"Safari traffic looks like it lost 30% of conversions year over year." "Tags fire empty after the cookie banner went up." I keep hearing variations of this from EC operators — and most of the time, the cause isn't the site or the campaigns. Browsers and regulators are dismantling the third-party cookie premise at the same time, and the measurement stack many EC teams rely on is built right on top of that premise.
Below is the short version of how I think about migrating to first-party measurement without trying to recreate the old world.
TL;DR
- The third-party cookie premise is ending from two directions at once. Safari blocked 3rd-party cookies by default in 2020, Firefox shipped Total Cookie Protection in 2022, Chrome is phasing through Privacy Sandbox, and Japan's revised Telecom Act introduced external transmission disclosure obligations in June 2023.
- Separate broken metrics from intact metrics first. Cross-site retargeting, view-through attribution, cross-channel individual LTV are on the broken side. On-site CVR / AOV / RPS / on-site last-touch attribution remain intact.
- First-party measurement migrates in 4 steps: ① decide your on-site measurement points ② set up the disclosure obligation (Japan-specific) ③ make UTM the source of truth for channel classification ④ redefine KPIs by reverse-engineering revenue.
- The goal isn't 100% precision recovery. It's keeping the precision needed for decisions.
The premise is ending — three forces, simultaneously
Third-party cookies are cookies issued by a domain other than the site being visited. They've been the backbone of cross-site behavioral tracking. That premise is now collapsing from three angles at once.
Browser-side restrictions ramped up step by step. Safari introduced ITP in 2017 and reached full default 3rd-party cookie blocking in March 2020. Firefox rolled out Total Cookie Protection to all users globally in June 2022, isolating cookie storage per site. Chrome continues phasing through Privacy Sandbox, exposing replacement APIs (Topics API, Attribution Reporting API).
Japan's revised Telecom Act (June 2023) added an external transmission disclosure obligation. Telecom-style operators that transmit user information externally via web or app must disclose four items: recipient, information transmitted, purpose of use, and opt-out method. Most EC operators in Japan fall in scope.
OS-level privacy features (iOS / Android) restrict per-app tracking IDs. Strictly that's not a cookie story, but from an EC operator's view it's part of the same shrinking-measurement-environment trend.
"Wait until the spec stabilizes" is no longer a real option. Better to assume the premise won't come back and design for it.
Browser status — same direction, different shape
The vendors landed in different places. EC operators need to know each one's current state.
Two practical takeaways:
First-party cookies still work. Identifiers like visitor_id / session_id issued from your own domain are not subject to 3rd-party restrictions. Catch: Safari ITP caps the lifetime of JS-written first-party cookies at up to 7 days, so designing long-term LTV tracking on cookies alone won't work.
Privacy Sandbox is not a 1:1 cookie replacement. It's a split into purpose-specific APIs. Targeting goes to Topics API, ad measurement goes to Attribution Reporting API, etc. From the EC side, ad measurement precision isn't recovered to 100% — instead you keep just enough precision per use case.
What breaks vs what holds
This is the most important framing change.
| Status | Metric | Impact | Why |
|---|---|---|---|
| Broken | Retargeting precision | High | Requires cross-site cookies |
| Broken | View-through attribution | High | Requires cross-vendor tracking |
| Broken | Cross-channel individual LTV | High | Cross-device/vendor ID join is hard |
| Intact | On-site CVR | Low | First-party cookies suffice |
| Intact | AOV | Low | Computed directly from orders |
| Intact | RPS (Revenue Per Session) | Low | On-site sessions × revenue |
| Intact | Last-touch (on-site) | Low | UTM + referrer is enough |
The realization that re-set our KPI work: most EC decisions can be made entirely from the "intact" side. Channel-level RPS tells you which channel to invest more in. CVR and AOV tell you whether to fix the site or fix pricing. You don't need cross-site individual LTV to make those calls.
The "broken" metrics still survive — just inside ad platforms (Google Ads, Meta Ads Manager) as closed-loop measurement. Cross-vendor aggregated LTV is hard to recover, but scoping aggregation to per-vendor numbers keeps the data usable.
The 4-step shift
Step 1 — Lock down on-site measurement points
Decide first: what gets measured where, on your domain. Specifically:
- The domain that hosts the measurement script (your own domain, ideally)
- First-party cookie names and lifetimes
- Session definition (inactivity timeout)
- Core events to capture (pageview / add_to_cart / purchase)
- What you explicitly do NOT capture (PII, sensitive info)
Hosting the script on your own domain dodges Safari ITP's cookie lifetime cap and reduces the impact of resource-level blocking (ad blockers).
Step 2 — Stand up the disclosure (Japan operators)
For Japanese EC operators: treat the four-item disclosure as a standalone artifact. A dedicated page (e.g., /external-data-policy), reachable from footer + cookie banner. Comprehensive listing of every external transmission. An internal process that updates the page whenever a tool is added or removed.
The point: writing it once is not the goal. Keeping it up to date is. Build the disclosure update into the tool-adoption decision flow.
Step 3 — Make UTM the source of truth
In a cookie-restricted environment, UTM parameters become the source of truth for channel classification. Referrers drop more often (referrer policy, HTTPS→HTTP, in-app browsers), but UTMs in URLs survive.
- Standardize
utm_source/utm_medium/utm_campaignvalues as a written guideline - Avoid case mismatches (
facebook/Facebook) and full-/half-width drift - Use ad-platform URL templates to minimize manual entry
- Apply lowercase + trim normalization on the measurement side
After cookie restrictions, UTM quality directly determines RPS / ROAS accuracy by channel.
Step 4 — Redefine KPIs by reverse-engineering revenue
Drop "broken" metrics (cross-channel individual LTV, view-through) from the headline KPI list. Promote "intact" metrics (CVR / AOV / RPS / on-site last-click) to the top line. Treat cross-vendor aggregations as reference data only. Start monthly reviews from on-site metrics first.
In a cookieless world, KPI design isn't about adding more measurable signals — it's about narrowing to signals that actually drive decisions.
Closing thought
I've been building RevenueScope — a thin analytics layer that surfaces these intact-side KPIs (channel-level RPS / CVR / AOV) on a single dashboard, with the measurement script living on the customer's own domain. The longer-term hypothesis: the EC teams that consistently outperform aren't the ones with the most measurement coverage. They're the ones who picked early which signals to actually argue about every week.
How are you handling the cookieless transition on the EC side? Especially curious if anyone has shipped a clean disclosure page setup that doesn't rot the moment a new tool is adopted.
This article was originally published by DEV Community and written by toshihiro shishido.
Read original article on DEV Community