Google Cloud Trace is a distributed tracing and application performance monitoring (APM) service in Google Cloud. Back end services send spans through OpenTelemetry or the Cloud Trace SDK so engineering teams can analyse latency, dependencies, and bottlenecks. It is server side only and sets no cookies on end users.
Google Cloud Trace is a managed distributed tracing and application performance monitoring service that lets engineering teams understand request latency, dependency chains, and bottlenecks across microservices. Back end applications instrument their code with OpenTelemetry or the Cloud Trace SDK and emit spans over gRPC or HTTPS to a Google Cloud project. Traces are then visualised in the Google Cloud Console, queried via APIs, and exported to BigQuery for deeper analysis. Because tracing happens entirely server side, the service does not interact with user browsers and does not place cookies, pixels, or scripts on visitors.
Spans typically contain technical fields: service name, operation, latency, status code, host, region, container ID, trace ID, span ID, and developer-set attributes. Cloud Trace can end up holding personal data when developers attach user identifiers, IP addresses, request paths with PII, or error payloads to spans. By default, attribute values are not redacted. Cloud Trace stores spans for up to 30 days (configurable) and offers IAM controls, audit logs, and VPC Service Controls to restrict access to the trace data.
The lawful basis is generally legitimate interest under Article 6(1)(f) GDPR, since monitoring availability, performance, and security is essential for the controller and aligns with NIS2, DORA, and Article 32 GDPR security obligations. Article 5(3) ePrivacy does not apply because Cloud Trace is server to server: nothing is stored or read on the user device. Therefore no consent banner is required for Cloud Trace itself, although the website that customers monitor may need consent for other reasons.
Google Cloud LLC acts as a processor under Article 28 GDPR for the trace data. The Google Cloud Data Processing Addendum, the EU and EEA SCCs, and the EU US Data Privacy Framework certification of Google LLC apply automatically once the customer accepts the Cloud Terms. Customers should also enable Customer Managed Encryption Keys (CMEK) where supported, configure VPC Service Controls, and document their use of Cloud Trace in the Record of Processing Activities.
Cloud Trace stores spans in the Google Cloud region chosen by the customer at project level, which can be an EU region. However, support engineering, billing, and operational metadata may involve Google personnel outside the EEA, especially in the United States. Transfers rely on the Google Cloud SCCs, the EU US Data Privacy Framework, and Google Cloud's supplementary measures including end to end encryption and the Sovereign Cloud / Trusted Cloud offerings for sensitive workloads.
Pin trace storage to an EU region, enable CMEK and VPC Service Controls, and restrict IAM roles to the engineers who need them. Avoid attaching personal data, request bodies, or sensitive headers to spans, and use redaction libraries in OpenTelemetry. Configure span retention to the minimum necessary and document Cloud Trace in your Record of Processing Activities, your Article 32 security measures, and your transfer impact assessment for Google Cloud.
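One way to apply the redaction advice above before attributes are attached to a span, as an added example that is not Google's or OpenTelemetry's code. The denylisted attribute keys are an assumed policy and the sample span is constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed policy for this example: attribute keys that are dropped outright.
DROP_KEYS = {"enduser.id", "user.email", "client.address", "http.request.body"}
# Header attributes whose values are credentials or session state.
DROP_PREFIXES = ("http.request.header.authorization", "http.request.header.cookie")
URL_KEYS = {"url.full", "http.url"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def strip_query(url):
    """Keep scheme, host and path; drop the query string and fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def mask_text(value):
    """Mask e-mail addresses and IPv4 literals inside free text."""
    value = EMAIL_RE.sub("[email]", value)
    return IPV4_RE.sub("[ip]", value)

def scrub_attributes(attrs):
    """Return a copy of the span attributes that is safe to export."""
    clean = {}
    for key, value in attrs.items():
        lowered = key.lower()
        if lowered in DROP_KEYS or lowered.startswith(DROP_PREFIXES):
            continue  # never export identifiers, bodies or credentials
        if isinstance(value, str):
            if lowered in URL_KEYS:
                value = strip_query(value)
            value = mask_text(value)
        clean[key] = value
    return clean

# Constructed sample span attributes (not real data).
SAMPLE = {
    "service.name": "checkout",
    "http.response.status_code": 500,
    "enduser.id": "u-48213",
    "http.request.header.authorization": "Bearer constructed-token",
    "url.full": "https://shop.example/orders/17?email=jane@example.com",
    "exception.message": "lookup failed for jane@example.com from 203.0.113.7",
}

if __name__ == "__main__":
    for name, val in scrub_attributes(SAMPLE).items():
        print(name, "=", val)
```

Path segments are left untouched, so identifiers embedded in the URL path itself still need handling where the span is created.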
DPIA considerations
Cloud Trace alone rarely triggers a DPIA because it processes mostly technical metadata under legitimate interest. A DPIA becomes necessary if developers route personal data, special categories, or large scale user identifiers through spans. Document the categories of attributes collected, retention, IAM access, EU region selection, and the Google Cloud transfer mechanisms (SCCs, DPF, supplementary measures) per CNIL, BfDI, and AEPD guidance on cloud monitoring tools.
Sample consent text
Our back end services use Google Cloud Trace to monitor performance and reliability. The service operates server to server and does not store cookies or read information from your device. Trace data is processed under legitimate interest in line with Article 32 GDPR security obligations.
Third-party domains contacted
cloudtrace.googleapis.com, console.cloud.google.com, trace.googleapis.com, googleapis.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| (none) | first_party | N/A | Cloud Trace is a server side service and does not place any cookies on end users. Cookies on console.cloud.google.com belong to the Google Cloud Console, not Cloud Trace itself. |
No. Cloud Trace is a server side distributed tracing service. It receives spans from your back end through gRPC or HTTPS and never communicates with the user browser. No cookies, pixels, or scripts are placed on end users.
No. Article 5(3) ePrivacy does not apply because no information is stored on or read from the user device. Cloud Trace can rely on legitimate interest under Article 6(1)(f) GDPR for monitoring performance, availability, and security.
Legitimate interest under Article 6(1)(f) for performance and security monitoring, sometimes combined with Article 6(1)(c) for legal obligations (NIS2, DORA, Article 32 GDPR) and Article 6(1)(b) for contract performance with end customers.
Trace data can be pinned to an EU region. Support, engineering, and operational metadata may still involve Google personnel in the United States. Transfers rely on Google Cloud SCCs and the EU US Data Privacy Framework certification of Google LLC.
Generally no. A DPIA becomes necessary if developers send personal data, special categories, or large user identifier sets through spans. Document the data categories and apply redaction in OpenTelemetry to minimise exposure.
Pin the project to an EU region, enable CMEK and VPC Service Controls, configure IAM roles with least privilege, redact personal data in OpenTelemetry instrumentation, and set short span retention. Audit access through Cloud Audit Logs.
Yes. Self hosted OpenTelemetry plus Grafana Tempo, Jaeger, or Sentry on EU infrastructure, or commercial APMs with EU regions (Datadog EU, Dynatrace, New Relic EU, Lightstep, Elastic Observability) can provide similar tracing capabilities.
Cloud Trace can be listed in the security and observability section as a server side processor by Google Cloud LLC. Mention the EU region, retention, the Google Cloud DPA, the SCCs, the DPF, and confirm that no cookies are placed on end users.