Cookieless Retargeting: What Replaces the Cookie

ByKeith Lacy
Why Cookie-Based Retargeting Worked So WellThe Five Mechanisms That Now Do the WorkWhat This Means for Organisations With Limited Data InfrastructureThe Consent Layer Is Not OptionalHow to Stress-Test Your Current Retargeting SetupThe Measurement Problem That Nobody Talks About EnoughResourcing the Transition

Get sharp marketing thinking, weekly

No fluff. Just clear, commercially grounded insights.

Cookieless retargeting is the practice of re-engaging audiences who have previously interacted with your brand, without relying on third-party cookies to identify and track them across the web. It uses a combination of first-party data, contextual signals, privacy-preserving APIs, and identity resolution to achieve what cookie-based retargeting once did, though rarely with the same precision or simplicity.

The honest answer to “what replaces the cookie” is: nothing replaces it perfectly. What you get instead is a set of imperfect substitutes that, used together, can come close, provided you have built the right foundations.

Key Takeaways

  • No single technology replaces third-party cookies. Effective cookieless retargeting requires combining at least three or four approaches simultaneously.
  • First-party data quality is the single biggest determinant of how well your retargeting survives the transition. Volume matters less than accuracy and consent.
  • Google’s Privacy Sandbox APIs, particularly the Protected Audience API, offer on-device interest-based targeting without exposing individual user data to advertisers.
  • Hashed email matching through platforms like Google’s Customer Match and Meta’s Custom Audiences is already the most reliable retargeting signal available for brands with strong CRM data.
  • Organisations that treat this as a technical problem will underperform. It is a data strategy problem that happens to have technical components.

In This Article

  1. Why Cookie-Based Retargeting Worked So Well
  2. The Five Mechanisms That Now Do the Work
  3. What This Means for Organisations With Limited Data Infrastructure
  4. The Consent Layer Is Not Optional
  5. How to Stress-Test Your Current Retargeting Setup
  6. The Measurement Problem That Nobody Talks About Enough
  7. Resourcing the Transition

If you want to understand how this fits into the broader picture of how marketing teams are structured and resourced to respond to changes like this, the Marketing Operations hub covers the operational frameworks that sit behind modern marketing execution.

To understand what we are replacing, it helps to be clear about why the original model worked. Third-party cookies allowed advertisers to drop a small identifier on a user’s browser when they visited a site. That identifier could then be read by ad networks across thousands of other sites, enabling the advertiser to recognise the same user later and serve them a targeted ad.

The reason this was so commercially powerful was the combination of scale, precision, and low cost. You could retarget a user who had abandoned a checkout, or who had browsed a specific product category, or who had visited your pricing page, without needing to know anything about them personally. The cookie did the identification work automatically.

I saw this in action early. At lastminute.com, we were running paid search campaigns where the retargeting layer was doing a significant portion of the conversion work. Someone would click on an ad for a music festival, browse without buying, and then be followed across the web with a reminder. The economics were strong precisely because the targeting was tight and the intent signal was fresh. The cookie made that possible with almost no data infrastructure on our side.

That is exactly what is being removed. And the reason it matters is not just privacy regulation. It is that browser-level privacy changes have been tightening for years, independent of any single legislative event. Safari has been blocking third-party cookies since 2017. Firefox followed. Google’s eventual deprecation of third-party cookies in Chrome, which has been delayed repeatedly but remains directionally certain, is the last major domino.

The Five Mechanisms That Now Do the Work

There is no elegant replacement. What exists instead is a set of mechanisms, each with different strengths, different data requirements, and different levels of maturity. The brands that are performing well in cookieless environments are not using one of these. They are using several, with clear logic about which to apply where.

1. Hashed Email Matching

This is the most reliable mechanism currently available, and it has been underused for years. When a user logs in to a platform, or provides their email address at checkout, that email can be hashed (converted into an anonymised string) and matched against the same hash in an ad platform’s identity graph. Google’s Customer Match, Meta’s Custom Audiences, and LinkedIn’s Matched Audiences all operate on this principle.

