3. The Tracking Apocalypse

How ad blockers, Safari's ITP, GDPR consent, and iOS 14.5 each broke a link in the tracking chain — and what the 20–40% data loss actually consists of.

Chapter 2 ended with a chain: tags make requests to vendor domains, identified by JS-set first-party cookies and click IDs, joined to ad clicks server-side. Between 2015 and today, every link in that chain came under attack — each by a different force, for a different reason. This chapter is the story of how browser tracking broke, told link by link, because which link is broken determines which fix (Part 3) actually helps.

chapter 2 primitive            what breaks it
────────────────────────────   ────────────────────────────────────
request to vendor hostname  →  ad blockers, DNS filters
JS-set first-party cookie   →  Safari ITP 7-day / 24-hour caps
third-party cookie          →  blocked by default (Safari, Firefox)
click IDs in URLs           →  ITP link-decoration rules, stripping
"fire by default"           →  GDPR / ePrivacy consent gating
mobile app ad ID            →  Apple's ATT opt-in prompt

Ad blockers: the hostname kill switch

The oldest and bluntest force. Ad blockers (uBlock Origin, AdBlock Plus, and the blockers built into Brave and Opera) work from community-maintained filter lists — EasyList for ads, EasyPrivacy for tracking — that are essentially long lists of hostname and path patterns:

||google-analytics.com^
||googletagmanager.com^
||facebook.com/tr
||connect.facebook.net^

When a page tries to load gtm.js or send /g/collect, the extension simply cancels the request. Note the second line: the GTM container itself is on the lists. For a blocked visitor you don't just lose analytics — every tag in your container never even loads. The same blocking also happens at the network layer: Pi-hole and NextDNS resolve tracker domains to nothing, and some ISPs and corporate networks filter them for everyone behind the router.

How many visitors? Commonly cited figures put ad-blocker use around a third of web users in many markets — and far higher among technical audiences (developer tools, B2B SaaS, gaming can see well over half). The loss isn't random, either: it skews toward exactly the high-intent, high-income segments many businesses care most about.

The blocked link here is the vendor hostname — which is precisely why server-side tagging's first-party domain (your tracking runs on pulse.yourdomain.com, not google-analytics.com) recovers most of this traffic. Chapter 11 returns to this.
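
How the four rules above decide a request's fate, as an added example (not code from this guide or from any blocker): a minimal matcher for the `||host` form only, run over constructed request URLs. The GTM container ID and query strings are placeholders, and real lists also carry path and parameter patterns that this sketch ignores.

```javascript
// Filter rules exactly as excerpted on the page.
const RULES = [
  '||google-analytics.com^',
  '||googletagmanager.com^',
  '||facebook.com/tr',
  '||connect.facebook.net^',
];

// "^" in a rule is a separator: any char that is not a letter, digit
// or one of _ - . %, or the end of the URL.
const SEPARATOR = '(?:[^\\w\\-.%]|$)';

// Compile one "||host[/path]" rule into a RegExp tested against the full URL.
// "||" anchors at the start of the hostname or right after a subdomain dot.
function compileRule(rule) {
  if (!rule.startsWith('||')) throw new Error('only ||-anchored rules are modelled');
  const body = rule
    .slice(2)
    .replace(/[.*+?$(){}|[\]\\]/g, '\\$&')   // escape regex metacharacters, keep "^"
    .replace(/\^/g, () => SEPARATOR);
  return new RegExp('^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?' + body, 'i');
}

const COMPILED = RULES.map((rule) => ({ rule, re: compileRule(rule) }));

// Return the first rule that would cancel this request, or null if it loads.
function blockedBy(url) {
  const hit = COMPILED.find(({ re }) => re.test(url));
  return hit ? hit.rule : null;
}

// Constructed sample requests (not captured traffic).
const REQUESTS = [
  'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX',
  'https://www.google-analytics.com/g/collect?v=2',
  'https://www.facebook.com/tr?id=0&ev=PageView',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://pulse.yourdomain.com/g/collect?v=2',      // first-party host from the text
  'https://google-analytics.com.example/x',          // look-alike: "." is not a separator
];

function audit(urls) {
  return urls.map((url) => ({ url, rule: blockedBy(url) }));
}

for (const { url, rule } of audit(REQUESTS)) {
  console.log(rule ? `BLOCKED by ${rule}` : 'allowed', url);
}
```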

Safari ITP: death by version number

In 2017 Apple shipped Intelligent Tracking Prevention in Safari and then tightened it roughly twice a year. The progression is worth knowing version by version, because each one explains a behavior you will see in real data:

  • ITP 1.0 (2017) — third-party cookies for domains Safari's on-device classifier flags as trackers get isolated, then purged. Classic cross-site retargeting starts dying in Safari.
  • ITP 2.0 (2018) — the remaining grace windows are removed; tracker third-party cookies are effectively gone.
  • ITP 2.1 (February 2019) — the big one. Cookies set via JavaScript (document.cookie) are capped at 7 days, even first-party ones. Recall from Chapter 2 that _ga, _fbp, _gcl_au are all JS-set. In Safari, your "2-year" GA cookie now lives a week. A customer who returns after 8 days is a brand-new user; a conversion 10 days after the ad click is unattributable.
  • ITP 2.2 (April 2019) — if the user lands from a cross-site link with link decoration (read: ?fbclid=, ?gclid=), JS-set cookies on that page live 24 hours. Aimed squarely at the click-ID workaround from Chapter 2's attribution loop.
  • ITP 2.3 (September 2019) — localStorage (the obvious cookie fallback) gets purged after 7 days of no interaction on link-decorated sites.
  • CNAME cloaking defense (2020) — some vendors hid behind customers' subdomains via CNAME records pointing at vendor infrastructure. Safari answered: cookies set by CNAME-cloaked subdomains are capped at 7 days too. (Why this matters for how you host a tagging server — and why an A record to infrastructure you control is different — is Chapters 11 and 15 territory.)
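
A simplified model of the cookie caps in the list above (ITP 2.1, ITP 2.2 and the CNAME defense), as an added example that is not code from this guide. `shop.example`, the `gclid` value, the scenario numbers and the two-label `siteOf` shortcut are assumptions; Safari's tracker classifier and anything the list does not mention are not modelled.

```javascript
const CLICK_ID_PARAMS = ['fbclid', 'gclid'];   // the two click IDs the page names

// Naive "site" = last two hostname labels (assumption; browsers use the Public Suffix List).
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Days a cookie survives in Safari, given how and where it was set.
function safariLifetimeDays({ requestedDays, setBy, landingUrl, referrer = '', cnameCloaked = false }) {
  const landing = new URL(landingUrl);
  const crossSite = referrer !== '' &&
    siteOf(new URL(referrer).hostname) !== siteOf(landing.hostname);
  const decorated = CLICK_ID_PARAMS.some((p) => landing.searchParams.has(p));

  let cap = Infinity;                          // HTTP Set-Cookie from an origin you control
  if (setBy === 'js') {
    cap = crossSite && decorated ? 1 : 7;      // ITP 2.2 (24 hours) : ITP 2.1 (7 days)
  } else if (cnameCloaked) {
    cap = 7;                                   // CNAME cloaking defense
  }
  return Math.min(requestedDays, cap);
}

// Is the visitor still carrying the identifier when they come back?
function stillIdentified(lifetimeDays, daysUntilReturn) {
  return daysUntilReturn <= lifetimeDays;
}

// Constructed scenarios; every value below is illustrative.
const SCENARIOS = [
  { name: 'JS cookie (_ga), direct visit', requestedDays: 730, setBy: 'js',
    landingUrl: 'https://shop.example/', returnAfter: 8 },
  { name: 'JS cookie, cross-site ad click', requestedDays: 730, setBy: 'js',
    landingUrl: 'https://shop.example/?gclid=TEST', referrer: 'https://www.google.com/', returnAfter: 2 },
  { name: 'HTTP cookie, CNAME-cloaked subdomain', requestedDays: 730, setBy: 'http',
    landingUrl: 'https://shop.example/', cnameCloaked: true, returnAfter: 8 },
  { name: 'HTTP cookie, own origin', requestedDays: 730, setBy: 'http',
    landingUrl: 'https://shop.example/', returnAfter: 8 },
];

function replay(scenarios) {
  return scenarios.map((s) => {
    const days = safariLifetimeDays(s);
    return { name: s.name, days, identified: stillIdentified(days, s.returnAfter) };
  });
}

console.table(replay(SCENARIOS));
```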

Safari is roughly a fifth of browsing globally — but on US mobile it's around half, and iOS users are disproportionately the high-value customers ad platforms prize. ITP is not an edge case; for many shops it's a quarter of the customer base wearing an invisibility cloak.

Firefox runs a parallel program — Enhanced Tracking Protection (default since 2019) blocks known trackers' cookies from a blocklist, and Total Cookie Protection (2021+) partitions all third-party cookies per site. Smaller market share, same direction.

And Chrome? Google announced third-party cookie deprecation in 2020 (the "Privacy Sandbox" project), delayed it for years — and in 2024 reversed course: third-party cookies stay in Chrome, and by late 2025 Google had wound down the Privacy Sandbox ad APIs entirely. After a decade of "the cookiepocalypse is coming," the dominant browser blinked. But don't misread it: Chrome is the outlier, the damage in Safari/Firefox is permanent, and the broader trajectory (including Chrome's Incognito defaults) still points one way.

The browsers attacked the mechanics; regulators attacked the defaults. Under the EU's GDPR (enforced May 2018) and the ePrivacy rules behind cookie law, non-essential tracking requires prior, informed, freely-given consent. In practice:

  • Tags may not fire — no cookies set, no collect requests — until the visitor actively consents. The consent banner industry (CMPs: Cookiebot, OneTrust, Usercentrics…) exists to manage exactly this.
  • Some share of visitors never grants consent — commonly 10–30%, swinging with market, audience, and banner design. Those visitors are legally invisible to your tags. (Bots and bounce-before-banner traffic add to the gap between server logs and analytics.)
  • Enforcement has teeth: EU regulators (Austria, France, Italy) ruled in 2022 that standard Google Analytics setups illegally transferred EU data to the US, forcing config changes and EU data-residency features platform-wide.

Two things to internalize. First, this loss is lawful and intentional — the fix is better consent UX and modeling, not engineering tricks. Second — and this cannot be said often enough — server-side tagging does not bypass consent. Moving a request from the browser to your server changes where processing happens, not whether you're allowed to do it. Chapter 17 covers Consent Mode v2 and what Google models for the consent gap.

iOS 14.5: the ATT earthquake

April 2021, Apple ships App Tracking Transparency: every iOS app that wants to track users across other companies' apps and websites must show the system prompt — "Ask App Not to Track" — and most users decline (opt-in rates settled around a quarter, often lower). The IDFA, mobile advertising's equivalent of the third-party cookie, effectively died.

Strictly speaking ATT is about apps, not websites — your GTM setup was never directly touched by it. It belongs in this chapter because of its shockwave: Meta publicly estimated ~$10 billion of lost 2022 revenue, and the platforms' response reshaped web tracking overnight. Meta started pushing the Conversions API (server-to-server events, Chapter 13) to every advertiser; Google leaned into enhanced conversions and modeling. The hashed-PII matching from Chapter 2 went from nice-to-have to centerpiece. When your Meta rep insists on CAPI, ATT is why.

Counting the damage

Put the four forces together and the standard estimate — 20–40% of events lost or degraded for a typical EU/US consumer site — stops being a scare number and becomes arithmetic. The damage:

symptom                                 mechanism
─────────────────────────────────────   ─────────────────────────────────────
GA4 purchases ≪ backend orders          ad blockers + consent decliners + ITP
Inflated "new users"                    7-day cookie death resets identity
Conversions credited to (direct)        click → buy gap exceeded cookie life
Meta/Google campaigns "underperform"    conversion joins fail → bidding starves
Shrinking remarketing audiences         no durable identifier to pool
Sample bias                             losses skew Safari/iOS, technical, privacy-conscious — your most valuable segments

The last row is the most underrated: this isn't a uniform 30% haircut, it's a biased one. Decisions made on the surviving data systematically undervalue exactly the channels and audiences that convert best.

The industry's answer

Four broad responses emerged, and they form the rest of this guide:

  1. Consent-aware measurement — Consent Mode v2, conversion modeling (Chapter 17).
  2. Hashed first-party data — enhanced conversions, advanced matching (Chapters 13–14).
  3. Server-side tagging — move collection to a first-party domain you control: survive hostname blocking, set durable server-side cookies, own the data flow (all of Part 3).
  4. First-party data discipline — logins, CRMs, offline conversion imports; beyond this guide's scope but the strategic backdrop.

One ordering note before we go there: the next five chapters are about web GTM, properly. That's deliberate. Every server-side setup still starts in the browser — events are born in a web container before they ever reach a server — and you can't debug what you don't understand. Master the client side first: Chapter 4 — GTM from the Ground Up.