[kcartlidge]

> Since the only cookie that is endangered is the « third party cookie »

Data protection regulations (esp. GDPR) are totally unconcerned with the distinction between first and third party cookies. They are concerned with data collection permissions and scopes, regardless of the technology used.

If you are capturing information which is not essential to the service/product you are offering at that moment and in that session, then you need specific permission - even for your own cookies. And if you did not have that permission at the time it was collected then you cannot merge it into records after conversion.