The limitation is obvious: you need the email address. That means you need a reason for users to identify themselves, which means you need login functionality, a newsletter, a loyalty programme, or a checkout flow that captures email. Brands with strong CRM data are in a much better position here than those who have historically relied on anonymous traffic.

I have seen this play out across industries. When I was working with financial services clients, the ones with strong customer login infrastructure had a natural head start on identity-based targeting. The ones who had built their digital presence around anonymous browsing were starting from scratch. The same dynamic applies to credit union marketing, where member login data is a significant untapped retargeting asset that most institutions are not yet using strategically.

2. Google’s Privacy Sandbox and the Protected Audience API

Google’s Privacy Sandbox is an attempt to preserve some of the functionality of cookie-based advertising while keeping user data on the device rather than sharing it with advertisers. The Protected Audience API (formerly FLEDGE) allows interest-based retargeting to happen within the browser itself. The advertiser defines an audience and a bid, the browser holds the user’s interest group data locally, and the auction happens on-device.

The result is that advertisers can still reach users who have shown interest in their products, but they never receive individual-level data. The trade-off is reduced transparency and more limited optimisation signals. You cannot see which specific users converted. You can see aggregate outcomes.

Whether this becomes the dominant mechanism depends largely on Chrome’s market share holding and on whether the ad tech ecosystem builds sufficient tooling around it. At the time of writing, adoption is still relatively limited, but the directional logic is sound.

3. Contextual Targeting at Scale

Contextual targeting has been reframed as a cookieless solution, but it is worth being precise about what it does and does not do. It does not retarget. It targets. The distinction matters. Contextual targeting places ads on pages with relevant content, based on the content of the page rather than the identity of the user. It is not retargeting in the traditional sense because it has no memory of the user’s prior behaviour.

Where it becomes relevant to a retargeting strategy is in upper-funnel reinforcement. If someone has visited your site and you cannot follow them with a cookie, you can still ensure your ads appear in environments where they are likely to be. A user researching home renovation is probably reading home improvement content. That contextual signal is imprecise but not useless.

Modern contextual platforms have become considerably more sophisticated. Semantic analysis, NLP-based content classification, and brand safety scoring have made contextual targeting much more granular than the blunt category-based targeting of ten years ago. It is not a replacement for behavioural retargeting, but it is a legitimate complement to it.

4. Server-Side Tracking and First-Party Data Infrastructure

Server-side tracking moves the data collection from the user’s browser to your own server. Instead of a third-party pixel firing in the browser (which can be blocked by ad blockers, browser privacy settings, or ITP), your server collects the event data and sends it directly to the ad platform via an API. Meta’s Conversions API and Google’s Enhanced Conversions both work on this model.

The practical effect is that you recover a significant portion of the conversion signal that client-side tracking was missing. This is not a new concept, but it has become more urgent as browser-side tracking has become less reliable. Privacy and data security considerations have made server-side infrastructure not just a performance improvement but a compliance necessity in many markets.

Setting this up properly requires development resource and a clear data architecture. It is not a plug-and-play solution. But for any organisation spending meaningfully on paid media, the signal recovery alone justifies the investment. I have seen implementations where server-side tracking recovered 20 to 30 percent of conversion events that client-side was missing. That changes your ROAS calculations materially.

5. Identity Resolution and Clean Rooms

Data clean rooms are environments where two parties can match their first-party data without either party exposing their raw data to the other. A retailer can match their customer data against a media owner’s audience data, identify overlaps, and build targeting segments, all without the data leaving a controlled environment.

Google’s Ads Data Hub, Amazon Marketing Cloud, and various independent clean room providers operate on this model. For large advertisers with substantial first-party data, clean rooms offer a privacy-compliant way to do sophisticated audience matching that approximates what cookie-based retargeting once enabled.

The barrier to entry is high. Clean rooms require data engineering resource, legal agreements between parties, and a minimum volume of first-party data to make the matching statistically meaningful. For most small and mid-sized organisations, this is aspirational rather than immediately practical.

What This Means for Organisations With Limited Data Infrastructure

The honest reality is that cookieless retargeting is much harder for organisations that have not historically invested in first-party data. The mechanisms that work best, hashed email matching, server-side tracking, clean rooms, all require data that you own and can use with consent. If your digital presence has been built on anonymous traffic and third-party audience segments, you are starting from a significant deficit.

