Web cookies, introduced in 1995, have been a fundamental tool for tracking user behavior and maintaining online sessions. Recent legal restrictions and browser policies have challenged their use, leading to the development of alternative tracking methods. These include device fingerprinting and first-party data collection through customer data platforms. Cookieless tracking solutions aim to provide user journey analytics and conversion attribution without relying on browser-stored identifiers. Implementation methods vary based on website architecture and can include server-side tracking, form submissions, and integration with e-commerce platforms.
Want to skip the background? Scroll straight to the setup guide.
What cookies are actually used for. The story of cookie appearance and deprecation
Cookies are used by web servers to maintain sessions between individual requests, allowing for the tracking of customer journeys.
They were first introduced in 1995 by Netscape. In an old 1995 CNET video, Netscape founder Marc Andreessen demonstrates a cookie to a CNET journalist, explaining a metaphor that the cookies were named after.
Apart from tracking visitors, cookies are commonly used for authenticating on websites and, despite being supplanted by more modern kinds of browser storage, aren’t likely to completely disappear anytime soon.
However, there have been recent moves to restrict the use of cookies by advertisers. The impact on digital marketing was largely driven by legal restrictions on processing personal information and cookie blocking in browsers.
Legal challenges
The European Union, through its ePrivacy Directive and GDPR data protection laws, requires website owners to obtain explicit consent from users for processing personal information, as well as for transferring it to third parties. Similar cookie rules apply in the UK, as well as in the form of CCPA in California, US. While cookies aren’t the only example when such consent is required, they’re a primary and most obvious example.
Third-party cookies blocking
Additionally, browser vendors, starting with Safari in 2017, and continuing with most famously Chrome in 2024, moved to block a certain type of cookies: third-party cookies.
Most ad tracking doesn't rely on third-party cookies.
Third-party cookies are a special kind of cookie that is set by one website (for example, google.com) and can be accessed by another (ablecdp.com). They’re widely used for retargeting, and antimonopoly concerns became one of the main reasons why Google was among the last browser vendors to consider eliminating them. Google dropped Chrome third-party cookies deprecation plans in July 2024, but they remain blocked by other vendors such as Apple Safari. Restricting third-party cookies doesn’t affect first-party cookies; however, and most of the tracking pixels now rely on setting up first-party cookies associated with the click identifier present in the URL for tracking.
Different cookieless tracking solutions
In response to the cookie restrictions, website owners sought alternative tracking methods. These methods, designed to ensure working attribution, range from grey to white in both legality and reliability and gained some popularity either as primary methods of tracking and analytics, or supplemental, used as a fallback when consent isn’t received.
All methods of cookieless tracking aim to track users without relying on storing tracking identifiers in the browser.
Let’s have a closer look at how different alternatives to cookie-based tracking allowing tracking conversions without cookies work.
Device fingerprinting tracking solutions
Device fingerprinting is arguably the most popular method employed by the majority of cookieless tracking solutions.
It relies upon collecting identifying information such as IP address and browser version from the user’s machine, which then forms a non-erasable digital ‘fingerprint’ of the user’s device. Some of the information required to form such a fingerprint can be collected covertly, from the analysis of application and network protocol requests. Machine learning is then applied to derive unique sessions and user identities from the collected data.
The legal side of such an approach is controversial. While vendors widely tout such an approach as ‘privacy-friendly’ and ‘anonymized’, organizations such as the Electronic Frontier Foundation argued that using it without user consent violates privacy laws, as collecting such device characteristics forms a personal identifier that is then used to associate user activity and behavior with the device and the user.
Any method of cookieless tracking that can identify a specific device requires user consent.
A EU-funded website about GDPR is even more straightforward in this regard:
"Looking back at the GDPR’s definition, we have a list of different types of identifiers: “a name, an identification number, location data, an online identifier.” A special mention should be made for biometric data as well, such as fingerprints, which can also work as identifiers. While most of these are straightforward, online identifiers are a bit trickier. Fortunately, the GDPR provides several examples in Recital 30 that include:
- Internet protocol (IP) addresses;
- cookie identifiers; and
- other identifiers such as radio frequency identification (RFID) tags.
