Attribution Reporting API summary reports
The Attribution Reporting API is a Privacy Sandbox proposal that lets browsers measure ad conversions without third-party cookies or cross-site identifiers. It produces event-level and aggregatable reports; aggregatable reports are combined into noisy summary reports that give campaign-level conversion counts and values while limiting what can be learned about any individual.
What this means
The Attribution Reporting API moves conversion measurement into the browser. When a user sees or clicks an ad and later converts, the browser — not a cross-site cookie — links the two and emits reports. Event-level reports carry coarse data with limited fidelity; aggregatable reports carry encrypted contributions that an aggregation service combines.
The combined output is a summary report: aggregate conversion counts and values for a campaign, with statistical noise added and a contribution budget enforced so the result cannot be traced to one person.
Why noise and budgets matter
Because the design forbids cross-site identifiers, it cannot give per-user paths. Instead it gives aggregates that are deliberately imprecise: noise is added and each source has a bounded contribution budget. This protects individuals but means analysts must treat small slices cautiously and design measurement around aggregate keys.
W3C and Chrome documentation specify the report types, aggregation service, and noise model. For attribution practitioners the takeaway is structural: in a post-third-party-cookie browser, conversion data arrives as noised aggregates, not deterministic user journeys, which reshapes what attribution models can consume.
- Browser-mediated, no third-party cookies or cross-site IDs
- Aggregatable reports combine into noised summary reports
- Contribution budgets and noise limit individual disclosure
How it appears in analytics and logs
Summary-report counts are aggregate and intentionally noised, so small segments are unreliable; differences within noise bounds should not be over-interpreted.
Diagnostic use case
Use Attribution Reporting API summary reports to obtain aggregate conversion measurement in browsers that have removed third-party cookies, accepting noise for privacy.
What WebmasterID can help detect
WebmasterID's first-party measurement is complementary: it explains how privacy-preserving aggregate APIs change what attribution data is available.
Common mistakes
- Reading noised summary counts as exact figures.
- Expecting per-user paths from an aggregate-only API.
- Slicing summaries so thin that noise dominates the signal.
Privacy and accuracy notes
The API adds noise and enforces contribution budgets specifically to prevent re-identification. This page is educational and not legal advice.
Related pages
- Consent and attribution
Consent is upstream of attribution: under frameworks like the EU's GDPR and ePrivacy Directive, storing or reading identifiers for tracking generally requires the user's consent. When consent is declined or withheld, the touchpoints those identifiers would have recorded never enter the data, so attribution operates on partial paths. Understanding consent is therefore inseparable from reading attribution honestly.
- Modeled conversions
Modeled conversions are conversions a platform estimates statistically rather than observes directly. When direct measurement is blocked — by missing consent, cross-device journeys, or privacy protections — ad and analytics platforms model the likely conversions from observable trends and aggregated data, and report them alongside observed ones. Understanding which conversions are modeled is essential to reading attribution honestly.
- Deterministic vs probabilistic matching
Identity resolution in attribution uses two approaches. Deterministic matching links touchpoints when they share a known, persistent identifier (a logged-in user ID, a hashed email). Probabilistic matching infers that two touchpoints belong to the same user from circumstantial signals — IP, device, behavior — without a confirmed identifier. The two differ sharply in accuracy and privacy posture.
- Privacy-first analytics
Aggregate, identifier-free measurement by design.
Sources and verification notes
- W3C / Privacy Sandbox — Attribution Reporting APIMDN documents event-level and aggregatable (summary) reports and noise.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.