Attribution & Measurement
RGM° · Training
Post-ATT and Cookieless Attribution
The defining measurement challenge of the decade. iOS ATT, cookie deprecation, Privacy Sandbox, CAPI, clean rooms, and the survival strategies that work.
Why this matters
The measurement substrate of the 2010s — ubiquitous third-party tracking, persistent user identifiers, click-attribution accuracy — is collapsing. Mature programs are adapting through multiple strategies: server-side conversions, first-party identity investments, MMM and incrementality re-emergence, data clean rooms, and Privacy Sandbox APIs.
The teams that move fast are gaining structural advantages. The teams that hope cookies come back are losing ground.
iOS ATT
Apple's App Tracking Transparency (ATT), launched April 2021 with iOS 14.5, requires apps to request user permission before tracking across apps and websites owned by other companies. Opt-in rates run 20–30%; iOS users represent roughly half of US smartphone users and skew higher-income.
What ATT broke
- Cross-app user identification via IDFA (Identifier for Advertisers).
- Click-attribution for iOS app installs and in-app conversions from web ads.
- View-through attribution on iOS.
- Audience-based retargeting precision for iOS-heavy programs.
What ATT preserved
- Within-app first-party tracking.
- Aggregate measurement via SKAdNetwork (and SKAN 4.0+ for finer detail).
- Server-side conversion API tracking via hashed user data.
- Brand and engagement-level measurement via consented users.
SKAdNetwork (SKAN)
Apple's privacy-preserving attribution framework. Provides aggregate conversion data with delays and limits. Used by all major iOS-targeting ad platforms. SKAN 4.0 added more granular conversion windows and post-install lifecycle measurement.
Third-party cookie deprecation
Chrome's plan to deprecate third-party cookies has been repeatedly delayed. As of 2024–2025, the path forward involves consent-mode-based degradation and increasing reliance on Privacy Sandbox APIs.
Browsers that already block
- Safari (ITP): Blocked since 2017; further restricted in 2019–2020.
- Firefox (ETP): Blocked since 2019.
- Brave, DuckDuckGo browser: Block by default.
- Chrome: Phased deprecation in progress.
What this means in practice
- Cross-site identification via third-party cookies is unreliable today, with or without Chrome.
- First-party cookies still work and are the foundation of on-site personalization.
- Server-side tracking and authenticated identity become more important.
Privacy Sandbox
Google's set of privacy-preserving web APIs intended to replace third-party cookies. Key components:
- Topics API. Browser-derived topic interests inferred from browsing history; available for ad targeting without user-level identification.
- Protected Audience API (formerly FLEDGE). On-device auction for retargeting and custom audiences without server-side user identification.
- Attribution Reporting API. Privacy-preserving conversion attribution with summary reports and event-level reports (with noise).
- Trust Tokens / Private State Tokens. Anti-fraud and authentication without identification.
- CHIPS, Storage Access API, Fenced Frames. Architectural pieces enabling functionality without cross-site tracking.
The Privacy Sandbox is still maturing. Effectiveness for advertisers vs cookies is debated; some studies show measurable ROAS decline, others show acceptable performance for properly-prepared advertisers.
Conversion APIs (CAPI)
Server-side conversion APIs are now the foundation of post-ATT measurement. Meta CAPI, TikTok Events API, LinkedIn CAPI, Google Enhanced Conversions, Snap CAPI — each platform's server-side equivalent of its browser pixel.
What CAPI does
- Captures conversions server-side, beyond browser's reach.
- Bypasses ad blockers and tracking prevention.
- Passes hashed user data (email, phone, IP) for matching.
- Improves attribution match rates 15–40% on average.
- Enables matching to closed-won CRM events post-conversion.
Implementation
- Server-side GTM is the most common implementation route.
- Direct API integrations for organizations with backend control.
- Deduplication keys required when CAPI and browser pixel both fire.
- Hashing per platform requirements (SHA-256 typically).
First-party data and identity
- Email-based identity. Hashed email as cross-platform key. Customer match in Google Ads, Meta, LinkedIn, TikTok.
- Account-based identity. Logged-in users with persistent IDs across sessions and devices.
- Phone-based identity. SMS marketing platforms; phone hashing for ad platforms where supported.
- Customer Data Platform (CDP). Centralized identity resolution: stitch together emails, phones, devices, and behavioral signals into unified profiles.
- Universal IDs. Industry-led alternatives to third-party cookies: ID5, UID 2.0, LiveRamp RampID, The Trade Desk's identity solutions.
