E012 - Using Server-Side Tag Manager to Ensure Data Privacy Internationally for Hello Fresh with Alejandro Zielinsky

E012 - Using Server-Side Tag Manager to Ensure Data Privacy Internationally for Hello Fresh with Alejandro Zielinsky
Life After GDPR Episode 12 with Alejandro Zielinsky

Alejandro is the Global Digital Tracking/Measurement Lead @ HelloFresh.

This episode is a special collaboration with the DDMA and their Digital Analytics Summit where Alejandro will also be presenting! The Digital Analytics Summit is A great event fully dedicated to digital analytics. You can expect topics like Google Analytics 4, BigQuery and server-side measurement. But there will also be a privacy track and a track focused on company organization and culture around data teams. The Digital Analytics Summit will take place on October 13th, 2022 in Amsterdam.

If you want to learn more please go to https://digitalanalyticssummit.nl/ and use the code “LIFEAFTERGDPR” for a 20% discount in the checkout.

In this episode we discuss among other things:

  • How HelloFresh has implemented Server-Side Tag Manager over the last couple of years
  • How they handle privacy and marketing consent, making SS-GTM an essential piece of software
  • The challenges they run into, trying to be compliant with local laws working across the globe
  • And much more

You can follow our guest on:

Make sure you follow the show:

If you want to help us out, please share the link to this episode page with anyone you think might be interested in learning about Digital Marketing in a Post-GDPR world.

Talk to you next week!
-Rick Dronkers


Life After GDPR EP012 Transcript

Transcription Disclaimer PLEASE NOTE LEGAL CONDITIONS: Data to Value B.V. owns the copyright in and to all content in and transcripts of the Life after GDPR Podcast, with all rights reserved, as well as the right of publicity.

WHAT YOU’RE WELCOME TO DO: You are welcome to share the below transcript (up to 500 words but not more) in media articles, on your personal website, in a non-commercial article or blog post (e.g., Medi), and/or on a personal social media account for non-commercial purposes, provided that you include attribution to “Life After GDPR” and link back to the https://lifeaftergdpr.eu URL. For the sake of clarity, media outlets with advertising models are permitted to use excerpts from the transcript per the above.

WHAT IS NOT ALLOWED: No one is authorized to copy any portion of the podcast content or use the Life after GDPR Podcast name, image or likeness for any commercial purpose or use, including without limitation inclusion in any books, e-books, book summaries or synopses, or on a commercial website or social media site (e.g., Facebook, Twitter, Instagram, etc.) that offers or promotes your or another’s products or services without written explicit consent to do so.

Transcripts are based on our best efforts but will likely contain typos and errors. Enjoy.


[00:00:00] Rick Dronkers: Hey everybody. Thank you for tuning into the “Life After GDPR” podcast, where we discuss digital marketing in a post GDPR world. I'm your host, Rick Dronkers. And in today's episode, I get to interview Alejandro Zielinsky, Global Digital Tracking Lead at HelloFresh.

Today's episode is a special collaboration with the DDMA, the Dutch Data-Driven Marketing Association and their Digital Analytics Summit, which will take place on October 13th in Amsterdam. This event is fully dedicated to digital analytics and consists of three interesting tracks; the technical track where we focus on GA4, big query, service side tracking, then there's a more cultural track, which is about how to build your data analytics team and of course, a privacy track where we focus on all the things that we also discuss in this podcast.

[00:00:54] Speakers include today's guest Alejandro but also previous guests like Simo Ahava, Steen Rasmussen, and Melody Barlage. There are also many more other speakers from other great companies. You can get your tickets at digitalanalyticssummit.nl and with the code ‘LIFEAFTERGDPR’ in all caps, you can get a 20% discount on your ticket.

[00:01:17] Now let's dive in with today's episode with Alejandro Zielinsky from HelloFresh. Alejandro, Welcome to the podcast.

[00:01:24] Alejandro Zielinsky: Thank you Rick.

[00:01:25] Rick Dronkers: You are the Global Tracking Measurement Lead for HelloFresh.

[00:01:31] Alejandro Zielinsky: Yeah. That's a huge statement for sure. [Laughs]

[00:01:34] Rick Dronkers: What is it that you do? And how would you describe it?

[00:01:37] Alejandro Zielinsky: We take care of data connection pretty much. The team, what it does is just to set up the technology for making analysts being able to do their jobs in the end. I always say we collect data so you can have a job later and do whatever you want to do with that, of course, with a legal balance and everything we set up all the data collection for both marketing and program analytics.

[00:02:02] The data that we collect can go from just a Facebook pixel or a Facebook conversions API to, I don't know, we need to collect how much people are selecting tomatoes in their recipes and stuff like that. [Laughs] So, it's a pretty wide range of things that we collect for sure.

[00:02:19] Rick Dronkers: And for the people that don't know HelloFresh. How would you, what’s your short pitch on what the company does?

[00:02:25] Alejandro Zielinsky: It’s a meal kit company. I would call it basically you select some recipes weekly on our platform and then you get those recipes on your door, in a box. A few days later, and with all the ingredients measured and you can just cook them and have whatever menu you want to have.

[00:02:44] If you want to have the same dish five times a week, or if you want to have five different dishes or set whatever you, you want to do with that. But yeah, it's pretty much what we do. We send food to you.

[00:02:56] Rick Dronkers: I'm a customer myself. So my cooking creativity is spawned by HelloFresh. I can imagine you guys have a, you have a large web platform, but also really large app platforms because personally I use app mostly.

[00:03:12] Alejandro Zielinsky: Yeah, actually it's so, something curious about it is most people actually buy their first box or their subscription through their website, either desktop or mobile. And then pretty much they manage their subscription through the app all the cancellation and, basically select and all of that. But yeah it's, typically that behavior, like all the purchase stuff happens on the web and then pretty much people just go through the app to manage their subscription.

