The Tracking Landscape in 2026: A Minefield
In 2026, advertisers face a more hostile tracking environment than ever. Between browser restrictions, operating system rules, and European regulations, 30 to 40% of conversions are lost if no mitigation measures are in place.
This is not a projection. It is what we see in the field, audit after audit. And the situation will only get worse if you do not adapt.
Here is the complete state of play and the solutions that work.
Safari ITP: The Most Aggressive Browser
What ITP (Intelligent Tracking Prevention) Does
Safari is the default browser on iPhone, iPad, and Mac. In France, it accounts for roughly 28% of web traffic (and up to 45% on mobile-heavy sites). Its ITP system is the most restrictive on the market:
| ITP Restriction | Impact |
|---|---|
| First-party cookies via JavaScript: 7-day maximum | The _ga cookie (GA4) expires after 7 days — a returning visitor after 8 days is counted as new |
| First-party cookies via document.cookie with link decoration: 24 hours | If the URL contains a gclid, fbclid, or utm_, the cookie is limited to 24h |
| Third-party cookies: blocked entirely | No third-party cookie works on Safari |
| Partitioned localStorage | Stored data does not persist across contexts |
| Link decoration stripping | Safari may remove certain tracking parameters from URLs |
The Concrete Impact for You
On an e-commerce site with 30% Safari traffic:
- Multi-session journeys are not tracked: a user who discovers your site on Monday and purchases on Saturday (6 days later) has a valid cookie. But if they purchase on Sunday (8 days), they appear as a new user
- Campaign attribution is skewed: the GCLID is stored in a cookie. If that cookie expires, the conversion is not attributed to Google Ads
- Retargeting audiences shrink: with 7-day cookies, your audience lists deplete rapidly
iOS ATT: The Opt-In That Changed Everything
App Tracking Transparency in Numbers
Since iOS 14.5 (April 2021), Apple requires a consent prompt for cross-app tracking. The numbers speak for themselves:
- Global opt-in rate: 25-35% depending on industry (Appsflyer, 2025)
- France: approximately 28% opt-in (slightly below the European average)
- Impact on Meta Ads: estimated 30-40% loss of conversion signals on iOS
- Impact on audiences: 50-60% reduction in iOS retargeting audiences
What This Means for the Web
ATT primarily impacts apps, but mobile web on Safari suffers indirect effects:
- The Meta pixel in the Safari browser on iOS is doubly penalized (ITP + ATT)
- SKAdNetwork (Apple’s attribution system) provides aggregated and delayed data
- View-through conversions are virtually nonexistent on iOS
Chrome: Third-Party Cookies Survive (for Now)
Google’s U-Turn
After announcing the deprecation of third-party cookies in 2020 (originally scheduled for 2022, then 2024, then 2025), Google ultimately abandoned the plan in July 2024. Third-party cookies remain active in Chrome.
But be careful: the Privacy Sandbox is advancing in parallel.
Privacy Sandbox: The APIs Gradually Replacing Cookies
| API | Purpose | 2026 Status |
|---|---|---|
| Topics API | Replace interest-based targeting | Available, limited adoption |
| Attribution Reporting API | Privacy-safe conversion measurement | In expanded testing |
| Protected Audience API (formerly FLEDGE) | Retargeting without third-party cookies | Available, gradual adoption |
| Private State Tokens | Replace CAPTCHAs and anti-fraud | In development |
Chrome accounts for 55-60% of traffic in France. While third-party cookies still work there, the Privacy Sandbox is nonetheless changing the rules for targeting and measurement.
Firefox ETP: Quiet but Effective
Firefox Enhanced Tracking Protection (ETP) has been enabled by default since 2019:
- Third-party cookies: blocked for domains identified as trackers (Disconnect list)
- Content trackers: blocked in private browsing
- Fingerprinting: active protection
- Cryptomining scripts: blocked
Firefox represents approximately 5-7% of traffic in France. The volume impact is smaller but adds to the overall erosion.
Quantifying Data Loss by Channel
Here is a realistic estimate of conversion data loss without any mitigation measures:
| Channel | Loss Source | Estimated Loss |
|---|---|---|
| Google Ads (Search) | ITP (cookie expiry), blockers | 15-25% |
| Google Ads (Display/YouTube) | ITP, blockers, third-party cookies blocked on Safari/Firefox | 25-35% |
| Meta Ads | ITP, ATT, blockers, GDPR consent | 30-50% |
| TikTok Ads | ITP, ATT, blockers (pixel heavily blocked) | 35-55% |
| Organic traffic (SEO) | ITP (fragmented sessions), GA4 blockers | 10-20% |
| Email marketing | ITP (multi-session attribution), Mail Privacy Protection | 15-25% |
Weighted total for an average French e-commerce site: 25-40% of conversions lost.
Solutions That Work in 2026
1. Server-Side Tracking: The Foundational Solution
Server-side tracking solves the most critical problem: first-party cookies are set by the server, not by JavaScript.
How this bypasses ITP:
- A cookie set via an HTTP Set-Cookie header from your own domain (first-party) is not subject to ITP’s 7-day limit
- The cookie can have a lifespan of 13 months (recommended GDPR limit) instead of 7 days
- Ad blockers cannot block requests to your own subdomain
Browser → tracking.yourdomain.com (GTM SS server)
↓
First-party cookie set via Set-Cookie header
Lifespan: 390 days
↓
Data forwarded to GA4, Google Ads, Meta, etc.
Measured impact: server-side tracking recovers an average of 15-25% additional data compared to client-side alone on Safari.
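The server-set cookie from the diagram above, as an added Python example (not code from the original article or from GTM). The cookie name fp_id, the 32-hex-character ID format and the consent flag passed in by the caller are assumptions; the domain is the placeholder from the diagram.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "fp_id"              # hypothetical cookie name
COOKIE_DOMAIN = "yourdomain.com"   # placeholder domain from the diagram
MAX_AGE = 390 * 24 * 3600          # 390-day lifespan from the diagram, in seconds
HEX = set("0123456789abcdef")


def parse_visitor_id(cookie_header):
    """Return the visitor ID from a Cookie request header, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    morsel = jar.get(COOKIE_NAME)
    # Accept only IDs in the shape this server issues; a client can send
    # anything in a cookie, so other values are discarded, not echoed back.
    if morsel and len(morsel.value) == 32 and set(morsel.value) <= HEX:
        return morsel.value
    return None


def build_set_cookie(cookie_header, consent_granted):
    """Return (visitor_id, Set-Cookie value), or (None, None) without consent."""
    if not consent_granted:
        return None, None
    # Reuse a valid existing ID so the visitor stays the same across sessions;
    # otherwise mint a random, non-guessable one.
    visitor_id = parse_visitor_id(cookie_header) or secrets.token_hex(16)
    jar = SimpleCookie()
    jar[COOKIE_NAME] = visitor_id
    morsel = jar[COOKIE_NAME]
    morsel["domain"] = COOKIE_DOMAIN
    morsel["path"] = "/"
    morsel["max-age"] = MAX_AGE    # re-sent on every response, so it keeps renewing
    morsel["secure"] = True        # HTTPS only
    morsel["httponly"] = True      # not readable through document.cookie
    morsel["samesite"] = "Lax"
    return visitor_id, morsel.OutputString()
```

Because the cookie is HttpOnly, page scripts (including any injected third-party script) cannot read the identifier; only the tracking server sees it.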
2. Consent Mode V2: Modeling Lost Conversions
Consent Mode V2 allows Google to statistically model conversions from users who refuse consent, based on the behavior of users who accepted.
- Default denied mode in Europe
- Google receives anonymized pings (no cookie, no identifier)
- The algorithm models the missing conversions
- Estimated recovery: 55-70% of conversions lost to consent refusal
3. Enhanced Conversions: First-Party Matching
Enhanced Conversions send hashed first-party data (email, phone) to Google to improve matching even when cookies have expired.
- +5 to 15% additional conversions
- Compatible with server-side tracking
- SHA-256 hashing ensures data protection
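An added Python example (not from the original article or from Google's libraries) of preparing the hashed fields on the server: the same address typed with different casing or spacing yields a different SHA-256 digest, so values are normalized before hashing. The output key names, the French default country code and the validation rules are assumptions.

```python
import hashlib
import re
import unicodedata


def normalize_email(raw):
    """Trim, Unicode-normalize and lowercase; None if not address-shaped."""
    email = unicodedata.normalize("NFKC", raw or "").strip().lower()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        return None
    return email


def normalize_phone(raw, default_cc="33"):
    """Reduce a number to E.164 (+<country><number>); None if implausible."""
    text = (raw or "").strip()
    digits = re.sub(r"\D", "", text)
    if text.startswith("+"):
        pass                                   # already international
    elif digits.startswith("00"):
        digits = digits[2:]                    # 00 prefix means international
    elif digits.startswith("0"):
        digits = default_cc + digits[1:]       # national format, assumed French
    else:
        return None                            # no country information
    return "+" + digits if 8 <= len(digits) <= 15 else None


def sha256_hex(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_user_data(email=None, phone=None):
    """Return only the hashed fields that passed validation (hypothetical keys)."""
    out = {}
    clean_email = normalize_email(email) if email else None
    clean_phone = normalize_phone(phone) if phone else None
    if clean_email:
        out["email_sha256"] = sha256_hex(clean_email)
    if clean_phone:
        out["phone_sha256"] = sha256_hex(clean_phone)
    return out
```

An unsalted digest of an email address is still a stable identifier for that person, so keep these values out of application logs and treat them as personal data.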
4. Meta CAPI: Bypassing Blockers
Meta’s Conversions API sends events server-to-server, eliminating dependence on the browser pixel.
- +20-30% accuracy in Meta conversion tracking
- Improved EMQ (Event Match Quality) score
- CPA improved by 13% on average
5. Structured First-Party Data Collection
The long-term strategy rests on direct first-party data collection:
- Customer accounts with verified email
- Loyalty programs
- Newsletter signup forms
- On-site behavioral data (searches, favorites, wishlists)
This data depends on no cookie and survives all restrictions.
Protection Strategy: Where to Start
| Priority | Action | Impact | Complexity |
|---|---|---|---|
| 1 | Consent Mode V2 | High | Low |
| 2 | Enhanced Conversions | Medium-High | Low |
| 3 | Meta CAPI | High (if Meta is a major channel) | Medium |
| 4 | Server-side tracking | Very high | Medium-High |
| 5 | First-party data strategy | Very high (long-term) | High |
Order matters: start with quick wins (Consent Mode, Enhanced Conversions), then invest in server-side infrastructure.
Do Not React. Anticipate.
Tracking restrictions are not going to ease up. Every month without action means less data and underperforming campaigns. At chillmetrics, we deploy the full stack: server-side tracking, Consent Mode V2, CAPI, Enhanced Conversions — all configured, tested, and documented.
Let us handle your tracking installation and take back control of your conversion data.