A Practical Guide to utm tags
TL;DR — Quick Answer
4 min readBrowsers now send only the domain (not full URL) as referrer for cross-origin requests, and strip referrers entirely for HTTPS-to-HTTP. Compensate by tagging every link you control with UTM parameters.
This guide explains utm tags in practical terms, with a focus on privacy-first analytics decisions.
Referrer data used to feel simple: someone clicked a link, the destination site received the previous page URL, and analytics reported where the visit came from. Modern browsers are more careful. That is good for privacy, but it changes attribution.
If your analytics reports show more "direct" traffic than expected, fewer full referral URLs, or missing campaign detail, referrer policy may be one reason.
What the Referrer Header Does
The HTTP Referer header, misspelling included, tells a destination page where the request came from. Analytics tools use it to classify traffic as search, referral, social, or direct.
Without any extra campaign tagging, a visit from:
https://partner.example/reviews/best-analytics-toolsmight historically arrive with the full referring URL. That allowed the analytics tool to show not just partner.example, but the exact article.
Today, browsers commonly send less. MDN documents strict-origin-when-cross-origin as the default referrer policy in modern browsers, and Chrome announced the same default beginning with Chrome 85. Under that policy:
- same-origin requests can send the full URL
- cross-origin HTTPS-to-HTTPS requests send only the origin, such as
https://partner.example - HTTPS-to-HTTP requests send no referrer
That means your analytics tool may know the domain, but not the exact page.
Why Browsers Reduced Referrer Detail
Full referrer URLs can leak sensitive information. A URL might contain search terms, account IDs, reset tokens, document names, email addresses, or private paths. If that full URL is sent to every third-party resource on a page, privacy risk grows quickly.
Reduced referrer defaults are a browser-level attempt to limit passive data leakage. This is separate from cookies, pixels, and link tracking parameters. Even a site with no cookies can be affected by referrer policy.
How It Affects Analytics Reports
The biggest impact is loss of detail, not total loss of attribution.
You may still see that traffic came from github.com, news.ycombinator.com, linkedin.com, or a partner domain. You may not see which specific thread, profile, repository, or article sent it.
You may also see more direct traffic when:
- the source app does not send referrers
- the click happens inside a native app or email client
- the source uses
rel="noreferrer" - traffic moves from HTTPS to HTTP
- privacy tools strip referrers
- redirects remove attribution before the visitor lands
This is why "direct" traffic is not the same as "people typed the URL." It often means "the analytics tool did not receive a reliable source."
Why UTM Tags Still Matter
UTM parameters are campaign labels you add to links you control. Google Analytics documents manual tagging with UTM parameters as a way to collect traffic-source dimensions, and the same concept works in privacy-first analytics tools.
Flowsery
Start Free Trial
Real-time dashboard
Goal tracking
Cookie-free tracking
A clean campaign URL looks like this:
https://flowsery.com/?utm_source=newsletter&utm_medium=email&utm_campaign=product_launchUse UTMs for links in:
- email newsletters
- paid ads
- social posts
- partner campaigns
- QR codes
- creator sponsorships
- webinars
- downloadable PDFs
Do not use UTMs on internal links. Internal UTMs overwrite the original acquisition source and make reports worse.
A Practical UTM Naming System
Keep names lowercase, predictable, and boring:
| Parameter | Use | Example |
|---|---|---|
utm_source | where the click came from | linkedin, newsletter, partnername |
utm_medium | channel type | social, email, cpc, referral |
utm_campaign | campaign name | privacy_audit_2026 |
utm_content | creative or placement | footer_cta, carousel_2 |
utm_term | paid keyword, when needed | cookieless_analytics |
Document allowed values. If one person uses LinkedIn, another uses linkedin.com, and a third uses li, your reports fragment.
Privacy Caveats
UTM tags should describe campaigns, not people. Never put personal data in URL parameters. Avoid:
- email addresses
- names
- phone numbers
- customer IDs
- account IDs
- invoice IDs
- free-form search terms from private contexts
URLs are copied, logged, shared, indexed, and sent through referrer headers in some contexts. Treat every campaign parameter as potentially visible.
What to Configure on Your Site
Set an explicit referrer policy. For most websites, strict-origin-when-cross-origin is a sensible default because it preserves same-origin functionality while reducing cross-site leakage:
Referrer-Policy: strict-origin-when-cross-originIf you handle especially sensitive paths, consider stricter policies such as same-origin or no-referrer for those areas. For example, account, billing, health, legal, or admin pages should not leak full URLs to third parties.
Also check redirects. If a campaign link passes through a shortener, affiliate system, consent manager, or redirect service, confirm that UTMs survive until the final landing page.
The Right Mental Model
Referrers are opportunistic. UTMs are intentional.
Use referrer data to understand organic mentions and uncontrolled traffic. Use UTMs to measure campaigns you control. Use both, but do not expect browser referrers to provide full-fidelity attribution in a privacy-conscious web.
That tradeoff is healthy. You can still measure marketing performance without demanding that browsers leak every page a visitor came from.
QA for Campaign Links
Before a campaign launches, test the full click path. Click from the email, ad preview, social scheduler, partner page, QR code, and short link. Confirm the final landing page keeps the expected UTM parameters, uses HTTPS, avoids duplicate redirects, and does not add personal data to the URL.
Then check what your analytics tool records. The source, medium, campaign, landing page, and conversion should match the naming plan. If a link passes through a payment page, consent manager, or app store, document where attribution may be lost. This small QA routine catches campaign mistakes while there is still time to fix them, and it reduces the temptation to rely on invasive referrer recovery techniques later.
Flowsery
Start Free Trial
Real-time dashboard
Goal tracking
Cookie-free tracking
Referrer QA Checklist
Before a campaign launches, test the full click path from each placement and confirm that HTTPS, redirects, referrer policy, and UTM handling behave as expected. Then compare what analytics records with the naming plan. If attribution disappears at a shortener, consent step, payment page, or app-store handoff, document that gap instead of trying to rebuild the visitor's path with more invasive tracking.
Was this article helpful?
Let us know what you think!
Before you go...
Flowsery
Revenue-first analytics for your website
Track every visitor, source, and conversion in real time. Simple, powerful, and fully GDPR compliant.
Real-time dashboard
Goal tracking
Cookie-free tracking
Related Articles
A Practical Guide to ad campaign tracking
Ad campaign tracking does not have to depend on third-party cookies. Learn how to measure paid performance with UTMs, conversion goals, and first-party data in a cookieless setup.
A Practical Guide to 404 errors
404 errors hurt user experience, search visibility, and conversions. Learn how to spot broken pages in your analytics, prioritize the worst issues, and fix them with redirects and cleaner links.
A Practical Guide to ab testing tracking
This AB testing tracking guide shows how to compare variants with tags, measure conversions, and run lightweight experiments in privacy-focused analytics.