[00:03:40] Rick Dronkers: So that's some interesting attribution challenges you've got right there. [Laughs]

[00:03:44] Alejandro Zielinsky: I mean, the good thing is that yeah, mostly the attribution, it, since it's web it's fine, or so far it's fine. You have more challenges for sure on apps like yeah, with Apple doing whatever thing, more Android soon will also follow up on that. So, yeah we have some challenges on the app for attribution, but it's mostly web at least for the purchase. Then you have other attrition for reactivations and cancellations and stuff like that.

[00:04:13] Rick Dronkers: On the Digital Analytics Summit on the 13th of October, you are gonna have a great talk about basically the immense setup you guys have built on service tech manager. I also wanna wanna talk about it with you, but we are gonna talk about the, perhaps one of the reasons why you guys chose to do that. So we're not gonna spoil everything that you're gonna talk about on the summit. But, maybe we'll cover some of those topics, but can you in a summary explain what you guys have built over the last, I think one and a half year now.

[00:04:45] Alejandro Zielinsky: Yes. And let's go into one and a half there to round up, So what we have done is, again, Google tag manager server it's what's in everyone's mouths lately. Especially since you have been working with tag manager in the past year. So server side tagging pretty much has helped us

[00:05:03] increase quality of the data that we are collecting. And we needed a platform pretty much that could help us measure everything or every hit that we were having, or the amount of traffic that we were having. We record something like 3 billion events per month across all the brands and all the countries, for sure.

[00:05:22] It's not a specific one but, yeah, it's something like a thousand hits per second. We needed a platform that could handle those things. Also connecting to APIs internally to enrich data and the other thing that we wanted to really have is improve browser performance. We were having a big issue with a lot of marketing

[00:05:42] tagging on the browser, on the client side and pretty much it was a jungle out there and every local market had its own, oh, let's install this. Oh, let's install that. It was a free market for everyone. And that was impacting performance a lot on the side that there wasn't anything stronger for sure.

[00:06:03] Rick Dronkers: So, you would have separate tag managers for HelloFresh Netherlands and HelloFresh Germany. And like all the countries would have their own container.

[00:06:11] Alejandro Zielinsky: Yeah. So right now we still have that for very specific things. We have a global container but for very specific things like some trackers, like Hotjar, stuff like that for tracking surveys or tracking some heat maps and stuff like that. We do that locally.

[00:06:31] But most of the data collection, Google Analytics or first party solutions or things like sending data to Ben marketing vendors, like Facebook, TikTok or Snapchat, whatever we are using commission injunction for affiliates and stuff like that. We do it through APIs right now and we do it on the server side using GTM server in this case.

[00:06:51] And that's the thing, like we can enrich data on the fly. We can redact data that they don't actually need. We can control what they actually get and what they not. Which is very important, especially in the context of Europe and also in Japan that we are, we opened recnelty.

[00:07:09] Rick Dronkers: Yeah. Cause what, what you just described is basically you have centralized data collection, right? Which is, I think for a lot of people who are actively working on this. They get excited about this idea of, wow, I can control all this mess and, and, and get it through one pipeline and make sure that, that, make sure that you measure the same way across all countries, which is, I guess, a really beneficial for you.

[00:07:34] Alejandro Zielinsky: Yeah. It was the main reason that we went for that also we wanted to replicate, like having a super low, late latencies and, and all of this, basically not depending on where Google decided to put the servers to serve some scripts or Facebook decided to put their scripts on physically. But yeah, basically we've served now everything from a local server in this case. Yeah.

[00:07:58] Rick Dronkers: So, I guess, in your talk at the Digital Analytics Summit, you're gonna dive deeper into the technical aspects and what you went through. But I think, yeah, there's also privacy aspect, a GDPR aspect to it.

[00:08:10] Alejandro Zielinsky: Yeah.

[00:08:11] Rick Dronkers: How, yeah what's, what's your take on that?

[00:08:14] Alejandro Zielinsky: We take care. We really take care of that. We really respect the user's choice in this case, which we even have the policy of, if you don't accept, basically we don't even send the hit to the server on what you are doing. Like, it's not that we get it first on the server. Then we decide if we send it or not, then based on your consent, so you of course get the cookie banner or whatever you wanna call it.

[00:08:42] Alejandro Zielinsky: The consent banner is this case. You get the consent banner and then from there we decide or you decide actually as a user if you want to be tracked or not, and on which category like performance or targeting cookies and stuff like that. I mean, by experience, most people either accept all or reject all.

[00:09:01] I can say this with that 99% of the people it works like that. Like, I have seen that on the cookie acceptance platform that we use. But, yeah, it's pretty much like this. So what we asked you to do is interact with the banner first and then interact with the site. Actually, we block completely the navigation before you accept or reject. We don't really mind what you choose but please choose something.

[00:09:34] Rick Dronkers: The way you have implemented it, you also refrain from actually loading any third party JavaScript in the browser. Right?

[00:09:44] Alejandro Zielinsky: Pretty much what we are doing with, so for example, with the GTM script the GTM.JS script and for example, we don't use the GTAG. We do use GTAG, for example, for GA4 and all of that, but we load those scripts directly from the GTAG server. So what we are doing is actually acting as a proxy between Google and

[00:10:11] the browser in this case. So yeah, we serve like a cache version of the script for about, I don't know, 10 minutes, five minutes, but pretty much, yeah. Google doesn't receive the request directly from the browser. So, I mean, of course, yeah, you can argue that you're still sending data to Google because it's Google tag manager and it's in the good cloud platform, but, yeah, it's a server that in theory we control and own it's a pay for it and we own infrastructure in that case, even if it's a cloud.

