Ad-click IDs are how conversions get attributed after the third-party cookie died — but browsers and privacy tools quietly strip or expire them. This matrix maps every major click-ID parameter to which browsers degrade it and how to recover it server-side.
The 2026 headline: Chrome (still the majority browser) strips nothing and still allows third-party cookies — Google reversed the deprecation. Brave is the most aggressive, stripping Google's click IDs by default. Safari attacks the cookie (ITP), not the URL — though Safari 26 now strips click IDs in Private Browsing, Mail, and Messages. Firefox-Strict strips fbclid but spares gclid. Everything you lose, you recover by capturing the ID at click and replaying it through a server-side conversions API.
Which browsers strip click IDs
What each browser or privacy feature actually does to an ad-click ID — and whether it touches the URL parameter, the cookie, or both. Current as of July 2026.
Browser / feature
Strips URL param?
Blocks 3rd-party cookies?
Caps 1st-party JS cookie?
What actually happens
Chrome (2026 default)
No
No
No
The friendly environment. Third-party cookies kept (Google reversed deprecation, Apr 2025); most Privacy Sandbox APIs retired Oct 2025. Click IDs pass through untouched.
Chrome Incognito
No
Yes
Session-only
Blocks 3rd-party cookies and clears everything at session end, so nothing persists — but the URL parameter itself still arrives.
Safari — ITP
No
Yes
Yes
Doesn't touch the URL — it kills the cookie the ID is stored in: 7 days for JS-set cookies, 24 hours if the landing URL was link-decorated by a known tracker, 7 days for CNAME/IP-cloaked server cookies.
Safari 26 — Link Tracking Protection
Yes*
Yes
Yes
Strips click IDs (reported: gclid, fbclid, msclkid) in Private Browsing, Mail, and Messages. UTM parameters are not stripped. *Normal-browsing stripping was unconfirmed at the iOS 26 launch, and Apple hasn't published the exact list.
Firefox — ETP Strict
Partial
Yes
Capped
Query-stripping runs only in Strict mode. Release default list strips fbclid (plus mc_eid, mkt_tok, _hsenc, others) — but not gclid. Hurts Meta more than Google out of the box.
Firefox — Standard
No
Partitioned
—
Query-stripping is Strict-only, so the default install leaves click IDs intact (third-party cookies are partitioned by Total Cookie Protection, not stripped).
Brave (default)
Yes
Yes
Yes
The most aggressive. Strips gclid, gbraid, wbraid, fbclid, msclkid, dclid, twclid and more by default, for every user — including Google's IDs that Firefox's default spares.
Ad blockers (uBO / AdGuard)
If enabled
Blocks pixels
—
Can strip click IDs via URL-tracking filter lists ($removeparam), but uBlock Origin ships that list off by default. Effect is configuration-dependent, not guaranteed — plus the pixel requests themselves get blocked.
iOS App Tracking Transparency (ATT) is a separate, app-layer constraint — it's why Google issues the aggregate gbraid/wbraid IDs instead of user-level gclid on iOS web↔app journeys, rather than stripping anything from a URL.
Every click ID, and how to recover it
The ad-click and affiliate click-ID parameters you'll see in the wild, the platform each belongs to, and the server-side channel that replays it when the browser drops it. Filter by name or platform:
Parameter
Platform
What it is
Recover via
gclid
Google Ads
Google Click ID — the deterministic per-click identifier (auto-tagging).
Web-to-app aggregate ID under ATT (measures app conversions).
Conversion modeling + offline import
wbraid
Google Ads · iOS
App-to-web aggregate ID under ATT (measures web conversions).
Conversion modeling + offline import
dclid
Google CM360 / DV360
DoubleClick click ID for display / non-search click attribution.
Campaign Manager 360 (Enhanced Attribution)
fbclid
Meta (FB / IG)
Facebook Click ID — captured and rebuilt into the fbc cookie value.
Conversions API (CAPI) via fbc + fbp
ttclid
TikTok
TikTok Click ID — window follows your Attribution Manager setting (not a fixed 7 days).
Events API
msclkid
Microsoft Ads
Microsoft Click ID — auto-tagging on by default; can't be retrieved after the fact.
Offline import / Microsoft CAPI
li_fat_id
LinkedIn
First-party ads tracking UUID — unusually stable across domains (doubles as a match key).
LinkedIn Conversions API
twclid
X (Twitter)
X Click ID — deterministic per-click identifier.
X Conversions API
epik
Pinterest
Pinterest click ID (stored as _epik) — a strong deterministic match signal.
Pinterest Conversions API (click_id)
rdt_cid
Reddit
Reddit Click ID — routes a conversion to the right ad account.
