In July 2024 Google announced it would not remove third-party cookies from Chrome — a U-turn after years of announcements. In 2026, third-party cookies still exist on Chrome, with a user-choice mechanism. At the same time, GDPR and ePrivacy enforcement has tightened consent requirements to the point where "cookieless" is already a reality for the large share of visitors who decline tracking.
In this guide we look at what actually changed, what stays the same, and 3 concrete strategies for your website in 2026.
Privacy Sandbox and cookieless tracking: the current state
Google's Privacy Sandbox is a set of browser APIs (Topics, Attribution Reporting, Protected Audience) designed to replace third-party cookies with browser-managed, privacy-preserving mechanisms. In 2026 these APIs are available in Chrome but haven't become the universal standard Google promised. Meanwhile:
- Safari (WebKit), which accounts for 50%+ of mobile traffic, has blocked third-party cookies by default since 2017.
- Firefox blocks them via Enhanced Tracking Protection.
- Chrome keeps them but introduces user-choice UX.
Bottom line: if a user accepts your cookie banner on Chrome, tracking works. But on Safari mobile you never receive third-party ad cookies — regardless of consent.
What GDPR requires on tracking in 2026
European data protection authorities have confirmed that any non-strictly-necessary cookie — including analytics — requires explicit, prior, granular consent. Practical rules for 2026:
- No pre-ticked boxes: every cookie category must be deselected by default.
- Reject as easy as accept: the "Reject all" button must be as prominent as "Accept all".
- Granular consent: users can accept analytics and reject remarketing separately.
- Easy withdrawal: a permanent link to reopen cookie preferences must exist.
3 strategies to stay compliant without losing all data
1. GA4 with server-side tracking
Standard GA4 sends data directly from the browser to Google, where it is blocked by ad blockers and limited by Safari ITP. With server-side tracking (via GTM Server Container, Stape.io or a custom setup), data reaches your server first and is then forwarded to Google. This makes collection more resistant to ad blockers and more accurate, and lets you anonymise IP addresses before sending.
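An added example (not code from this article, GA4 or GTM) of the server-side step described above: the collector treats every consent category as rejected by default, truncates the client IP, and only then builds the payload to forward. All function names, the event shape and the truncation widths are assumptions.

```javascript
// Added example; all names are hypothetical, not from GA4 or GTM.
const CATEGORIES = ["analytics", "remarketing"];

// Every category starts rejected; only an explicit `true` counts as consent.
function parseConsent(raw) {
  const consent = {};
  for (const c of CATEGORIES) consent[c] = Boolean(raw) && raw[c] === true;
  return consent;
}

// Truncate an address before it leaves your server: zero the last octet of
// IPv4, keep only the first 48 bits of IPv6 (widths are an assumption).
// Returns null for anything unparseable so a raw value is never forwarded.
function anonymizeIp(ip) {
  if (typeof ip !== "string") return null;
  const v4 = ip.split(".");
  if (v4.length === 4 && v4.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) {
    return `${v4[0]}.${v4[1]}.${v4[2]}.0`;
  }
  const halves = ip.split("::");
  if (!ip.includes(":") || halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves[1] ? halves[1].split(":") : [];
  const gap = 8 - head.length - tail.length;
  if (halves.length === 1 ? gap !== 0 : gap < 1) return null;
  const groups = [...head, ...Array(gap).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.slice(0, 3).map((g) => g.toLowerCase()).join(":") + "::";
}

// Decide what, if anything, may be forwarded to the analytics vendor.
function buildForwardPayload(event, rawConsent, clientIp) {
  const consent = parseConsent(rawConsent);
  if (!consent.analytics) return null; // no consent: nothing leaves the server
  const payload = { name: event.name, page: event.page, ip: anonymizeIp(clientIp) };
  // Advertising identifiers travel only under separate remarketing consent.
  if (consent.remarketing && event.adId) payload.adId = event.adId;
  return payload;
}

// Constructed sample hit (documentation-range address, made-up ad id).
const sampleEvent = { name: "page_view", page: "/pricing", adId: "ad-123" };
console.log(buildForwardPayload(sampleEvent, { analytics: true }, "203.0.113.77"));
```

IPv4-mapped IPv6 addresses are not parsed here and come back as `null`, so the hit is forwarded without any address rather than with a raw one.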
2. First-party data as primary asset
Data you own directly (newsletter subscribers, registered accounts, purchase data) doesn't depend on third-party cookies and doesn't expire with regulations. In 2026 building a qualified email list is worth more than any retargeting pixel.
3. Privacy-friendly analytics
Tools like Plausible, Fathom or Umami don't use cookies and don't need a banner (in the cookieless version). They provide aggregated data only, with no personal data and no cross-site tracking, and are GDPR-compliant by design. Limitation: no demographics, no cross-device attribution.
Conclusion
Cookieless didn't arrive the way Google announced it, but tracking has still changed fundamentally. Anyone without a compliant GDPR banner and a first-party strategy in 2026 risks fines and increasingly inaccurate data.
If you want a review of your analytics setup and cookie compliance, contact us via the quote form: the initial audit is free. All sites we build through our web services include GDPR-compliant configuration from day one. See examples in the portfolio.