Measuring Marketing After the Cookie
- Google reversed course and is keeping third-party cookies in Chrome, so the real disruption to measurement came from Safari, Firefox, Apple's tracking prompt and privacy law, not a single deprecation date
- Modeled conversions and consent mode fill the gaps left by blocked tracking, but the numbers they report are estimates that depend on enough consented traffic to train on
- First-party data captured with permission, moved through your own server, is the most durable foundation for measurement that survives browser restrictions
The phrase "after the cookie" suggests a clean break that never happened. Google spent years promising to remove third-party cookies from Chrome, then in 2025 it abandoned the plan entirely, dropping both the deprecation timeline and the idea of a standalone choice prompt. Later that year it wound down the Privacy Sandbox project that was supposed to replace cookies altogether. So third-party cookies are staying in Chrome for now. The reason marketing measurement still feels broken is that the change came from everywhere else. Safari and Firefox already block third-party cookies by default. Apple's App Tracking Transparency asks users whether an app can track them, and most say no. Privacy regulation keeps tightening what counts as consent. The result is a measurement layer full of holes, and the work now is learning to read data that is partly observed and partly estimated.
What actually changed
The shift was gradual, which is part of why it caught teams off guard. Safari's Intelligent Tracking Prevention has restricted cross-site cookies for years, and Firefox followed. Those two browsers alone account for a large share of traffic in many markets, so a meaningful slice of users were already invisible to classic cookie-based tracking before Google entered the conversation. Apple's tracking prompt then cut off a major signal for mobile app advertising. Opt-in rates vary widely by region and category, with industry panels reporting averages well under half, so advertisers lost the bulk of device-level tracking on iOS. None of this was a Chrome cutoff. It was a slow erosion of the assumption that every user could be followed across sites and apps, and that assumption was what most attribution was quietly built on.
Modeled conversions and what they really are
When tracking breaks for some users but not others, platforms estimate the missing part. Conversion modeling uses machine learning to study the observed paths from users who can be tracked, then projects similar behavior onto the journeys that cannot be observed. Google reports these modeled conversions inside the same totals as directly measured ones, so a marketer looking at a conversion count is often looking at a blend of real and estimated events without a label distinguishing them. This is not deception, and the models are reasonable, but it changes how the numbers should be treated. A modeled conversion is a statistical inference, not a recorded fact, and its quality depends on having enough consented, trackable traffic to learn from. Thin accounts and rare conversion events produce shakier estimates.
Consent mode and the signal it preserves
Consent mode is the mechanism that lets modeling work without ignoring user choice. In its advanced form, tags still load when a page opens, and while a user has declined consent the tags send stripped-down, cookieless pings rather than full data. Those pings carry enough aggregate signal for the platform to model what likely happened, and full measurement resumes only when a user agrees. The trade-off is that modeling needs volume to function. Google has described minimum thresholds, on the order of hundreds of ad clicks per country over a rolling week, before it will model conversions for unconsented users. Sites below that bar see gaps go unfilled. The practical lesson is that a clean, well-designed consent banner is not just a legal formality. It directly determines how much of the picture gets reconstructed.
Server-side tracking
Server-side tagging moves the collection point off the browser. Instead of the page sending data straight to ad and analytics platforms, it sends data to a server the company controls, which then forwards what is needed. Two things improve. Cookies set by that server are first-party cookies on the company's own domain, so browser limits on third-party cookies do not apply to them. And because the traffic flows through the company's domain, it is harder for ad blockers and tracking restrictions to single it out. Server-side setups are more work to build and maintain, and they do not magically recover users who declined consent. What they do is make the data that is collected more durable and give the company more control over what leaves its environment.
First-party data as the foundation
The most reliable signal a company has is the data its own customers hand over. Enhanced conversions, for example, use hashed first-party information such as an email address or phone number, collected with consent, to match a conversion to a logged-in user even when cookies are blocked or deleted. The hashing means the platform never receives the raw identifier. This is why the strongest measurement programs now start with owned data. A logged-in account, a newsletter subscription, a purchase tied to an email, a CRM record. These survive browser changes because they do not depend on cross-site tracking in the first place. The catch is that first-party data is only as good as the permission and the structure behind it. Collected sloppily, it becomes a liability rather than an asset.
What to do now
The honest version of modern measurement accepts estimation as part of the toolkit rather than pretending the gaps do not exist. A few moves matter more than the rest.
- Treat reported conversions as part-modeled: ask which platform numbers are observed and which are estimated, and weight decisions accordingly
- Invest in consent quality: a clear banner with high opt-in rates feeds the models the data they need to fill gaps well
- Build first-party collection deliberately: capture emails, accounts and purchases with permission so measurement does not lean on cross-site tracking
- Move tagging server-side where volume justifies it: more durable data and more control over what is shared with third parties
- Read trends, not single events: aggregate movement over time is more trustworthy than any individual user-level path
The cookie did not disappear, but the era of assuming every interaction could be traced is over. Measurement now lives somewhere between what is recorded and what is inferred, and the teams doing it well are the ones who know which is which.