Is multi-touch attribution possible without third-party cookies? — Considering marketing measurement in the cookie-free era
This page has been translated by machine translation. View original
I'm Shigahi. At Classmethod Europe GmbH, I help Japanese and European companies with privacy compliance as a Cookiebot Platinum Reseller.
A recent article from Usercentrics, "Cookieless multi-touch attribution: the future of targeting" featured in the Cookiebot partner newsletter, provides an excellent overview of the challenges many marketers are currently facing, which I'll explain in Japanese.
What is Multi-Touch Attribution (MTA)?
Multi-Touch Attribution (MTA) is a measurement model that allocates conversion credit across multiple touchpoints in the customer journey.
For example, if a user sees a paid ad, later searches on Google, and finally makes a purchase in a physical store, the last-touch model (which attributes success only to the final touchpoint) would credit only the in-store interaction. However, MTA distributes credit across all these touchpoints, making visible the fact that seeing the ad itself contributed to the purchase.
Until now, MTA has heavily relied on third-party cookies. Cookies store small pieces of information in a user's browser, allowing the same user to be identified across multiple sessions and even across multiple sites. These cookies have supported the fundamentals of MTA, such as establishing lookback windows (how far back to evaluate previous touchpoints) and eliminating duplicate counts.
What "breaks" with the elimination of third-party cookies?
In response to stricter data privacy laws like GDPR, major browsers are moving to restrict and eliminate third-party cookies. Safari's ITP (Intelligent Tracking Prevention) and Firefox's ETP (Enhanced Tracking Protection) already block third-party cookies by default. Chrome is also implementing Privacy Sandbox technology and enhancing user controls.
Having witnessed privacy compliance efforts in Berlin, I feel this is not merely a technical change in browsers, but a structural transformation of the entire foundation of digital marketing measurement. Let me outline four aspects of how MTA is breaking down.
1. Loss of cross-site identifiers
Without third-party cookies, we lose the common identifier that tracks the same user across different sites. As a result, customer journeys become fragmented, with what should be connected visits appearing as isolated, separate accesses. This means results tend to be biased toward the last touch (direct visits or brand search clicks).
2. Multi-device connection becomes unstable
Multi-device stitching is a technique that integrates data from multiple devices, such as PCs and smartphones, to track a single user's journey. This was traditionally accomplished through a combination of third-party cookies and probabilistic matching technology, but browser restrictions are causing this to lose reliability. In other words, the same person's mobile and desktop behaviors are processed as separate users.
3. Collapse of touchpoint chronology and lookback windows
Third-party cookies allowed us to track user interactions chronologically across multiple sessions. With shortened cookie lifespans, early touchpoints fall outside the attribution window. This means upper-funnel channels (awareness initiatives) appear less effective than they actually are.
4. Breakdown of cross-channel deduplication
Deduplication is a mechanism to prevent double-counting when the same user crosses multiple platforms. Without third-party cookies, each platform reports conversions independently, unable to maintain consistency with each other. This results in inflated conversion numbers, making it difficult to accurately determine ROAS (Return on Ad Spend).
First-party data becomes the foundation for cookieless MTA
Reading this far, you might think "Is MTA no longer usable?" But MTA itself is not ending. Only the traditional methods that depend on third-party cookies are ending.
The key to rebuilding is first-party data. By building on data collected directly from users with their consent, you can continue MTA in a way that most browsers, platforms, and privacy laws accept. Moreover, this data can be owned and managed by your company, giving you control over how it's processed.
Specifically, you'll need to switch to authenticated first-party identifiers (FPIDs) such as:
- Login-based IDs
- Hashed email addresses
- CRM-linked records
- Loyalty program reference numbers
- First-party cookies set on your own site
- Mobile app instance IDs, mobile ad IDs, and identifiers generated by SDKs
This approach aligns with the "legitimate interest" concept of GDPR and the principles of the ePrivacy Directive. Using first-party data with consent will become the common foundation for marketing measurement in Europe, Japan, and the US under CCPA.
