Measurement and compliance are usually treated as two separate subjects. They aren’t. A site measures poorly because browsers and adblockers cut off data; and it is “compliant” with a cosmetic banner that doesn’t solve what the law actually requires. This article separates fact from hype - because, on this topic, the market gets it wrong in both directions: it overstates the conversion loss and overstates the fear of fines. Everything here comes from primary, recent sources (2023-2026).
Key takeaways
- The “death of cookies” didn’t happen: Google reversed the removal of third-party cookies in Chrome and retired several of the Privacy Sandbox’s main advertising APIs in October 2025 (Privacy Sandbox, 2025). The real measurement loss comes from Safari, Firefox and adblockers, not from Chrome.
- Server-side (sGTM) and the Meta CAPI recover part of the lost events - but the “lift” numbers come mostly from vendors; the famous “loss of 20-40% of conversions” has no verifiable independent source.
- In Brazil, compliance is not Europe: the LGPD (Brazilian data protection law) has no ePrivacy law, so legitimate interest can support part of analytics (with an impact report), and consent is the safest basis for non-essential cookies (ANPD Cookie Guide).
- Google’s Consent Mode v2 is required only for EEA/UK traffic - it is not a Google requirement for Brazil (Google Ads, 2024).
- The most concrete and recent compliance risk is not the banner: it is the international transfer of data (GA4, Meta in the US) without standard contractual clauses, required by the ANPD since August 2025 (ANPD Resolution 19/2024).
The measurement you actually lose (and the one you don’t)
For years the market sold the “cookiepocalypse”: Chrome would kill third-party cookies and tracking would end. It didn’t happen. In 2024 and 2025 Google reversed the decision, abandoned even the choice prompt and, in October 2025, retired several of the Privacy Sandbox’s main advertising APIs (Privacy Sandbox, 2025). Third-party cookies keep working in Chrome.
The real loss is older and quieter, and comes from three fronts that never backed down:
- Safari (ITP). Cookies created via JavaScript expire in 7 days without interaction - and drop to 24 hours when there are tracking parameters in the URL. Third-party cookies are already blocked by default (WebKit - Tracking Prevention).
- Firefox (ETP). Blocks cookies from known trackers by default.
- Adblockers. About 29.5% of global internet users use an adblocker at least sometimes (GWI, 2025) - in Brazil, reliable estimates sit closer to the 15-21% range, not the “40%” that circulates without a source.
The honest reading: you probably measure less than you think, but not because Chrome abandoned you - rather because a relevant slice of traffic (Safari, Firefox, adblockers) escapes client-side tracking.
How server-side recovers part of it
Server-side tagging (sGTM) moves collection from the browser to a server you control, in a first-party context - which withstands blocking better. Combined with the Meta Conversions API (CAPI), which sends events straight from your server to Meta, with deduplication by event_id within a 48h window (Meta - CAPI), it recovers events the pixel would lose.
How much do you recover? Here we need honesty about the sources:
- The most transparent case is the agency seoplus+, in a 4.5-month A/B test: +24% in Google Ads conversions with server-side, recovering ~12% of blocked interactions - published by Stape, an sGTM vendor (Stape).
- Google’s own data on the Tag Gateway (first-party) points to gains of around +11% in signals, published by a partner agency (Brainlabs).
There is no independent study validating the claim “you lose 20-40% of conversionswithout server-side”. It comes from vendor materials. The benefit is real and measurable - but it should be presented as a case, not as a law.
In other words: server-side improves measurement resilience and quality, with documented gains in the ~10-25% range in real cases. Anyone promising a fixed number is selling, not measuring.
Compliance in Brazil is not Europe
Here lies the most common mistake. Many people import the European yardstick and declare: “firing any tag before consent is illegal”. In Brazil, it’s not that simple - and the difference is structural.
Europe has a specific cookie law (the ePrivacy Directive) that requires prior consent. Brazil has no equivalent. The LGPD handles cookies through its ten legal bases (Art. 7), with no hierarchy among them (LGPD, Art. 7). The ANPD Cookie Guide sets the practical line:
- Strictly necessary cookies (technical, essential to operation) can be used without consent.
- Non-essential cookies need a legal basis. In restricted scenarios, essential or low-intrusion analytics can be assessed under legitimate interest (Art. 7, IX), provided there is a legitimate purpose, minimization, transparency, a balancing test and documentation (Impact Report, Art. 10). For advertising, remarketing and profiling cookies, consent remains the safest basis (ANPD Cookie Guide).
- Dark patterns are prohibited: no highlighted “accept all” with the refusal hidden, and no conditioning access to content on accepting all cookies.
The general rule applies: the choice between consent, legitimate interest and another legal basis always depends on the processing context - purpose, data type, transparency and risk to the data subject. There is no single shortcut.
