Impact of browser restrictions on B2B advertising analytics

Privacy laws have enshrined the user’s right to anonymity, directly limiting the data that marketers can collect for advertising and attribution purposes

Executive summary:
B2B marketers face mounting challenges in tracking website visitors and attributing marketing outcomes. Stricter privacy regulations (e.g. GDPR, CCPA) and browser-imposed restrictions (like cookie blocking and script filtering) are undermining traditional advertising and analytics technologies. Crucially, anonymous site visitors who reject cookies cannot be reliably tracked leading to serious gaps in attribution. This article explains why these challenges are occurring, contrasts tracking of logged-in vs anonymous users, examines how popular marketing technology platforms (Marketo, Pardot, HubSpot, Salesforce Marketing Cloud, etc.) still rely on cookies, and quantifies the impact with current data. The findings underscore an urgent need for marketers to adapt to a cookieless reality or risk losing visibility into the majority of their digital engagement.

Evolving privacy regulations and their consequences

Data privacy laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have fundamentally changed how organisations collect and use personal data online. Under GDPR and related ePrivacy directives, websites must obtain explicit user consent before dropping any non-essential cookies. Users must be given the choice to reject tracking and many are exercising that right. In fact, in 2020 55% of websites were found not to properly obtain user consent, indicating widespread non-compliance or workarounds. Regulatory enforcement is increasing: for example, Facebook was fined and ordered to stop using non-essential cookies without consent in Belgium, and Meta faced a €390m penalty for unlawful behavioural advertising in Europe.

Any cookie or identifier that can track a user (even a first-party analytics cookie) is considered personal data and requires opt-in consent. This means that unless a visitor clicks “Accept” on the cookie banner, your analytics and marketing tags cannot set their tracking cookies. Only strictly necessary cookies (e.g. for site functionality or logged-in sessions) are allowed without consent. As a result, a growing portion of site visitors remain untracked by analytics or marketing tools if they ignore or reject the cookie consent. This regulatory environment has forced companies to change how they process user data, making attribution increasingly challenging.

To make matters more complex, some vendors attempted covert techniques to bypass consent (such as browser fingerprinting or first-party ID leaking), but these are now under scrutiny and largely considered non-compliant.

Browser restrictions: cookies under siege

Web browsers have proactively joined the privacy movement by imposing technical restrictions on cookies and trackers. In recent years, all major browsers introduced features to curtail tracking:

• Safari (Apple): Safari’s Intelligent Tracking Prevention (ITP) blocks third-party cookies by default and even restricts first-party cookies’ lifespan. As of Safari 14 (2020), any client-side cookie (including first-party) is capped to a seven-day lifespan in many cases. Safari 13.1 and later block all third-party cookies by default, meaning cookies from domains other than the site’s own (commonly used for advertising and marketing scripts) simply won’t function.
• Firefox (Mozilla): Firefox introduced Total Cookie Protection (2021), confining cookies to the site where they originated so they cannot track users across sites. Firefox also blocks known trackers and scripts that profile users.
• Chrome (Google): Chrome (with ~60% market share) has previously stated it planned to start phasing out third-party cookies as well, but this got delayed several times and in April 2025 Google announced it will continue to support third-party cookies in Chrome.

Browser extensions and user-installed blockers amplify these restrictions. It’s estimated over 35% of internet users run some form of ad blocker or script blocker in their browsers. These tools (e.g. uBlock, Ghostery, NoScript) can prevent tracking scripts or cookie consent pop-ups from even loading. Paradoxically, if an extension blocks your site’s consent banner, the visitor never sees an “Accept cookies” option, so by default, only essential cookies load and all analytics/marketing tags are blocked without the user ever explicitly refusing. In research by Alphix Solutions, many blockers stop the consent management platform (CMP) entirely, cutting off any chance for the user to opt in.

The combined effect of these browser-level actions is that not only are traditional third-party cookies disappearing, but even first-party cookies face obstacles. A first-party cookie can only be set if the user consents and if no technology blocks it. Many “accept all” clicks are effectively nullified by browser or extension filters that still block any non-essential cookie after the fact. As a result, the data collected by conventional web analytics platforms (e.g. Google Analytics, Adobe Analytics) has become increasingly incomplete and skewed. The rise of ad blockers and cookie refusal has made data from these platforms increasingly inaccurate, significantly reducing the quality and efficacy of the insights.

