable, making the process more off-the-shelf and less prone to breaking due to complex custom scripts. This is why, under our current architecture, the website requests the script directly from the secure first-party subdomain: me.kindertelefoon.nl. The TAGGRS server fetches the script from the source in the background and serves it directly to the visitor. This ensures that the initial script load remains entirely within a first-party context, shielding the connection from ad-blocker heuristics and preserving data integrity.
Preventing “Consent Leakage”
A known failure point in privacy compliance is “consent leakage”. This is what happens when tracking scripts initialize and fire before a user has actively interacted with a cookie consent banner.
To prevent this, we established a strict, deterministic execution order:
- The Cookie Information CMP (Consent Management Platform) is hard-coded directly into the `<head>` of the website’s source code.
- The Piwik PRO container is placed lower in the execution stack, immediately after the opening `<body>` tag.
This creates a synchronous barrier. The tracking infrastructure remains entirely inactive until the CMP has been fully loaded and, for non-anonymized tracking, waits for signals that consent has been granted.
Contextual Partitioning for Minors
To make the website even more privacy-friendly for minors, for sections of the website specifically dedicated to this group, we implemented a programmatic override:
- Consent on these pages is denied by default.
- Tracking is forced into a strictly anonymous mode.
- The configured Piwik PRO privacy settings strip all data of personally identifiable information, such as IP addresses and more.
On this part of the website, no consent banner is shown. This means minors are unable to accept cookies, and are thus protected from having their private information collected. On the volunteer and adult sections of the website, the consent banner does appear. Currently, we have an experiment running that reports on the traffic going from an adult/volunteer section of the website to the minor section. If this spillover becomes significant, we will enforce an automatic consent-denied update even when cookies were previously accepted. This intricate but extensive configuration allows De Kindertelefoon to monitor resource usage and help-module interactions without ever creating a traceable profile for a child.
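The consent barrier and the minors override described above, written out as a small client-side policy layer. This is an added example, not code from De Kindertelefoon, TAGGRS or Piwik PRO; the minors path prefixes are constructed placeholders, the CMP's answer is assumed to be handed in as `cmpState`, a denied consent on adult pages is assumed to fall back to anonymous tracking, and the `setUserIsAnonymous` and `disableCookies` commands are taken from Piwik PRO's JavaScript tracking client API.

```javascript
// Added example (not the project's own code): decides whether, and in which
// mode, the Piwik PRO tracker may initialise for a given page.

// Constructed sample prefixes for the minors section of the site (assumption).
const MINOR_SECTION_PREFIXES = ['/kinderen/', '/chat-met-ons/'];

function isMinorSection(pathname) {
  return MINOR_SECTION_PREFIXES.some((prefix) => pathname.startsWith(prefix));
}

// cmpState = { loaded: boolean, consent: 'granted' | 'denied' | 'unknown' }
function trackingPolicy(pathname, cmpState) {
  if (isMinorSection(pathname)) {
    // Programmatic override for minors: no banner, consent denied by default,
    // strictly anonymous tracking. A 'granted' state arriving here means the
    // visitor accepted cookies on an adult page earlier (the spillover the
    // article measures); the override still wins and consent is forced to denied.
    return {
      showBanner: false,
      consent: 'denied',
      mode: 'anonymous',
      spillover: cmpState.consent === 'granted',
      commands: [['setUserIsAnonymous', true], ['disableCookies'], ['trackPageView']],
    };
  }
  if (!cmpState.loaded || cmpState.consent === 'unknown') {
    // Synchronous barrier against consent leakage: nothing fires until the CMP
    // has loaded and the visitor has answered the banner.
    return { showBanner: true, consent: 'unknown', mode: 'inactive', spillover: false, commands: [] };
  }
  if (cmpState.consent === 'denied') {
    // Assumed fallback on adult pages: anonymous, cookie-less tracking only.
    return {
      showBanner: true, consent: 'denied', mode: 'anonymous', spillover: false,
      commands: [['setUserIsAnonymous', true], ['disableCookies'], ['trackPageView']],
    };
  }
  // Adult / volunteer section with explicit consent: regular tracking.
  return { showBanner: true, consent: 'granted', mode: 'identified', spillover: false,
           commands: [['trackPageView']] };
}

// Pushes the chosen commands onto a Piwik PRO style command queue and returns it.
// Pass window._paq in the browser; a plain array works for offline tests.
function applyPolicy(policy, paq) {
  for (const cmd of policy.commands) paq.push(cmd);
  return paq;
}
```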
Key Learnings
Building a highly customized, privacy-first tracking relay highlighted several valuable industry lessons that are worth considering for your own setup:
Navigating the Ecosystem Takes Time: With countless combinations of hosting providers (TAGGRS, Stape, Jentis, AWS, Azure) and tag managers, finding the right alignment of tools requires navigating extensive documentation and continuous testing. This is where understanding the wants and needs of the client is crucial to combine this with technical recommendations.
We Can’t Completely “De-Google” Yet: While we successfully eliminated the Google data footprint, we still rely on the GTM user interface for its routing capabilities and tag management efficiency. There are currently privacy-friendly substitutes for this, such as Jentis. However, due to the scope and timeline of this project, this was not an option.
Perceived Privacy vs. Actual Privacy: True compliance goes beyond having a cookie banner on your homepage. It requires looking at where data is physically processed, who owns the underlying servers, and how identifiers (like session hashes versus session cookies) are managed under the hood.
The Debugging Trade-off: There is an ongoing reality in privacy engineering: if debugging is difficult, your setup is likely highly privacy-friendly. When you actively mask IP addresses, strip user-agent strings, and sanitize headers, standard debugging and real-time validation tools become limited. Transitioning to a privacy-safe architecture requires a shifting of expectations from granular, individual-level tracking to aggregate, trend-based metrics.
The Business Impact
While the primary objective of this implementation was to protect children’s data and strict privacy compliance, this project proved that data ethics and marketing performance can successfully coexist. By implementing this headless relay, we delivered three distinct advantages for De Kindertelefoon:
- Zero PII collection: By moving the tracking logic to the server and removing the consent banner on kids’ pages, the organization can understand traffic on the volunteer and adult pages without collecting children’s personal data.
- Recovered Recruitment Visibility: On the adult and volunteer sections, routing requests through the first-party proxy (me.kindertelefoon.nl) bypassed ad-blockers. This allows us to get visibility into the volunteer recruitment funnels, ensuring the organization can staff its helplines.
- Future-Proof Data Sovereignty: With all data processing now held on EU-based TAGGRS infrastructure before hitting Piwik PRO, De Kindertelefoon is now safe from any future changes in EU-US data transfer rulings.
We transformed the previous setup into a privacy-first one that protects the children who need it most, while empowering the organization that serves them.
Looking to Implement a Privacy-First Setup?
As privacy regulations become stricter and are being proactively enforced across Europe, and web browsers continue to restrict third-party tracking, owning your data stream is becoming a necessity. Not just for your own data completeness and accuracy, but as your duty to handle private information with care.
Interested in exploring a similar privacy-first architecture for your organization? Contact our team at Marketing Engineers for an introductory meeting to help you identify what you need!