The Signal Chain

A "pixel" is a JavaScript snippet that listens for browser events and sends HTTP requests to a platform's collection endpoint. It runs if and only if: the browser loads it, allows it to execute, and allows it to make the outbound request.

Ad blockers (uBlock Origin, Brave, Privacy Badger) maintain filter lists of known tracking domains. If connect.facebook.net is on the list, the Meta pixel never loads. Safari's ITP caps first-party cookies set by JavaScript to 7 days (24 hours if the user arrived via a known tracker). Firefox ETP blocks known third-party trackers by default. In 2026, pixel-only tracking typically loses 30-40% of conversion events. On audiences skewed toward iOS/Safari, the loss can reach 40-60%.

Approximately 30% of global internet users actively run ad-blocking tools. Over 50% have installed or used one at some point. Global tracking opt-in rejection rates run 50-60% (driven by Apple's ATT and GDPR consent requirements). These are directional ranges from multiple industry surveys, not precise measurements.

Each ad platform has its own list of "standard events" that its algorithm understands. If you fire a custom event called form_submitted_final2, Meta's optimisation engine doesn't know what to do with it. If you fire Lead, it does. The event name is the handshake between your site and the platform's machine learning.

GA4 renamed "conversions" to Key Events in 2024. Any GA4 event can be marked as a Key Event, but best practice limits this to 3-5 high-value actions. More than that, and you're feeding noise to the bidding algorithms.

When running both GA4 and Meta, map your events one-to-one. A generate_lead in GA4 should correspond to exactly one Lead event in Meta. If your GA4 fires generate_lead but Meta receives both Lead and CompleteRegistration for the same action, you're double-signalling.

Website platforms (Squarespace, Shopify, Wix, WordPress) offer "native" pixel integrations where you paste your Pixel ID into a settings panel and the platform handles injection. This is convenient. It is also a black box.

Native integrations fire a fixed set of standard events. Squarespace's native Meta integration fires Lead only on native newsletter blocks and promo popups. It does not fire on standard form block submissions (contact forms, enquiry forms, booking requests). If your business model is lead generation via form submissions, the native integration fires PageView on your thank-you page but never fires a Lead event for the form itself.

Native integrations inject the pixel in a way that does not appear in your page's HTML source. View Source shows nothing. Many pixel debugging tools miss it. Meta Pixel Helper will detect it (it watches network requests, not source code). You can have a native integration AND a manual Code Injection pixel running simultaneously without knowing it, causing double-counting across the entire site.

When a user crosses from your domain to a third-party domain (a booking engine, a payment gateway, a separate app), the browser creates a new cookie context. Without explicit cross-domain linking, the user's journey is split into two unrelated sessions and the conversion is attributed to "referral from your own site" instead of the original traffic source.

Redirects that strip query strings (security plugins, "clean URL" features). JavaScript-triggered navigation (window.location instead of <a> tags). Consent Mode blocking the linker before consent is granted. iframes loading the booking platform (separate browsing context). The booking platform stripping unknown query parameters on their end.

Unlike GA4, Meta's pixel has no native mechanism to follow users across domain boundaries. The _fbp (browser ID) and _fbc (click ID) cookies are first-party cookies scoped to the domain they were set on. When the user moves to a different domain, those cookies are invisible.

When a user clicks a Meta ad, the landing page URL contains ?fbclid=XXXX. If this parameter survives through to the conversion page on the third-party domain, the Meta pixel there can read it and attribute the conversion. But: Safari's Link Tracking Protection strips fbclid in Private Browsing and Mail/Messages. And many booking platforms strip unknown URL parameters.

Install the pixel on the third-party domain (if you have access). Use the Conversions API to send events server-side (bypasses the browser entirely). Check if the platform has a native "Pixel ID" field in its settings.

The browser pixel fires if it can. The server-side path fires regardless. Together, they provide resilience: the server path catches the 30-40% of events that ad blockers, Safari ITP, and privacy browsers prevent the client-side pixel from sending.

For Meta CAPI, simply sending events is not enough. Aim for EMQ > 8.0 by hashing first-party identifiers (email, phone, name, IP) via SHA-256. A low EMQ means Meta can't match your server events to users, which makes the whole server-side path pointless.

Deduplication is the mechanism that allows you to run client-side and server-side tracking simultaneously without double-counting. It is mandatory when using both Meta Pixel and CAPI. It is mandatory when using both gtag.js and Google Ads Enhanced Conversions.

1. Identical event_id: generated once (client-side), passed to both pixel and CAPI. 2. Identical event_name: must match exactly (case-sensitive). 3. Received within 48 hours: both signals must arrive within the deduplication window.

ITP blocks third-party cookies entirely (default, years running). JS-set first-party cookies capped to 7 days (24h if user arrived via known tracker). Advanced Fingerprinting Protection limits device APIs. Link Tracking Protection strips gclid/fbclid in Private Browsing and when links opened via Mail/Messages. Standard browsing does not strip click IDs by default (yet).

Third-party cookies NOT deprecated. Google reversed course in April 2025, scrapping both the forced deprecation and the planned "user choice" prompt. Cookies remain on by default. Privacy Sandbox APIs (Topics, Attribution Reporting) continue to be developed alongside cookies.

Four required signals: ad_storage, analytics_storage, ad_user_data, ad_personalization. Advanced mode enables conversion modelling (Google's benchmark: recovery of "more than 70%" of lost ad-click-to-conversion journeys). Requires 700 ad clicks per 7-day period (per country/domain) to qualify. As of June 15, 2026: ad_storage is the sole authority for ad data collection.

UTM parameters (utm_source, utm_medium, utm_campaign). Apple does not strip these. They are not cookies. They are not JavaScript. They are URL text. Properly tagged campaign URLs remain the most reliable source of channel attribution in GA4.

Each platform measures something slightly different. GA4 measures cross-channel journeys using machine learning. Meta measures only its own contribution. Google Ads measures only its own contribution. They will never agree. A 20-40% variance between platforms is normal, not a bug.

January 12: removed 7-day view and 28-day view attribution windows. Advertisers with long sales cycles reported immediate 15-40% drops in attributed conversions. Not a real performance drop. A measurement change. March: redefined "click-through" to count only link clicks (not social engagements). Introduced "engage-through" for non-click interactions with a 1-day window.

1. Backend / bank / CRM = ground truth. 2. GA4 = best available cross-channel attribution. 3. Ad platforms = best for platform-specific optimisation decisions (bidding, creative, audience).

Enhanced Conversions (Google) and advanced matching (Meta) use hashed first-party data (email, phone number) to match conversions to ad clicks, even when cookies and browser-based identifiers fail. This is the primary mechanism for recovering signal lost to privacy restrictions.

If your conversion is a form submission that captures an email address, Enhanced Conversions becomes extremely powerful. The user's email is the bridge between the ad click and the form fill. Without it, you're relying entirely on cookie-based attribution, which is increasingly unreliable.

Every tracking architecture should be tested at every hop before you spend a dollar on ads. Run it once at setup. Run it again every time you change a platform, update a CMS, switch a consent banner, or notice a reporting gap.

Test from the bottom up. If attribution is broken, check deduplication first (the cheapest fix). If dedup is fine, check server-side. If server-side is fine, check cross-domain. Most "tracking is broken" issues are found at step 2 (wrong event type) or step 5 (duplicate counting).

If a client says "I can see results but no conversions," the issue is almost always at step 2. The pixel is firing (PageView), but the conversion event is not (no Lead/Purchase). Either the event isn't configured, the custom conversion isn't set up, or the campaign is optimising for an event type that never fires.