Site visitor attribution challenges in a cookieless era

One of the biggest casualties of these trends is site visitor attribution – the ability to attribute website visits and conversions to marketing efforts. Traditionally, web analytics and marketing automation rely on cookies to identify a visitor across page loads and sessions. When a new visitor comes to a site, an analytics tool drops a unique ID cookie in the browser; all pageviews and events are tied to that ID so the system knows it’s the same visitor returning. If that mechanism fails (due to the visitor not consenting or the cookie being blocked), every visit looks “new” or is not tracked at all.

Anonymous visitors rejecting cookies are essentially invisible to tracking systems. For example, consider a prospective investor who visits an asset management site but clicks “reject cookies” (or ignores the banner). The analytics platform in this case is limited to only necessary functionality and cannot set its tracking cookie. Any browsing behaviour – pages viewed, time spent, content interests – goes unrecorded in analytics, because there’s no permission to tag that user. If that same individual later receives an email newsletter and clicks a link back to the website, the marketing system would normally attempt to recognise them (often by a unique query parameter or by matching their cookie). Without an existing cookie or identifier, however, the connection is lost.

Even though email marketing tools try to bridge the gap when a known contact returns to the site, they still depend on cookies or scripts running on the site to complete the identification. Adobe Marketo Engage, for instance, uses a Munchkin tracking cookie: when someone first visits a web page with Marketo code, Marketo creates an anonymous activity and uses a browser cookie to track it. Once the visitor is identified, it becomes a person and the history associated with the browser cookie is merged in. But if the cookie was never set (or has been purged by the browser’s ITP), there is no history to merge. The visitor effectively starts from scratch each time.

The result is a critical blind spot: B2B marketers cannot attribute that anonymous visitor’s prior content engagement to the email click or subsequent conversion. If cookies are rejected, even a return via a tracked email link cannot retroactively stitch together that user’s journey. The visitor remains anonymous and their earlier interactions are not tied to their identity in marketing databases. This scenario undermines multi-touch attribution models and leaves marketers “in the dark” about the true buyer journey. Studies show that only about 3-4% of B2B website visitors ever fill out a form to identify themselves. Even among genuinely interested prospects, roughly 80% remain anonymous (not filling forms) during their research phase. This means the vast majority of B2B web traffic is anonymous by default, and without cookies, it stays that way.

Let’s look at a practical example. Suppose a potential client receives your email, clicks through to a gated whitepaper page on your site, but declines cookies on the CMP banner. They download the asset (perhaps you allowed access without form submission due to user friction concerns). Two weeks later, they click a link in a follow-up email inviting them to a webinar. Your email marketing system knows who was sent the email, but when they land on the site, any web tracking script will attempt to set or read a cookie to log this visit under that person’s profile. If the user’s browser or extensions block the tracking script or cookie, the site visit might only register in back-end email click metrics, but not in onsite analytics or lead scoring. From the website’s perspective, that session might as well be a brand-new anonymous visitor. The return visit isn’t attributed to the email campaign in Google Analytics because analytics cookies are absent, so marketing ROI appears lower than reality. This disconnect is becoming common, as Alphix Solutions’ analysis notes a frequent mismatch between reported ad clicks and the entries recorded on landing pages. In other words, paid campaigns show clicks, but web analytics shows significantly fewer corresponding visits, indicating tracking drop-off.

Logged-in users vs anonymous visitors: a contrast in tracking

It’s important to differentiate logged-in (known) users from anonymous visitors in terms of tracking technology and privacy impacts.

• Logged-in users: If a visitor authenticates on a website (e.g. logs into an investor portal or client dashboard), the website can track that session via server-side methods or session IDs linked to the user’s account. Logged-in activity can often be tied directly to a known user ID in a CRM or database. Even here, cookies usually play a role (session cookies to keep the user logged in), but these are considered “necessary” for service and often allowed without explicit opt-in. Marketers can glean some behavioural data (e.g. which resources a logged-in client accesses) without relying on third-party tracking cookies, since the user is identified by account. However, privacy laws still apply – any tracking beyond necessary service (for example, analytics on usage patterns) might still require disclosure, and users can often opt out of analytics in their account settings.
• Anonymous visitors: Before a visitor self-identifies (by logging in or filling a form), they are tracked purely by browser/client identifiers, mainly cookies. Each anonymous visitor is given a unique cookie ID so that if they visit multiple pages or return later, the system knows it’s the same person. This is the realm that has been upended by cookie consent rules and browser blocking. If an anonymous visitor consents to tracking, a first-party cookie might track their visits for months; if they do not consent, each pageview may be isolated with no continuity. In marketing automation platforms, an anonymous visitor is often represented as a temporary profile that later merges with a known contact upon identification (as described with Marketo’s process above). Without the ability to drop a cookie, an anonymous visitor’s interactions cannot be stitched together over time. They will appear as “new” each time, and marketing systems will fail to recognise that they are re-engaging. Contrast this with a logged-in user where the system can tie actions to the user’s account every time – a luxury not available for anonymous traffic in a post-cookie world.