[00:10:45] Rick Dronkers: Yeah. And, yeah, we've had these discussions before on the podcast. Like if we go down that route, then a lot of the Internet's infrastructure will, we'll have to rebuild.

[00:10:57] Alejandro Zielinsky: For the top cloud providers in the world, are the US based. Are US headquarter.

[00:11:02] So let's park that discussion. We don't need to drag that one up, but I'm mostly interested in how you guys are handling it. So, for GA4 you are using the GTAG script, but I think for universal analytics, you were only using the measurement protocol.

[00:11:20] Alejandro Zielinsky: That's correct. So we have Google tag manager client, we have something that constructs or builds the measurement portable hit, measurement portable version one hit, and then we send that to the GTAG server. We don't use the Google Analytics stack itself with the transfer hero and all of this.

[00:11:39] But pretty much we build the hit ourselves, and then we send it to the server. And from there, we take it from.

[00:11:46] Rick Dronkers: I think currently that setup would not work for GA4 with the measurement protocol limitations, but.

[00:12:54] Alejandro Zielinsky: Yeah, it wouldn't work. We do use like I said, we do use GTAG, but GTAG server in this case from the server and not from Google directly. And also we construct the GTAG it's we, we actually don't use the GA4 tag inside Google tag manager, the flight. We actually also have a template that builds the GTAG parameters and all this.

[00:12:18] Rick Dronkers: If I simplify it for people that are like thinking, what are these two geeks talking about? Basically, you are taking a lot of steps to deconstruct and to control every aspect of what you are loading in the visitor's browser.

[00:12:34] Alejandro Zielinsky: Exactly. Yeah. We try to load as little as possible. I mean, there are cases that will, some vendors that we cannot control because they don't have the option and marketing needs them. But still we control the consent of what's being sent or not. So, if we don't have it on the server side, we have it on the client side, but both respect the consent in this case.

[00:12:57] And then on the server, we do some things like, for some reprocessing of the data, like redacting the AP address, removing the last update or removing the email addresses actually, I mean, they are hashed and all and all one, but basically, yeah, the hash is just transforming the data in the end.

[00:13:17] If you have Google or Facebook, if you have a list of emails, you can pretty much hash them yourselves and then compare and know who this person is. But yeah, in GDPR countries we actually don't send the email at all to vendors basically.

[00:13:32] Rick Dronkers: Okay. So, let's walk through that. So, I visit hellofresh.nl, the Dutch website, for instance it's GDPR country. You set like basically based on the website URL, you set that it's GDPR country. So when it comes into service tag manager, you are aware like, Hey, this hit needs to be processed in this certain way. That's how you've set it up.

[00:13:53] Alejandro Zielinsky: Pretty much we detect, Hey this request comes from this top level domain. And that top level domain actually needs to have the data redacted in some manner. So every single field that we have pretty much compares to that look up table. And then it says when it needs to be done.

[00:14:10] Rick Dronkers: And then in that case, for instance, for the Facebook conversion API that is loading, you decide not to share my hashed email address,

[00:14:18] Alejandro Zielinsky: Exactly. Yeah. And that's actually the only, well, it depends on, on your definition of PII, depending who you are, but Facebook typically asks you to send like your first name, last name, phone

[00:14:30] numbers, and stuff like that. Everything about you. We actually don't even have that available on the transaction itself.

[00:14:38] I mean, we do have your address because we need to send you the box, the HelloFresh first that has that. But the data layer that we use we pretty much don't expose that to the public. We only have your email in there and then we hash it. And if we are in a different country that is not GDPR then we send it not pretty much we do it.

[00:14:58] Rick Dronkers: So I think you guys also have brands in the United States. So in the United States, perhaps you share the hashed email address with Facebook.

[00:15:05] Alejandro Zielinsky: Google, et cetera. Yeah. We do this pretty much in all brands.

[00:15:09] Rick Dronkers: I think this is, this is really interesting for like people listening that have the same challenge of serving multiple countries because that introduces complexity, right? Because you will have marketing teams in multiple countries. And so I have a couple of clients that serve both US and EU. And always the people in the US are like, Hey I want to share more data with Facebook cuz I wanna get better performing campaigns. How would you go about this challenge if you had only one top level domain? Right? So everything was being served from something.com.

[00:15:45] Alejandro Zielinsky: We would probably have some kind of parameter in the background to see where this client is from. So this customer is, I mean, like I said, we still need your address to deliver you the box. So in the end we would somehow find out, okay, this is a US customer. We cannot do that with this person.

[00:16:04] Of course, we just still have the challenge before they sign up. Or if they even registered to the site, I'm guessing some kind of IP address comparison, sort of like what Google nalytics to that. Basically they find out the CT where you're in, based on that database of IP addresses, we would have to pay extra money to do that for sure to have access to that database. But yes, it would be based on the approximate location of that user.

[00:16:29] Rick Dronkers: Yeah, this, always this situation always gets me confused a bit because on one end you are They don't want you to use the IP address for identifying, but then on the other end, you will need to use the IP address to identify if the user is a Europe is entering the website from the European union. Right. [Laughs]

[00:16:48] Alejandro Zielinsky: This is my interpretation for sure. You can still use the AP address not to send it to a third party. I think that's what the European Union is trying to make you do. Don't send it to a, you can still use that to process and decide what to do with the data as a first party.

[00:17:05] And of course, with the consent of the user. But I mean, the consent in this case, if you enter to the side, you're still loading the assets from us. So we have our server will have the IP address if we decide to use it that's another question, but that's how internet works and how servers communi and into the end, either on I IB four or IBV six, it doesn't matter. It said IP address and, you need to know the server needs to know where to send the data back. So it means at some point.

