Cookieless EC measurement: a 4-step shift to first-party

"Safari traffic looks like it lost 30% of conversions year over year." "Tags fire empty after the cookie banner went up." These are increasingly common complaints from EC operators — and most of them have nothing to do with the site itself or with ad performance. Browsers and regulators are dismantling the third-party cookie premise at the same time, and the measurement stack many EC teams rely on is built on top of that premise.

This article unpacks how third-party cookie deprecation and Japan's revised Telecom Act (external transmission disclosure) affect EC measurement — by separating what actually breaks from what still holds. From there it lays out a 4-step migration to first-party measurement that's realistic for 2026 and beyond.

Key takeaways#

1. The third-party cookie premise is ending from two directions at once. Safari blocked 3rd-party cookies by default in 2020, Firefox rolled out Total Cookie Protection to all users in 2022, Chrome is phasing through Privacy Sandbox, and Japan's revised Telecom Act introduced external transmission disclosure obligations in June 2023.
2. Separate broken metrics from intact metrics first. Cross-site retargeting, view-through attribution, and cross-channel individual LTV are on the broken side. On-site CVR / AOV / RPS / on-site last-touch attribution remain intact.
3. First-party measurement migrates in 4 steps. ① Decide your on-site measurement points ② Set up the 4 disclosure items required by Japan's law ③ Make UTM the source of truth for channel classification ④ Redefine KPIs by reverse-engineering revenue. The goal is not to rebuild 100% of ad measurement precision, but to keep the precision needed for decisions.

1. Why EC operators must drop the third-party cookie premise now#

Third-party cookies are cookies issued by domains other than the one being visited (the first party). They've been the backbone of cross-site behavioral tracking — used by ad platforms, analytics tools, and tag managers alike — for years.

That premise has been collapsing for some time, and three forces are doing the collapsing.

First, browsers tightened restrictions step by step. Safari introduced Intelligent Tracking Prevention (ITP) in 2017 and reached full default 3rd-party cookie blocking in version 13.1, March 2020 [4]. Firefox rolled out Total Cookie Protection to all users globally in June 2022, isolating cookie storage per site [5]. Chrome continues phasing through Privacy Sandbox, exposing replacement APIs like Topics API and Attribution Reporting API [3].

Second, Japan's revised Telecom Act introduced external transmission disclosure on June 16, 2023 [1]. It requires telecom operators and entities operating telecom-style services that transmit user information externally via web or app to disclose four items to users: recipient, information transmitted, purpose of use, and opt-out method. Most EC operators in Japan fall within scope.

Third, OS-level privacy features (iOS / Android) restrict per-app tracking identifiers (IDFA / GAID). Strictly this isn't a cookie story, but from an EC operator's perspective it's part of the same shrinking-measurement-environment trend.

Given all three are running simultaneously, "wait for the spec to settle" is not a real option. The premise is not going to come back, so measurement strategy has to be rebuilt around that fact.

2. Browser-by-browser status — Safari / Firefox / Chrome today#

The restrictions vendors have rolled out vary in shape. EC operators need to know each browser's current state to plan around them.

Two practical points matter for EC operators.

First, first-party cookies remain usable. Identifiers like visitor_id / session_id issued from your own domain are not subject to 3rd-party restrictions. The catch: Safari ITP caps the lifetime of JS-written first-party cookies at up to 7 days, so designing long-term LTV tracking on cookies alone won't work.

Second, Chrome's Privacy Sandbox is not a cookie replacement — it's a split into purpose-specific APIs. Targeting goes to Topics API, ad measurement goes to Attribution Reporting API, and so on. From the EC operator's perspective, ad measurement precision isn't recovered to 100% — instead you keep just enough precision per use case.

Much of the rise in GA4 "Direct / (none)" you've been seeing isn't unrelated to all this either. Cookie restrictions, referrer policy, and in-app browser quirks combine to drop the referrer and UTM. The full breakdown is in GA4 Direct/(none) increase: 5 root causes and fixes.

3. What Japan's revised Telecom Act adds on top#

For EC operators in Japan, the revised Telecom Act's external transmission disclosure is the local layer on top of the global cookie story [1][2]. It went into force on June 16, 2023, and requires user notification or public disclosure when a website or app transmits user information externally.

The four items that must be disclosed are:

A practical pitfall: burying these four items inside a privacy policy is generally not enough. A dedicated "External transmission disclosure" page (or a clearly accessible section) is the realistic operating model.

Another common misunderstanding is the assumption that "we're not a telecom operator, so we're out of scope." The act's definition of "operating a telecom-style service" is broad. Most EC operators that send user information to external services fall in scope. If your site uses GA4, Meta Pixel, ad pixels, chat tools, or heatmap tools — even one of them — disclosure is likely required.

4. What breaks vs what holds in EC measurement#

Cookie restrictions and the disclosure obligation don't break everything. Sorting what breaks from what holds is the fastest way to set priorities.

The point worth internalizing: most EC decisions can be made entirely from the "intact" side. Channel-level RPS tells you which channel to invest more in. CVR and AOV tell you whether to fix the site or fix pricing. You don't need cross-site individual LTV to make those calls.

The "broken" metrics survive — but only inside ad platforms (Google Ads, Meta Ads Manager) as closed-loop measurement. Cross-vendor aggregated LTV is hard to recover, but scoping the aggregation to per-vendor numbers keeps the data usable.

