top of page

Cookies, parameters and tags – how web tracking works and what’s changing

“Google Chrome to block third-party cookies by the end of 2024” – you may have read this headline or one like it, seen it in an article covering any of the major digital advertising platforms like Google or Meta, or even heard it in a board meeting.

It sounds like it’s important, but you don’t really know what it means. Does this require “putting too much milk in your tea” or “the house is on fire” level of worrying? You therefore either assume other people will know more about this subject than you and don’t ask, or when you do ask, you find it hard to judge whether you are getting a reasonable answer.


If this sounds familiar, then you’re in the right place. We'll set out the basics of how web tracking works, the impact of the various privacy-driven changes over the past few years, and the upcoming changes in Google Chrome.

We’re not technical tracking experts, but almost all our work involves using the outputs from tracking, and when you are running an ecommerce business you certainly feel motivated to understand how it works – as without it you are effectively ‘flying blind’. But if you are a senior marketing leader, CEO or private equity investor – we’ll help you to understand what you should be worrying about and what questions you should be asking.


How does web tracking work?


For our purposes, in this article we’re going to focus on a subset of web tracking capabilities relating to understanding the behaviour of users on your own website – which sources they arrive from, what they do and what they buy. This is key to accurate attribution and measuring marketing ROI, important factors for any investor-backed business seeking above-market growth.


We need to understand the two key components of web tracking:


1.       URL parameters: if you see a '?' in the address bar of a webpage, everything following it relates to web tracking. There is a standard structure used, called UTM parameters, which track certain dimensions like the source you arrived from or which ad creative you clicked on – these are appended to the links that you would have clicked on to arrive on the website.


You can test this by deleting all the tracking parameters in the URL and re-loading the website.

UTM parameters

2.       Cookies: these are small text files that record information in your web browser relating to your activity on a website. For example: a unique anonymous identifier; which pages you visit; and if you add any products to your basket or make a purchase. These cookies can either be ‘first-party’ - meaning they can only be accessed by the website you are visiting, or ‘third-party’ - meaning they can be accessed by any website using the third-party provider’s code. When you see adverts ‘following you around the internet’, these are relying on third-party cookies – so it’s not hard to see why these have been the subject of privacy concerns.


You can see which cookies have been placed by a website when in Google Chrome by pressing the F12 key, navigating to the ‘Applications’ tab and selecting ‘Cookies’ from the left-hand menu. Cookies are placed at a browser level, so you if you visit a website from difference browsers or different devices, you’ll receive additional cookies. Google Analytics cookies normally last for two years, but this can be configured.

When you look at the performance of your website in Google Analytics (the web tracking tool used by >85% of the world’s websites), almost all of the data has been gathered by some combination of URL parameters and cookies being created and logged.

Web tracking is something that requires constant management - whenever you change your website, upload new content or make changes to your digital marketing activity, there is a risk that tracking could be corrupted or missed altogether. It is important to have a robust approach to monitoring tracking as it is not normally possible to retrospectively backfill any missing data.


What has been changing with web tracking?


General Data Protection Regulation - GDPR (2018)


Arguably one of the most important changes to online privacy was the introduction of the General Data Protection Regulation (GDPR). It harmonised data privacy laws across Europe and introduced the requirement for explicit and informed consent from users to store cookies, where before consent was assumed through the ‘privacy policy’ (you’ve read that, right?). Website owners are now required to have explicit consent for each type of cookie (often presented as ‘necessary’ and ‘optional’).


Safari Intelligent Tracking Prevention (ITP) (2018)


Shortly after GDPR was introduced, Apple’s Safari became the first mainstream browser to block third-party cookies by default and apply lifespans to first-party cookies. As the second most popular browser, this affected 20% of total search traffic, significantly impacting businesses that rely on third-party cookies to target their advertising like Meta.


Google Analytics 4 (2020)


Google Analytics 4 (GA4) was released as an update to their Universal Analytics (UA) platform to move away from third-party cookies and prevent the collection of personal information post-GDPR. For example, there an explicit section in its Terms & Conditions confirming that a website may not store any personally identifiable information such as IP addess within GA4.

For most regular GA users who we work with, the switch to GA4 was painful, with a significant reduction in the platform’s ability to run reports and understand website performance. However, the data structures that can be accessed via the API or in the Google BigQuery data warehouse were an improvement, and the shift to use first-party cookies means that GA4 will survive the current trend of browsers blocking third-party cookies by default. GA4 also added improved consent management features supporting opt-out options for website visitors (known as ‘Consent Mode V1’).