[00:17:34] Rick Dronkers: But especially for the geo lookup. Right? So, even in the setup that you have where you use the top level domain, you could still argue that if a US citizen who is browsing, who is at that moment in the US is going to hellofresh.nl, then GDPR does not apply to them so that that makes it really complex.

[00:17:56] Alejandro Zielinsky: Actually the rules that we have right now, or the rules to set up that banner is if you come from the US, we don't show up the banner, keep you visit. I think that also the main thing is that typically we don't have customers in there left that visit from the US, mostly because we don't have the unique top level domain that we will mention. We have the service we deliver only in Netherlands and we give that service back to you only if your Netherlands or Germany or Spain or Ireland or, yeah.

[00:18:31] Rick Dronkers: Yeah, that's a sort of a filter, right. That helps a lot with this issue. [Laughs]

[00:18:37] Alejandro Zielinsky: It helps a lot for sure. I would say I'm lucky to have at least that's adopt. But yeah, I'm guessing there would be some kind of way there were, even if we had a single domain, I'm guessing the traffic would be served on a folder basically. Yeah. Like /US /NL. Like we need to differentiate the customers in some way by the local, by whatever variable they have, even, maybe not by theb address, but by the language that you have on or something like that.

[00:19:06] Rick Dronkers: So let let's switch a little bit. So do you feel like now, compared to, before you had centralized this setup, the way you have it right now, do you feel like now you are better able to, I think the GDPR is still a complex thing to understand, right. Or privacy regulation anywhere because you're serving other countries as well.

[00:19:26] But let's think GDPR is the example. I think for us technologists, it's not our main thing. We try to do as best as we can. But do you feel like right now you're in a better position than you were before with regards to the GDPR?

[00:19:40] Alejandro Zielinsky: Yes. Yes. Much better than three years ago, for sure. I never say it say we are fully compliant because probably no one is not even their European agency that

[00:19:51] got into some trouble earlier [laughs], but, we are more compliant than we were or we tried to be like the, I think it's also about the intention of what you're doing.

[00:20:02] Like whenever an agency approaches you, which we have sometimes whenever agency approach you, it's important to be transparent about what you are doing the data. They ask us, Hey how do you serve the scripts or, Hey, what do you do with consent yeah, we got approached in, I mean, it was a mistake from our side.

[00:20:21] We didn't have the banner, for example, in the Netherlands or France with a reject all button. We actually sold that recently. Some people see them as a witch hunt sometimes from then, but they are really reasonable. If you are transparent about what you're doin] [laughs[ I agree

[00:20:38] we don't like being asked about this stuff because we think we are compliant and we think we are acting in the best interest. It's what it is. And, but yeah, I think that the most important part is that you are TransParenting about what you're doing and you're willing to correct whatever mistake that you have as soon as possible.

[00:20:55] Rick Dronkers: Yeah, and I've, but I think the willingness, like that willingness. So tied to your ability. And I think that because of what you have built and how it is constructed now, you actually now have the ability, whereas before you, like your only option, would've been to disable the entire JavaScript perhaps instead of…

[00:21:19] Alejandro Zielinsky: Exactly. Yeah. They say the track will pretty much just put a rule if you haven't accepted, just put an exception on the tag and don't fire it at all. There were no reduction of females or more personal information and stuff like that. or serving scripts from your servers and all of this.

[00:21:37] So yeah, there was no way to do that before server side tagging in this case has allowed us to, as enabled us to do that for sure.

[00:21:45] Rick Dronkers: Yeah. Cause that's also the way I try to look at it, like I think server side tech manager in a country without a privacy regulation surf site tag manager could be used for a lot of really cool things to enrich the data, that's what we tend to think about first, right?

[00:22:00] As tech, as an enthusiast of technology. But I think the control it gives you is actually perhaps even more interesting and more important, especially in the times we live in right now where I think privacy regulations eventually the whole world will likely have a form of a privacy regulation. So having that control is essential.

[00:22:21] Alejandro Zielinsky: Yeah, it does give you a sandbox, let's call it play with the data before you actually send it to anyone. You can just yeah manipulate it in any way that you need to legally, or you want to as a company, Hey, I don't want to, I don't know, show up to the vendor what am I doing.

[00:22:39] Or I just want to send them some specific sales, not everything that they track on their script. I just want to send them, like, we work a lot with vouchers, for example. We only send to affiliates vouchers, like purchases that were done with affiliate vouchers. We don't send all the purchases done only at HelloFresh.

[00:23:00] And only for those countries specifically. So, yeah it's a way to filter out first, all the things that you want to send to them instead of just selling whatever JavaScript in there and leave it to them to see what they are tracking and they can read your data layer because it's still on their browser and cleaning script on your side. They can read whatever you have there for sure.

[00:23:20] Rick Dronkers: Yeah. In a sense we're relocating the complexity, right? Where before the vendors were constructed, well, usually they just copied each other's JavaScript libraries and adjusted it a little bit. But they created the complexity on their end and they provided you with a script. And I think in that case, it also had to do with the stage that companies were at and the stage the internet was at, like, all these companies did not have the capacity to actually build this logic themselves.

[00:23:51] Rick Dronkers: Like they didn't even know what JavaScript was probably. So they got a pixel and they were like, wow, this is working. This is good. Let's move to the next step. So that's how it all started. Right.

[00:24:00] Alejandro Zielinsky: Yeah. And it was kind of like I was saying before, it was a bit of a jungle on, Hey, let's give our tag manager specialist this tag, just install it there. Put the trigger on all pages and forget about it. I mean, even when we were only on client side before server side was a thing we actually started to limit where those pixels were actually fired or those JavaScript tags, basically.

