If you've spent the past few years trying to follow Google's privacy plans, you're not alone in feeling confused. Since 2020, the company has announced the end of third-party cookies, delayed it three times, reversed course entirely, proposed a replacement, cancelled the replacement, launched a suite of alternative technologies, and then retired most of them. The result isn't a new privacy landscape. It's the old one, degraded in ways that most marketing teams haven't fully grasped.
This article cuts through the noise. What actually changed, what didn't, and what you should do about it.
The cookie saga: six years of announcements, zero changes
In January 2020, Google announced it would phase out third-party cookies in Chrome within two years. The timeline was pushed back three times – to late 2023, then the second half of 2024, then early 2025 – as the replacement technologies proved far harder to build than anticipated and the UK Competition and Markets Authority raised competition concerns.
Then came the reversal. In July 2024, Google abandoned the plan entirely. Instead of removing cookies, the company proposed giving Chrome users a one-time choice prompt – a mechanism similar to Apple's App Tracking Transparency. That prompt never shipped either. In April 2025, Google quietly dropped it, citing "divergent perspectives" from the ecosystem.
The final act came in October 2025. Google retired the Privacy Sandbox initiative – the entire suite of replacement technologies it had spent six years building. Ten APIs were killed, including the Topics API (interest-based targeting), Protected Audiences (remarketing), and Attribution Reporting (conversion measurement). The CMA simultaneously released Google from its binding commitments, concluding that since the cookies were staying, the competition concerns no longer applied.
As of February 2026, third-party cookies remain fully enabled by default in Chrome. No user prompt exists. No changes to default behaviour have been made.
The real story isn't about cookies
Here's the point most commentary misses: the data loss is already happening. It's been happening for years, regardless of Google's cookie policy.
Safari has blocked all third-party cookies by default since March 2020. Firefox partitions them so they cannot be used for cross-site tracking. Brave blocks Google Analytics entirely. Every browser on an iPhone – including Chrome – runs on Apple's WebKit engine, which means Safari's restrictions apply universally on iOS.
Add these up and approximately 20–25% of a typical website's visitors are already operating in a cookieless environment because of the browser they use. Factor in ad blockers (used by over 900 million people globally) and cookie consent rejection, and the picture worsens considerably. For a UK website with a properly implemented consent banner – one that gives users a genuine choice rather than nudging them toward "Accept All" – the proportion of visitors invisible to standard tracking is closer to 35–45%.
Google's cookie reversal didn't create this problem. But it did remove the pressure for a coordinated industry response, leaving businesses to navigate the data gap on their own.
GA4: the data you are probably missing
The shift from Universal Analytics to GA4 wasn't a simple upgrade. It was a fundamental change to how marketing data is collected, processed, and reported. Three structural limitations in GA4 mean the reports you see likely understate reality.
Data thresholding is a privacy feature that hides report rows when user volumes are too small to ensure anonymity. Google doesn't publish the exact trigger, but industry testing puts it somewhere between 30 and 50 users per dimension. For professional services firms running targeted campaigns to niche audiences, this can suppress the data that matters most – the specific sources, demographics, and behaviours of your highest-value prospects. The data is collected and stored; it simply isn't shown.
Data sampling kicks in when queries exceed 10 million events. GA4 analyses a subset and extrapolates. For smaller sites this rarely triggers, but for larger properties it means Exploration reports and custom queries are estimates, not counts.
Cardinality limits group data into an "(other)" row when a dimension exceeds approximately 500 unique values per day. UTM parameters (the tracking codes added to campaign URLs), page URLs with query strings, and product catalogues are common triggers. If your campaign reporting relies on granular URL or parameter analysis, the "(other)" row may contain a significant share of the data you need.
The workaround for all three is BigQuery (Google's data warehouse), which provides access to raw, unsampled data. But the free tier is capped at one million events per day, BigQuery requires SQL expertise and incurs Google Cloud costs, and critically, it doesn't include GA4's modelled data – creating a built-in discrepancy between what you see in the interface and what you can query directly.