The limits of last-click attribution itself are covered in The last-click trap: why major brands change their attribution model. In a post-cookie world, last-click ends up being one of the few attribution models that keeps working.

5. The 4-step shift to first-party measurement#

Putting all of the above together, here is the migration plan.

Step 1: Lock down your on-site measurement points#

Decide first: what gets measured where, on your domain. Specifically, fix these five:

• The domain that hosts the measurement script (your own domain, ideally)
• First-party cookie names and lifetimes (e.g., visitor_id / session_id)
• Session definition (inactivity timeout in minutes)
• Core events to capture (pageview / add_to_cart / purchase, etc.)
• What you explicitly do not capture (PII, sensitive info)

Hosting the measurement script on your own domain dodges Safari ITP's cookie lifetime cap and reduces the impact of resource-level blocking (ad blockers).

Step 2: Stand up the 4-item disclosure (Japan)#

For Japanese EC operators, treat the four-item disclosure from Section 3 as a standalone artifact:

• A dedicated page (e.g., /external-data-policy) rather than a paragraph in the privacy policy
• Reachable from the footer and from the first-visit cookie banner
• Comprehensive listing of every external transmission you currently run (GA4, Meta Pixel, ad tags, etc.)
• An internal process that updates the page whenever a tool is added or removed

The point is that writing the four items once is not the goal — keeping them up to date is. Build the disclosure update into the tool-adoption decision flow.

Step 3: Make UTM the source of truth for channel classification#

In a cookie-restricted environment, UTM parameters become the source of truth for channel classification — referrers drop more often (referrer policy, HTTPS→HTTP, in-app browsers), but UTMs in URLs survive.

• Standardize utm_source / utm_medium / utm_campaign values as a written guideline
• Avoid case mismatches (facebook / Facebook / FACEBOOK) and full-/half-width drift
• Use ad-platform URL templates to minimize manual UTM entry
• Apply lowercase + trim normalization on the measurement side

Detail on UTM design lives in How to use UTM parameters correctly. After cookie restrictions, UTM quality directly determines RPS / ROAS accuracy by channel.

Step 4: Redefine KPIs by reverse-engineering revenue#

Finally, redefine KPIs given the new constraints.

• Drop "broken" metrics (cross-channel individual LTV, view-through) from the headline KPI list
• Promote "intact" metrics (CVR / AOV / RPS / on-site last-click) to the top line
• Treat cross-vendor aggregations as reference data only, not decision drivers
• Start monthly reviews from the on-site metrics first

The KPI design framework is in Marketing KPI design: 5 metrics that drive decisions. In the cookieless world, KPI design is not about adding more measurable signals — it's about narrowing to signals that actually drive decisions.

6. Reverse-engineering revenue — where RevenueScope fits#

Steps 1 to 4 sit on the same line: first-party measurement points → UTM → revenue decomposition → decision-grade KPIs. The hard part is having a single screen that slices that pipeline by channel — most analytics tools don't, by themselves.

GA4 is a strong front-end for first-party measurement, but it carries structural weaknesses around cookie-driven Direct / (none) inflation, channel-classification drift, and cross-subdomain session handling. Ad dashboards (Google Ads, Meta Ads) report ROAS inside their own walled garden, but site-wide RPS doesn't appear there.

The product I'm building, RevenueScope, is purpose-built for the post-cookie world: keep only the metrics that drive decisions, by reverse-engineering revenue. The first-party measurement script lives on your own domain, UTMs are normalized, and channel-level RPS / CVR / AOV are presented on a single dashboard.

If you have GA4 ecommerce already configured, RevenueScope needs almost no extra setup — it picks up purchase events by reading the dataLayer. Accept that the third-party cookie era is over, and run decisions from the metrics that hold. That's the design intent.

For the four-item disclosure, RevenueScope publishes a copy-ready template covering recipient, information, purpose, and opt-out. The goal is to minimize the writing you have to do at adoption time and reduce the maintenance cost of keeping the disclosure current.

References#

[1] Ministry of Internal Affairs and Communications (Japan), "External Transmission Regulation," June 2023. https://www.soumu.go.jp/main_sosiki/joho_tsusin/d_syohi/gaibusoushin_kiritsu.html

[2] Ministry of Internal Affairs and Communications (Japan), "Guidelines on the Protection of Personal Information in the Telecommunications Business," 2024. https://www.soumu.go.jp/main_sosiki/joho_tsusin/d_syohi/telecom_perinfo_guideline_intro.html

[3] Google for Developers, "Privacy Sandbox," 2024. https://privacysandbox.google.com/

[4] Apple WebKit, "Full Third-Party Cookie Blocking and More," March 2020. https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

[5] Mozilla, "Firefox rolls out Total Cookie Protection by default to more users worldwide," June 2022. https://blog.mozilla.org/en/products/firefox/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/

[6] IAB Europe, "Transparency and Consent Framework v2.2," May 2023. https://iabeurope.eu/transparency-consent-framework/

[7] Ministry of Economy, Trade and Industry of Japan, "Survey on the Market for Electronic Commerce in Japan, FY2023," September 2024. https://www.meti.go.jp/press/2024/09/20240925001/20240925001.html