What is privacy-preserving ad measurement?
Privacy-preserving ad measurement lets advertisers prove ROI without tracking individual users. Here's how it works, and where it still falls short.
Linnea Zielinski · 8 min read
Think about how a sealed ballot box works. Nobody watches how any one person votes, and no election official could tell you how you personally voted even if they wanted to. But once the box is opened, you still get a real, trustworthy result: a final tally that tells you exactly who won. That's the same trade privacy-preserving ad measurement makes. Advertisers lose the ability to see what any single person did after seeing an ad, but they still get a dependable readout of what worked.
This trade has never been more relevant for anyone reporting on marketing performance. The tools advertising teams used to track individual users across the web are being dismantled from multiple directions at once, by browser makers, device makers, and increasingly by state lawmakers. Whatever combination of restrictions hits your stack first, the way you prove ROI to leadership needs to hold up regardless. Understanding how this kind of measurement actually works, and where it still comes up short, is the first step toward building a measurement approach that doesn't fall apart the next time a browser update or a new state law changes the rules.
Key takeaways
- Privacy-preserving ad measurement reports on ad performance in aggregate, without identifying individual users.
- Apple, Google, and Meta each built their own system, and they don't work the same way or report the same data.
- These systems typically rely on on-device processing, differential privacy, delayed reporting, and aggregation thresholds to keep any one person's activity hidden.
- Third-party cookie restrictions and mobile tracking limits started this shift, but a growing wave of state privacy laws is now restricting individual data collection independent of what any browser does.
- This kind of measurement has real limits: delayed data, suppressed results on smaller campaigns, and no way to connect activity across channels.
- Marketing mix modeling doesn't rely on individual-level signals in the first place, so it isn't affected by browser, app, or platform restrictions.
What is privacy-preserving ad measurement?
It's a category of security-focused technology that lets advertisers understand whether their campaigns are working without collecting or exposing any individual user's personal data. Instead of matching a specific person to a specific ad and a specific action, these systems report on what happened across a group of users, small enough to stay useful but large enough that no one person's activity can be picked out.
The techniques as privacy protections vary quite a bit depending on who built them, but they share the same basic goal: give advertisers a version of the value they used to get from cookies and device IDs, minus the part where any individual gets tracked. Most rely on first-party data the advertiser already has permission to use, matched or aggregated in a way that never exposes a single customer's record.
How it works on the browser level
Most of what people mean by privacy-preserving ad measurement today comes down to a handful of systems built into browsers and apps, and Apple's Private Click Measurement (part of its broader Privacy Preserving Attribution framework) gets the most attention. Instead of a third-party cookie following someone from website to website, the browser itself becomes the secure go-between.
Here's the general shape of how it works, whether you're looking at Safari's default settings, Firefox's own protections, or a similar system on another platform:
- Someone clicks an ad, and the event gets logged locally on the device instead of being sent to an ad server.
- If that person later completes a purchase or another tracked action on the advertiser's website, the match between the click and the action happens locally, without exposing anything to the ad server.
- After a delay, a stripped-down, aggregated summary goes to the advertiser. It contains no personally identifiable information (PII), just enough to show whether the campaign drove results.
Experienced marketers will immediately notice that this is a significant shift from how ad tracking used to work, when a cookie planted in a user's browser did the matching between an ad click and an onsite action, and could follow that same person across sites and sessions. Now, with third-party cookies restricted and mobile identifiers locked down by default, that matching happens locally, and nothing about a specific user ever leaves their device.
The different flavors of privacy-preserving measurement
One company isn't building all of this. If you've felt confused comparing notes with other marketers, it's probably because you're each describing a different system, built with different technology and different controls. A few of the major approaches:
- Private Click Measurement / Privacy Preserving Attribution: Built into Safari and WebKit, using on-device matching and delayed, aggregated reports, as described above.
- Privacy Sandbox (Attribution Reporting API): Chrome's answer to the same problem, also aggregating and delaying data, with its own thresholds and reporting windows that differ from other browsers.
- Aggregated Event Measurement: Built for advertisers who send conversion events through a pixel or conversions API, this feature caps how many events can be optimized for per domain and reports results in aggregate rather than per user.
- Data clean rooms: A different approach entirely, sometimes built on multi-party computation. Two parties, say a retailer and an advertiser, can test and match their first-party data sets against each other inside a secure, access-controlled environment without either side ever seeing the other's raw customer data.
- Server-side and first-party conversion APIs: Instead of relying on a browser to track a click, these send conversion data directly from an advertiser's own server to a platform, reducing dependence on cookies while still needing consented first-party data and clear user privacy controls to work.
None of these systems are interchangeable, and none of them talk to each other. A campaign measured through one platform's aggregated reporting and a campaign measured through another's local attribution aren't producing numbers you can stack side by side. That's worth keeping in mind before you try to reconcile reports from different sources into one dashboard.
