Tracking without cookies has become a forefront concern for marketers recently. Tightening privacy regulations, together with cookie restrictions in browsers, have raised interest in alternative tracking methods that do not rely on cookies.
What cookies are actually used for. The story of cookie appearance and deprecation
Cookies are used by web servers to maintain sessions between individual requests, allowing for the tracking of customer journeys.
They were first introduced in 1995 by Netscape. In this 1995 video, Netscape founder Marc Andreessen demonstrates a cookie to a CNET journalist
Apart from tracking visitors, cookies are commonly used for authenticating on websites and, despite being supplanted by more modern kinds of browser storage, aren’t likely to completely disappear anytime soon.
However, there have been recent moves to restrict the use of cookies by advertisers. The impact on digital marketing was largely driven by legal restrictions on processing personal information and cookie blocking in browsers.
Legal challenges
The European Union, through its ePrivacy Directive and GDPR data protection laws, requires website owners to obtain explicit consent from users for processing personal information, as well as for transferring it to third parties. Similar cookie rules apply in the UK, as well as in the form of CCPA in California, US. While cookies aren’t the only example when such consent is required, they’re a primary and most obvious example.
Third-party cookies blocking
Additionally, browser vendors, starting with Safari in 2017, and continuing with most famously Chrome in 2024, moved to block a certain type of cookies: third-party cookies.
Most ad tracking doesn't rely on third-party cookies.
Third-party cookies are a special kind of cookie that is set by one website (for example, google.com) and can be accessed by another (ablecdp.com). They’re widely used for retargeting, and antimonopoly concerns became one of the main reasons why Google was among the last browser vendors to eliminate them. Restricting third-party cookies doesn’t affect first-party cookies; however, and most of the tracking pixels now rely on setting up first-party cookies associated with the click identifier present in the URL for tracking.
How cookieless tracking works
In response to the cookie restrictions, website owners sought alternative tracking methods. These methods, designed to ensure working attribution, range from grey to white in both legality and reliability and gained some popularity either as primary methods of tracking and analytics, or supplemental, used as a fallback when consent isn’t received.
All methods of cookieless tracking aim to track users without relying on storing tracking identifiers in the browser.
Let’s have a closer look at how different alternatives to cookie-based tracking allowing tracking conversions without cookies work.
Device fingerprinting
Device fingerprinting is arguably the most popular method employed by the majority of cookieless tracking solutions.
It relies upon collecting identifying information such as IP address and browser version from the user’s machine, which then forms a non-erasable digital ‘fingerprint’ of the user’s device. Some of the information required to form such a fingerprint can be collected covertly, from the analysis of application and network protocol requests. Machine learning is then applied to derive unique sessions and user identities from the collected data.
The legal side of such an approach is controversial. While vendors widely tout such an approach as ‘privacy-friendly’ and ‘anonymized’, organizations such as the Electronic Frontier Foundation argued that using it without user consent violates privacy laws, as collecting such device characteristics forms a personal identifier that is then used to associate user activity and behavior with the device and the user.
Any method of cookieless tracking that can identify a specific device requires user consent.
A EU-funded website about GDPR is even more straightforward in this regard:
"Looking back at the GDPR’s definition, we have a list of different types of identifiers: “a name, an identification number, location data, an online identifier.” A special mention should be made for biometric data as well, such as fingerprints, which can also work as identifiers. While most of these are straightforward, online identifiers are a bit trickier. Fortunately, the GDPR provides several examples in Recital 30 that include:
- Internet protocol (IP) addresses;
- cookie identifiers; and
- other identifiers such as radio frequency identification (RFID) tags.
These identifiers refer to information that is related to an individual’s tools, applications, or devices, like their computer or smartphone. The above is by no means an exhaustive list. Any information that could identify a specific device, like its digital fingerprint, are identifiers."
While data privacy concerns undoubtedly put a dark shade on this method, its demise is more likely to be precipitated by the changes in the browsers.
Leaking such identifying information has been well known to browser vendors for more than a decade, and its uniqueness has been severely reduced lately.
The instances where such a fingerprint can uniquely tell website users apart are now more and more rare.
First, browsers were continually removing vulnerabilities that resulted in leaking system cache status and other highly random variables that were historically used for device identification and fingerprinting.
Second, Chromium, the engine used in Google Chrome and other major browsers, has removed unique version-specific and platform-specific details from user-agent strings in 2023. Other major browsers, including Firefox and Safari, have made similar changes.
Third, many browsers now offer IP address anonymization via built-in secure VPN. For example, Edge.
These changes have made using the most popular fingerprinting mechanism, calculating user identity using a combination of IP address and browser version, useless on large websites. This happens because user devices of the same vendor would typically present themselves to such a cookieless tracking algorithm as the same device. In other words, two Apple phones running IOS would be indistinguishable, two Android phones as well, etc.
First-party data
Another approach to reducing reliance on cookies is based on use of the user-supplied data for attribution. When using first-party data, the device tracking isn't normally used.
First-party data is provided by user with explicit consent.
It is then used to track entire journeys without storing cookies in browser or identifying devices otherwise.
First-party data refers to the information that a company collects directly from its customers or audience through its own sources and channels. This can include data from:
-
Website activity: User behavior data collected through website visits, page views, clicks, transactions, etc. via web analytics tools.
-
Customer Relationship Management (CRM) data: Personal information, purchase history, preferences collected through account registrations, purchases, surveys, etc.
-
Marketing campaign data: Lead information, email engagement data collected through marketing campaigns.
-
Customer service data: Details about customer inquiries, issues, resolutions collected through customer support channels.
