Third-party cookies are disappearing. Safari blocked them years ago. Firefox followed. Chrome is phasing them out through the Privacy Sandbox. For deep linking, this matters because many deferred deep linking and attribution systems relied on third-party cookies to match a web click to an app install.<\/p>\n\n\n\n
The core deep linking functionality (opening the right content in the right app) is completely unaffected. Universal Links and App Links do not use cookies. What changes is the attribution and tracking layer that sits on top of deep links. This guide covers how to adapt. For privacy changes broadly, see privacy changes and their impact on deep linking<\/a>. For deferred linking without fingerprinting, see deferred deep linking without fingerprinting<\/a>.<\/p>\n\n\n\n Before cookie restrictions, a typical deferred deep linking flow looked like this:<\/p>\n\n\n\n The third-party cookie was the matching mechanism. It connected step 1 (web click) to step 5 (app open) across different contexts.<\/p>\n\n\n\n Third-party cookies are blocked because they enable cross-site tracking. A cookie from Deep link services used this same mechanism for legitimate purposes (matching a click to an install), but browsers do not distinguish between "good" and "bad" third-party cookies. All are blocked.<\/p>\n\n\n\n The simplest post-cookie approach: carry attribution data in the URL itself.<\/p>\n\n\n\n No cookies needed. The attribution data travels with the link.<\/p>\n\n\n\n First-party cookies (set by your own domain) still work everywhere. If your deep link URL is on your own domain, you can use first-party cookies:<\/p>\n\n\n\n If the user later visits your website (on the same domain) after installing the app, the first-party cookie matches the click:<\/p>\n\n\n\n Move the matching logic from the browser (cookies) to the server:<\/p>\n\n\n\n Google Play's Install Referrer API<\/a> is the most reliable post-cookie attribution method on Android. It passes referral parameters through the install:<\/p>\n\n\n\n This is first-party Google data, privacy-compliant, and works without cookies.<\/p>\n\n\n\n iOS has no equivalent to the Install Referrer API. Alternatives:<\/p>\n\n\n\n Pasteboard (clipboard):<\/strong> Copy a token to the clipboard on web click, read it in the app. Since iOS 16, users see a permission prompt for clipboard access, reducing reliability.<\/p>\n\n\n\n SKAdNetwork:<\/strong> Provides aggregate campaign attribution (which campaign drove installs) but not user-level deep link matching. It does not help with deferred deep linking to specific content.<\/p>\n\n\n\n App Store overlay:<\/strong> When Apple's Smart App Banner is used, the If the user installs via the Smart App Banner, the app receives the What Third-Party Cookies Did for Deep Linking<\/h2>\n\n\n\n
The Old Model<\/h3>\n\n\n\n
1. User clicks deep link on Website A\n2. Deep link service drops a third-party cookie (on its own domain)\n3. User goes to the app store, installs the app\n4. App opens, SDK checks for the cookie (via a web view or redirect)\n5. Cookie matches \u2192 user is routed to the original content\n<\/code><\/pre>\n\n\n\nWhy This Broke<\/h3>\n\n\n\n
tracking.example.com<\/code> set on Site A could be read when the user visits Site B, creating a browsing profile across sites.<\/p>\n\n\n\nFirst-Party Data Strategies<\/h2>\n\n\n\n
URL Parameter Passing<\/h3>\n\n\n\n