This is not unique to large enterprise. I have worked with smaller specialist firms, architecture practices, design studios, and professional services businesses, where the marketing function is lean and the data infrastructure is minimal. For an architecture firm allocating a modest marketing budget, building a first-party data programme from scratch is a real investment decision that has to be weighed against other priorities.

The same applies to interior design firms developing a marketing plan. The retargeting question is not just technical. It is about whether the business has the client data, the consent infrastructure, and the operational capacity to use it. For most firms in this category, the pragmatic answer is to focus on the mechanisms that require less infrastructure: contextual targeting, platform-native audience tools, and email-based retargeting through owned channels.

Non-profit organisations face a particular version of this challenge. They often have significant first-party data in the form of donor records and volunteer databases, but they rarely have the technical infrastructure to activate it for paid media retargeting. Understanding the right non-profit marketing budget allocation includes accounting for the data infrastructure investment that makes modern retargeting possible, not just the media spend itself.

Every cookieless retargeting mechanism that relies on first-party data requires consent. This is not a legal technicality. It is a foundational requirement that shapes what data you can collect, how you can use it, and what targeting you can build from it.

The practical implication is that your consent management platform, your privacy policy, and your data collection flows need to be designed to maximise legitimate consent, not just to achieve technical compliance. There is a significant difference between a consent banner that is designed to be dismissed and one that is designed to build a consented audience. The former gives you legal cover. The latter gives you a retargeting asset.

Privacy policy frameworks are increasingly important not just for SMS and email, but for any first-party data collection that feeds into paid media targeting. The data you collect under consent for one purpose cannot automatically be used for another. This matters when you are trying to use CRM data for ad targeting. The consent you obtained at sign-up needs to cover that use case.

Early in my career, I had to build things from scratch because there was no budget and no existing infrastructure. I taught myself to code to build a website when the MD said no to the investment. The lesson was not just resourcefulness. It was that understanding the underlying mechanics gives you better judgment about where to invest when budget does become available. Consent infrastructure is exactly that kind of foundational investment. It looks unglamorous, but it determines what you can do with everything that sits on top of it.

How to Stress-Test Your Current Retargeting Setup

Before deciding what to build, it is worth understanding what you currently have and how dependent it is on mechanisms that are already degrading. A few diagnostic questions worth working through with your team:

What percentage of your retargeting audiences are built from third-party cookies versus first-party identifiers? If you cannot answer this, your ad platform dashboards will give you a starting point. Audience match rates and addressable reach metrics tell you how much of your audience is currently identifiable.

What is your current email capture rate across key conversion points? Checkout flows, newsletter sign-ups, gated content, account creation. This is the raw material for hashed email matching. If your capture rate is low, that is the first thing to fix before any technical retargeting work.

Are you running client-side or server-side tracking for conversion events? If client-side only, your conversion data is already being underreported. The gap between reported conversions and actual conversions has been widening for several years as browser privacy settings have tightened.

Running a structured marketing workshop with your team to map these gaps is a practical starting point. A well-run marketing strategy workshop can surface the specific dependencies in your current setup and create a prioritised action list, which is considerably more useful than a generic migration checklist from a vendor who has a product to sell you.

The Measurement Problem That Nobody Talks About Enough

Cookieless retargeting does not just change how you target. It changes what you can measure. And the measurement changes are, in many ways, more significant than the targeting changes.

When retargeting worked on cookies, attribution was relatively straightforward. The cookie that tracked the user through to conversion gave you a direct line between the ad impression and the outcome. Remove the cookie and that line breaks. You are left with aggregate signals, modelled conversions, and probabilistic attribution.

The temptation is to treat this as a temporary data quality problem that will be solved by better technology. I would push back on that framing. The direction of travel in privacy regulation and browser policy is not going to reverse. Forrester’s work on marketing budgets and accountability has consistently shown that measurement pressure on marketing teams is increasing, not decreasing. The answer is not to wait for better measurement tools. It is to build a measurement framework that is honest about what it can and cannot see.