[00:24:28] So, we don't need to optimize the conversion follow, for example, to show up a script or inject the script on the site o where you manage your subscription because we don't need it there. And those are different pages and they don't need to optimize or create any data, especially because it's also a private area of the site.

[00:24:47] And you can touch your settings there, or input a credit or a new payment method and stuff like this. So, yeah, it was before it was, or, and I think it is for most sites right now. Basically you install attack, you put it on all pages and you forget about it, then that's it then. Oh, tag manager is amazing.

[00:25:06] Rick Dronkers: It is amazing, but it has some downsides also. [Laughs] Yeah. I think a lot of people don't realize that, for instance, how the Facebook script would basically record every form submit that you did. Right. That's insane. If you think about it, that's crazy. Like it's like every, like you own a physical store and then you tell Facebook, yeah, sure every shop visitor that comes in here, you can put a camera on their shoulder and follow them around, like with everything they do while they fill out their pin code when they pay like everything. [Laughs] So, yeah, I think it's good that we are waking up in that sense. And I think privacy regulations help with that.

[00:25:47] But I think up until something like service tag manager, we did not really have the tools to actually make it happen while still having high quality data. Right. Cuz we, cuz I think we can agree especially for HelloFresh, like advertising, HelloFresh is an advertising heavy brand, right?

[00:26:07] You guys advertise a lot. And I think having conversion tracking on that to evaluate the return on investment of campaigns and stuff like it's worthwhile doing it. Right. But you wanna do it in a nice, in a clean way. Not in a track, everybody without any consent way.

[00:26:29] Alejandro Zielinsky: Oh, if it was up to the marketing people we wouldn't, you would have the banner there. Actually, it's funny because they typically call the difference between Google Analytics vendor data or data warehouse. They call it discrepancy. I call it. It's not discrepancies.

[00:26:46] It's consent. [Laughs] It's people actually saying, no, I don't want to be tracked by a third party. I mean, you still have the purchase our data warehouse, because we do need the data that you purchase the box, for sure. And we have the voucher that you, so we can still have some attribution because we know where the voucher was used in, into which marketing channel it belonged.

[00:27:08] Rick Dronkers: Yeah, that's actually very smart, like so, to give people that don't know, HelloFresh an idea. Like I often get a voucher, like either in the app or with the physical mail that says, this is, use this special discount to either give friends of mine boxes, like give them free like three free meals or 20% discount or whatever, or for my own repurchase in the future. But they all are unique codes.

[00:27:34] Alejandro Zielinsky: Yeah. If you want to reactivate them. They are unique codes. Well, They are not unique. I mean, some, sometimes the, they are, I mean, if it's a referral code yeah it will be unique. But for example, even online in online channels, we don’t use vouchers. If you go on a Facebook campaign, for example we would have a voucher there. It will still give you a discount. But it is not unique to the click that you just did.

[00:27:58] Rick Dronkers: No, but it's unique to Facebook in that case. Right.

[00:28:00] Alejandro Zielinsky: To add that campaign on Facebook. Most probably, but yeah.

[00:28:03] Rick Dronkers: Exactly. So that's a nice, like backup way to…

[00:28:07] Alejandro Zielinsky: To attribute, yeah.

[00:28:08] Rick Dronkers: You currently have a consent banner. If people opt out, you don't track. Have you thought about if people opt out having like your own totally anonymized first party tracking. Let's call it a snowplow kind of thing where there's no user identifies only for product analytics, basically only how do people navigate and what they do, but unable to stitch it.

[00:28:33] Alejandro Zielinsky: That would be one option. I have thought about it. Many people have thought about it. I'm not good to attribute that to myself. Many people internally have thought about it, but then in the end we reach the point of how much do we invest to actually build an ad solution just to measure the 50, 20% of the data that we are actually missing.

[00:28:59] It's actually curious insight that we got earlier down the road when we were implementing the banner was that, we were actually, by accident, measuring people that rejected the banner. We realized that, but then we, it gave us a chance to see something there.

[00:29:17] And it was that the conversion rate from the people that actually rejected the banner was much lower. and for us, it was like, okay, we are actually, yes, we lose those users, but we actually are not losing that much of the data that we actually care about. Yeah.

[00:29:32] Rick Dronkers: Or that you care about.

[00:29:34] Alejandro Zielinsky: Or let's call it quality users, sorry to discriminate against those that reject for no, yeah, I mean, we weren't losing that much data to begin with.

[00:29:45] Also if I see the consent opt in rate, let's call it like that. The opt-in rates of the banner. it widely shifts between countries. Like, for example, I think Nordics don't care at all about the banner. Like the acceptance of the banner is something like 95, 94% of the people give, just accept all, but then you vote to Germany or Netherlands for France and, and it's 75%.

[00:30:11] I don't know if I would invest that much time building analytic solutions for just measuring those people. We have a really good sample. I mean, let's take, for example, just TV ratings. Like they are based on maybe 1% of the people that have those devices historically and pretty much all the investment in TV campaigns were based on those 1% of people that had those things there. And you still made decisions based on 1% of the data. And here you have 75, 80, 90%.

[00:30:43] Rick Dronkers: That's a really interesting point to highlight, cuz I think there, what we're talking about in this case is loss of version, right? Right. We have gotten used to performance marketing metrics, which a lot of people assumed were a hundred percent accurate. Of course, as technologists, we know they were never actually accurate cuz it was the JavaScript metric. So there was always a, you know…

[00:31:07] Alejandro Zielinsky: Ad blockers, something failing there, who knows.

[00:31:10] Rick Dronkers: For the users of the tools, they had a feeling of a hundred percent accuracy. Let's put it like that. And now they are confronted with the fact that we are willingly omitting a certain percentage of the people from it. Whereas with the TV metrics, people never actually understood how those things got done.