GA4 also limits data retention to 14 months for standard properties, making long-term trend analysis impossible without an external data warehouse. And the shift to data-driven attribution – where machine learning distributes conversion credit across touchpoints – means historical comparisons with Universal Analytics are not like-for-like.
Consent Mode V2: the gatekeeper for your data
Since March 2024, Consent Mode V2 has been mandatory for advertisers using Google Ads and GA4 to target UK and EEA users. It determines what data Google receives when someone interacts with your cookie banner.
The practical difference between Basic and Advanced implementation is significant. In Basic mode, when a user declines consent, Google receives nothing – no pings, no signals, no data of any kind. That visitor vanishes from your analytics and your ad reporting entirely. In Advanced mode, Google tags fire immediately but send only cookieless pings when consent is denied: timestamps, device type, country-level location, and consent state. No cookies, no persistent identifiers, no personal data. These limited signals feed Google's behavioural modelling, which estimates the activity of non-consenting users based on patterns from consenting ones.
Google claims this modelling recovers more than 70% of lost conversion data on average. Independent testing suggests the figure is lower – third-party reports put recovery at 30–50%, with significant variation depending on implementation quality and traffic volume. The gap between these estimates matters, because modelled and observed data are blended seamlessly in GA4's interface. There's no way to separate them at row level. You can't tell which conversions were directly measured and which were inferred by an algorithm.
There's a further catch. Behavioural modelling only activates if your property meets minimum thresholds: at least 1,000 daily events with consent denied for seven or more days, plus at least 1,000 daily users with consent granted over the same period. Many small and mid-sized businesses don't meet these thresholds. For them, users who decline consent are simply lost data – no modelling, no recovery.
What UK consent rates actually look like
Your GA4 data quality is directly tied to your consent rate, and your consent rate is almost entirely determined by how your cookie banner is designed.
The research on this is fragmented but converging. When a consent banner offers "Accept All" and "Reject All" with equal prominence, UK acceptance rates typically fall between 30% and 50%. When the reject option requires multiple clicks or is visually de-emphasised, acceptance rates climb toward 80–90% – but that design risks ICO enforcement. A 2025 study of over 254,000 European and UK websites found only 15% of cookie banners met minimum GDPR compliance requirements.
The trend is moving in one direction. A 2025 consumer survey found 46% of people are clicking "Accept All" less often than they were three years ago. Consent rates are declining, not stabilising.
As of April 2024, only 26% of the top UK websites had implemented Consent Mode V2 at all. That figure is likely higher now, but it signals how many businesses are still running Google Ads and GA4 without the consent infrastructure Google's own tools require to function properly.
The Privacy Sandbox: what it was and why it failed
The Privacy Sandbox was Google's answer to the question: if we remove cookies, what replaces them? The answer, after six years and enormous industry investment, was: nothing that works well enough.
The CMA's testing found that publisher revenue dropped approximately 30% when using Privacy Sandbox technologies instead of cookies. Independent testers reported advertiser spend declines of 42%, 60%, and 67% – far worse than Google's own estimate of 14%. Click-through rates fell by 12% to 67%. Criteo's testing found the Topics API was five times less effective than cookies for targeting, and that in a Privacy Sandbox environment, Google Ad Manager's market share could increase from 23% to 83%.
The IAB Tech Lab's assessment was blunt: the technologies "suffered from deep technical flaws" and could not support the majority of standard advertising use cases.
The retirement matters for one practical reason: there is no replacement technology coming. The industry's plan B – that Google would build something to fill the gap left by cookies – is now definitively off the table. Businesses need to build their own measurement infrastructure rather than waiting for Google to provide one.
The UK regulatory shift
The most significant recent change for UK businesses is the Data (Use and Access) Act 2025 (DUAA), whose cookie-related provisions took effect on 5 February 2026.
The Act introduces a new exception for analytics cookies used solely for statistical purposes. Under this exception, websites can set analytics cookies on an opt-out basis – without requiring prior consent – provided the cookies are used only for aggregate statistical analysis to improve the service, users are clearly informed, and a simple free opt-out mechanism is available.