The key aspect of first-party data is that it is collected directly from the company's owned sources and channels and stored in a database controlled by the company rather than in the user's browsers. First-party data is an excellent alternative to using cookies for understanding user journeys.
It can thus be used to track conversions without relying on cookies, as well as implement customer journeys and sales funnels that don’t require cookie consent.
Using first-party data is radically different from employing client-side tracking apps such as Google Analytics 4 alone, ensuring that the journeys are tracked by customer-provided user data rather than cookies or device fingerprints and other imprecise signals.
Trivial server-side integrations
In the simplest case, ‘CRM’ data such as customer email or phone can be sent to ad platform API together with a conversion. This approach is typically used by inexpensive general-purpose integration platforms and built-in integrations in e-commerce platforms and CRMs.
A major downside of such implementation is it relies on the data already present in CRM, which typically excludes website visitor data collected on tracking landing page view.
It relies on the ad platform previously knowing that the given bit of personal information belongs to a known user and in practice only allows attributing around half of the conversions.
Customer data platforms
Customer data platforms take tracking to the next level, allowing for entirely cookieless tracking in some cases, as well as for significant reduction of reliance on cookies.
When a user submits a lead or a sign-up form, entered personal information, along with explicitly expressed consent are then associated with the website visitor source and click identifiers and stored in a database with the user data.
When a conversion occurs later, regardless of whether it’s an online or an offline conversion, previously stored information, instead of the cookies, is then used to attribute it to the visitor source.
Cookieless tracking implementation
Using first-party data often requires using cookies to some extent, to track the portion of the user journey from the landing page to the page where first-party data is entered. This significantly improves the resilience of the funnel to browsers expiring tracking cookies shortly after they were set, which in many browsers happens in one to seven days.
While it's commonly known that browsers been limiting tracking cookie lifetime to a few days since 2019, the less commonly known fact is that the cookies set by solutions like server-side GTM are detected by browsers that identify cloaking used to hide the container and limit longevity of HTTP-only cookies such tracking containers set as well.
Using first-party data allows tracking conversions without using cookies entirely in instances where the landing page contains a lead or a sign-up form. (And in some other special cases – more on this below.)
A completed form is tracked by a customer data platform and associated with the visitor source and click identifier present in the URL at the moment of tracking the form, allowing to associate user identity with the visitor source without needing to store anything in the user's browser.
Able CDP server-side tracking is an example of such cookieless tracking implementation.
Conversion attribution with cookieless tracking that uses first-party data
When a conversion happens later, it is then attributed by a customer data platform to the original source and click identifier solely using first-party data, allowing to implement robust server-side tracking that tracks conversions without storing any kind of cookies.
Collected first-party data can then be used to report conversion metrics and other insights useful for iterating and improving marketing strategies.
More importantly, having click identities associated with the user's details and identity in the tracking database allows sending conversions to ad platforms’ server-side tracking APIs attributed to the specific click and browser identifiers, ensuring that the conversions are recognized and correctly attributed on the ad platforms’ end.
Precise click identifier is superior to all other attribution signals used by ad platforms.
Implementing cookieless tracking in funnels that require navigating across many website pages is slightly trickier, but smarter funnels are already being built today with the full readiness for a cookieless future.
There are two approaches to using first-party data to track conversions without cookies in funnels that include navigating across many different website pages.
In funnels where the lead form isn’t located on the landing page, and where using cookies is entirely unsuitable, the following methods can be used instead.
New tracking methods for the cookieless world
In some funnels, a unique value linked with the ad click and appended to a URL parameter can be used to track user journey across different pages and domains. An example where this is useful is tracking Stripe payment links placed on the landing page, where each payment link is automatically tagged by a customer data platform with a unique checkout session identifier.
When a checkout session is completed, the e-commerce platform sends a webhook to a customer data platform, notifying it of the checkout result and customer details, which are then attributed to the original visit, traffic source, and paid click identifier using solely server-side tracking.
In other cases, when a modern web framework such as Next, Nuxt, or Turbo.JS is used, conversions can be tracked without cookies by using so-called ‘soft navigation’.
To accelerate loading speed and implement pre-caching, the web framework replaces the content of the page instead of loading a new one. While this happens transparently to the user, and has an appearance of normal link navigation, the original URL and attribution parameters are available to tracking scripts running on the page, allowing a customer data platform to associate customer details entered in a lead form together with accepting privacy policy with the source of the visit without requiring additional cookie consent or storing information in the browser.
Conclusion
In conclusion, cookieless tracking has emerged as a crucial topic for marketers in the face of tightening privacy regulations and cookie restrictions in browsers. While cookies have been the traditional method for tracking customer journeys and maintaining sessions, alternative methods have gained popularity to ensure accurate attribution and analytics.
Device fingerprinting, despite its controversial legal status, has been a popular approach among cookieless tracking solutions. However, the uniqueness of device fingerprints has been significantly reduced due to browser vendors' efforts to remove vulnerabilities and anonymize user information.
On the other hand, the smart use of first-party data has proven to be a promising alternative to cookie-based tracking. By leveraging data collected directly from owned sources and channels, companies can track conversions and implement customer journeys without relying on cookies. Customer data platforms have emerged as effective tools for cookieless tracking implementation.
As the digital landscape continues to evolve, marketers must adapt to new tracking methods that prioritize user privacy while still providing valuable insights. By embracing cookieless tracking techniques and leveraging first-party data, businesses can navigate the challenges posed by privacy regulations and browser restrictions, ensuring accurate attribution and effective marketing strategies in the cookieless world.
Able Customer Data Platform has been pioneering cookieless tracking solutions and supports all of the legal first-party data cookieless tracking methods described above.