The death of third-party cookies: what it means for ad tracking

AdRoaster Team

For two decades, third-party cookies were the backbone of digital advertising. They let ad platforms track users across websites, build audience profiles, measure conversions, and power retargeting. Now they're going away – and if you haven't prepared, your ad tracking is about to get a lot less reliable.

What's actually happening

Safari blocked third-party cookies by default in 2020. Firefox followed. Chrome – which accounts for roughly 65% of global browser traffic – has been phasing them out through its Privacy Sandbox initiative. By 2026, most browsers either block or severely restrict third-party cookies.

This matters for advertising because the ad pixel on your site typically sets a third-party cookie. When that cookie is blocked:

  • Retargeting audiences shrink. The ad platform can't identify returning visitors across sites.
  • Conversion tracking breaks. The pixel can't match the ad click to the conversion because the cookie linking them has been blocked or expired.
  • Frequency capping fails. Without cross-site identification, you can't control how often someone sees your ad.
  • Attribution windows shorten. First-party cookies set by JavaScript (like the Meta pixel's _fbp cookie) are capped at 7 days on Safari due to ITP. A click on Monday can't be attributed to a conversion on the following Monday.

What's replacing third-party cookies

The industry has landed on several replacement mechanisms. None is a perfect substitute, but together they recover most of the lost tracking capability.

1. First-party cookies and data

First-party cookies – set by your own domain – are not affected by third-party cookie blocking, although, as noted above, Safari's ITP caps the lifetime of those set by JavaScript. The key shift is to store click IDs (gclid, fbclid, li_fat_id) in first-party cookies on your domain rather than relying on the ad platform's third-party cookie.

This means your landing page JavaScript needs to capture URL parameters and store them as first-party cookies. Most modern tag managers and ad platform SDKs do this automatically, but verify yours is set up correctly.
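
The capture step described above, as an added example (not AdRoaster's code or any ad platform's SDK). The `_cid_` cookie prefix, the 90-day lifetime, the allowed-character pattern and the function names are assumptions made for illustration.

```javascript
// Added example: copy ad click IDs from the landing URL into first-party cookies.
// The parameter names come from the article; everything else is an assumption.
const CLICK_ID_PARAMS = ["gclid", "fbclid", "li_fat_id"];
const MAX_AGE_SECONDS = 90 * 24 * 60 * 60; // assumed lifetime; Safari's ITP still
                                           // caps JavaScript-set cookies at 7 days

// Query strings are attacker-controlled. Accept only a conservative token
// alphabet so a crafted link cannot smuggle ';' or line breaks into the cookie.
const SAFE_VALUE = /^[A-Za-z0-9_.-]{1,512}$/;

// Return { paramName: value } for every click ID present and well-formed.
function extractClickIds(landingUrl) {
  const params = new URL(landingUrl).searchParams;
  const found = {};
  for (const name of CLICK_ID_PARAMS) {
    const value = params.get(name);
    if (value !== null && SAFE_VALUE.test(value)) found[name] = value;
  }
  return found;
}

// Build the cookie string. Secure keeps it off plain HTTP; SameSite=Lax stops
// it being attached to cross-site subrequests while still surviving the ad click.
function buildCookie(name, value) {
  return [
    `_cid_${name}=${encodeURIComponent(value)}`,
    `Max-Age=${MAX_AGE_SECONDS}`,
    "Path=/",
    "SameSite=Lax",
    "Secure",
  ].join("; ");
}

// setCookie is injected so the same logic can be exercised outside a browser.
function captureClickIds(landingUrl, setCookie) {
  const written = Object.entries(extractClickIds(landingUrl))
    .map(([name, value]) => buildCookie(name, value));
  written.forEach((cookie) => setCookie(cookie));
  return written;
}

// In the browser: run once on page load.
if (typeof document !== "undefined") {
  captureClickIds(window.location.href, (c) => { document.cookie = c; });
}
```

To verify an existing setup, load a landing page with a test click ID in the URL and confirm in the browser's storage inspector that the cookie is listed under your own domain.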

2. Server-side conversion APIs

Instead of relying on the browser pixel to report conversions, conversion APIs let you send events from your server. This bypasses all browser restrictions – no cookies needed, no JavaScript needed, no ad blockers to worry about.

All major ad platforms now offer conversion APIs: Meta CAPI, Google Ads offline conversions, LinkedIn CAPI. Setting these up is the single most impactful thing you can do to protect your conversion tracking.

3. Enhanced conversions

Google's Enhanced Conversions and Meta's Advanced Matching let you send hashed user data (email, phone, name) alongside conversion events. The ad platform matches this data against its logged-in user base to attribute conversions – even without cookies.

This works well because most users are logged into Google or Meta on their browsers. The match rate is typically 60–80%, significantly better than cookie-only tracking in a cookieless environment.
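
An added example (not Google's, Meta's or AdRoaster's code) of preparing the hashed fields on your own server before they leave it: identifiers are normalised first, because the platform can only match a digest computed over the same canonical string. The output key names, the validation rules and the digits-only phone format are assumptions; each platform documents its own field names and normalisation.

```javascript
// Added example: normalise, then SHA-256 hash, user identifiers for a
// conversion event. Runs in Node.js; key names below are hypothetical.
const { createHash } = require("node:crypto");

function sha256Hex(text) {
  return createHash("sha256").update(text, "utf8").digest("hex");
}

// Trim and lowercase so " User@Example.com" and "user@example.com" produce
// the same digest. Returns null for values that are clearly not addresses.
function normaliseEmail(raw) {
  const email = String(raw).trim().toLowerCase();
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email) ? email : null;
}

// Keep digits only and assume the country code is already present.
// Whether a leading '+' is kept differs per platform (assumption here: no).
function normalisePhone(raw) {
  const digits = String(raw).replace(/\D/g, "");
  return digits.length >= 7 && digits.length <= 15 ? digits : null;
}

// Build the hashed block. Raw values never appear in the returned object,
// and fields that fail validation are omitted rather than hashed as junk.
function hashedUserData({ email, phone } = {}) {
  const out = {};
  const e = email != null ? normaliseEmail(email) : null;
  const p = phone != null ? normalisePhone(phone) : null;
  if (e) out.email_sha256 = sha256Hex(e);
  if (p) out.phone_sha256 = sha256Hex(p);
  return out;
}
```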

4. Privacy Sandbox APIs

Chrome's Privacy Sandbox introduces APIs like the Attribution Reporting API (for measuring conversions without cross-site tracking) and the Topics API (for interest-based advertising without individual tracking). These are still maturing and have limitations:

  • Attribution reports are delayed and aggregated – no real-time, individual-level data.
  • Topics are broad categories, not granular audience segments.
  • These APIs only work in Chrome – Safari and Firefox have their own (different) approaches.

What you should do now

  1. Audit your current tracking. How much of your conversion data relies on third-party cookies? Check what percentage of your reported conversions disappear when you filter by Safari users – that gives you a preview of a fully cookieless world.
  2. Set up server-side conversion APIs. Prioritise Meta CAPI and Google Ads offline conversions – these cover the vast majority of ad spend. See our practical guide.
  3. Enable enhanced conversions. Turn on Google's Enhanced Conversions and Meta's Advanced Matching. These are often a configuration change, not a development project.
  4. Capture click IDs in first-party cookies. Make sure gclid, fbclid, and li_fat_id are stored as first-party cookies on your domain, not relying on the platform's third-party cookie.
  5. Build a first-party data strategy. Email addresses are the new identifier. Encourage newsletter sign-ups, account creation, and logged-in experiences. The more first-party data you have, the better your conversion matching will be.
  6. Use blended metrics. Accept that you'll never have perfect attribution again. Blended ROAS – total revenue divided by total ad spend – becomes your most reliable metric.

What this means for your reporting

Expect reported conversions to be lower than before, even with all the mitigations in place. This is actually more accurate – the old numbers were inflated by cross-site tracking that counted the same users multiple times.

The platforms will push harder toward modelled conversions – statistical estimates of conversions that weren't directly observed. Google already uses machine learning to fill gaps in conversion data. These modelled numbers are better than nothing, but they're estimates, not measurements.

Key takeaway: The cookieless future isn't a disaster – it's a correction. The old tracking was too invasive and too generous in its attribution. The new world requires more work (server-side APIs, first-party data, enhanced conversions) but produces more honest numbers. AdRoaster helps you navigate this by giving you an independent, cross-platform view of your real ROAS – regardless of what the cookies do.