These identifiers refer to information that is related to an individual’s tools, applications, or devices, like their computer or smartphone. The above is by no means an exhaustive list. Any information that could identify a specific device, like its digital fingerprint, are identifiers."
While data privacy concerns undoubtedly put a dark shade on this method, its demise is more likely to be precipitated by the changes in the browsers.
Leaking such identifying information has been well known to browser vendors for more than a decade, and its uniqueness has been severely reduced lately.
The instances where such a fingerprint can uniquely tell website users apart are now more and more rare.
First, browsers were continually removing vulnerabilities that resulted in leaking system cache status and other highly random variables that were historically used for device identification and fingerprinting.
Second, Chromium, the engine used in Google Chrome and other major browsers, has removed unique version-specific and platform-specific details from user-agent strings in 2023. Other major browsers, including Firefox and Safari, have made similar changes.
Third, many browsers now offer IP address anonymization via built-in secure VPN. For example, Edge.
These changes have made using the most popular fingerprinting mechanism, calculating user identity using a combination of IP address and browser version, useless on large websites. This happens because user devices of the same vendor would typically present themselves to such a cookieless tracking algorithm as the same device. In other words, two Apple phones running IOS would be indistinguishable, two Android phones as well, etc.
First-party data and customer data platforms
Another approach to reducing reliance on cookies is based on use of the user-supplied data for attribution. When using first-party data, the device tracking isn't normally used.
First-party data is provided by user with explicit consent.
It is then used to track entire journeys without storing cookies in browser or identifying devices otherwise.
First-party data refers to the information that a company collects directly from its customers or audience through its own sources and channels. This can include data from:
-
Website activity: User behavior data collected through website visits, page views, clicks, transactions, etc. via web analytics tools.
-
Customer Relationship Management (CRM) data: Personal information, purchase history, preferences collected through account registrations, purchases, surveys, etc.
-
Marketing campaign data: Lead information, email engagement data collected through marketing campaigns.
-
Customer service data: Details about customer inquiries, issues, resolutions collected through customer support channels.
The key aspect of first-party data is that it is collected directly from the company's owned sources and channels and stored in a database controlled by the company rather than in the user's browsers. First-party data is an excellent alternative to using cookies for understanding user journeys.
It can thus be used to track conversions without relying on cookies, as well as implement customer journeys and sales funnels that don’t require cookie consent.
Using first-party data is radically different from employing client-side tracking apps such as Google Analytics 4 alone, ensuring that the journeys are tracked by customer-provided user data, shared with an explicit consent, rather than cookies or device fingerprints and other imprecise signals.
First-party data differences when sharing data with ad platforms
When the tracking data are used outside of an organization, for example, for sending conversions to Meta Conversions API or Google Ads conversion tracking, ad platform will need to recognize the matching user and ad click in order to attribute the conversion to the source correctly.
In the simplest case, ‘CRM’ data such as customer email or phone can be sent to ad platform API together with a conversion. This approach is typically used by inexpensive general-purpose integration platforms such as Zapier and built-in integrations in e-commerce platforms and CRMs.
A major downside of such implementation is it relies on the data already present in CRM, which typically excludes website visitor data collected on tracking landing page view. It relies on the ad platform previously knowing that the given bit of personal information belongs to a known user and in practice only allows attributing around half of the conversions.
Customer data platforms take tracking to the next level, allowing for entirely cookieless tracking in some cases, as well as for significant reduction of reliance on cookies.
When a user submits a lead or a sign-up form, entered personal information, along with explicitly expressed consent are then associated with the website visitor source and click identifiers and stored in a database with the user data.
When a conversion occurs later, regardless of whether it’s an online or an offline conversion, previously stored information, instead of the cookies, is then used to attribute it to the visitor source.
How to set up cookieless conversion tracking using a customer data platform
Cookieless website journey tracking
There are several ways of using first-party data attribution provided by customer data platform tracking solutions such as Able CDP to track visitors without cookies or covert device fingerprinting. The method should be chosen depending on how the funnel is organized and the technical stack that powers the website.
Using first-party data allows tracking conversions without using cookies entirely in instances where the landing page contains a lead or a sign-up form. A completed form is tracked by a customer data platform and associated with the visitor source and click identifier present in the URL at the moment of tracking the form, allowing to associate user identity with the visitor source without needing to store anything in the user's browser.
