Tracking pixels: how they work and where they're going

What a tracking pixel actually is, from 1×1 image beacon to JavaScript event tag, taken apart on a live first-party pixel: the fields one request carries, what browsers now strip or cap, and why pixels are moving server-side rather than dying.

Kay Vink
Kay Vink

Paste the snippet, and from then on a single request leaves the browser every time someone views a page or checks out. What that request carries, and how much of it still arrives, is the whole game. A tracking pixel was originally a 1×1 transparent image whose HTTP request logged a visit. Today the word is shorthand for the JavaScript tag and collection endpoint that report pageviews and events: the mechanism behind the Meta pixel, the TikTok pixel, and every "add this snippet" install. Pixel vs cookie in one line: the pixel collects, the cookie remembers.

Search "what is a tracking pixel" and the 1×1 GIF definition comes back a hundred times over; a dissection of a live one is rarer. Buron ships and runs a first-party pixel, so instead of describing the concept we can open the hood on a real one: what a single request carries, which fields browsers have taken away, and what a well-built pixel does when it can't see.

The words get used interchangeably; the jobs are distinct.

  • The tag is the delivery vehicle: the JS snippet (or the original <img> element) placed on the page, usually via a tag manager.
  • The pixel is the collection act: the request the tag fires to an endpoint, carrying the event payload.
  • The cookie is the memory: a small identifier stored in the browser so the next request is recognizable as the same visitor.

So "pixel vs cookie" is a false rivalry: block the cookie and the pixel still collects, but every visit looks like a stranger; block the pixel and the cookie remembers a visitor nobody is recording. Every tracking stack you've installed (Meta, GA4, TikTok) is all three parts working together.

#Anatomy of a pixel: what one request contains

Here is what a single event request from Buron's first-party pixel carries, field by field, representative of what any modern pixel collects:

  • Event. What happened: page_view, form_submit, purchase, with an event-level payload (value, currency, form ID).
  • URL and referrer. Where it happened and where the visitor came from, including the query string: UTMs and click IDs ride in here, which is what makes the pixel the capture point for Click IDs: what gclid, fbclid, and wbraid do.
  • Identifiers. The first-party visitor ID (from the cookie the pixel set), plus captured click IDs; post-login, a hashed email can be added to the payload. These are the keys Identity resolution: how user stitching actually works stitches on.
  • Timestamp and page context. Event time, page title, viewport.
  • Client hints. Browser and device class, used mostly to segment degradation (below), not to fingerprint.

Delivery detail that matters operationally: events that fire as the visitor leaves the page (a click out to checkout, a form redirect) can be lost if sent as ordinary requests, which is why well-built pixels use the browser's Beacon API (navigator.sendBeacon): it hands the payload to the browser to deliver after navigation. Losing exit events is one of the quieter reasons platform numbers disagree.

#What pixel data is used for

Four jobs, in ascending order of stakes:

  1. Events. The raw record: who did what, when, on which page.
  2. Audiences. Visitors matched into retargeting and lookalike pools.
  3. Conversions. Events reported back to ad platforms as the outcomes bidding optimizes toward; this is where pixel data stops being reporting and starts spending your money.
  4. Identity. The captured identifiers become the keys that connect anonymous traffic to leads and revenue (Identity resolution: how user stitching actually works).

The stakes rise down the list: a gap in events is a reporting annoyance; a gap in conversions mis-trains Smart Bidding and Advantage+, the signal quality argument the whole Conversion tracking & signal quality makes.

#What browsers took away

The pixel of 2019 saw everything; the pixel of 2026 works inside enforced limits. The big four:

  • Cookie lifetime caps. Safari's ITP caps JavaScript-set first-party cookies at 7 days (24 hours in some link-decoration cases), so the "remember" half of the system forgets weekly for a large slice of traffic. The full cookie-lifetime table lives in Tracking after third-party cookies: what actually still works.
  • Referrer trimming. Browsers default to sending only the origin cross-site: the pixel sees google.com, not the full path it used to.
  • Ad blockers and script blocking. A meaningful share of visitors never load third-party pixel scripts at all, and blocklists target known third-party endpoints far more than first-party ones.
  • Consent gating. Where consent platforms run, the pixel legally fires only after opt-in; every pre-consent event is dark by design (Consent Mode v2 without losing your signal covers what's recoverable).

Third-party pixels absorb all four at full force. A first-party pixel (your domain, your endpoint) dodges much of the blocking and gets the friendlier first-party cookie treatment, which is the structural reason the ecosystem is moving that direction.

#Graceful degradation: what a good pixel does when it can't see

A pixel that can't see everything should say so, not guess. The failure mode to design against isn't data loss (that's now guaranteed), it's silent loss that reads as real decline. Buron's pixel handles it by degrading explicitly: when the cookie is capped, events still arrive and are flagged as identity-degraded rather than dropped or double-counted as "new visitors"; when the referrer is trimmed, attribution falls back to captured UTMs and click IDs; when JS is blocked entirely, the gap is measured: server-side order and CRM feeds record what the pixel should have seen, so coverage is a monitored number instead of an assumption. The browser split is the durable pattern (illustrative shares): full payloads on the large majority of Chrome events, a several-fold higher degraded share on Safari and Firefox, and a small JS-blocked remainder that only the order and CRM feeds can count.

#Where pixels are going

Pixels aren't dying; they're moving. Client-side collection keeps thinning (more caps, more blocking, more consent gates), so the load shifts to server-side paths (Server-side tracking: what it fixes, what it costs, and whether you need it) and first-party identifiers (First-party data: the definition and the operating model): the browser tag becomes a thin capture layer, and durability lives behind it, on infrastructure you own. The operating posture that follows: treat pixel coverage as a monitored metric, not an installed checkbox, which is exactly what Buron's continuous audits do with ours.

#Which pixel guide you actually need

If you came here on your way to a task: the Meta pixel as an entity (what it sees and where your ID lives) is The Meta Pixel: what it is, what it sees, where to find your ID; installing pixels on Shopify's sandboxed web-pixel system is Shopify pixel setup: native web pixels and the Meta Pixel, done right; Meta conversion tracking end-to-end is Meta conversion tracking end to end: pixel, CAPI, and events that dedup; and the click-ID parameters your pixel should be capturing are Click IDs: what gclid, fbclid, and wbraid do.

Frequently asked questions

What's the difference between a pixel and a cookie?

A pixel collects; a cookie remembers. The pixel is the request that carries data about a pageview or event to a collection endpoint. The cookie is a small stored value that lets the next request be recognized as the same visitor. They're complements in one system, not competing technologies.

What is another name for ad tracking?

Tracking pixels go by web beacon, pixel tag, 1×1 GIF, clear GIF, or just 'tag.' In ad platforms the same mechanism is branded per platform: Meta pixel, TikTok pixel, LinkedIn Insight Tag. All name the same thing: code that reports visits and events to an ad or analytics endpoint.