Modeled conversions and data clean rooms
Modeled conversions
When observed conversions are incomplete (consent declined, identifier lost, cross-device), platforms statistically model the missing conversions. Google Consent Mode, Meta's modeling, GA4's behavioral modeling all do this.
Modeled conversions are aggregate estimates, not user-level. They're directionally useful but should not be confused with observed.
Data clean rooms
Privacy-preserving environments where two or more parties can analyze their data together without exposing individual records. Examples: Amazon Marketing Cloud, Google Ads Data Hub, Snowflake Data Clean Rooms, AppsFlyer Privacy Cloud, Habu (acquired by LiveRamp).
Use cases: cross-platform measurement, audience overlap analysis, lookalike modeling with retailer data, cohort analysis with partner data.
Survival strategies
- Triangulation across MMM + incrementality + MTA. Don't rely on any single methodology.
- Server-side conversion APIs everywhere. Recover 15–40% of attribution match rate.
- First-party data investment. Build authenticated identity wherever possible.
- Consent Mode and consent management. Maintain measurement coverage in privacy-strict markets.
- Clean room readiness. Prepare for cross-platform analysis without raw user data exchange.
- Privacy Sandbox pilot participation. Test APIs before they're mandatory.
- Geographic mix awareness. EEA and California behave differently from US national average; segment your measurement.
Advanced playbook
- Identity graph maturity assessment. Audit your first-party identity coverage: % of customers with email, phone, account, device-stitched. Plan investments to fill gaps.
- CAPI implementation breadth. Coverage across Meta, Google, TikTok, LinkedIn, Snap, Pinterest, Amazon, X. Each platform missed is attribution lost.
- Hashed CRM integration. Push customer match audiences to all platforms; refresh weekly via CDP sync.
- Always-experiment posture. Quarterly incrementality tests as MTA degrades; tests are the ground truth.
- MMM as foundation. Build MMM as the strategic measurement layer; calibrate with experiments.
- Data clean room early adoption. Pilot AMC, Ads Data Hub, or partner clean rooms before they become required for measurement.
- Privacy Sandbox readiness. Test Topics, Protected Audience, Attribution Reporting APIs in your environment.
- Reporting honesty in stakeholder communications. Acknowledge measurement degradation. Quote ranges. Show triangulation.
- Geographic and platform-specific measurement strategies. Different markets and platforms have different signal availability. One global approach is wrong.
- Tactical-vs-strategic boundary discipline. Tactical = platform-native, server-side, modeled. Strategic = MMM + incrementality. Don't conflate.
Common mistakes
- Treating measurement degradation as transient; waiting for cookies to come back.
- No CAPI implementation; 30–50% conversion loss on iOS-heavy programs.
- Single-source attribution post-ATT; trusting MTA as the answer.
- No first-party data strategy; surface-level customer match without identity persistence.
- Skipping Consent Mode for EEA traffic; 30–50% data loss.
- Trusting modeled conversions as observed without stakeholder caveat.
- Treating Privacy Sandbox as theoretical; not piloting until forced.
- No data clean room strategy; missing cross-platform analytical capability.
- Geographic-uniform measurement; misses EEA and California differences.
- Failing to communicate measurement limits to leadership; manufactured confidence in numbers.
Operating checklist
- Conversion APIs implemented on Meta, Google, TikTok, LinkedIn (minimum)
- Server-side GTM or direct API integration with dedup keys
- First-party identity audit: email, phone, account, device coverage
- CDP or equivalent identity-resolution layer
- Consent Mode v2 implemented for EEA
- MMM built and rebuilt at least annually
- Quarterly incrementality testing cadence
- Data clean room access for major partners
- Privacy Sandbox API piloting
- Geographic segmentation in measurement
- Stakeholder communication acknowledges degradation and triangulation
Sources and further reading
- Apple App Tracking Transparency documentation
- SKAdNetwork (SKAN) documentation
- Privacy Sandbox documentation (Chrome, Google)
- Meta Conversions API documentation
- Google Enhanced Conversions documentation
- TikTok Events API documentation
- LinkedIn Conversions API documentation
- Amazon Marketing Cloud documentation
- Google Ads Data Hub documentation
- LiveRamp, ID5, UID 2.0, The Trade Desk identity initiatives
- IAB Cookieless and Privacy Working Groups
- Industry coverage: AdExchanger, Digiday, Marketing Brew on cookieless transition
Part of the Attribution & Measurement series.