[00:31:30] Anyway, they just accepted what it was. Right. And went ahead with it.

[00:31:34] Alejandro Zielinsky: Yeah, exactly. And you went along with it and that's it. And you invested millions of euros or dollars in those things and in a Super Bowl ad that you don't know exactly what you are actually measuring or how many people you're actually.

[00:31:48] Rick Dronkers: I think maybe what also plays a role is that we can. Our minds can handle the complexity of TV where it's like, let's call it 10 channels that matter. Right. There's 20, whatever. you can actually step to it and see your own advertisement and be like, yeah it's, it's on there. Right. So you can verify it yourself.

[00:32:09] And with online, we cannot, it's too big for us. We're like, yeah. I don't know where the, like, where are all these people coming from? Are they actually coming? Are they actually clicking? So it's, it's too abstract for us to understand.

[00:32:22] Alejandro Zielinsky: It's too abstract, but in the end it has patterns and not likely any statistical data in the end, like you won't see a shift if you were capturing a hundred percent of the people and you're capturing 70%, you won't see up trend for one sample and a down 10 for the other. I mean, you would see different levels of opt options or down trends, but you won't see the opposite way of what's wrong.

[00:32:48] Rick Dronkers: Yeah. And I think one of the important things is to explain to either the company where you work at, or your clients that to look, not look at absolute metrics, but instead look at trends over periods of time. Right? Cause then hopefully most of it you will still keep that trend in tech to steer on that even though 20% of people opt.

[00:33:09] Alejandro Zielinsky: I mean, then I always tell the same, like, oh, but then our experiments, we don't know what's going on. Again, if you have a 1% increase on whatever metrics you're measuring, then it's not worth what you're doing. You're looking for five to six something significant. If you have a 1%, it's probably an error, like you are within the margin of error, for sure.

[00:33:35] I always joke about here at HelloFresh, whenever they have a conversion rate experience in the three years I have been here it is like, yeah, we have had conversion rates that increases on every experiment. We should be converting a hundred percent of the people right now with all the increases that we have had in the past three years. [Laughs]

[00:33:54] I think it's a matter of having that mindset that you are having a sample of the people, and it's a big sample. Even the elections are based on a thousand people or 10,000 people out of our country of billions. It shouldn't be an issue with what you're looking at, for sure.

[00:34:09] Rick Dronkers: Yeah, I think there probably is a little bit of education that we need to help our clients and our internal clients or our real clients with, like helping them process the loss of their data to mourn it and then to move on. [Laughs]

[00:34:26] Alejandro Zielinsky: Yeah. And they spent a lot of their time validating against different, I dunno, dashboard. Sorry. Hey, GA is saying one thing, Hey, Google ads is saying this other, my data is saying this other one. Which one should I believe? All three actually. [Laughs]

[00:34:42] Rick Dronkers: Yes.

[00:34:43] Alejandro Zielinsky: You should believe all three. You cannot sum all of them or aggregate all of them but you shouldn't, but yes, it's, it's a matter of knowing what you're looking at and dealing with that fact and knowing that you're looking at a good approximation of reality.

[00:34:58] Rick Dronkers: Yeah. And also focusing on moving forward with what you have instead of trying to get to perfect with, which will never happen. Right. That's not the goal.

[00:35:07] Alejandro Zielinsky: Exactly. That's not the goal. Your goal is to grow or increase the business or sell the pops in this case. So, that the food not to have a hundred percent of clicks in all of the platforms.

[00:35:17] Rick Dronkers: So switching back a little bit to the privacy aspect. So you mentioned that whenever a DPA of a country reaches out with, Hey, your cookie banner is configured wrong or, or whatever, kind of question they have, it's important to be open to them. How have you handled documentation of your setup? What have you guys done to support that?

[00:35:38] Alejandro Zielinsky: I cannot speak for every case, but for, for sure, the cases that have reach. How to us, or to me directly typically they just have like a form of questions and they ask you, Hey, how are you handling this? Or, Hey, how are you handling UTM or IP addresses? Or, we just are open to it and say, yes we do this, we have a proxy, for the scripts we redact the IP addresses and all that.

[00:36:08] So far, those have not reached anything further than that. So, I cannot speak from experience. I always say we're more compliant than the next guy. They wouldn't go probably for the other person or the other company that has less complaints than us in this case.

[00:36:26] Also is not something that they are actually actively looking into all the sites to see, oh, let's see, HelloFresh what they are doing wrong today. No, it probably came from a complaint from a user or something like this. We have had users directly approaching us saying that, Hey, I'm seeing these cookies from Facebook, but I didn't accept.

[00:36:48] And then basically for example, we have NGA for example, or all our certifi, basically just like a flag saying, yeah, you did accept. And this is the ID of the acceptance of your cookie banner. So we have a way to say, no, you did. If you reject that you can still opt out and the cookies and then basically they won't show up again.

[00:37:08] And, that's the thing. We are reasonable about it and we are open about it and we try to solve everything as first. Sure. You cannot make everyone happy. Some people will still complain about it so far. We haven't had any issues that….

[00:37:20] Rick Dronkers: Yes. [Laughs]

[00:37:21] Alejandro Zielinsky: you wood here, that we won't have big ones in the future. But yeah, I mean, we try our best where we have the willing list to product your data. And I think that's an important part inside the company, having someone that actually advocates for that because if you don't have it pretty much, everyone does whatever they do. And no, I will never get cut or , you're not that big for getting cotton and stuff like that. So, but yeah, it's important to have people advocate for this internally.