Web page click \u2192 https:\/\/links.yourapp.com\/products\/shoes?click_id=abc123&source=blog\n \u2192 App store (referrer carries parameters on Android)\n \u2192 App opens \u2192 reads click_id from referrer \u2192 looks up click context server-side\n<\/code><\/pre>\n\n\n\n\/\/ Server: generate a click with server-side context\napp.get('\/link\/:slug', async (req, res) => {\n const clickId = crypto.randomUUID();\n\n \/\/ Store click context server-side\n await clickStore.save({\n clickId,\n slug: req.params.slug,\n source: req.query.utm_source,\n campaign: req.query.utm_campaign,\n ip: req.ip,\n userAgent: req.headers['user-agent'],\n timestamp: Date.now()\n });\n\n \/\/ Build app store URL with click ID\n const storeUrl = buildStoreUrl({\n referrer: `click_id=${clickId}&utm_source=${req.query.utm_source}`\n });\n\n res.redirect(302, storeUrl);\n});\n<\/code><\/pre>\n\n\n\nFirst-Party Cookies<\/h3>\n\n\n\n
\/\/ Set a first-party cookie on your domain\napp.get('\/link\/:slug', (req, res) => {\n const clickId = crypto.randomUUID();\n\n res.cookie('tolk_click', clickId, {\n maxAge: 30 * 24 * 60 * 60 * 1000, \/\/ 30 days\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n domain: '.yourapp.com' \/\/ your domain\n });\n\n \/\/ Continue with the redirect flow\n redirectToAppOrStore(req, res, clickId);\n});\n<\/code><\/pre>\n\n\n\n\/\/ On your website, after user installs and visits\napp.get('\/welcome-back', (req, res) => {\n const clickId = req.cookies.tolk_click;\n if (clickId) {\n const originalClick = await clickStore.get(clickId);\n \/\/ Match: this user came from our deep link campaign\n }\n});\n<\/code><\/pre>\n\n\n\nServer-Side Click Matching<\/h3>\n\n\n\n
\/\/ Server-side click matching\nclass ClickMatcher {\n async matchInstallToClick(installData) {\n const { ip, userAgent, timestamp, referrer } = installData;\n\n \/\/ 1. Try exact match via referrer (Android Install Referrer)\n if (referrer) {\n const clickId = new URLSearchParams(referrer).get('click_id');\n if (clickId) {\n return await this.getClick(clickId);\n }\n }\n\n \/\/ 2. Try probabilistic match (within strict time window)\n const recentClicks = await this.getRecentClicks({\n ip,\n userAgent,\n maxAge: 60 * 60 * 1000 \/\/ 1 hour window\n });\n\n if (recentClicks.length === 1) {\n return recentClicks[0]; \/\/ High confidence single match\n }\n\n \/\/ 3. No match found\n return null;\n }\n}\n<\/code><\/pre>\n\n\n\nPlatform-Specific Solutions<\/h2>\n\n\n\n
Android: Install Referrer API<\/h3>\n\n\n\n
val client = InstallReferrerClient.newBuilder(context).build()\nclient.startConnection(object : InstallReferrerStateListener {\n override fun onInstallReferrerSetupFinished(responseCode: Int) {\n if (responseCode == InstallReferrerResponse.OK) {\n val details = client.installReferrer\n val referrer = details.installReferrer\n \/\/ referrer = "click_id=abc123&utm_source=blog&utm_campaign=summer"\n\n val params = Uri.parse("?$referrer")\n val clickId = params.getQueryParameter("click_id")\n val source = params.getQueryParameter("utm_source")\n\n \/\/ Fetch the original click context\n fetchClickContext(clickId) { context ->\n navigateToContent(context.slug)\n }\n }\n client.endConnection()\n }\n\n override fun onInstallReferrerServiceDisconnected() {}\n})\n<\/code><\/pre>\n\n\n\niOS: Pasteboard and SKAdNetwork<\/h3>\n\n\n\n
app-argument<\/code> parameter can carry a URL:<\/p>\n\n\n\n<meta name="apple-itunes-app" content="app-id=YOUR_ID, app-argument=https:\/\/yourapp.com\/products\/shoes">\n<\/code><\/pre>\n\n\n\napp-argument<\/code> URL on launch.<\/p>\n\n\n\nAttribution Models in the Post-Cookie World<\/h2>\n\n\n\n
Deterministic vs. Probabilistic<\/h3>\n\n\n\n