Every six months a platform ships a privacy update that quietly changes what your attribution data means. iOS 14.5 was the loud one. iOS 17 was the quieter one. Android Privacy Sandbox is the one most DTC operators have not priced in yet.
These are field notes from a month of auditing stores whose operators thought nothing had changed.
What iOS and Android privacy updates changed for attribution
Three rollouts matter for a DTC operator thinking about attribution windows in 2026.
iOS 14.5 (April 2021) shipped App Tracking Transparency. Meta lost view-through attribution on iPhone users who opted out, which was most of them. Most operators remember this one because the Ads Manager numbers dropped 20 to 40 percent in a week.
iOS 17 (September 2023) went quieter but deeper. Link tracking parameters get stripped from shared links in Messages and Mail. Private Relay hides IPs. The Safari side of Shopify traffic lost another layer of deterministic match signal. I covered the specific pixel failure mode in a separate postmortem.
Android Privacy Sandbox started rolling in Q2 2024 and has been tightening since. Chrome's third-party cookie phase-out, plus the Attribution Reporting API replacing direct cookie reads, means Android browser traffic is now in a transitional state. The default Meta attribution window on Android looks the same on paper. The underlying data is measurably quieter.
Field note, April 15: the windows I trust in 2026
I spent this morning reconciling three DTC brands' Meta reported conversions against their Shopify counts. Same pattern in all three. Same windows behaving differently than they did 18 months ago.
The 7-day click window still works for DTC stores with clean server-side CAPI. It is noisier than it used to be, but the relative signal (which campaigns convert, which creatives outperform) remains usable. I still trust it for optimization decisions.
The 1-day view window is dead for any DTC brand under $10M annual revenue. The sample size on iOS is too small to be reliable post-ATT, and the view signal on Android is degrading on the Privacy Sandbox side. I tell operators to stop looking at the view column unless they are running enough spend to survive the variance.
Modeled conversions are now a material share of what Meta reports. Meta fills the gap between what it can deterministically observe and what it thinks actually happened. For a DTC brand with clean server-side CAPI, modeled conversions are a reasonable estimate. For a brand with broken CAPI, they are an amplifier of whatever garbage goes into the matching signal.
Field note, April 17: the Android side nobody talks about
Audited a brand this week that ships to a majority-Android market. Their operator had never thought about Android privacy as a distinct axis. Everything I had read had framed privacy shifts as an iOS story.
Chrome's Privacy Sandbox replaces third-party cookies with the Attribution Reporting API. Ad clicks get matched to conversions through a browser-mediated aggregate report, not a direct cookie read. The consequence for DTC: server-side CAPI goes from 'nice to have for iOS recovery' to 'required for Android deterministic match.' The browser layer simply stops giving you the signal Meta needs.
I ran the usual 14-point CAPI leak scan on the store. Match quality sat at 4.9 with mostly Android traffic. Added external_id on every authenticated event, tightened the event_source_url handling, and it climbed to 7.4 inside 72 hours of ramp. Still below where I want it (8.5+) but the gap was obviously Android-traffic-related.
Field note, April 19: the windows by acquisition channel
Spent the morning mapping attribution-window trust by channel. Not all of them degrade the same way.
Meta click-through (7-day click): still works if server-side CAPI is clean. This is the window I default to for DTC optimization reporting.
Meta view-through (1-day view): abandoned for sub-$10M DTC. The iOS opt-in rate and the Android Privacy Sandbox degradation between them make the view column unreliable at normal DTC spend levels.
TikTok view-through: the TikTok pixel is more browser-dependent than Meta's, and post-iOS-17 the view-through signal on iPhone users has collapsed to near zero. I treat TikTok view-through as a creative-testing hint, not an attribution source.
Google click (Enhanced Conversions): different problem, different fix. Google's Enhanced Conversions hashes first-party data and passes it server-side, similar in shape to Meta's CAPI. Attribution window concerns for Google traffic cluster around Consent Mode v2 behavior more than ATT. That is its own postmortem.
What the month of notes taught me
Three principles for setting attribution windows in 2026.
Default to 7-day click. Stop looking at view columns unless your spend is large enough that the variance does not dominate. If your server-side CAPI is clean, 7-day click is the window that still ties to business reality. If your CAPI is broken, no window will help.
Treat modeled conversions as an estimate. They are useful for directional decisions and dangerous for precise ones. When Meta reports a modeled conversion share above 30 percent on a campaign, I stop using that campaign's reported ROAS as a gospel number and start using lift-test data or server-side deterministic counts as the reality check. The lift-test playbook is the method I walk operators through when last-click stops being trustworthy.
Audit windows quarterly. Privacy rollouts keep happening. Every six months something on Chrome or Safari or iOS changes what your reports actually contain. Put a calendar reminder on it. The diagnostic sequence walked through in the 31 percent attribution audit is the one I use; it takes about 90 minutes end to end.
“The 1-day view window is dead for any DTC brand under $10M annual revenue. Stop looking at it. The variance is larger than the signal.
”
FAQ
Should DTC brands still use a 7-day click attribution window in 2026?
Yes, provided your server-side CAPI is implemented cleanly. The 7-day click window remains the most reliable default for DTC optimization decisions. The alternative, running lift tests as the primary source of truth, is expensive at sub-$10M spend levels. Clean CAPI plus 7-day click is the working baseline.
What is Android Privacy Sandbox and how does it affect attribution?
Privacy Sandbox is Chrome's replacement for third-party cookies. Ad clicks get matched to conversions through the Attribution Reporting API, a browser-mediated aggregate report, instead of direct cookie reads. The consequence for DTC: if you were relying on browser-side pixel data for Android traffic, that signal is degrading as the phase-out completes through 2026.
How much does server-side CAPI help recover attribution lost to iOS 17?
On the rebuild I catalogued, match quality went from 6.2 to 9.1 and approximately 35 percent of conversions newly became visible to Meta's algorithm. That figure varies by store and by how much traffic comes from Safari and iOS. Expect 25 to 40 percent recovery on a brand with significant US iOS traffic and no prior server-side stack.
When should I stop trusting modeled conversions?
When the modeled share of reported conversions on a campaign exceeds 30 percent. At that point, Meta is guessing about a third of the outcome, and directional decisions based on reported ROAS start carrying material error bars. Cross-check with a lift test or against server-side deterministic counts before changing spend allocation.
Do these attribution window notes apply to Google Ads?
Partly. Google's Enhanced Conversions path is shaped similarly to Meta's CAPI, so server-side implementation matters the same way. The window mechanics are different because Google reports conversion windows per campaign type and because Consent Mode v2 changes behavior at the consent-signal layer. I treat Google as its own attribution story, not a mirror of the Meta story.
Sources and specifics
- iOS 14.5 ATT rollout: April 2021. iOS 17 link-tracking and Private Relay tightening: September 2023.
- Android Privacy Sandbox Attribution Reporting API rolled in Q2 2024, phase-out of third-party cookies in Chrome continues through 2026.
- Match-quality figures (6.2 to 9.1) are from a Q2 2024 rebuild on a Shopify DTC brand. See the pattern-library guide to Meta CAPI for the full pattern catalogue and the tracking gap case study for production details.
- Attribution window recommendations are based on a month of audits across multiple DTC stores, not a single brand.
- For stores evaluating whether their stack is even measuring the gap, the DTC Stack Audit is the self-serve diagnostic that scores tracking, analytics, theme performance, and attribution.