GA4 Consent Mode V2 (2023)


Consent Mode V2 aims to ‘improve user privacy and data compliance’ with mandatory enforcement for all companies using Google Analytics or Google Ads (PPC) in March 2024. In V1, users who did not explicitly consent to cookies would still have their event data tracked and sent to Google ‘anonymously’, to train their machine learning models.


In V2, alongside some other compliance updates, Google have provided website owners with two options, “basic” and “advanced”. Basic mode means that the website visitor must respond to the cookie consent banner before GA4 loads. In advanced mode, GA4 loads when the website loads, but users who do not respond to the cookie consent banner will still be tracked via ‘Cookie-less pings’, and their data will still be used to train Google’s ML models, to estimate the behaviour of users who declined first-party cookies.


Google Chrome Third-Party Cookie Blocking (2024)


Google Chrome will block third-party cookies in H2 2024 and is already rolling out its ‘Tracking Protection’ feature to some users on a trial basis. With a market share of 65% of web browser usage, this will have a significant impact on any business reliant on third-party cookies for web tracking.


What does this mean for you and what should you do?


The combination of the changes to web tracking since 2018 means that even with the privacy-protecting changes in GA4, not every website visitor is tracked.


Based on a sample of four of our largest ecommerce clients where we can compare transactional data with Google Analytics, consistently 75-80% of online conversions can be tied to individual, anonymous website behaviour tracked in GA4.


So, whilst we’ve lost some visibility, we aren’t yet flying blind. When assessing marketing performance, we tend to allocate those un-tracked conversions pro-rata with those that we can track. Google’s Consent Mode v2 may try to do something a bit more scientific but for most businesses, this isn’t necessary.


The upcoming changes in Google Chrome are unlikely to adversely change this core tracking ability, as they impact third-party cookies rather than first-party cookies as used by GA4 – so in that sense, you don’t need to worry.


If you’ve relied on social media channels for paid advertising or run retargeting activity (serving display ads to your recent website visitors after their visit), you will have seen a more significant impact from changes relating to third-party cookies, most notably Apple’s ITP. This would have made it harder to track and target your specific customers and their ‘lookalikes’, reducing advertising effectiveness and increasing cost. Platforms such as Meta have changed their tracking methodology to mitigate some of these issues, but Chrome’s upcoming changes will likely impact this further.


If this applies to you, I think this is a great opportunity to really test the efficacy of these types of advertising through incrementality testing (for example, only running the activity in one geographic region to allow for comparative analysis). It also forces you back to more ‘analogue’ contextual targeting techniques – instead of ‘following people around the internet’ at an individual level, you can understand your audience as a whole and think about which other types of websites they might visit.


This should also serve as a catalyst to ensure you are collecting identifiable data from your website visitors – subscribing them to your mailing list or offering demos and downloads which require contact information. This type of legitimately acquired data is always going to be more reliable for targeted advertising than anonymous third-party cookies.


What questions should I ask?


If you are attending a management or board meeting and want to understand the current state-of-play for a business’s web tracking, you could ask:

(1)    Do we have web tracking expertise in house via a trusted partner? This is a mission critical area if your business drives meaningful demand or conversions online, and it would be a risk to not have access to skilled resources at short notice.

(2)    How many of our online purchases or conversions can we tie back to identifiable, anonymous website visitors (i.e. how often is GA4 able to track website visitors at an individual level?)

(3)    How reliant is your marketing activity on retargeting and/or paid social activity? If this drives a meaningful proportion of your revenue, are you using contextual/aggregated targeting rather than relying on third-party cookies? It may also be worth asking how the business was impacted by ITP in 2018.


We’ve covered the basics of web tracking, the recent changes, and how upcoming adjustments in Google Chrome might affect your business. You don’t need to know every detail of technical web tracking to ensure your business is taking the correct steps - I’ll save describing cross-device joining and server-side tracking for another day!


There is no need for panic - we work with this type of data every day and still have plenty of ways to understand and improve website performance with Google Analytics and internal data after the privacy-driven changes of recent years. But it is also important to not be complacent. There will no doubt be further changes in the future so making sure you have access to sufficient technical talent is key.


If you’d like to discuss how you can understand the role of web tracking in measuring marketing effectiveness for your business, please Contact Us.



Subscribe to get my ideas as they are published

Thanks for subscribing - I normally publish ideas at the start of each week.

bottom of page