Logged-in tracking tends to rely more on first-party session cookies and back-end logging (e.g. web server logs, application logs tied to user ID), which are under the website’s control and often exempt from consent when purely functional. Anonymous tracking relies on analyticsscripts (JavaScript) and tracking cookies or local storage to persist a user’s ID across visits. Technologies like Google Analytics, Adobe Analytics and marketing automation scripts (Marketo Munchkin, HubSpot tracking code, etc.) all operate by planting an ID in the browser. If that mechanism is blocked, they have little recourse because, by design, they do not know the actual identity (email, name) of the visitor yet.

In highly regulated industries like asset management, many valuable website visitors will remain anonymous (due to compliance content consumption, research by analysts, etc.) until very late in the funnel. If those users cannot be tracked anonymously due to cookie restrictions, marketing teams lose insight into early-stage engagement. They might only capture data once the visitor finally fills a form or logs in, missing all prior touchpoints. Logged-in tracking gives rich data but only for known customers; the challenge is that new prospects may never be logged in during their research phase and thus require effective anonymous tracking which cookies used to provide.

Marketing technology systems still depend on cookies for user matching

Despite the clear shift in the landscape, most major marketing technology and analytics platforms in use today still rely heavily on cookies for user matching and engagement tracking. This includes widely used B2B marketing systems such as Marketo (Adobe), Pardot (Salesforce Marketing Cloud Account Engagement), HubSpot, and Salesforce Marketing Cloud (ExactTarget), among others. These tools were built in an era when dropping a browser cookie was standard practice to remember a visitor over time, and many have been slow to adapt to a world without ubiquitous cookies.

• Marketo Engage (Munchkin Tracking): Marketo’s tracking script (Munchkin) sets a cookie named _mkto_trk on the visitor’s browser to record page visits and link them to a lead profile. This is typically a first-party cookie tied to the company’s domain or a CNAME. Marketo’s documentation explains that it tracks all individuals (anonymous or known) who visit your website, and once someone converts (for example, by clicking a tracked email or submitting a form), Marketo associates their previous anonymous cookie activity with their now-known profile. The issue: if the cookie was never allowed, Marketo can only track the point of conversion forward – all prior engagement is lost. Moreover, Safari’s ITP shortens the lifespan of Marketo’s cookie to seven days (treating even first-party cookies set via JavaScript as ephemeral), which severely limits Marketo’s ability to track long sales cycles on Safari. Marketo has implemented workarounds like using server-set cookies via HTTP headers to bypass client-side restrictions, but these require complex changes and still depend on some level of consent.
• Pardot/Salesforce Account Engagement: Pardot historically tracked visitors with a cookie on the domain go.pardot.com, which is effectively a third-party cookie from the perspective of the client site. This allowed Pardot to monitor visitor activity and later tie it to a Salesforce lead/contact once identified. However, as browsers started killing third-party cookies, Salesforce introduced first-party tracking options. Admins can configure a first-party tracking CNAME so that Pardot’s cookie comes from your own subdomain (e.g. go.yourcompany.com), turning it into a first-party cookie. Still, consent is required: Pardot’s own guidance notes that you must manage cookie consent to be GDPR-compliant when using Pardot tracking. Pardot’s cookie can have a very long lifespan (up to ten years by default) to capture long-term behaviour, but again, only if it’s permitted to be set. Salesforce has stated plainly: “If third-party cookies go away, our website’s interaction with Pardot is gone. Poof! Unless you enable first-party web tracking cookies.” This highlights how pivotal cookies are to Pardot’s core functionality. Many Pardot users in Europe now grapple with consent banners that, if unanswered or declined, mean Pardot will not track that visitor at all.
• HubSpot: HubSpot’s marketing platform uses a cookie called hubspotutk to keep track of a visitor’s identity across visits. When an anonymous visitor eventually converts (for example, by filling out a HubSpot form on the site), that cookie’s value is passed to HubSpot’s servers so the previously anonymous activity can be merged into the new contact record. HubSpot sets several cookies (for tracking sessions, pageviews, etc.), all of which are classified as non-essential, which means they require consent under GDPR. If a user declines, HubSpot tracking code will either not run or not set cookies, preventing any association of that visitor with future conversions. HubSpot provides tooling to respect a visitor’s Do Not Track preference or cookie opt-out settings, which while privacy-friendly, further contributes to gaps in data if many visitors opt out.
• Salesforce Marketing Cloud & others: Platforms like Salesforce Marketing Cloud (SFMC) and Oracle Eloqua also use similar tracking mechanisms. SFMC’s Web and Email Tracking scripts (older ExactTarget components or newer Interaction Studio) generally drop first-party cookies to recognise visitors and link email click activity to onsite behaviour. Eloqua places a first-party cookie (often named ELOQUA) for site tracking.

