Link Tracking Protection and attribution loss: how to keep campaigns measurable without breaking compliance
- Marc Alexander
- Jan 7
- 4 min read
You launch a campaign. The clicks arrive. The spend is spent. GA4 then looks you dead in the eye and tells you most of it was “Direct”.
That used to mean “someone forgot UTMs”. It often means something more mundane and more annoying: modern browser privacy protections have made link-based attribution less reliable, while most campaign measurement still depends on link-based signals arriving intact and being readable at precisely the right moment.
This article is the plain-English explanation of why attribution drops out, what Safari’s Link Tracking Protection is doing, and how to keep campaigns measurable without building a solution you’d rather not describe in writing.
What Link Tracking Protection actually does
Safari’s Link Tracking Protection targets tracking information embedded in destination URLs during cross-site navigation. WebKit describes two behaviours that matter for marketers.
First, Safari removes certain query parameters that have been identified as being used for cross-site tracking at a user or click level, and it does this before navigation so those values never even reach your site.
WebKit also explicitly distinguishes campaign-attribution parameters from click- or user-level tracking parameters, noting that campaign-style parameters are allowed through.
Second, after a cross-site navigation, third-party scripts that attempt to read the full URL using common APIs can be shown a version of the URL with no query parameters or fragment, and cross-site document.referrer is also hidden from script access in Private Browsing.
That second part is the quiet killer. Even if some parameters arrive, the very scripts you rely on to capture them for analytics may not be allowed to see them in the way you expect.
Why GA4 calls it “Direct”
GA4 attribution is only as good as the signals it can capture at session start. If the campaign context is missing, stripped, or unreadable at the moment GA4 tries to establish session acquisition, GA4 defaults to Direct because it has no reliable evidence of source, medium, or campaign.
That’s not GA4 being difficult. It’s GA4 refusing to make something up. The problem is that your reporting now looks like your marketing has become inexplicably brilliant at “brand awareness” and inexplicably terrible at everything else.
The compliance constraint you can’t ignore
When teams see attribution loss, the temptation is to “just capture it earlier” or “store it somewhere else” so the campaign doesn’t disappear. This is where otherwise sensible organisations accidentally create a compliance issue while trying to solve a reporting issue.
In the UK, the ICO’s PECR cookies guidance is explicit that analytics cookies are not strictly necessary and require consent.
In the EU, the direction of travel is equally clear: the EDPB has highlighted that techniques such as tracking links and pixels sit within the technical scope of ePrivacy rules, specifically to reduce the temptation to sidestep consent obligations by swapping cookies for alternative tracking mechanics.
So the objective is not “recover attribution at all costs”. The objective is “keep campaigns measurable in a consent-aware way, with an approach you can defend”.
The strategy that actually holds up
If Link Tracking Protection can prevent third-party scripts from reliably reading URL details after cross-site navigation, the strategic response is straightforward.
Stop betting your attribution on one fragile, browser-dependent moment where a script reads location.search and hopes it’s still there.
Instead, design for session continuity: preserve campaign context safely through real-world browsing behaviour, and only apply it to analytics once consent has been granted (where consent is required). Robust and lawful. Both.
The Session Integrity Layer: the implementation that fits this problem
This is exactly why I built the Session Integrity Layer (SIL).
It is a lightweight, browser-side layer deployed through Google Tag Manager, and it activates only after the user consents to analytics. It doesn’t send data anywhere new; it governs how GA4 interprets what is already there, so sessions and attribution behave more like real visits rather than technical accidents.
In the context of attribution loss and Link Tracking Protection, the key capability is consent-based attribution recovery: campaign URLs can use harmless hash/anchor fragments, and once a user gives consent, SIL converts those fragments into standard query parameters so GA4 can recognise campaign attribution properly, without trying to do analytics processing before consent.
Separately, SIL also tackles the messier “sessions don’t behave like humans” problem by aligning session continuity to GA4’s own session signals, which reduces the number of bizarre edge cases where GA4 starts a new session without a clean landing event and attribution gets muddied.
Where an audit fits
The Session Integrity Layer is the fix you install. An audit is how you avoid installing the fix blindly.
A proper Session Integrity Audit maps your real campaign entry points and identifies exactly where attribution is being lost: which browsers, which modes (including Private Browsing), which redirect patterns, and which consent timing behaviours.
It then tells you whether SIL is the right solution, how it should be configured, and what success should look like in your reporting.
That keeps the work grounded in evidence rather than vibes, which is the preferred mode for anyone who has ever tried to explain a sudden Direct spike to a paid media lead.
If you’re seeing Direct inflate, UTMs “disappear”, or campaign performance become suspiciously hard to prove on iOS journeys, this is the symptom set SIL was built to address.
I work directly with marketing and analytics teams to implement the Session Integrity Layer in GTM, align it with the consent setup you actually run, and make sure GA4 reflects what is really happening on your site.
Or explore my specialised services:
Comments