Attribution Modeling in Digital Marketing: The Past [Part 1/3]

Since Google announced plans to shut off support for third-party cookies by 2022, the industry has been awash in proclamations — "cookies are dead," "attribution modeling has no future," and everything in between.

This first article in a three-part series cuts through that noise. It looks at the role third-party cookies have played in attribution, the browser-level changes that have steadily eroded their reach, and why what's being framed as a "privacy revolution" is, in many respects, a fallacy.

Beyond attribution, the series examines the technical underpinnings of how attribution models actually work and why those characteristics make them especially vulnerable to cookie deprecation.

What This Series Covers

This is a dense topic, so breaking it into three parts makes sense.

• The past (this article): The role third-party cookies have played in attribution, the browser changes that have weakened them, and the privacy fallacy driving their demise.
• The present: What current attribution models look like, and the specific roles first-party and third-party cookies play in them.
• The future: How Google and Apple's walled gardens are reshaping attribution, and the viable alternatives to third-party tracking that are emerging.

This first part is about context. Let's start from the beginning.

The Origins of Cross-Site Tracking and Third-Party Cookies

For over a decade, online advertising companies have used web cookies — primarily third-party cookies, often called third-party trackers — to identify users across different websites. This practice is known as cross-site tracking.

The reasons for doing so are concrete: running behaviourally targeted ads based on browsing history, enforcing frequency capping (avoiding showing the same user the same ad repeatedly over a given period), measuring ad campaign performance, and attributing ad impressions and clicks to conversions.

AdTech platforms like DSPs use third-party cookies to identify the same user across different websites.

In the early days, this all happened quietly in the background as pages loaded. It didn't take long, however, for users, journalists, and regulators to discover that these cookies were being used to build profiles of individuals' interests and behaviour across the internet.

Add in the data collection practices of Google and Facebook, and the situation becomes considerably more loaded. Whether those practices are harmful or excessive is a separate debate — but they set the stage for the privacy concerns that followed.

One key driver of those concerns has been data breaches and leakages — mass data sharing between companies, or unauthorized access due to security failures. The Facebook and Cambridge Analytica scandal, tied to voter influence in the US elections and the UK's Brexit campaign, pushed data privacy into mainstream discourse at a level not seen before.

Yet the actual depth of public concern, when measured against everyday behaviour, is telling.

Google Trends data shows a clear upward trajectory in searches for "data privacy" — but when compared against random searches like "white sneakers" or "avocado," the relative importance drops dramatically.

Data privacy vs. random searches — US, past 5 years

Google Trends

Google Trends

Google Trends

This gap between stated concern and demonstrated interest is precisely what has left the door open for companies like Apple and Google to position themselves as privacy champions.

A More Private Web: The Privacy Fallacy

"A more private web" is the stated goal behind most of the recent browser changes designed to limit third-party cookies and related tracking methods.

Although ad-blocking tools like AdBlock Plus had been gaining traction since the mid-2000s, the first significant privacy move from a browser vendor came in 2015, when Apple released content blockers with iOS 9. These blockers prevented certain scripts and elements from loading in Safari on iOS devices, with two goals: faster page load times and stopping third-party trackers from collecting data.

The conversation became much more serious when Apple introduced ITP 2.0 (Intelligent Tracking Prevention) in 2017 — blocking third-party cookies by default and restricting the lifespan of certain first-party cookies. Firefox followed with its own protections shortly after.

Here's a summary of where the major browsers stand:

Safari's Intelligent Tracking Prevention (ITP): Blocks third-party cookies by default, restricts the lifespan of certain first-party cookies, and deletes local storage data after 7 days.

Firefox's Enhanced Tracking Protection (ETP): Blocks social media trackers, third-party cookies, and device fingerprints by default. Users can strengthen protections further through settings.

Google Chrome's Privacy Sandbox: A proposed set of privacy-centric standards designed to replace the advertising functions currently underpinned by third-party cookies — including ad targeting, retargeting, measurement, and attribution.

Chrome has also already shipped a structural change to how it handles cookies.

Google Chrome's SameSite Attribute

In October 2019, Google's Chromium team published a detailed post explaining how cookie handling would change in Chrome 80. The core of it: website developers would need to explicitly label cookies using a SameSite attribute (specifically, SameSite=None) to distinguish between cookies intended for use only on the current site versus those designed for cross-site use.

This change effectively gives users more visibility and control over whether third-party cookies are created in the first place.

For publishers and advertisers, the practical impact is limited — these changes need to be implemented at the platform level by the developers behind tools like Facebook, Google, and Criteo. For teams using tag management systems like Tealium IQ, first-party cookies created within that system already include the SameSite parameter.