All of these systems face the same fundamental challenge: they are built on the assumption that a persistent cookie can be set in the user’s browser to record interactions over time. When that assumption fails – due to lack of consent or technical blocking – the systems have only partial data.

Why haven’t these systems eliminated cookies entirely? Cookies have been the most straightforward way to achieve continuity of user data in web browsers and replacing them is non-trivial. Some vendors are exploring alternatives, such as fingerprinting techniques or identity resolution via server-side logic. However, fingerprinting (using a combination of browser attributes to guess a unique user) is disfavoured under privacy laws and often less accurate. Server-side tracking requires that the user log in or click a uniquely coded link every time, which is not practical for anonymous visitors. As a result, even in 2025, cookies remain deeply ingrained in many marketing technology platforms for activities like lead scoring, campaign attribution, retargeting and personalisation.

The growing impact: incomplete data and skewed insights

The convergence of strict privacy consent regimes and aggressive browser restrictions is creating significant blind spots in marketing data. For performance-driven marketers accustomed to granular tracking, the impact is stark and quantifiable. Research by Fundamental Media and Alphix Solutions (focusing on asset manager websites) in 2023 found that:

• Traditional analytics undercount actual traffic by a huge margin. Cookie-based analytics platforms were failing to record over 60% of website traffic on average. In some cases, the delta between reported visits and real visits was found to be 35% to 95%, meaning the analytics tool might only show 5–65% of the true engagement. This gap is attributed to users not accepting cookies or having blockers that prevent tracking scripts from firing. In practical terms, if your Google Analytics shows 1,000 monthly visitors, the reality could be closer to 1,600 and you wouldn’t know it without alternative measurement.
• Web traffic and campaign metrics are no longer aligning. Marketers are observing large mismatches between the clicks recorded in advertising or email campaigns and the visits recorded on their websites. The most common symptom of cookie blocking is a discrepancy between ad click counts and landing page sessions. Essentially, your ad platform says you drove traffic, but your web analytics doesn’t show it. These discrepancies are a direct result of visitors arriving but not being tracked due to cookie consent or blocking.
• Attribution models are severely skewed. If 60% or more of traffic isn’t logged properly, any multi-touch attribution models built on that data become unreliable. Using cookies anywhere in the marketing funnel today will actively misrepresent the reality of where your marketing activities are driving performance and where your budget is being wasted. For instance, view-through conversions (someone seeing an ad and later visiting) cannot be measured accurately when cookies are blocked. The same goes for retargeting campaigns: if a large portion of your audience can’t be cookied for retargeting, the size and relevance of retargeting pools plummet.
• Site functionality issues have emerged. An unexpected side effect of aggressive privacy tools is that some sites break entirely. Alphix Solutions and Fundamental Media found 16% of asset management sites tested had functional issues (content not loading, frozen scrolling, unresponsive pages) due to ad/script blockers interfering with scripts like CMPs. This is not just a data problem but a user experience problem, ironically caused by attempts to enforce privacy. It underscores that privacy measures can have material impacts on website performance and user journey if sites haven’t been optimised to handle script blocking gracefully.
• B2B marketing is hit slightly harder than B2C. The research noted that the B2B sector may fare marginally worse than B2C in attribution loss. This is partly because corporate networks (especially in finance) add another layer of privacy – many firms route traffic through secure networks that strip tracking parameters or employ network-level ad blocking. Financial professionals often browse in hardened environments where marketing scripts simply don’t run. Thus, asset managers and other B2B firms could see even higher proportions of “invisible” traffic compared to consumer sites where users might be on personal devices with default settings.

To put these points in perspective, consider the broader industry reaction: over 60% of marketers believe the phasing out of third-party cookies is bad for advertisers and will hurt their insight into consumers. Yet from the consumer/privacy side, these changes are seen as positive, which is exemplified by Apple’s App Tracking Transparency on iOS, where 95% of users opted out of cross-app tracking, costing Facebook an estimated $10 billion in 2022 due to lost targeting ability. In traditional web analytics, we are seeing a similar user opt-out at scale, whether deliberate or by default. Marketers lose data, but users gain privacy – a trade-off regulators and browser makers seem willing to make.

