Third-Party Trackers: Google Analytics, Facebook Pixel and GDPR

What they collect, the consequences of Schrems II, GDPR-compliant alternatives and server-side tracking

  • 86% of sites use Google Analytics
  • 2020: Schrems II ruling (CJEU)
  • €1.2B: Meta fine for data transfers
  • 0 cookies with Plausible/Fathom

1. What third-party trackers are and how they work

Third-party trackers are scripts and cookies placed on the user's device by third parties (not your site). They collect data about users' behaviour, interests and identity, often across many sites at once.

  • A user visits vasajt.rs → the Google Analytics script loads → it sends data to Google
  • The same user visits drugiajt.rs → same GA cookie → Google knows it is the same person
  • Cross-site tracking: Facebook Pixel, Google Ads and LinkedIn follow users ACROSS sites for targeted advertising
GDPR perspective: every tracker that collects personal data (IP address, cookies, device ID) requires the user's informed consent BEFORE it loads. Loading GA or the FB Pixel before consent is a GDPR violation.

2. Most common trackers and what they collect

Tracker | Company | What it collects | Cookies | GDPR risk
Google Analytics (GA4) | Google | Pages, events, location, device, demographics | _ga, _gid (2 years) | High (Schrems II)
Google Tag Manager | Google | Collects nothing itself; a container for other scripts | Depends on the tags | Medium
Meta Pixel (FB) | Meta | Visits, conversions, searches, add-to-cart | _fbp, _fbc (90 days) | Very high
Hotjar | Hotjar (EU) | Session recording, heatmaps, clicks, scrolling | _hjSessionUser (1 year) | Medium (EU hosting)
Microsoft Clarity | Microsoft | Session recording, heatmaps, clicks | _clck, _clsk | Medium
LinkedIn Insight | LinkedIn | Visits, conversions, professional demographics | bcookie, li_sugr | High
Google AdSense | Google | Interests, demographics for targeted ads | Many (IDE, DSID...) | Very high

3. The Schrems II ruling and Google Analytics

Schrems II (CJEU, July 2020) is the ruling that invalidated the EU-US Privacy Shield, the legal framework for transferring data from the EU to the US. Consequences for Google Analytics:

  • Jan 2022: the Austrian DPA rules that using GA is unlawful because the data goes to the US without adequate protection
  • Feb 2022: CNIL (France) reaches the same conclusion and orders sites to stop using GA
  • Jun 2022: Garante (Italy) gives a 90-day deadline to comply or stop using GA
  • Jul 2023: the EU-US Data Privacy Framework (DPF) is adopted, a new legal basis for transfers
  • 2024-2026: the DPF is in force, but legal uncertainty remains (a Schrems III is possible)
Google's response: GA4 offers EU-only data processing (data stays in the EU), Consent Mode v2 (mandatory since March 2024) and data retention settings. But the legal situation is still unstable.

4. GDPR-compliant alternatives

Alternative | Hosting | Price | Cookies | Consent needed? | Open source
Plausible | EU (Germany) | From €9/month | None | Usually no* | Yes
Matomo | Self-hosted / EU cloud | Free (self-hosted) / from €19 | Optional | Depends on configuration | Yes
Fathom | EU processing | From $14/month | None | Usually no* | No
Simple Analytics | EU (Netherlands) | From €9/month | None | No | No
Umami | Self-hosted | Free | None | No | Yes
PostHog | EU option | Free tier | Yes | Yes | Yes

* "Usually no" because they use no cookies and collect no PII; strictly speaking, however, some jurisdictions may require consent even for cookieless analytics (an IP address is personal data).

Recommendation: for the GDPR-safest solution, Plausible (EU hosting, no cookies, open source) or Umami (self-hosted, full control, free). For advanced needs with session recording: self-hosted Matomo.

5. Google Consent Mode v2

Mandatory since March 2024 for sites that use Google services and have EU users. More detail in our Cookie Consent guide.

  • Without Consent Mode: Google does not process EU data and remarketing does not work
  • With Consent Mode + denied: Google uses "modeling" (estimates the data without PII)
  • With Consent Mode + granted: full data collection
  • Required signals: ad_storage, analytics_storage, ad_user_data, ad_personalization
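The two-step setup behind these signals, as an added example that is not the guide's own code: all four signals denied before any Google tag loads, then a consent update that also gates the GA4 tag so it is not injected until something is granted. `loadScript` and the banner's analytics/marketing categories are assumptions of the example; the `gtag('consent', ...)` calls and `wait_for_update` are the real Consent Mode API.

```javascript
// Added example, not code from the guide: Consent Mode v2 defaults plus a
// consent gate, so the GA4 tag is injected only after the banner grants
// something. dataLayer/gtag are the standard gtag bootstrap (on a real page use
// window.dataLayer); `loadScript` and the banner's {analytics, marketing}
// categories are assumptions of this example.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Step 1, before any Google tag loads: all four v2 signals denied.
// wait_for_update gives the banner 500 ms to replay a stored choice first.
function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    wait_for_update: 500,
  });
}

// Map the banner choice onto the four signals: analytics drives
// analytics_storage, marketing drives the three ad_* signals.
function consentUpdateFor(choice) {
  const a = choice.analytics ? 'granted' : 'denied';
  const m = choice.marketing ? 'granted' : 'denied';
  return { analytics_storage: a, ad_storage: m, ad_user_data: m, ad_personalization: m };
}

// Registry of injected scripts, so the tag is never added twice.
const loaded = new Set();
function loadScript(src) {
  if (loaded.has(src)) return false;
  loaded.add(src);   // on a real page: append <script async src=...> to <head>
  return true;
}

// Step 2, when the banner reports a choice: push the update, then load the tag
// only if at least one signal is granted. Returns whether the tag is loaded.
function applyConsent(choice, measurementId) {
  const update = consentUpdateFor(choice);
  gtag('consent', 'update', update);
  if (!Object.values(update).includes('granted')) return false;
  if (loadScript(`https://www.googletagmanager.com/gtag/js?id=${measurementId}`)) {
    gtag('js', new Date());
    gtag('config', measurementId);
  }
  return true;
}
```

Call `setConsentDefaults()` in `<head>` before anything else, and `applyConsent(choice, 'G-XXXXXXX')` from the banner's callback.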

6. Server-side tracking

Server-side tracking (SST) is an approach in which data is sent to YOUR server first, and your server then forwards filtered data to third parties.

How it works

Traditional (client-side):
Browser → Google Analytics (direct)
Browser → Facebook Pixel (direct)
Browser → Hotjar (direct)
(The user sees all the scripts; an ad blocker blocks them)

Server-side:
Browser → Your server (first-party)
  → The server filters/anonymizes the data
  → The server sends to Google (only what you choose)
  → The server sends to Facebook (only conversions)
(The user sees only the request to your server)

Advantages of SST

  • Control over the data: you decide what is sent to third parties
  • Anonymization: you can strip the IP address and User-Agent before sending
  • Ad-blocker resistance: requests go to your domain, not to google-analytics.com
  • GDPR compliance: easier to prove that you control the data flow

Implementation

  • Google Tag Manager Server-Side: Google Cloud Run + a GTM server container
  • Stape.io: managed SST for GTM (from $20/month)
  • Custom endpoint: your own FastAPI/Express server that receives events and forwards them to the GA4 Measurement Protocol
Caution: server-side tracking does NOT remove the need for consent. Even when the data passes through your server, you are still collecting personal data. SST is about CONTROL, not about circumventing GDPR.

7. How to detect trackers on a site

  • Web Security Scanner: automatically detects known trackers (GA, FB, Hotjar, Clarity, LinkedIn) on your site
  • Chrome DevTools: Network tab → filter by "google-analytics", "facebook", "hotjar"
  • Blacklight: scans a site for trackers, cookies and fingerprinting
  • Ghostery / uBlock Origin: browser extensions that show all trackers on a page
  • Cookiebot Scanner: detects all cookies and trackers and maps them by category
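Added example, not part of the guide: a small script that does the DevTools check above over an exported request log, flagging trackers that fired before the consent event and attributing cookies by name. The host list and the sample log are this example's assumptions; the cookie names are the ones from the tracker table.

```javascript
// Added example, not part of the guide: replay a constructed network log (what
// you would export from the DevTools Network tab) and flag tracker requests
// that fired before the consent event. Cookie names come from the tracker table
// above; the host list and the log entries are this example's own assumptions.
const TRACKERS = [
  { name: 'Google Analytics', hosts: ['google-analytics.com', 'googletagmanager.com'], cookies: ['_ga', '_gid'] },
  { name: 'Meta Pixel', hosts: ['facebook.com', 'facebook.net'], cookies: ['_fbp', '_fbc'] },
  { name: 'Hotjar', hosts: ['hotjar.com'], cookies: ['_hjSessionUser'] },
  { name: 'Microsoft Clarity', hosts: ['clarity.ms'], cookies: ['_clck', '_clsk'] },
  { name: 'LinkedIn Insight', hosts: ['linkedin.com', 'licdn.com'], cookies: ['bcookie', 'li_sugr'] },
];

// Match a request's hostname against a tracker host (exact or any subdomain).
function identifyTracker(url) {
  const host = new URL(url).hostname;
  return TRACKERS.find(t => t.hosts.some(h => host === h || host.endsWith('.' + h))) || null;
}

// entries: [{t: ms since navigation, url}] plus one {t, consent: 'granted'} marker.
// Returns the first pre-consent request per tracker (all of them if consent never came).
function findPreConsentTrackers(entries) {
  const marker = entries.find(e => e.consent === 'granted');
  const cutoff = marker ? marker.t : Infinity;
  const hits = new Map();
  for (const e of entries) {
    if (!e.url || e.t >= cutoff) continue;
    const tr = identifyTracker(e.url);
    if (tr && !hits.has(tr.name)) hits.set(tr.name, { tracker: tr.name, t: e.t, url: e.url });
  }
  return [...hits.values()];
}

// Attribute cookie names to trackers; GA4 and Hotjar suffix their cookies
// (_ga_XXXX, _hjSessionUser_123), so a prefix match is needed.
function classifyCookies(cookieNames) {
  return cookieNames.map(c => {
    const tr = TRACKERS.find(t => t.cookies.some(p => c === p || c.startsWith(p + '_')));
    return { cookie: c, tracker: tr ? tr.name : null };
  });
}

// Constructed sample: GA and Hotjar load at page start, consent at 4200 ms, Meta after.
const SAMPLE_LOG = [
  { t: 120, url: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' },
  { t: 310, url: 'https://static.hotjar.com/c/hotjar-0.js' },
  { t: 350, url: 'https://vasajt.rs/api/products' },
  { t: 4200, consent: 'granted' },
  { t: 4350, url: 'https://connect.facebook.net/en_US/fbevents.js' },
];
```

`findPreConsentTrackers(SAMPLE_LOG)` reports Google Analytics and Hotjar but not the Meta Pixel, which only loaded after consent.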

8. Most common mistakes

  • Loading trackers before consent: the #1 mistake. A GA/FB script in <head> loads immediately. Use Consent Mode or block the script until consent is given.
  • "We don't need consent because we use GA4": GA4 still collects personal data (the IP address). Consent is mandatory.
  • Forgotten Hotjar/Clarity: session recording captures EVERYTHING the user does, including sensitive data typed into forms. It requires consent plus configuration that masks sensitive fields.
  • Facebook Pixel without LDU: Meta offers Limited Data Use for the EU, but you must enable it explicitly.
  • Not listing trackers in the Privacy Policy: GDPR requires you to list ALL recipients of the data.
  • Server-side tracking = "no consent needed": FALSE. SST changes WHO sends the data, not WHETHER it is collected.

9. References and resources

Check the trackers on your site →