Cookieless 2026: how to track conversions without third-party cookies

Cookieless is no longer a future trend in 2026, it's the operational reality. Chrome completed the deprecation phase, users blocking cookies are the majority, and the traditional client-side pixel lost 30-50% of conversion data. Companies that haven't adapted their tracking stack are optimising campaigns with blind data.

In this guide we give you the operational roadmap to be ready for cookieless tracking: server-side, first-party data, Privacy Sandbox, data-driven attribution. It's the same framework we apply in Ads projects managed by +Click Ads, where server-side tracking is included by default.

#Cookieless 2026: where we really are

Cookie deprecation milestones and where we've arrived.

State of browsers in 2026

• Safari: ITP (Intelligent Tracking Prevention) blocks third-party cookies since 2020. Limits first-party storage to 7 days. Global traffic share: 18-22%.
• Firefox: ETP (Enhanced Tracking Protection) blocks third-party cookies and other trackers since 2019. Share: 3-4%.
• Brave, DuckDuckGo Browser, Vivaldi: zero third-party cookies. Share: 2-3% growing.
• Chrome: deprecation completed in 2025 with full Privacy Sandbox rollout. Share: 65-70%.
• Edge: follows Chrome with slight delay, third-party cookies disabled by default here too. Share: 5-7%.

Users actively blocking

Beyond default browser blocking, a growing share of users use AdBlock, uBlock Origin, Privacy Badger. In Italy in 2026 it's estimated 25-35% of web users have an active blocker. The consequence: even where a site uses client-side tracking pixels, a significant portion is never tracked.

#Privacy Sandbox: how cookie replacement works

Privacy Sandbox is Google's framework to do advertising and measurement without third-party cookies. It replaces cookie functions with APIs working on-device, without exfiltrating personal data.

Topics API

Replaces interest targeting via third-party cookie. The user's browser assigns up to 5 "topics" (interest categories) based on sites visited in the last 3 weeks. Sites can ask the browser for the user's topics to personalise ads. Privacy: topics are limited to ~470 generic categories, don't identify the user.

Protected Audience API (formerly FLEDGE)

Replaces cross-domain retargeting. The user who visits an ecommerce and adds a product to cart gets saved in an "interest group" on their browser. Other sites can organise an on-device auction to show remarketing ads to the user, without data leaving the browser.

Attribution Reporting API

Replaces cross-domain conversion tracking. When the user sees an ad and then converts, the API generates an anonymised and aggregated conversion report (with differential noise for privacy). Advertising platforms get less precise but usable attribution data to optimise.

#Server-side tracking: the technical pillar

The main way to recover conversions lost in cookieless. Instead of having the data sent by the user's browser (blocked/limited), your server sends it directly to advertising platforms.

How server-side tracking works

1. The user does an important action on your site (purchase, lead, registration).
2. Your server records the event (e.g. after gateway payment confirmation).
3. The server sends the event directly to platform APIs: Meta CAPI (Conversions API), Google Enhanced Conversions, TikTok Events API.
4. Platforms receive the data even if the client-side pixel fails (AdBlock, strict browser, mobile app).
5. Attribution is done server-side with hashed first-party data (email, phone, customer ID).

The 3 implementation methods

• Google Tag Manager Server Container: the most popular. €60-200/month hosting, intermediate setup, maintainable by those who know GTM.
• Partner Integration: for ecommerce on Shopify/WooCommerce. Almost click-and-go setup, limited control.
• Custom Server (Node.js, Python, PHP): maximum control, zero additional hosting cost, requires developers. For the full CAPI setup guide see Meta Pixel and Conversions API.

#First-party data: the new currency

First-party data is what you collect directly from your users with their consent: email, phone, customer ID, behaviour on your site. It's the foundation of digital marketing 2026.