Adapting to the new normal of privacy-first marketing

Privacy regulations and browser restrictions have fundamentally reset the playing field for B2B marketing analytics and advertising. The era where every site visitor could be silently tagged, tracked, and later re-identified via cookies is rapidly drawing to a close. For B2B marketers  (including asset management firms that rely on long buyer journeys) this means rethinking how to measure and influence prospects.

Key takeaways and actions:

• Expect and plan for data loss in analytics. It is now normal that a large share of your site traffic (possibly the majority) will not be fully captured by traditional cookie-based analytics. When presenting performance reports, educate stakeholders that reported web metrics could be undercounting actual engagement by 60% or more. Adjust KPIs and targets knowing the data is incomplete, or seek supplementary site performance measurement solutions that don’t rely on cookies (for example, cookieless tracking solutions or server-side analytics).
• Audit your consent management and compliance. Ensure your cookie management platform (CMP) is properly implemented. The Alphix audit found 3% of fund manager sites had a broken CMP and 21% had CMPs not fully compliant with GDPR. Issues like that can lead to legal trouble or even worse data loss. A functioning CMP won’t magically make users consent, but it will give you a chance to request opt-in. Also avoid illegal practices like dropping cookies even after a user declines (which 17% of sites were caught doing). Not only is this unlawful, but modern browsers likely block those cookies anyway, so it’s ineffective.
• Differentiate tracking for known vs unknown visitors. Leverage the data you can collect from known (logged-in or form-identified) users, as this will be more reliable. For anonymous visitors, consider progressive profiling strategies (e.g. encouraging micro-conversions (like subscribing to newsletters) earlier) to move users into an identifiable state sooner. When a visitor becomes known, ensure your systems merge their past anonymous interactions where possible. (Many platforms do this automatically via cookies, but you may need to configure query parameters in email links or use first-party tracking domains to facilitate the merge.)
• Maximise first-party data and cookies where feasible. All major marketing technology systems now offer a first-party cookie mode, so make sure to use it. For example, configure Marketo or Pardot with your own domain for tracking so that you’re not reliant on third-party cookies. First-party cookies have a fighting chance to survive (especially if the user consents). While browsers may still restrict them, they are more likely to be allowed than any third-party tag. Additionally, invest in building out first-party data (e.g. known user preferences, engagement histories) in your CRM, as future targeting and personalisation will revolve around consented first-party information rather than third-party data aggregation.
• Monitor the developments in cookieless tracking technology. The industry is responding with new solutions. For instance, the Alphix Solutions platform offers cookie-free site performance metrics, using non-personal data signals to measure traffic and engagement without dropping tracking cookies. Google Analytics 4 (GA4) is shifting towards an event-based model that can operate with or without cookies, using modelling to fill gaps. Keep an eye on privacy-safe identifiers (like clean rooms, unique on-site identifiers or federated identity solutions) that might help bridge the gap in a compliant way. However, always vet these against regulations, as some “innovations” may not pass legal muster if they reintroduce individual tracking without consent.
• Re-think attribution and marketing strategy. In the short term, contextual targeting and content relevance gain importance as personalised retargeting loses some efficacy. Marketing attribution might rely more on aggregate trends and correlations (e.g. traffic lift during a campaign) rather than individual user paths. B2B marketers should enrich their analysis with other data: email engagement metrics, CRM data on sales cycles, offline touchpoints, etc., to form a complete picture. Where possible, encourage users to identify themselves (via login or form) at key points of the journey – for example, perhaps gating certain high-value content behind logins for a personalised experience. This must be balanced carefully against user experience, because forcing login too early can deter prospects.

In conclusion, the twin forces of privacy laws and browser changes are forcing marketers to adapt or be left with unreliable data. Those who proactively adjust – by upgrading their technology stack, seeking privacy-compliant analytics, and focusing on first-party engagement – will still be able to derive insights and drive results. But the days of easy tracking are over: if your marketing and site performance measurement today still heavily rely on cookies, expect performance and reporting to be severely compromised. B2B firms, especially in finance, should act now to modernise their approach, as the cost of inaction is clear: losing sight of perhaps 80%+ of your audience’s journey and misallocating marketing spend due to misleading data. The imperative is to respect user privacy choices while finding innovative ways to measure and optimise marketing – a new balance that defines the next era of B2B digital marketing.