[00:37:50] Rick Dronkers: I've seen a presentation of yours before where you explain the technical setup, which we will also do at the Digital Analytics Summit, likely. But do you also have like, maybe like an in maybe internal or perhaps also external documents about those data flows from like a privacy perspective?

[00:38:08] Alejandro Zielinsky: We do have the privacy policy, but yet we don't explain the flow in there for sure of how the data is setup internally. We do have those documents, we have the conflict basis and everything in between. But whenever a lawyer or a legal person approaches us, we proceed to a recommendation and, or have all with them speak that I think we don't have anything facing publicly, other than me speaking to you about this or at conferences, but yeah.

[00:38:38] Rick Dronkers: That's actually, because this is, like an idea I have, which I wanna roll out for a client in the near future where we got to do their entire setup together. So instead of just jumping in somewhere in the middle, they had a new website, so we got to do beginning to end implementation.

[00:38:54] Rick Dronkers: So we also do all the documentation for them. And then I was thinking about, okay, maybe we can take a, like this documentation, which is of course for us, like technical aim, but maybe we can turn it into a, let's call it open privacy audit or something where you could be proactive towards the public where you show, okay this is our server side setup. This is where we redact the data. This is where we cut it off. This is where, this is where we do hashing. This is right. So all those preserving steps.

[00:39:26] Alejandro Zielinsky: Is this how your data flows, this is how your data flows towards a third party. Yeah.

[00:39:31] Rick Dronkers: But they, but especially from a privacy perspective, like not all the other data, like not how you process all the interesting data layer attributes, where do you hash, where do you store consent? Where do you, I was thinking, if a lot of companies would do that could also be like a positive movement. Like, Hey, we take privacy seriously. And this is how we have, this is how we showcase it. What we have built so far.

[00:39:53] Alejandro Zielinsky: Yeah it's a good flag for a company to have this, for sure. What I would be skeptical is to not produce too many details into it, because then, then someone can say, oh, I don't like this. And, and how are you doing this? And you get more inquiries than you. Typically you lend you, you would spending more resources on that.

[00:40:13] But, I agree that maybe we should be sizing more what we are doing that with brands. And the companies are not the bad guys. We try some of us try to respect our tools pretty much.

[00:40:30] Rick Dronkers: Definitely. But I, and I think also it could help a lot. Like, even like, I saw your presentation. I think it was from super week where you did this. Right. And that already gave me inspiration to think about, Hey, okay. If we indeed can only use like a custom measurement protocol hit on the client site and reduce the third party outs script there. So hopefully Google, please give us the measurement protocol for GA4, where we can use that entirely. [Laughs]

[00:41:02] Alejandro Zielinsky: In the end, the measurement protocol is one way to get things to the GTM server. Of course, if you're tied to a lot of the Google stuff, you do need some of their format, but when in the end you can use whatever format you want. You can send it to the adjacent. I mean, there are a lot of providers actually working on that.

[00:41:19] And you have, I know other people from state yeah, I mean, there are many custom scripts that send data to, to a server or construct a network, an GTP request, which is what it is at the end server, our custom HTTP request and send it to, to the server. In this case, we chose measureable one because it was what was available widely and the accommodation was very open about it. And, yeah, we thought that GTM server would actually require you to send things on that format, but yeah, in the end you can send wherever you want and then just read it from a client on the GTM server side.

[00:41:57] Rick Dronkers: But, and I think companies sharing this, right? So in your case you're sharing this roadmap presentation. But I think if we could open source, like, this privacy way of handling data, I think that we could also for a lot of smaller companies that have less resources make it easier for them to also follow that path somehow.

[00:42:17] Alejandro Zielinsky: Maybe you will build like a template in a, in the gallery of DTM and just, Hey, if you want to send server side tracking, you can just do this. I mean, we call it server side tracking, but it's actually a hybrid thing because you still depend a lot on the client for sure. But yes, I agree that we should have something more open not, and we'll also should open up a bit on how the requests are used in GTAG.

[00:42:47] You have very weird things like the Google ads tag replying back to the browser with a HTTP request that it needs to be able to set up the third part equal teams and you need to add GTAG for that otherwise. So basically if you want to be able to retar right now with Google and serving GA4 for example you need to use gag.

[00:43:10] You cannot use your custom solution for, with I don't like it. I appreciate the technical aspect of it. It's really nice how they handle this, privacy wise figure not doing actually anything. [Laughs]

[00:43:25] Rick Dronkers: Yeah, it still forces you to play by their rules instead of on one hand, they give you service side tech manager where you can create your own logic. And then on the other end you have the Google Ads team is probably not on board with that fully.

[00:43:38] Alejandro Zielinsky: I get it, it's their business. And so they have to defend it. But yeah, and like I said, I appreciate the technical aspect of it. but for sure, it's, it looks weird, like getting back to the browser URL that then that URL gets interpreted in some way to send an press or you get the third party cookie, which are trying to avoid in the first place.

[00:43:59] Rick Dronkers: If you look into the near future, let's call it next three to five years. Well, That's already quite far ahead. Right. But, what would you hope to see when it comes to enhancing privacy even further? Like you already have this great setup right now. I think you are definitely ahead of the average company you guys are definitely ahead.

[00:44:18] You have a lot of the infrastructure. Let's say you have it rolled out, but what would be the features you would like to see or the things you would like to see if, to move this to the next step?

[00:44:28] Alejandro Zielinsky: I would say more than technical stuff, because we are pretty much have everything that we need to make that happen. I would say it's education on the channel managers, marketing managers, basically education on the sense of what we were talking about before first, you are having a subset of the data and it's a big sample of it.

[00:44:52] You actually don't need to worry about so much about the quality of that. Second, it's you don't need to install pixels everywhere on your site to be able to have this as your vendor to have an API we need to have marketing vendors. Also work along with us and work along with privacy friendly things.

