TL;DR
Most Northern European e-commerce brands are overspending on “anonymous visitor personalization,” but the math doesn’t add up. The reality: ~65–70% of traffic comes from Apple/Safari devices, where WebKit wipes cookies every 7 days, and another 30–40% of visitors decline cookies outright. That leaves a world-class identification rate at just 25–30% — most brands sit at 10–15%. So the addressable audience for anonymous personalization is a thin slice, and the ROI is structurally low. Worse, some anonymous-tracking techniques (like fingerprinting) are non-compliant under EU e-privacy rules and have triggered six-figure fines. The smarter play: invest in raising identification rates — loyalty incentives, soft identification via email clicks, and merging pre-identification browsing data into customer profiles. Before any vendor pitch, ask one question: “What percentage of our actual traffic does this work on?”
Most e-commerce brands in Northers Europe are investing heavily in anonymous visitor personalization, but the math doesn’t support the promise. Here’s what the data says, and where the real opportunity lies.
Walk into any MarTech demo in 2026 and you’ll hear a version of the same pitch: personalize for every visitor, even the ones you don’t know. Identify anonymous traffic. Activate your unknown audience. Turn browsers into buyers before they’ve shared their name.
The promise sounds compelling. The numbers tell a different story.
It all sounds like a significant competitive advantage. For most European retailers, it isn’t. Understanding why requires taking an honest look at how e-commerce tracking works, and what percentage of your traffic any of this can realistically reach.
First, let’s define the terms, because most people get this wrong
When e-commerce teams talk about “anonymous visitors”, they’re often using the term to describe three very different types of traffic. Treating them as one category is where most of the confusion, and overspending, begins.
- Level 1: Truly anonymous traffic
This is a visitor who has actively said no to cookies and other identifiers. No consent, no tracking, no data. No CRM platform, personalization engine, or analytics tool can see them. At any given moment, this accounts for roughly 30–40% of all traffic hitting an e-commerce site in Northern Europe.
- Level 2: Non-identified traffic
This visitor has accepted cookies, so the site can see them, but hasn’t identified themselves. There’s no email, no phone number, no login. The platform assigns them an anonymous session ID and can observe their behavior: what they browse, what they click, what they add to a basket.
These behavioral signals can be used to personalize the experience in the session, surfacing relevant products or content based on what the visitor is doing in that very moment, but there’s still no person attached to any of it.
- Level 3: Identified traffic
This visitor has made themselves known through a purchase, a newsletter sign-up, a login, or clicking through from an email. Now you have a profile. Now you can personalize, segment, communicate, and build a relationship. This is where personalization works.
Understanding which tier you’re talking about matters enormously, because the capabilities, the ROI, and the compliance implications are completely different across all three.
The identification rate problem nobody talks about honestly
Here’s the part that tends to surprise e-commerce and marketing leaders when they first look at the real numbers.
In Northern Europe, approximately 65–70% of all e-commerce traffic comes from Apple devices — iPhones and Macs running Safari. Safari is built on a browser engine called WebKit, which has a specific behavior that most marketing teams aren’t aware of: it clears all cookies and tracking scripts every seven days.
What that means in practice is that even a visitor who accepted your cookie banner, browsed your site, and added something to their basket will be completely unknown to your platform if they return two weeks later. The session is gone. The history is wiped. You’re starting from scratch.
Layer on top of that the 30–40% of visitors who decline cookies entirely, and the realistic window of traffic you can identify and act on starts to look very different from what most vendor pitches imply. A world-class identification rate for a European e-commerce business is around 25–30% of traffic at any given moment. Most brands are operating somewhere between 10 and 15%. That’s not a failure of technology or strategy. It’s the structural reality of how the internet works in a post-GDPR, Safari-dominated market.
What this means for the ROI of anonymous personalization
When you understand those numbers, the ROI case for heavy investment in anonymous visitor capabilities starts to unravel quickly.
If you’re reaching 10–15% of your traffic as identified customers, and another portion as non-identified visitors, and a further 30–40% are invisible entirely, the addressable audience for anonymous personalization is a thin slice.
This plays out in practice in ways that are rarely discussed openly. Brands that have been sold aggressively on anonymous personalization capabilities often find, once they look at actual usage data, that the feature is reaching a fraction of a percent of real visitors. Impressive in a demo. Marginal in production.
The honest conclusion is uncomfortable but important: the ROI of use cases built on anonymous visitors is structurally low compared to use cases built on people you know. Not because the technology is bad, but because the addressable audience is fundamentally constrained by regulation and device behavior.
The compliance dimension most brands aren’t thinking about
There’s a second layer to this conversation that moves from ROI into legal risk, and it’s one that European brands should pay close attention to.
EU e-privacy regulation is clear: to track, profile, or personalize for any visitor, you need explicit, active consent. Not a pre-ticked box. Not a deliberately confusing consent UI. Explicit consent.
Some tracking techniques go further than cookies and operate in ways that sidestep consent requirements entirely. Fingerprinting is the most common example. It works by combining signals that a browser sends automatically when it connects to a server — IP address, geolocation, screen resolution, installed fonts — to build a unique identifier for a device without ever asking for permission. It doesn’t need a cookie. It doesn’t need a yes. It is also fundamentally non-compliant under EU regulation.
Across Europe, businesses in sensitive verticals – have faced significant fines and regulatory scrutiny for this type of tracking. In some cases, penalties have reached into the hundreds of thousands of euros, often for sharing customer data with advertising platforms through tracking pixels without sufficiently clear consent. These aren’t edge cases; they’re examples of what happens when platforms built for US regulatory standards are deployed in a European context.
The distinction matters: many vendors offering sophisticated anonymous tracking capabilities have built those features for markets where the regulatory framework is more permissive. European brands using those features are taking on compliance risk they may not fully understand, often because the capability was presented as standard functionality in a sales process.
Where the real personalization opportunity is
None of this means that non-identified traffic is worthless, or that brands should stop trying to do more with visitors they don’t yet know. The case for increasing identification rates, improving loyalty program sign-up flows, and building better data capture at every touchpoint is stronger than ever, precisely because identified customers are so much more valuable than unidentified ones.
The shift worth making is in where brands direct their energy and investment. Rather than trying to extract more from the anonymous tier, where the ceiling is low and the compliance risk is real, the more durable opportunity is in growing the identified base and doing significantly more with it.
That means using loyalty mechanics to give visitors a reason to identify themselves. It means implementing soft identification so that a click from an email reconnects a returning customer to their profile automatically. It means merging browsing behavior captured before identification with the customer profile the moment they make themselves known, so that no behavioral data is wasted. It also means being honest about what personalization can realistically mean for someone you don’t know.
The question worth asking before your next vendor conversation
The next time a platform pitches you on anonymous visitor personalization, there’s one question worth asking before anything else: What percentage of our traffic does this work on?
Not in theory. Not in a best-case scenario with full cookie consent. In the real traffic mix of a Northern European retailer, with Safari at 65–70%, cookie rejection at 30–40%, and a 7-day tracking window that resets by default. The answer will tell you a lot about the feature. And about the vendor.
The bottom line
Anonymous visitor personalization is not a myth. For the traffic it can reach, it does something. But the industry has significantly oversold its potential in a European context, and many brands are investing in capabilities that will never reach most of their audience.
The smarter investment, and the one with a clearer ROI path, is in raising identification rates, building stronger loyalty program entry points, and doing more with the customers you already know. That’s where the addressable audience is large enough to move the needle. That’s where personalization can be personal.
And in a market where privacy regulation is only getting stricter, building on a compliant foundation isn’t just the responsible choice — it’s the smart one.
About Author