The Decision Is Not Really Made By the User Anymore

Here's a critical distinction that often gets lost in the privacy conversation: the browser privacy settings in Safari, Firefox, and Chrome are default configurations, not choices actively made by individual users.

This is meaningfully different from a user choosing to install an ad blocker. Installing an ad blocker is a deliberate, user-initiated decision. Browser-level cookie blocking is an opt-out that's been set on the user's behalf by the browser vendor.

That doesn't make it wrong, but it does complicate the framing of "user privacy" as the primary motivation — particularly when the same companies restricting third-party data collection are simultaneously building their own alternatives.

Google has proposed Chrome's Privacy Sandbox. Apple has put forward Privacy Preserving Ad Click Attribution. Both offer pathways for some level of advertising functionality — but through infrastructure those companies control.

This is the core of the privacy fallacy: the data will still likely be collected at the most granular level by companies like Google, as it is today — it just won't be shared with independent marketers and AdTech vendors.

Apple's privacy positioning aligns reasonably well with its broader business model, which isn't ad-dependent. Google's motivations are harder to read, given that its ad platforms hold a dominant position in the programmatic advertising ecosystem.

The question that has circulated widely in the industry: Is Google introducing privacy restrictions that limit independent AdTech companies' data access, while continuing to collect and use that same user-level data internally?

It's a fair question. The answer is becoming clearer over time.

How the Scale of the Problem Changed

When Safari first started blocking third-party cookies in 2015, it was a single browser operating in relative isolation. Safari holds approximately 17% of global browser market share — though this varies considerably by market and device type. The most current figures are available via StatCounter.

When Firefox introduced similar protections, the combined market share of the two still wasn't enough to shake the AdTech industry in any fundamental way. Most platforms absorbed the impact and moved on.

Then came January 2020: Google announced Chrome would end support for third-party cookies by 2022.

Chrome commands approximately 60–70% of global browser market share. That announcement changed the calculus entirely.

Platforms that have built their core functionality on third-party cookies — programmatic and RTB platforms, DMPs, multi-touch attribution models, retargeting tools — are now facing a significant reduction in their ability to collect, model, and activate user-level data.

It's worth being precise here, though: third-party cookies are the thing being deprecated, not cookies broadly. First-party cookies will remain largely intact, at least for now. Many companies most affected by this shift have already been building cookieless solutions in anticipation of the change.

The Role Data Plays in Digital Advertising and Marketing

Companies collect and use data for a wide range of purposes: personalizing on-site experiences, keeping users authenticated, and identifying friction points through web analytics.

But the data shared with third parties generally serves a handful of specific advertising and marketing functions:

• Cross-site ad targeting
• Measurement and attribution
• Audience segmentation and activation
• Frequency capping

Among the most prominent third parties in this space: Salesforce with its DMP, Criteo with its retargeting platform, Nielsen with its multi-touch attribution offering, and Google across its many advertising and marketing platforms.

Cookies are central to all of this. They collect identifiers that enable platforms to connect the dots across a user's interactions with digital assets — which is precisely why attribution, in particular, is so exposed to what's coming.

Attribution Modeling: Why It Matters

The days when a customer would encounter one ad, one message, and immediately purchase are largely gone. Today, based on Nielsen data, over 50% of customer journeys involve two or more touchpoints. Users research across channels, compare options, and move through multiple interactions before converting.

That complexity means companies need to be present across search, social, email, display, and retargeting simultaneously — and they need to understand which of those touchpoints are actually driving outcomes.

Attribution modeling is how that understanding is built. It helps identify which touchpoints contributed to a conversion, allowing marketers to answer questions like:

• Which touchpoints did a customer encounter before converting (completing a purchase, download, or other goal)?
• How did each touchpoint contribute to revenue — directly or in an assisted capacity?
• Which touchpoints are generating the most and fewest conversions and revenue?

Part 2 of this series goes deeper on attribution modeling specifically — current models, how they work, and the precise ways first-party and third-party cookies interact with them.

Before moving on, here's a summary of what this first part has established:

• Safari and Firefox implemented default privacy settings blocking third-party cookies, reducing advertisers' ability to track users across sites.
• Google Chrome introduced the SameSite cookie attribute and announced it will end third-party cookie support entirely.
• Chrome has also proposed Privacy Sandbox as a replacement framework for targeting, measurement, and attribution.
• The "more private web" framing is partly a fallacy: Google's own AdTech platforms are unlikely to be affected in the same way as independent vendors.
• Users aren't actively choosing these privacy settings — they're defaults set by browser vendors.
• Multi-touch attribution models, DMPs, ad servers, and retargeting platforms all rely on third-party cookies and will be directly impacted by their deprecation.