This approach also works in funnels where landing page links to a third-party checkout that can receive a unique session identifier. For example, it can be used for tracking Stripe payment links placed on the landing page, where each payment link is automatically tagged by a customer data platform with a unique checkout session identifier. Even though no tracking code can be added to Stripe checkout itself, a webhook received by a customer data platform after a completion of checkout would allow to precisely associate customer email and identifier with the preceding browser journey.
Able CDP server-side tracking is an example of such cookieless tracking implementation. Setting up form or payment link tracking in Able CDP is trivial. First, open the 'Get Code' tab. If there are any lead forms, they need to be specified on the page to let Able recognize the fields relevant for first-party attribution. Stripe payment links are usually recognized and tagged fully automatically. Once done, press 'Generate' to get tracking code.
What happens if the customer journeys are more extensive and don't result in a lead or a checkout on the landing page?
An entirely cookieless journey tracking is possible when a modern web framework such as Next, Nuxt, or Turbo.JS is used, by using so-called ‘soft navigation’.
To accelerate loading speed and implement pre-caching, such framework replace the content of the page and the URL displayed in browser instead of loading a new one. While this happens transparently to the user, and has an appearance of normal link navigation, the original URL and attribution parameters are available to tracking scripts running on the page, allowing a customer data platform to associate customer details entered in a lead form together with accepting privacy policy with the source of the visit without requiring additional cookie consent or storing information in the browser.
Able CDP offers a detailed setup guide for cookieless tracking in such single-page applications.
In all cases, it's possible to implement a hybrid approach and track the portion of the user journey from the landing page to the page where first-party data is entered. This significantly improves the resilience of the funnel to browsers expiring tracking cookies shortly after they were set, which in many browsers happens in one to seven days.
While it's commonly known that browsers been limiting tracking cookie lifetime to a few days since 2019, it's less well known that the server cookies set by standalone tracking containers like server-side GTM are detected by browsers that identify cloaking used to hide the container and limit longevity of HTTP-only cookies such tracking containers set as well.
Conversion attribution with cookieless tracking that uses first-party data
When a conversion happens later, it is then attributed by a customer data platform to the original source and click identifier solely using first-party data, allowing to implement robust server-side tracking that attributes conversions without relying on stored cookies.
Conversions are received server-side and a customer data platform looks up the matching customer in its database using solely first-party identifiers such as an email.
Collected first-party data can then be used to report conversion metrics and other insights useful for iterating and improving marketing strategies.
More importantly, having click identities associated with the user's details and identity in the tracking database allows sending conversions to ad platforms’ server-side tracking APIs attributed to the specific click and browser identifiers, ensuring that the conversions are recognized and correctly attributed on the ad platforms’ end.
Precise click identifier is superior to all other attribution signals used by ad platforms. It substantially improves attribution and ad targeting and a 5-7x RoAS increase or an ability to double ad budget by targeting customers better are not uncommon.
Conclusion
In conclusion, cookieless tracking has emerged as a crucial topic for marketers in the face of tightening privacy regulations and cookie restrictions in browsers. While cookies have been the traditional method for tracking customer journeys and maintaining sessions, alternative methods have gained popularity to ensure accurate attribution and analytics.
Device fingerprinting, despite its controversial legal status, has been a popular approach among cookieless tracking solutions. However, the uniqueness of device fingerprints has been significantly reduced due to browser vendors' efforts to remove vulnerabilities and anonymize user information.
On the other hand, the smart use of first-party data has proven to be a promising alternative to cookie-based tracking. By leveraging data collected directly from owned sources and channels, companies can track conversions and implement customer journeys without relying on cookies. Customer data platforms have emerged as effective tools for cookieless tracking implementation.
As the digital landscape continues to evolve, marketers must adapt to new tracking methods that prioritize user privacy while still providing valuable insights. By embracing cookieless tracking techniques and leveraging first-party data, businesses can navigate the challenges posed by privacy regulations and browser restrictions, ensuring accurate attribution and effective marketing strategies in the cookieless world.
Able Customer Data Platform has been pioneering cookieless tracking solutions and supports all of the legal first-party data cookieless tracking methods described above.