This is meaningful, but the practical reality is narrower than headlines suggest. The exception doesn't cover advertising or remarketing cookies, which still require prior consent. And there's an open question about whether standard GA4 configurations qualify, since Google may use the collected data for its own purposes – a condition that could disqualify the exemption. The ICO hasn't yet ruled on this point; finalised guidance is expected in spring 2026.
The Act also raised fines under the Privacy and Electronic Communications Regulations (PECR) from £500,000 to £17.5 million or 4% of global turnover, aligning them with UK GDPR levels. Non-compliant cookie implementation is no longer a minor risk.
For businesses operating across the UK and EU, the divergence creates complexity. The EU hasn't relaxed its cookie consent requirements. A UK site that switches to opt-out for analytics under the DUAA exception will still need to obtain prior consent from EU visitors.
What to do about it
The six-year cookie saga is over. The replacement technologies are dead. The regulatory landscape has shifted. Here's a prioritised set of actions based on where most professional services firms stand today.
Audit your consent banner first. This is the single highest-impact action. Your banner design determines your data quality more than any other technical decision. If your reject option requires multiple clicks, if categories are mislabelled, if non-essential cookies fire before consent is given, you are both non-compliant and making decisions based on artificially inflated data. The ICO's online tracking programme has now reviewed the UK's top 1,000 websites. Enforcement is shifting from guidance to action.
Implement Consent Mode V2 (Advanced) if you run Google Ads or GA4. Basic mode means losing all data from non-consenting users. Advanced mode at least provides the signals Google needs for behavioural modelling. It's not a perfect solution – the modelling is opaque and the recovery rate is debatable – but it's materially better than a complete data blackout.
Evaluate whether server-side tracking is worth the investment for your business. Server-side tracking routes data through your own server before sending it to analytics and advertising platforms. It mitigates ad blocker interference and Safari's cookie restrictions, and improves data quality for consented users. Managed platforms like Stape (from approximately $20 per month) and Cloudflare Zaraz (free tier available) have brought the cost within reach of smaller businesses. But server-side tracking doesn't bypass consent requirements, and it adds technical complexity. It makes most sense for businesses spending significant budgets on paid advertising where data accuracy directly affects return on investment.
Build your first-party data infrastructure. The era of relying on third-party tracking for audience insight is ending – not because of a single policy change, but because of the cumulative effect of browser restrictions, consent requirements, and ad blockers. First-party data – the information people give you directly through forms, email signups, preference centres, and CRM interactions – is the foundation of reliable marketing measurement. Enhanced Conversions in Google Ads, which use hashed first-party data to match conversions with ad clicks, are now described as essential rather than optional.
Assess the DUAA analytics exception carefully. If your site serves only UK visitors and your analytics are used purely for aggregate statistical purposes, you may be able to set analytics cookies on an opt-out basis. But verify that your GA4 configuration doesn't allow Google to use the data for its own purposes, and wait for the ICO's finalised guidance before relying on this exception. If you serve EU visitors, the exception doesn't help – you still need prior consent for those users.
Accept that perfect measurement is gone. The industry consensus in 2026 is that marketing measurement has moved from deterministic precision to directional accuracy. Modelled data, aggregated reporting, and probabilistic attribution are the new normal. Marketing Mix Modelling – once an enterprise-only discipline – is becoming accessible through open-source tools like Google's Meridian and Meta's Robyn. The businesses that adapt to this reality will make better decisions than those still chasing the measurement precision that disappeared with Universal Analytics.
Where Penby fits
Ola Degteva implements consent architectures, server-side tracking configurations, and GA4 setups for businesses navigating exactly these challenges. The work is technical, but the decisions it enables are strategic: which data to trust, where the gaps are, and how to build a measurement infrastructure that works within privacy constraints rather than against them. If your marketing data doesn't feel reliable, it probably isn't – and the gap is likely wider than your current reports suggest.