Marketing mix modelling, incrementality testing, and brand lift studies are the tools that work in a world of limited individual-level data. They are also more expensive and slower than last-click attribution. That is the honest trade-off.

I judged the Effie Awards for several years, and one thing that consistently separated the winning entries from the also-rans was not the sophistication of their targeting. It was the rigour of their measurement thinking. The best campaigns were built around a clear theory of how the activity would drive outcomes, with measurement designed to test that theory. That discipline matters more in a cookieless environment, not less.

Resourcing the Transition

One of the underappreciated challenges of the cookieless transition is that it requires skills that many marketing teams do not currently have in-house. Data engineering, consent management, server-side tracking implementation, and identity resolution are not standard competencies in a marketing department that has been built around campaign execution and creative production.

For organisations that cannot justify a full in-house data and martech team, a virtual marketing department model offers a way to access specialist capability without the overhead of permanent headcount. This is particularly relevant for the cookieless transition, where you may need intensive specialist support for a defined implementation period rather than an ongoing full-time role.

The operational structure of a marketing function determines what it can execute. If your marketing operations are not set up to handle first-party data collection, consent management, and server-side tracking, then the most sophisticated cookieless retargeting strategy in the world will not get implemented. Resourcing the transition is as important as planning it.

Marketing budget planning for the next one to two years should explicitly include a line for data infrastructure. Not as a technology cost, but as a marketing investment. The organisations that treat first-party data infrastructure as a capital investment rather than a cost centre will be in a materially better position in three years than those who do not.

The full context for how marketing operations teams are being restructured to handle these kinds of systemic changes, not just the cookieless transition, sits across the Marketing Operations hub, which covers everything from team structure to budget allocation to operational frameworks for modern marketing functions.

About the Author

Keith Lacy is a marketing strategist and former agency CEO with 20+ years of experience across agency leadership, performance marketing, and commercial strategy. He writes The Marketing Juice to cut through the noise and share what works.

Frequently Asked Questions

Can you still do retargeting without third-party cookies?
Yes, but not with the same simplicity or precision. Cookieless retargeting relies on a combination of hashed email matching, server-side tracking, platform-native identity tools, and Google’s Privacy Sandbox APIs. Each mechanism has different data requirements and coverage limitations. Used together, they can approximate the reach and relevance of cookie-based retargeting, but only for organisations that have invested in first-party data infrastructure.
What is the most effective cookieless retargeting method right now?
Hashed email matching through platforms like Google Customer Match and Meta Custom Audiences is currently the most reliable mechanism. It requires a consented email address for the user, but when that data is available, match rates and targeting precision are strong. Server-side conversion tracking is a close second in terms of practical impact, because it recovers conversion signal that client-side tracking is missing, which improves the quality of all your optimisation and measurement.
How does Google’s Privacy Sandbox affect retargeting?
Google’s Privacy Sandbox introduces a set of APIs designed to preserve advertising functionality without exposing individual user data to advertisers. The Protected Audience API allows interest-based retargeting to happen on-device, within the Chrome browser, without the advertiser receiving individual-level identity data. The trade-off is reduced transparency and more limited optimisation signals. Advertisers can see aggregate outcomes but not individual user journeys.
Do small businesses need to worry about cookieless retargeting?
Yes, but the priority actions are different from those facing large enterprise advertisers. For small businesses, the most practical steps are improving email capture rates at key touchpoints, enabling server-side tracking for conversion events, and using platform-native audience tools like Customer Match and Custom Audiences. Data clean rooms and identity resolution at scale are not realistic for most small businesses, but the foundational steps are accessible and have a meaningful impact on retargeting performance.
What first-party data do you need for cookieless retargeting?
The most valuable first-party data for retargeting is consented email addresses, because these enable hashed email matching across major ad platforms. Beyond email, server-side event data (page views, add-to-cart events, purchases) collected through your own infrastructure gives you the conversion signals needed to build and optimise retargeting audiences. CRM data, loyalty programme data, and account login data are all valuable inputs. The common requirement across all of these is explicit user consent for the specific use case of advertising.

Similar Posts