5 Steps to Implement Cookieless MTA
The Usercentrics article outlines a practical roadmap. Let's examine it step by step.
Step 1: Collect consent-based first-party data
The first requirement is implementing a CMP (Consent Management Platform). CMPs like Cookiebot or Usercentrics obtain detailed consent from users through cookie popups or banners and record it in a structured format. They automatically block third-party trackers for users who haven't consented to analysis.
As I've written in previous articles, cookie inventories take more time than expected. There have been actual cases where the number of cookies exploded from 170 to 900 due to the addition of external tags. Accurate consent management is virtually impossible without a CMP.
Step 2: Implement server-side tagging and tracking
Moving tracking from the user's browser to the server side allows you to control the data processing flow on your own infrastructure. This reduces the risk of losing conversion visibility due to browser-based script blocking and allows you to build a system that passes only consented data to subsequent platforms by integrating with a CMP.
According to Usercentrics data, server-side tracking adoption has grown rapidly since 2020, with 20-25% of small and medium-sized businesses having already implemented it. It's predicted that 70% of data-driven organizations will adopt it as standard by 2027.
Step 3: Connect server-side events to analytics and advertising platforms
From the server-side setup, send customer interaction data to analytics platforms. By hashing first-party identifiers before sharing, you can minimize user privacy risks. For example, when sending a purchase event, you would hash customer names or email addresses.
Integration with Meta Conversions API (CAPI) or LinkedIn Conversion API also happens at this layer.
Step 4: Utilize modeling and data clean rooms
First-party data alone may not cover all customer journeys. In such cases, use probabilistic data-based modeled attribution or data clean rooms to safely analyze aggregate data. For example, when there aren't enough clicks on an ad campaign, you can check whether paid ads still exist in the customer journey.
Step 5: Verify with incrementality tests and MMM (Marketing Mix Modeling)
Finally, regularly validate the accuracy of your attribution model. Incrementality checks analyze changes in user behavior with and without specific channels. Meanwhile, MMM statistically evaluates contribution at the macro level of entire channels, rather than at the individual user level, supporting long-term budget allocation decisions.
The 2026 best practice is UMM (Unified Marketing Measurement), combining MTA and MMM. This hybrid approach leverages MTA's strengths for short-term, user-level digital optimization and MMM for long-term, cross-channel strategic planning.
Implications for Japanese companies
With the 2026 revision of Japan's Personal Information Protection Act, regulations on personal-related information (including Cookie IDs) will be strengthened and a penalty system will be introduced. This means that not only European companies but also Japanese companies are reaching a point where they must move away from "tracking without consent."
The mindset should not be "marketing measurement becomes impossible without third-party cookies," but rather "building a more accurate and sustainable measurement foundation with consent-based first-party data and server-side measurement."
Implementing a CMP is the first step. Cookiebot provides consent management that complies with GDPR, CCPA, and Japan's Personal Information Protection Law, and supports integration with server-side tagging environments.
If you're unsure where to start or struggling to keep up with multiple sites, please feel free to contact cookiebot.jp.
Summary
| Challenge | Third-Party Cookie Era | Cookieless Era Alternative |
|---|---|---|
| User Identification | Third-party Cookies | First-party Identifiers (FPID) |
| Cross-site Tracking | Cookie Synchronization | Server-side Tagging + CMP |
| Multi-device | Probabilistic Matching | Authentication IDs (Login, Hashed Email) |
| Deduplication | Common Cookie ID | Data Clean Rooms |
| Long-term Analysis | Lookback Windows | MMM + Incrementality Testing |
| Legal Basis | Implicit (Often Without Consent) | Explicit Consent (via CMP) |
MTA is not ending. Rather, it's in the process of evolving into a more reliable measurement model based on consent. First-party data, server-side tracking, and CMPs. Rebuilding around these three axes will become the standard for marketing measurement going forward.
Original article: Cookieless multi-touch attribution: the future of targeting (Usercentrics, February 13, 2026)