How to collect first-party data ethically

1. Registration form with clear incentive (first-order discount, premium content, community access).
2. Newsletter sign-up with real value: exclusive content, previews, reserved offers.
3. User account for ecommerce: purchase tracking, wishlist, personalised recommendations.
4. Chat and WhatsApp Business: conversations as data source with explicit consent.
5. Post-purchase survey: useful feedback + customer profile enrichment.
6. Loyalty programs: points, rewards, preferential access in exchange for profile data.

How to use it for cookieless ads

• Google Customer Match: you upload hashed email/phone, Google finds those users on its network for remarketing.
• Meta Custom Audience: same mechanism on Meta Ads (Facebook, Instagram).
• Lookalike audiences: platforms create audiences similar to your customers based on the customer list.
• Email/WhatsApp segmentation: send targeted communications per value segment.
• PMax audience signals: feed the customer list as signal for Google AI.

#Meta CAPI + Google Enhanced Conversions: use them together

The two main server-side mechanisms to implement in parallel to cover Meta Ads and Google Ads.

Meta CAPI (Conversions API)

Recovers 25-40% of conversions lost from the client-side pixel. Implementation: server-side handler sending events to Meta with event_id (for deduplication with Pixel), Event Match Quality above 7.5 thanks to hashed parameters (email, phone, IP, fbp, fbc). For the complete setup see the Meta Pixel and Conversions API setup guide.

Google Enhanced Conversions

Google's equivalent of Meta CAPI. Sent server-side to Google Ads with hashed first-party data (email, phone, address). Improves attribution by 15-30% in cookieless scenarios. Setup: standard conversion tag + Enhanced Conversions enabled in Google Ads + hashed first-party data upload (server-side or via Google Tag Manager Server).

Integration in the tracking stack

• Customer makes purchase on site.
• Server records order, saves customer email/phone.
• Automatic trigger: sends Purchase event to Meta CAPI with unique event_id.
• Same event: sends conversion to Google Ads with Enhanced Conversions and hashed data.
• GA4 receives event both from client-side gtag (if user consented) and from server-side Measurement Protocol (fallback).
• Result: precise attribution even with user blocking cookies/pixel.

#Consent Mode v2: truly GDPR-compliant

Without correctly implemented consent mode v2, in EU you're in trouble. It became mandatory in 2024 for those wanting to continue using Google Ads and Meta Ads in EU.

How Consent Mode v2 works

1. GDPR-compliant cookie banner (Iubenda, Cookiebot, OneTrust, Custom).
2. The user chooses which cookies to accept: necessary, statistics, marketing.
3. Preferences are passed both client-side (to Google Tag, Meta Pixel) and server-side.
4. If the user denies marketing: events are sent to platforms in "anonymous" mode (ldu = limited data use). They receive the aggregate signal without identifying the user.
5. If the user accepts marketing: events are sent complete with all hashed parameters.
6. Google and Meta use "modeling" to estimate missing conversions of deny users, based on aggregate behaviour.

Conversion modeling: what it is

When you lose precise tracking for users denying consent, Google and Meta use statistical modeling to estimate real conversions. Without consent mode v2 this modeling doesn't work or works poorly. With consent mode v2 implemented, you recover 30-50% of "modelled" conversions you'd otherwise lose entirely.

#Cookieless attribution: what changes in practice

Precise, deterministic, last-click attribution is dead. In cookieless you work with probabilistic attribution and modeling.

Attribution models for 2026

• Last-click: still available but systematically underestimates awareness and middle funnel. Use it only as reference data.
• Linear: distributes equally between touchpoints. Simple but inaccurate.
• Position-based (40-20-40): values first and last touchpoint. Good compromise for those without enough data for DDA.
• Data-driven attribution (DDA): the recommended default. Google algorithm distributes credit between touchpoints based on real data. Requires 300+ conversions/month to work well.
• Marketing Mix Modeling (MMM): for large projects (above €50k/month spend), cross-channel statistical analysis working even without cookies.