What it's replacing
Two separate forces are behind this shift, and most coverage only talks about one of them:
Browser and mobile restrictions
Third-party cookies have been on the way out for years, first through Apple's Intelligent Tracking Prevention in Safari, then through Apple's App Tracking Transparency limiting mobile identifiers on iOS, and now through Chrome's own Privacy Sandbox changes. Each of these narrowed what advertisers could see about individual users, and each pushed the industry toward the aggregated systems covered above.
State privacy legislation
This gets less attention, and it's a bigger deal than most marketers realize. More than 20 states now have comprehensive consumer data privacy laws on the books, covering everything from the right to opt out of targeted advertising to restrictions on selling personal data, and that number keeps growing. New York doesn't have one yet, but a version of the New York Privacy Act has been introduced repeatedly and continues to move through the state legislature, which means advertisers assuming this is only a browser problem are missing where the next restriction is likely to come from. At the federal level, proposals like the American Data Privacy and Protection Act show the same pressure building nationally, even without a federal law passed yet.
Put those two forces together and the pattern is clear: even if cookies came back tomorrow, the regulatory pressure toward measurement built without individual tracking would still be building from state legislatures. Any approach that only accounts for one of these forces is planning for half the problem.
Where this kind of ad measurement runs into trouble
None of this is a knock on these systems. They're doing exactly what they were built to do. But they come with real tradeoffs that don't get much attention, and marketers should go in with clear eyes about what they're not getting.
- Delayed reporting. Aggregated summaries don't arrive in real time. Depending on the system, that delay can be anywhere from a few hours to several days, which makes fast budget optimization harder.
- Suppressed data on smaller campaigns. These systems only surface a result once enough people have converted to protect individual privacy. Smaller campaigns or niche audiences can fall below that threshold and produce nothing at all.
- No cross-device visibility. Someone who sees an ad on their phone and converts on their laptop looks like two separate, unconnected people to most of these systems.
- No cross-channel view. Each platform's privacy-preserving system only measures activity that happened inside that platform. None of them can tell you how a campaign on one channel might have driven a purchase somewhere else entirely, like through branded search, organic traffic, or a retail platform like Amazon.
These systems were built to protect individual users, not to give advertisers a complete picture of what's driving revenue. Those are two different problems, and solving the first one doesn't solve the second.
Where Prescient comes in
Marketing mix modeling (MMM) was never built around tracking individual users, so none of the tradeoffs above really apply to it. Prescient's marketing mix model uses aggregated, first-party business data and statistical modeling to understand what's driving performance. There's no cookie to lose, no device ID to restrict, and no individual signal that a browser update or a new state law could take away.
That also means Prescient can do something none of the systems above can: connect campaign performance to results across your entire business, including halo effects that show up in branded search, organic traffic, direct visits, and retail channels. If you want to see what a measurement approach built for a world with fewer individual signals actually looks like, book a quick demo and we'll walk you through it.
FAQs
Is privacy-preserving ad measurement as accurate as cookie-based tracking used to be?
It depends on what you mean by accurate. These systems are reliable for the aggregated results they're built to produce, but they report less granular data than the old approach did. What they trade in precision, they make up for in being built to survive further privacy restrictions.
Does privacy-preserving ad measurement work the same way on every browser?
No. Apple's Safari implementation, Google's Privacy Sandbox in Chrome, and Firefox's anti-tracking features all use different mechanics and thresholds for when data gets suppressed, so a campaign's reported performance can look different depending on which browser your audience is using.
Do I need to change my setup to use this kind of ad measurement?
In most cases, yes, at least partially. Many of these systems require specific tags, consent settings, or server-side integrations, and the setup varies across ad platforms and apps. Check each ad platform's own documentation before assuming your existing pixel setup is fully compatible.
Will privacy-preserving ad measurement eventually replace all cookie-based tracking?
Third-party cookies are already restricted in most major browsers, and that trend isn't reversing. Combined with the growing number of state privacy laws limiting user data collection outright, privacy-preserving and consent-based methods are likely to keep becoming the default rather than the exception.
The Halo
Exclusive insights, every week.
Subscribe to The Halo for sharper marketing thinking.
You're subscribed to The Halo!
Quick question (optional): How familiar are you with MMM?
Thanks for sharing! Enjoy The Halo.
Keep reading
View allBest identity graph for cross-device tracking in martech
Read articleWhat is a tracking pixel audit (and how do you run one)?
Read article
What cross-device attribution is and why it matters
Read articlePixels vs. cookies: What they are, how they differ, and what's changing
Read articleWhat is server-side tracking and why are marketers switching to it?
Read article
How to know if your audience planning is actually working
Read article