Reddit Conversions API (click_id)
ScCid
Snapchat
Snapchat Click ID (case-insensitive variable).
Snap Conversions API (sc_click_id)
irclickid
impact.com
Impact affiliate/partnership click ID (injected on redirect).
Impact tracking / conversion postback
cjevent
CJ Affiliate
Commission Junction click ID — links affiliate conversions to clicks.
CJ conversion tag (captured server-side)
Not shown, deliberately: publisher-defined sub-IDs (subid, aff_sub, clickref, afftrack, u1/s1) are pass-through segmentation values you set — not deterministic click IDs the platform mints. Awin's awc and ShareASale's sscid are network click IDs but weren't confirmed against primary docs — verify with each network before relying on them.
The one rule that saves attribution
Everything above collapses into a single pattern. Whatever the browser strips or expires, you keep attribution by moving the click ID off the browser and onto your server:
Capture at click. Read the click ID from the landing-page URL the instant the visitor arrives — before any cap or re-strip matters.
Store it first-party, server-set. Write it into a first-party cookie via an HTTP Set-Cookie response, not JavaScript's document.cookie. Under Safari's ITP, server-set first-party cookies persist far longer than JS-set ones (which are capped to 7 days, or 24 hours when link-decorated). This is the entire reason server-side tagging works.
Replay it server-to-server. When the conversion fires, attach the stored click ID and send it through the platform's server-side API — Conversion API, Google Enhanced Conversions, TikTok Events API, and the rest — so attribution never depends on the browser retaining anything.
One caveat: the ITP cookie-lifetime benefit only holds if your server-side endpoint is a genuine first-party subdomain whose IP matches your main site. If Safari detects CNAME cloaking or a mismatched IP, it re-caps the cookie to 7 days. See the postback URL and tracking setup references for the full wiring.
Frequently asked questions
Do browsers strip gclid?
Depends on the browser. Chrome (majority share in 2026) doesn't strip it and still allows third-party cookies. Brave strips gclid, gbraid, and wbraid by default. Firefox only strips in Strict mode and its release default spares gclid. Safari's ITP doesn't strip the URL parameter — it caps the cookie — though Safari 26's Link Tracking Protection strips gclid in Private Browsing, Mail, and Messages.
Does Safari remove fbclid?
Safari's long-standing ITP does not remove the fbclid parameter from the URL; it caps the cookie it gets written into (7 days for JavaScript-set cookies, 24 hours when the landing URL was link-decorated by a known tracker). Safari 26's separate Link Tracking Protection does strip click IDs including fbclid — but at launch that stripping was reported only in Private Browsing, Mail, and Messages, not confirmed for normal browsing. Firefox in Strict mode does strip fbclid by default.
Are third-party cookies gone in Chrome in 2026?
No — Google reversed course. It dropped the auto-deprecation timeline in July 2024 and, in April 2025, confirmed it won't even ship the user-choice prompt; third-party cookies stay on by default. In October 2025 it retired most Privacy Sandbox technologies (Topics, Attribution Reporting API, and more), keeping only CHIPS, FedCM, and Private State Tokens. The "cookieless Chrome" narrative is out of date.
How do I recover a stripped or expired click ID?
Capture it from the URL on landing, store it in a server-set first-party cookie (HTTP Set-Cookie, not document.cookie), and replay it on the conversion event through the platform's server-side API (Meta CAPI, Google Enhanced Conversions, TikTok Events API, etc.). Server-set first-party cookies survive Safari's ITP caps, which is why server-side GTM is the standard recovery pattern.
What's the difference between gbraid and wbraid?
Both are Google's privacy-preserving iOS click IDs under ATT, feeding aggregated conversion modeling. gbraid is appended on web-to-app journeys (app conversions); wbraid on app-to-web journeys (web conversions). Standard gclid remains the fully deterministic ID. Most secondary sources reverse this pair — the direction here is per Google's own docs.
Which browser is worst for click-ID tracking?
Brave is the most aggressive by default — it strips gclid, gbraid, wbraid, fbclid, msclkid, dclid, and twclid from URLs on every user, with no configuration. Safari degrades tracking heavily too, but through cookie caps (ITP) plus click-ID stripping in Private/Mail/Messages. Firefox only strips in Strict mode and spares gclid by default. Chrome does neither by default.
Sources
Verified against primary documentation as of July 11, 2026:
Educational reference, not legal or financial advice. Browser privacy behavior changes frequently — items marked with an asterisk (Safari 26 normal-browsing behavior, exact stripped-parameter lists) were unconfirmed against a vendor primary source at time of writing. Spotted something out of date? Verify against the sources above.
Keep going
The rest of the tracking stack.
Definitions for each ID, the pixel-vs-API decision, and the server-side plumbing that makes recovery work.