Full Answer

Privacy tools, from browser features to extensions, increasingly remove parameters that match known tracking patterns, and the literal strings utm_source, utm_medium, and utm_campaign are about as recognisable as patterns get. Trying to keep those exact parameters "invisible" while leaving them in the URL is a losing game, because they're on every blocklist worth maintaining.

The workable approach attacks the problem from two sides. First, presentation: instead of exposing standard UTM names, route the click through your own domain with a short coded token, then decode that token server-side back into the real source, medium, and campaign. A first-party, non-obvious parameter doesn't trip the same pattern matches, and because the decode happens on your server, your analytics still receive clean, standard values. Second, timing: read and persist whatever attribution arrives at the very first request, before redirects or stripping run.

The key shift is conceptual. Once attribution is captured and stored server-side, a privacy tool stripping the URL afterwards is harmless, you already have the data, and it flows to GA4 and ad platforms from your server. You're not hiding tracking from users so much as refusing to depend on the browser to carry it. That's both more robust and more honest than fragile cloaking tricks, and it keeps reporting accurate without fighting each new privacy release.