[00:45:14] I think it's an education thing and also a pressure from each one of the advertisers, like, pressure, whatever, all the brand it is pressuring them. Hey, if you want to work with us, please. Have an API that we can send data server side, or please have this measures here.

[00:45:34] Hey, don't inject an iframe on my browser on your scripts because I don't know what you're injecting inside that. It's a lot of work that we are doing right now, actually. So it's trying to by default, whenever someone asks, Hey, does this vendor have an API let's work on that?

[00:45:51] I would say it's more on the education side and make people aware that this is a privacy movement, let's call it. That privacy is a thing and people need to be sure that it’s being connected correctly or handled correctly, at least. It’s about education of the managers or on the company side, especially marketing's like product also but, but yeah, marketing especially it's has a lot of issues with pixels and vendors coming out here and there and they all have great JavaScripts that track amazing things on your site, and they will improve clear conversion rate by 10, 15, 50% all of them.

[00:46:33] I think the next three, five years, whatever timeframe you wanna tap it's it's it's about. Make two people aware of what's going on and two people how JavaScript works and how browsers work.

[00:46:48] I mean, I think Simo is doing a great job with all those courses JavaScript for marketers and stuff like that. A thing that we actually do to make people aware of what's going on. It's also the reason why I'm doing like this talks lately and, internally in the office, Hey, this is how tracking works.

[00:47:06] You get things from the cookies and the data layer and mix them. And then if you have this on the client side, anyone includes it, not just us.

[00:47:15] Rick Dronkers: I would agree. Like the, I have one last question for you. What do you think has had more impact on vendors creating conversion APIs or service side APIs? Do you think privacy regulation had more impact or ITP or ATT?

[00:47:31] Alejandro Zielinsky: That's a good one. I would say ITP, ATT and having first party data, things like emails, hashed. Read a post sometime ago. I, sorry, I don't remember his name, but. It was like server site tracking and first party data is it like the, our new friend or is it Satan?

[00:47:53] Rick Dronkers: Both. [Laughs]

[00:47:55] Alejandro Zielinsky: Both. I mean, it's both, it will help you have more privacy, but then yeah, on the other side you have to trust that the advertiser or whoever is actually tracking you is doing the right thing with that data or that brand basically like you have to chart that HelloFresh is actually not sending the email.

[00:48:13] I mean, of course there are regulators that will ask [laughs] if that's going on or not but yeah it's more obscure for sure. And the server side tracking, but it also enables you to do privacy things. On your question, yes, I think ATT and ITP were more impactful in that sense.

[00:48:32] Rick Dronkers: They force them.

[00:48:34] Alejandro Zielinsky: It forced their hands basically because the data was being cut out directly. It was not a regulation that you, I mean, you should follow, but you can choose not to and assess your risk about it. But this one is you have no choice. It's like you, the source is cutting you out of the data basically. So, you need some sort of way to actually get it.

[00:48:57] Rick Dronkers: Yeah, it's interesting to see how, what privacy regulators tried to do got done by a couple of WebKit developers who implanted those features for whatever reason, right? Cause maybe Apple has some ulterior motives with it.

[00:49:13] Alejandro Zielinsky: Exactly. I won't argue about, like, if they have the best intentions or not, but, for sure, it did, move the industry as a whole, for sure.

[00:49:24] Rick Dronkers: It did have an effect. Yeah. Alejandro, thanks a lot for sharing your knowledge. If people wanna hear more, even more technical details, not about the privacy, they should go to the Digital Analytics Summit where you're gonna give a talk. What's the title of your talk?

[00:49:39] Alejandro Zielinsky: “How We Implemented Server Side Tracking on a Global Scale”. it's not the actual title written on the slide, but yeah it's about that.

[00:49:46] Rick Dronkers: That's basically it. Yeah. So to give people a teaser, I think you have over 100 app engine instances running all the time and a really big cloud bill. Right? So

[00:49:56] Alejandro Zielinsky: Yeah, a thousand hits for second. I mean, probably even more because this is actually a, some old material, but yeah, it's has its months now, it's a big implementation and it's a huge achievement for sure. And we did it with a small team, which is, I am always proud of. We don't have a huge amount of those who are working for this stuff.

[00:50:21] Rick Dronkers: Definitely, go have a look at Alejandro talk at the event. Yeah, I wanna thank you for sharing your knowledge in the podcast. If people wanna follow you, where can they, can they go? You're on LinkedIn and also on Twitter?

[00:50:33] Alejandro Zielinsky: I'm on LinkedIn on Twitter. Wow. It's a bit difficult to pronounce @ZordnajelA. So basically it's my, Alejandro spelled backwards.

[00:50:43] Rick Dronkers: We're gonna put it in the show notes. [Laughs]

[00:50:46] Alejandro Zielinsky: Yes, please. but yeah, I should get a better handle for sure.

[00:50:51] Rick Dronkers: Okay, thanks a lot. And we'll talk later.

[00:50:53] Alejandro Zielinsky: Same.

[00:50:54] Rick Dronkers: Hey everyone. Quick reminder, before you close the podcast, this episode is a collaboration with the DDMA and their Digital Analytics Summit, which will take place on October 13th in Amsterdam. You can get your tickets at digitalanalyticssummit.nl and with the code ‘LIFEAFTERGDPR’ in all caps, you can get a 20% discount.

The event is gonna be about all technical topics, big query service side, tracking GA4, but also about how to build your data team, how to scale that. And of course, there will be a privacy track focused on all the topics that we discuss in this podcast. So try to be there October 13th in Amsterdam, digitalanalyticssummit.nl and use the code ‘LIFEAFTERGDPR’ for a 20% discount. Thank you.