Ad Attribution by Country in 2026

Cookie consent laws vary by country. See exactly how much ad attribution data you keep in each market, from near-100% in the US to under 40% in France.

Written by Tilen Ledic | 12 min

If you run an e-commerce store and advertise internationally, here is a reality you need to face: the same Google Ads campaign will give you completely different attribution accuracy depending on where your customer is located.

A US customer clicks your ad and buys three days later? You will almost certainly know which ad drove the sale. A German customer does the exact same thing? There is roughly a 50/50 chance that conversion becomes invisible to your reporting.

This is not a technical limitation. It is a legal one. And the gap between countries is far larger than most store owners realize.

I spent time researching the actual consent laws, enforcement actions, and realistic consent rates for every major market. This article gives you the full picture so you can make informed decisions about your ad spend, your tracking setup, and your expectations for each country.

The Complete Country Comparison

This table covers every major e-commerce market. It shows the consent model (whether users must opt in or opt out), how aggressively the law is enforced, and what percentage of ad-driven orders you can realistically attribute with Click ID tracking.

How to read the "realistic attribution" column: This is the estimated percentage of ad-click conversions where you will have the Click ID (GCLID, FBCLID) attached to the order. It accounts for consent rates, ad blockers, and technical losses. Higher is better.

| Country | Consent model | Enforcement | Realistic attribution | Risk level |
|---|---|---|---|---|
| United States | Opt-out | Low | 95-98% | Low |
| Australia | No cookie law (yet) | Very low | 95-98% | Low |
| Canada (excl. Quebec) | Opt-out | Low | 90-95% | Low |
| Poland, CEE | Opt-in (weak enforcement) | Low | 60-75% | Low-Medium |
| Slovenia, Croatia | Opt-in (same EU law) | Low | 60-75% | Low-Medium |
| United Kingdom | Opt-in (PECR + UK GDPR) | Moderate (rising) | 45-60% | Medium |
| Canada (Quebec) | Opt-in (Law 25) | Moderate | 45-60% | Medium |
| Brazil | Opt-in (LGPD) | Moderate | 50-65% | Medium |
| Switzerland | Opt-in (high-risk profiling) | Moderate | 45-60% | Medium |
| Spain | Opt-in (LSSI-CE) | Moderate | 45-60% | Medium |
| Italy | Opt-in (Art. 122 CCE) | Moderate | 40-55% | Medium-High |
| Belgium | Opt-in (GDPR direct) | Moderate-High | 40-55% | Medium-High |
| Austria | Opt-in (TKG 2021) | Low (rising fast) | 40-55% | Medium-High |
| Netherlands | Opt-in (Telecommunicatiewet) | High | 35-50% | High |
| Germany | Opt-in (TDDDG) | Very high | 30-50% | High |
| France | Opt-in (CNIL) | Strictest globally | 28-40% | Very High |
| South Korea | Opt-in (PIPA) | Very high | 30-45% | Very High |

Key insight: If you sell to US customers, you can track nearly every ad-driven conversion. If you sell to French or German customers, expect to lose more than half of your attribution data to consent requirements. This is not optional. These are enforceable laws with real fines.

The Good News for US Clients

If your customer base is primarily in the United States, you are in the best position globally for ad attribution.

The US has no federal cookie consent law. There is no opt-in requirement. No consent banner is legally required for ad tracking cookies. The only obligation is:

  • Disclose your tracking practices in your privacy policy
  • Provide an opt-out mechanism for California (CCPA/CPRA "Do Not Sell" link) and a handful of other states (Colorado, Connecticut, Oregon) that require honoring Global Privacy Control signals
  • Honor "Do Not Sell or Share" requests when they come in

The practical opt-out rate in the US is 1-5%. The vast majority of Americans either do not see a consent banner (because many US sites do not show one) or click through it without changing settings.

What this means for Enalitica users: With server-side Click ID tracking, Enalitica can attribute 95-98% of your ad-driven orders for US traffic. This is near-complete visibility into which campaigns, ad groups, and keywords are driving real revenue.

The same applies to Australia (no cookie law yet, reforms pending for 2026-2027) and Canada outside Quebec (opt-out model under PIPEDA).

19 US State Privacy Laws (and Counting)

As of January 2026, 19 US states have comprehensive privacy laws in effect: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia.

All of them use an opt-out model, not opt-in. You must let users opt out of targeted advertising and the sale or sharing of their data, but you do not need prior consent to set tracking cookies.

A bipartisan Consortium of Privacy Regulators (California, Colorado, Connecticut, Delaware, Indiana, New Jersey, Oregon) now coordinates enforcement across states. This is worth watching, but the fundamental opt-out model is unlikely to change.

EU Countries: The Detailed Breakdown

Every EU country requires opt-in consent before you can store cookies or use localStorage for ad tracking. This is based on the ePrivacy Directive (2002/58/EC), which each member state has transposed into national law. The ePrivacy Regulation (which would have replaced this directive) was formally withdrawn by the European Commission in February 2025. The existing rules remain in force indefinitely.

One critical legal point: localStorage is treated identically to cookies under the law. The European Data Protection Board confirmed this in their Guidelines 2/2023 (final version adopted October 2024). Switching from cookies to localStorage does not avoid consent requirements.

France

Law: Article 82 of the Loi Informatique et Libertés
Enforcer: CNIL
Realistic attribution: 28-40%

France is the strictest market in the world for cookie enforcement. The CNIL has issued the largest cookie-related fines globally:

  • Google: EUR 325 million (September 2025) for biased consent flows
  • SHEIN: EUR 150 million (September 2025) for placing advertising cookies before any user interaction with the consent banner
  • Criteo: EUR 40 million (2023) for failing to verify that partners obtained valid consent
  • Google: EUR 150 million (2021) and EUR 100 million (2020) for earlier cookie violations

Between December 2022 and December 2024, CNIL issued combined fines exceeding EUR 139 million for cookie violations alone.

The CNIL requires that "Accept" and "Reject" buttons have equal friction. If it takes 2 clicks to accept and 6 clicks to reject (as Google was doing), that is a violation. The "Continue without accepting" option must be equally prominent.

With compliant banners, only about 28-37% of French users consistently consent to marketing cookies. This means you lose attribution data for roughly two-thirds of your French ad traffic.

What the Criteo ruling means for you: If your site stores GCLID/FBCLID for ad platforms, you could be held liable for the entire tracking chain, not just your own code.

Germany

Law: TDDDG Section 25 (formerly TTDSG, renamed in 2024)
Enforcer: BfDI + 16 state-level DPAs
Realistic attribution: 30-50%

Germany has some unique developments that make it especially strict:

  • A Hannover court ruled in March 2025 that Google Tag Manager itself requires consent before activation, not just the tags it fires. This means even your tag management infrastructure needs to be gated behind consent.
  • A Frankfurt court ruled in December 2025 that technology companies placing third-party cookies face direct liability even when the website operator failed to obtain consent.
  • Germany's Consent Management Ordinance (EinwV, effective April 2025) is creating a standardized consent framework. No services have been certified yet, but this is unique to Germany.

Fines under TDDDG can reach EUR 300,000 per violation. GDPR fines (up to EUR 20 million or 4% of global turnover) apply on top when personal data is involved.

With 16 independent state DPAs that can each enforce separately, the enforcement landscape is fragmented but active. Typical consent rates in Germany are 25-54% depending on banner design.

Netherlands

Law: Telecommunicatiewet Article 11.7a
Enforcer: AP (Autoriteit Persoonsgegevens)
Realistic attribution: 35-50%

The Dutch DPA runs the largest systematic cookie monitoring program in the EU: approximately 10,000 websites scanned annually, with plans to warn 500 organizations per year.

In April 2025, the AP issued warnings to 50 organizations (retailers, media companies, insurers) for misleading cookie banners. Those who received warnings were given 3 months to comply before formal investigations began.

The Dutch government has allocated dedicated funding for cookie enforcement: EUR 500,000 per year for three years, followed by a permanent EUR 350,000 per year increase from 2027.

The AP has sent specific "cookie letters" about Google Analytics 4 usage, requiring proper consent before GA4 can set any cookies. If you serve Dutch customers, expect your site to be scanned.

Italy

Law: Article 122 of the Codice delle comunicazioni elettroniche
Enforcer: Garante per la protezione dei dati personali
Realistic attribution: 40-55%

The Garante issued detailed cookie guidelines in 2021 with specific requirements:

  • "Accept All" and "Reject All" buttons must be present and equally formatted on the first layer
  • An "X" close button must function as rejection, not acceptance
  • Scrolling does not constitute consent
  • Cookie walls are not allowed

Enforcement has been less aggressive on cookies specifically compared to France or Germany, but the Garante has imposed significant GDPR fines in other areas (EUR 79.1 million against Enel Energia in 2024), signaling willingness to enforce.

Spain

Law: LSSI-CE Article 22
Enforcer: AEPD
Realistic attribution: 45-60%

Spain is moderately strict. Notable fines include EUR 30,000 for Vueling and EUR 20,000 for SEAT for cookie consent failures. Maximum cookie-specific fines are capped at EUR 30,000 under LSSI-CE, though GDPR fines can apply on top.

An interesting development from January 2024: Spain now exempts certain analytics cookies from consent, but this only covers basic audience measurement without cross-site tracking. Advertising click IDs (GCLID, FBCLID) are explicitly not exempt.

Belgium

Law: GDPR implementation law (cookie rules merged into GDPR in 2021)
Enforcer: APD/GBA
Realistic attribution: 40-55%

Belgium is unique because cookie violations are treated as direct GDPR violations since 2021. The APD uses an aggressive daily penalty payment model:

  • Mediahuis (September 2024): EUR 25,000 per day per website for non-compliant banners
  • RTL Belgium (October 2024): EUR 40,000 per day for missing "Reject All" button

These are not one-time fines. They accumulate every day until compliance is achieved.

Austria

Law: TKG 2021 Section 165(3)
Enforcer: DSB
Realistic attribution: 40-55%

Enforcement has been low so far (maximum cookie-specific fine is EUR 50,000), but there is a significant risk factor: noyb (None of Your Business), the most active privacy activist organization in Europe, is headquartered in Vienna. noyb files complaints across the EU, and any non-compliance by companies serving Austrian users could quickly become a test case.

Central and Eastern Europe

Poland, Czech Republic, Hungary, Romania, Croatia, and other CEE countries all have opt-in consent requirements (with Poland being a partial exception due to a browser-settings loophole in Article 173). Enforcement is generally low compared to Western Europe.

The Czech Republic switched from opt-out to opt-in on January 1, 2022, and has since conducted 39 in-depth cookie analyses with modest fines totaling approximately EUR 60,000.

For practical purposes, stores targeting CEE markets can expect 60-75% attribution with compliant consent banners, though the legal requirement for consent is the same as in Germany or France.

United Kingdom

Law: UK GDPR + PECR
Enforcer: ICO
Realistic attribution: 45-60%

The UK's Data Use and Access Act 2025 (DUAA, Royal Assent June 2025) introduced new exemptions for statistical/analytics cookies, but advertising cookies still require opt-in consent.

The ICO launched a national cookie compliance sweep in January 2025, scanning the UK's top 1,000 websites. The first batch of 200 sites found widespread non-compliance, with 134 companies warned. In just the first half of 2025, the ICO issued GBP 5.6 million in fines (6 fines), double the entire 2024 total of GBP 2.7 million across 18 fines.

PECR fine caps are being aligned with UK GDPR levels under the DUAA: up to GBP 17.5 million or 4% of global turnover. This is a major increase from the previous GBP 500,000 cap.

Switzerland

Law: nFADP (new Federal Act on Data Protection, effective September 2023)
Enforcer: FDPIC
Realistic attribution: 45-60%

Switzerland has a hybrid model. Simple analytics may operate under disclosure plus opt-out, but ad Click ID tracking that enables cross-site profiling is classified as "intensive intrusion" / high-risk profiling and requires explicit opt-in consent.

The enforcement model is unusual: the FDPIC cannot impose administrative fines directly. Instead, violations are subject to criminal prosecution by cantonal authorities, with fines up to CHF 250,000 against responsible individuals (not the company). The FDPIC can also publicly disclose investigated parties (naming and shaming).

The FDPIC updated its cookie guidelines in October 2025, significantly tightening requirements.

Brazil

Law: LGPD (Lei Geral de Proteção de Dados)
Enforcer: ANPD
Realistic attribution: 50-65%

Brazil requires opt-in consent for non-essential cookies. The ANPD has imposed over BRL 98 million (approximately USD 20 million) in fines since 2023, including ordering Meta to suspend using personal data for AI training without consent.

Enforcement is maturing rapidly, and a potential EU adequacy decision for Brazil could further align standards. For stores targeting Brazilian customers, GCLID/FBCLID tracking requires consent, but compliance across Brazilian e-commerce is still inconsistent.

Canada (Quebec)

Law: Law 25 (Act to modernize legislative provisions as regards the protection of personal information)
Enforcer: CAI (Commission d'accès à l'information)
Realistic attribution: 45-60%

Quebec is the only North American jurisdiction with a GDPR-style opt-in requirement for cookies. Fully in force since September 2023, with penalties up to CAD 25 million or 4% of global revenue.

If you serve both Quebec and other Canadian customers, you need to either detect Quebec visitors and apply stricter rules, or apply the Quebec standard universally.

Federal privacy reform (Bill C-27, which would have modernized PIPEDA) died when Parliament was prorogued in January 2025. A new federal statute is expected in late 2025 or early 2026.

[Figure: US vs EU customer attribution funnel. US customers get 95-98% full attribution, while EU customers lose ~65% of attribution data due to cookie consent.]

Understanding this is critical because it affects your attribution even when you follow the rules perfectly.

Google Consent Mode v2 has been mandatory for all EEA, UK, and Swiss advertisers since March 2024. When a user denies consent:

  1. GCLID is redacted from network requests (Google strips it out). On iOS, Google uses privacy-safe alternatives called gbraid and wbraid instead.
  2. GA4 sends anonymous pings without cookies (basic timestamp, user agent, referrer only)
  3. Google applies conversion modeling to estimate missed conversions
  4. No remarketing audiences can be built from non-consented users

Google claims their modeling recovers approximately 70% of lost ad-click-to-conversion journeys. However, this requires a minimum of 700 ad clicks over 7 days per country and domain. At an average CPC of EUR 2.50, that is approximately EUR 7,500 per month in ad spend. Smaller advertisers will not qualify for modeling.

Even with modeling, a 30-50% data gap remains compared to full-consent scenarios. And modeled data is an estimate, not observed reality.

Meta similarly requires CMP integration for EU advertisers. When consent is denied:

  • The Meta Pixel switches to privacy-preserving mode (no advertising data transmitted)
  • CAPI filters personal data and sends only aggregated signals
  • Meta applies statistical modeling to estimate conversions

Meta removed the previous 8-event-per-domain limit in June 2025, but the fundamental data loss from consent denial remains.

How Server-Side First-Party Tracking Changes the Equation

Here is where the picture gets more nuanced, and more hopeful.

Browser-based tracking (GA4, Meta Pixel, standard JavaScript) is hit by three problems simultaneously: consent denial, ad blockers, and Safari ITP cookie limits. Server-side first-party tracking avoids two of those three.

| Factor | Browser-based GA4 | Server-side first-party |
|---|---|---|
| Session capture rate | 60-70% (EU) | 95%+ |
| Ad blocker impact | Blocked by most | Resistant (your own server) |
| Safari ITP cookie limit | 24 hours for click IDs | Up to 2 years (server-set) |
| Consent still required? | Yes | Yes (for EU) |

The key difference: Server-side tracking eliminates ad blocker losses and Safari ITP losses. Consent requirements still apply in opt-in countries, but for the users who do consent, you capture nearly 100% of their conversions instead of losing 15-30% to ad blockers and cookie expiration.

For US traffic, where consent is not required, server-side tracking approaches near-complete attribution coverage. You are not fighting any of the three problems.

Case studies from server-side implementations show:

  • 28% of previously lost conversion data recovered with improved data accuracy of 42% (mid-market retailer case study)
  • 11-48% more conversions tracked compared to browser-only tracking
  • 29% increase in conversion rates from social traffic when using Meta CAPI with server-side data

Enalitica captures Click IDs at the order level, server-side. For every order that comes through your WooCommerce or Shopify store with a Click ID attached, Enalitica reads it directly from the order data, not from a browser cookie that might have been blocked or expired. This means:

  • US/Australia/Canada traffic: Near-100% attribution for consented orders (which is nearly all of them)
  • EU/UK traffic: Full attribution for consented orders, with no additional losses from ad blockers or cookie expiration
  • Server-side conversion tracking: Enalitica sends conversions back to Google Ads (Enhanced Conversions) and Meta Ads (Conversions API) from your server, bypassing browser limitations entirely

What You Should Do Right Now

If most of your customers are in the US, Australia, or Canada (outside Quebec)

  1. Implement Click ID tracking on your store (PHP + JavaScript, see our guide to capturing GCLID and FBCLID in WooCommerce)
  2. Disclose tracking in your privacy policy
  3. Add a "Do Not Sell" link for California compliance
  4. Enjoy near-complete attribution. You are in the best position globally.

If you sell to EU, UK, or Swiss customers

  1. Install a Consent Management Platform (CookieBot, CookieYes, or Complianz) that blocks tracking code until consent is given
  2. Gate Click ID capture behind consent. Your CMP must block both cookie and localStorage code until the user consents to marketing cookies
  3. Set up Google Consent Mode v2 with default "denied" for EEA visitors
  4. Accept the data gap and focus on maximizing what you can capture from consented users
  5. Use server-side tracking to eliminate ad blocker and cookie expiration losses for consented users
  6. Invest in your cookie banner design. Studies show that transparent banners with clear value propositions can push consent rates significantly higher

If you sell globally

  1. Apply the strictest rules by default (opt-in consent for all visitors), or use geo-targeting to apply country-specific rules
  2. Set up server-side conversion tracking to maximize data quality for every consented user
  3. Use multi-touch attribution to get value from partial data. Even in strict markets, attributing 40-55% of conversions is far better than the 20-30% you get from GA4 alone after accounting for consent, ad blockers, and cookie expiration combined
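
The consent gating described in the steps above, as an added example that is not part of the original article or Enalitica's code. It decides per request whether a Click ID may be kept, using the consent model of the visitor's market and defaulting to opt-in when the region is unknown. The region codes, function names and value pattern are assumptions made for illustration.

```javascript
// Added example: consent-gated Click ID capture for the landing request.
// Region codes, function names and the value pattern are illustrative assumptions.
const CLICK_ID_PARAMS = ['gclid', 'gbraid', 'wbraid', 'fbclid'];

// Opt-out / no-cookie-law markets from the comparison table (Quebec excluded).
const OPT_OUT_REGIONS = new Set(['US', 'AU', 'CA']);

// Anything not known to be opt-out (EU, GB, CH, BR, KR, CA-QC, unknown geo)
// gets the strictest treatment, as the "sell globally" advice recommends.
function consentModel(region) {
  return OPT_OUT_REGIONS.has(region) ? 'opt-out' : 'opt-in';
}

// Consent Mode v2 defaults to hand to gtag('consent', 'default', ...).
function consentModeDefaults(region) {
  const state = consentModel(region) === 'opt-in' ? 'denied' : 'granted';
  return {
    ad_storage: state,
    ad_user_data: state,
    ad_personalization: state,
    analytics_storage: state,
  };
}

// Pull click IDs from the landing URL; reject values that do not look like
// an opaque token so arbitrary query text never reaches order metadata.
function extractClickIds(landingUrl) {
  let params;
  try {
    params = new URL(landingUrl).searchParams;
  } catch {
    return {}; // malformed URL: nothing to capture
  }
  const ids = {};
  for (const name of CLICK_ID_PARAMS) {
    const value = params.get(name);
    if (value && /^[A-Za-z0-9_.-]{1,512}$/.test(value)) ids[name] = value;
  }
  return ids;
}

// Remove click IDs from a URL before it is logged or stored without consent.
function redactClickIds(landingUrl) {
  try {
    const url = new URL(landingUrl);
    for (const name of CLICK_ID_PARAMS) url.searchParams.delete(name);
    return url.toString();
  } catch {
    return ''; // malformed URL: keep nothing
  }
}

// marketingConsent: the CMP's marketing decision (true only after an explicit accept).
// optedOut: "Do Not Sell or Share" request; gpc: Global Privacy Control signal.
function decideCapture({ landingUrl, region, marketingConsent = false, optedOut = false, gpc = false }) {
  const model = consentModel(region);
  const allowed = model === 'opt-in' ? marketingConsent === true : !(optedOut || gpc);
  return {
    model,
    allowed,
    clickIds: allowed ? extractClickIds(landingUrl) : {},
    urlForLogs: allowed ? landingUrl : redactClickIds(landingUrl),
  };
}
```

On the server the `gpc` flag would come from the `Sec-GPC: 1` request header; in the browser it comes from `navigator.globalPrivacyControl`.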

Frequently Asked Questions

Is localStorage really treated the same as cookies under EU law?

Yes. The EDPB (European Data Protection Board) confirmed this explicitly in their Guidelines 2/2023, adopted in final form in October 2024. Article 5(3) of the ePrivacy Directive is technology-neutral. It applies to "storing of information, or gaining access to information already stored, in the terminal equipment." This covers cookies, localStorage, sessionStorage, IndexedDB, and any other client-side storage mechanism. Switching from cookies to localStorage does not avoid consent requirements.

Not in the EU. Even if you capture the Click ID from the URL on your server (never writing it to client-side storage), you are still processing personal data (the Click ID is linked to an identifiable individual). GDPR consent requirements apply to the data processing, not just the storage mechanism. The ePrivacy Directive covers the storage aspect, while GDPR covers the processing aspect. You need consent for both in opt-in countries.

What is the minimum ad spend for Google's conversion modeling to work?

Google requires at least 700 ad clicks over 7 days per country and domain for their conversion modeling to activate. At typical CPCs, this translates to roughly EUR 5,000-10,000 per month in ad spend per country. Smaller advertisers will not qualify, and their non-consented conversions will simply be invisible.

Enalitica reads Click IDs directly from your order data (server-side), not from browser cookies. For every user who consents and their Click ID gets saved to the order, Enalitica captures it with 100% reliability, no losses to ad blockers or cookie expiration. Additionally, Enalitica's server-side conversion tracking (Enhanced Conversions for Google, CAPI for Meta) sends conversion data back to ad platforms from your server, which is more reliable than browser-based pixels. In markets like the US where consent is not an issue, this gives you near-complete attribution coverage.

There is no legal requirement to show cookie consent banners to US visitors (except for the "Do Not Sell" link for California). Many stores use geo-targeting to show consent banners only to EU/UK/Swiss visitors and skip them for US traffic. This maximizes your US attribution while staying compliant in Europe. Your CMP should support this configuration.

How often do privacy laws change?

Frequently. In 2025 alone: the EU withdrew the ePrivacy Regulation, proposed the Digital Omnibus Regulation, Germany enacted the Consent Management Ordinance, the UK passed the Data Use and Access Act, and multiple US states enacted new privacy laws. We recommend reviewing your compliance setup at least quarterly. At minimum, check your consent rates, verify your CMP is blocking correctly, and review any new enforcement actions in your key markets.