And Google’s Consent Mode v2? It is a Google requirement only for those reaching users in the EEA, UK and Switzerland (since March 2024), and only for personalization/remarketing (Google Ads, 2024). For Brazil, Google does not impose it - what applies is the LGPD, a legal obligation independent of Google. A Brazilian advertiser only needs Consent Mode v2 for the share of traffic coming from Europe.
A technical detail that undoes another myth: consent is captured client-side (the banner), and sGTM merely consumes that signal - it does not replace the banner (Google - Consent mode server-side).
The real risk, without the marketing fear
The LGPD fine exists and is heavy: up to 2% of revenue in Brazil, capped at R$50 million per violation - and the count is per violation, not per proceeding (LGPD, Art. 52). But the fear needs context: as of this article’s verification, we found no ANPD sanction specifically over a cookie banner or website tracking. The first fine (2023) was for using data without a legal basis, not for cookies (ANPD). Still, the topic is not off the radar: the ANPD’s 2026-2027 Priority Topics Map includes the secondary use of data for targeted advertising and privacy by design (ANPD - priority topics). In other words: the banner alone is still not the center of enforcement - but targeted advertising, secondary processing and data governance are already entering the radar.
So where is the most concrete, current risk? In two points almost nobody looks at:
- International transfers. Tools like GA4 and Meta can involve the international transfer - or processing - of personal data, depending on configuration, the contractual chain and the data flow (the ANPD distinguishes this from mere direct collection from the data subject). ANPD Resolution 19/2024 regulated international transfers and the standard contractual clauses, with an adaptation deadline that expired in August 2025 (ANPD Resolution 19/2024). In practice: beyond the banner, you need to review legal basis, processors, DPAs and the transfer mechanisms applicable to your case.
- Incident response. ANPD Resolution 15/2024 requires notifying data subjects of relevant security incidents within 3 business days (ANPD Resolution 15/2024).
Notice: the cookie banner, which everyone treats as “the” compliance topic, is the least urgent item on the list. What matters is documented legal basis and international transfers - exactly what a cosmetic banner doesn’t solve.
The takeaway
Mature tracking means measuring well and being genuinely compliant - not displaying a cosmetic banner on top of data you’ve already lost.
Measuring well is technical resilience: server-side, CAPI, deduplication, measurement that survives Safari, Firefox and adblockers. Being compliant is having a documented legal basis, genuinely respecting consent (no dark patterns) and covering international transfers. Most companies have one of the two, or neither. Doing both, together, is engineering - and that is exactly where the difference lives.
At Inodus, tracking comes in the right measure: server-side when the investment justifies it, consent implemented for real and within the law. Want to know where yours stands? Run the free online audit.
Frequently asked questions
Are third-party cookies gone?+
Not in Chrome - Google reversed the removal and retired several of the Privacy Sandbox's main advertising APIs in 2025 (Privacy Sandbox). Safari and Firefox, however, already block them, and Safari caps first-party cookies at 7 days. The measurement loss is real in those browsers.
Does server-side tracking recover 40% of conversions?+
There is no independent source for that number. Vendor case studies show gains of ~11% to 24% (Stape; Brainlabs). The benefit is real, but the fixed number is marketing.
In Brazil, do I need consent before firing any tag?+
Not necessarily. Unlike Europe, the LGPD (Brazilian data protection law) has no ePrivacy law. Strictly necessary cookies don't require consent; for non-essential ones, consent is the safest basis, but legitimate interest can support part of analytics if documented (ANPD Cookie Guide).
Is Google's Consent Mode v2 mandatory in Brazil?+
No. It's a Google requirement only for traffic from the EEA, UK and Switzerland (Google Ads). In Brazil what applies is the LGPD, a legal obligation independent of Google.
What is the biggest compliance risk companies ignore?+
International data transfers. Using GA4/Meta (servers in the US) requires standard contractual clauses since August 2025 (ANPD Resolution 19/2024) - something no banner solves.
How we interpret the sources in this article
This content distinguishes four types of evidence: official documentation, case studies published by recognized sources, proprietary market studies, and emerging research or analyses. Official data is treated as normative reference. Proprietary studies and benchmarks are used as directional signals, not universal rules. Academic research and log analyses on AI are presented as evolving technical evidence, especially when vendors have not yet defined public thresholds.
Methodology and sources
Legal grounding in primary sources: the text of the LGPD (Planalto), the Cookie Guide and ANPD Resolutions 15/2024 and 19/2024official. Technical data: WebKit (ITP), Privacy Sandbox/Google (cookie status), Google (Consent Mode and sGTM), Meta (CAPI)official. Market benchmarks (GWI, eyeo)proprietary and vendor cases (Stape)case study are explicitly cited as such. This article is informational and does not constitute legal advice.