Multi-touch vs Single-touch in 2026

Single-touch (one touchpoint taking credit for the conversion) was the "easy" model of last decade. In 2026 it's inadequate because: 1) journeys are longer (6-12 average touchpoints before conversion), 2) touchpoints are cross-channel and cross-device, 3) loss of deterministic tracking makes it impossible to know "which was really the first click". Multi-touch is the new norm. Detailed in the how to measure digital marketing ROI guide.

#Implementation roadmap: 90 days to be ready

Operational program to take your company from "2020 tracking" to "2026 cookieless tracking" in 90 days.

Days 1-30: foundation

1. Current audit: what you're tracking, where the gaps are, which platforms you use.
2. Consent Mode v2 setup with compliant cookie banner.
3. GA4 configuration (if not already done) with all key events.
4. Basic Meta CAPI implementation (server-side tracking for Purchase/Lead event).
5. Google Enhanced Conversions implementation for active campaigns.

Days 31-60: optimisation

1. EMQ improvement: bring Event Match Quality above 8.0 with richer user data parameters.
2. Customer Match: upload customer list to Google Ads and Meta for cookieless remarketing.
3. Setup data-driven attribution as default model.
4. A/B test consent banner to optimise opt-in rate.
5. GA4 + Looker Studio integration for cross-channel dashboard.

Days 61-90: scaling and advanced

1. First-party audience strategy: segments by value, frequency, recency.
2. Lookalike audiences on Meta and Google based on customers.
3. PMax 2.0 with quality signal feeding (see Performance Max 2.0 guide).
4. Privacy Sandbox API testing for specific use cases.
5. Basic Marketing Mix Modeling to validate cross-channel attribution.
6. Complete technical documentation for internal and privacy audits.

#Common errors in the cookieless transition

1. Treating CAPI as "additional option": it's not optional, it's the base. Without it, you lose 30-40% of conversions.
2. Consent mode v1 instead of v2: v1 no longer works correctly in 2026. Update immediately.
3. Outdated customer list: for Customer Match to work you need fresh data from the last 12 months.
4. Wrong hashing: SHA-256 has precise standards (UTF-8, lowercase, hex). Wrong hashing = rejected data.
5. Ignoring modeling: rejecting modelled data thinking "it's made up" is a mistake. They're statistically valid estimates 70-90% accurate.
6. Comparing pre and post cookieless metrics without adjustment: numbers change. It doesn't mean campaigns work worse, it means you measured wrong before.

#Applied case: Italian ecommerce

To make this concrete, a typical setup for a mid-size Italian ecommerce in 2026.

• Stack: Shopify + Google Tag Manager (Stape server container) + GA4 + Meta CAPI + Google Enhanced Conversions + Iubenda Consent Mode v2.
• Server-side tracking: all key events (ViewContent, AddToCart, InitiateCheckout, Purchase) sent to Meta CAPI and Google with average event match quality 8.4.
• Customer Match: customer list updated monthly, segmented by buyer recency.
• Privacy: Iubenda cookie banner with consent mode v2, average opt-in rate 62% (above European benchmark).
• Result: recovery of 32% of conversions vs client-side pixel only, optimisation decisions based on much more reliable data, realistic ROAS measured instead of distorted.

Similar results are replicable for ecommerce of any size. The F&F Autoservice case shows how well-done CAPI setup brings CPL €1.07 on BMW leads, with tracking that doesn't lose conversions to AdBlock or cookie blocking.

Cookieless isn't a digital marketing apocalypse, it's a cleanup. Companies that got used to numbers inflated by the client-side pixel now see reality. Those setting up server-side, first-party data and correct probabilistic attribution will have increasing advantage.

— Niccolò Giuseppetti, founder +Click

Cookieless audit of your site

1. Cookie banner installed with working Consent Mode v2.
2. GA4 configured with key events and data-driven attribution.
3. Meta CAPI implemented server-side with EMQ above 7.5.
4. Google Enhanced Conversions enabled for all campaigns.
5. Updated customer list uploaded to Google Ads and Meta.
6. Cross-channel dashboard to measure unified ROAS.
7. Technical documentation for GDPR privacy audit.

#FAQ cookieless tracking 2026