First-Party Data and Compliance Hub

Hub connecting the browser restrictions, server-side infrastructure, EU/US legal frameworks, and identity resolution approaches that together determine how much advertising and analytics signal you can legally collect in 2026.

Tags: ga4, google ads, analytics, data quality

Analytics and advertising measurement are constrained by two independent forces: browser restrictions on tracking cookies and regulatory requirements for consent before setting them. Browser restrictions, server-side infrastructure, consent law, and identity resolution form a stack where gaps in any layer affect the others. This hub connects the notes covering each layer.

Browser Restrictions

Browser Cookie Restrictions in 2026 — How Safari ITP, Firefox Total Cookie Protection, and Chrome handle tracking cookies differently. Safari’s 7-day JavaScript cap, the iOS multiplier that extends ITP to all iPhone browsers, Firefox’s per-site cookie partitioning, and why Chrome’s permissiveness doesn’t save you. The combined effect: 20-40% of visitors are invisible to client-side tracking before consent rates enter the picture.

Server-Side Infrastructure

Server-Side Cookies and Safari ITP Bypass — The FPID mechanism: setting cookies via HTTP Set-Cookie header from a same-domain server bypasses Safari’s JavaScript cookie cap. The catch: Safari 16.4 added IP address verification, so a standard Cloud Run deployment still triggers the 7-day cap. Three approaches solve the IP problem (First Party Mode, reverse proxy, Stape Cookie Keeper), with realistic data recovery estimates by audience type.

EU Cookie Consent Legal Framework — The ePrivacy Directive covers device storage; GDPR covers personal data; both point to the same requirement: explicit prior consent for non-essential cookies. What valid consent actually means (freely given, specific, informed, unambiguous), which cookies are exempt, and why legitimate interest doesn’t apply to analytics. EDPB scope expansion to tracking pixels, tracking links, and device fingerprinting. Enforcement context: €6.7 billion in cumulative GDPR fines through 2025.

Consent Mode US Privacy Requirements — The US opt-out model: 20 states with comprehensive privacy laws, GPC signal recognition mandatory in 8 states, California 2026 regulations adding dark pattern prohibitions and risk assessment requirements. Also covers Google’s product-level requirements: ad_user_data for Enhanced Conversions and ad_personalization for remarketing apply regardless of geography.

Consent Mode v2 Hub — The complete Consent Mode v2 implementation cluster: parameter architecture, basic vs. advanced mode, implementation mechanics (default states, CMP integration, the wait_for_update race condition), server-side propagation, debugging, and the ten most common failure modes. This is the technical infrastructure that connects user consent choices to tag firing behavior.

Identity Resolution

Identity Resolution Ad Measurement — Enhanced Conversions (first-party data hashing + SHA-256, 5-25% conversion uplift, requires ad_user_data granted), Unified ID 2.0 and EUID (hashed email for cross-site targeting with explicit consent, major SSP adoption), and data clean rooms (Google Ads Data Hub, Meta Advanced Analytics, cloud-native options for cross-platform attribution at scale). These approaches complement server-side tracking for scenarios where cookies can’t operate.

Privacy Constraints for Linked Analytics Data — When linking GA4 cookie identifiers to CRM records, the CNIL consent exemption for analytics cookies disappears, right-to-deletion cascades across your entire identity graph, and data retention limits apply. The compliance implications of Customer 360 models.

GA4 BigQuery Number Discrepancies — Consent Mode behavioral modeling is typically the largest source of variance between GA4 interface numbers and BigQuery exports. Understanding this gap is important context for any data quality work downstream.

Common Implementation Stack

A combination that covers the main data loss scenarios while satisfying both EU and US privacy requirements:

  • A server-side GTM container on a properly configured custom domain (solving the Safari ITP problem)
  • A certified CMP with Consent Mode v2 integration (satisfying EU opt-in and US opt-out requirements)
  • Enhanced Conversions on key conversion events (recovering attribution for cleared-cookie users)

Beyond that baseline, audience mix determines what to add next. High Safari traffic makes IP matching worth solving. A significant EEA audience means hosting should sit in EU regions. Heavy Meta spend warrants CAPI with event deduplication. Each layer becomes easier to add once the server-side infrastructure exists.

The source article, "First-party data, cookies, and the compliance landscape", provides the full narrative with current enforcement figures, browser version details, and specific CMP recommendations.