Apple released Intelligent Tracking Prevention (ITP) 2.1 in March. It updates an already complicated set of rules first released in 2017 for how internet tracking works on Mac and iOS Safari browsers. In general, it makes this tracking much harder.
We’ll get to the details shortly, but it’s important to also mention the context of this update. Big tech and advertising players have for years been in a quiet arms race to impose their vision of data privacy on the internet. ITP 2.1 is Apple’s latest weapon of choice. ITP 2.2 has already been announced and is coming soon. Google just announced significant changes to its Chrome browser, which they claim enhance user privacy.
The technical details are important, but it’s no exaggeration to say that the fight over these tracking standards will affect businesses big and small around the world.
What is Intelligent Tracking Prevention (ITP)?
Before we dive into the recent changes, let’s start with the basics.
The Safari browser, both desktop and mobile versions, by default blocked third-party cookies before the ITP mechanism was introduced. But since this measure wasn’t enough to protect users’ privacy, Apple went one step further.
To tighten up protection of users’ privacy, Apple introduced a mechanism that changes how Safari deals with first-party cookies and restricts how AdTech companies track people online. The aim of this solution is to not only reduce the intrusion of tracking users but also minimize how long data is stored on an individual.
This is where Intelligent Tracking Prevention comes into the picture. It’s a feature developed by WebKit, an engine that powers Safari and other browsers, that “reduces cross-site tracking by further limiting cookies and other website data”. It was designed to recognize and then prevent domains with tracking capabilities from following users across the web using first-party cookies.
To get all the details on Apple’s tracking prevention method, including every single release of ITP, check out this comprehensive post:
What Is Intelligent Tracking Prevention and How Does It Work?
How ITP 2.1 affects web analytics and advertising
In a nutshell, the introduction of ITP 2.1 will disrupt the way you track, analyze, target and measure Safari users. It strikes at the core of the online advertising system since it impacts how you can identify a person browsing the Web. And there’s also GDPR to deal with, including its requirement to obtain user consent if you want to set a cookie on their bowser. For clarity’s sake, let’s break this down into smaller chunks.
Client-side cookies get 7 days to expire
Let’s start with some essential information on cookies. They can be set in two ways — either via server HTTP responses, i.e. server-side, or you can set them via JavaScript’s Document.cookie API, the so-called client-side.
The biggest modification in the latest ITP update applies to client-side cookies, which are now restricted to seven days. So now, all cookies (even first-party) created via the JS Document.cookie API will be set to expire in 7 days, regardless of their existing expiry date. On the other hand, server-side cookies set in HTTP won’t be affected.
As a result, JavaScript will be able to access cookies created via the HTTP response, as long as they don’t contain HttpOnly flag.
Cookies are inherently harmless and first-party cookies are an indispensable element of good user experience, making browsing more convenient. They are used in:
- session management: logins, shopping carts, game scores
- user privacy controls & settings
It’s hard to imagine the Web without them. But since they can be used for cross-site tracking of users, they are a significant concern of ITP 2.1.
If you want more information on the differences between cookies, have a look at:
First-Party vs Third-Party Cookies: Why First-Party Is the Way to Go
ITP will affect web analytics metrics and reports
Since ITP 2.1 changes the way cookies are handled, this will be reflected in your analytics metrics and overall reports. It will impact not only unique visitors and new vs. returning visitors but also sessions to conversion and days to conversions. Those are just a few examples.
What’s more, all metrics and reports based on visits from Safari will be valid only for seven days from the time the cookie is created. But things can get even trickier, because the cookie’s 7-day expiration date will be reset if the user visits the website again within seven days.
This 7-day cap will also result in an increase in the number of visitors (more new ones), because your analytics software won’t be able to recognize returning visitors if they come after seven days have passed.
However, only part of your data will be affected as Safari traffic is probably not the only type you get, and not all browsers have implemented ITP 2.1.
A/B testing will be impacted
Firstly, you’ve got only a 7-day window to test the performance of your site and track the results. This a significant drawback considering that your visitors who come less than once a week they will be treated as new ones. That means your A/B testing results will be inaccurate.
Additionally, the chances are high that you employ third-party tools for split testing, and these tests very often rely on third-party cookies to make sure a given visitor will regularly see the same variation.
Disruption of conversion tracking, attribution, visitor profiles
In short, ITP 2.1 will make conversion tracking, attribution and visitor profile data less accurate. All cookies created by document.cookie will be set to expire in 7 days, unless the cookie is updated beforehand. Tracking, attribution and visitor profiles will be affected if the user is using Safari and if they don’t visit the website regularly — first-party cookies will expire if not reset within 7 days.
For example, if a visitor comes to your website from a Facebook ad, views the advertised product, leaves your site and then comes back 9 days later and purchases the product they viewed previously, then that conversion won’t be attributed to the Facebook ad.
But, if the visitor came back to your site within 3 days and made a purchase, then the conversion could be properly attributed to the Facebook ad, provided their cookie was recognized.
So, another process that falls prey to ITP 2.1 is attribution, which is generally now harder to execute. By cutting down the tracking window, marketers can only attribute conversions that happen within 7 days from a visitor’s first visit. That might skew reports since the credit for a campaign’s success can be misattributed, relying too much on the last marketing touch point. There’s a risk that you will overspend on a channel that isn’t necessarily the top performer.
Retargeting won’t be possible
Since online advertising relies on cookies, the changes introduced by ITP 2.1 will have profound implications on targeting and retargeting ad campaigns to Safari users. Technically, you will have 24 hours to carry them out, which totally negates the idea behind such campaigns.
This is not only because of the 7-day tracking window, but also because both targeting and retargeting rely heavily on third-party cookies which are blocked by default.
Removed support for Do Not Track (DNT)
One of the changes introduced by ITP 2.1 was to withdraw support for the Do Not Track setting. This was because many websites don’t respect visitors’ decisions and continue tracking people even when DNT was on.
However, when considering the advanced privacy mechanisms provided by ITP, this move won’t have a significant influence on users’ privacy.
17 new privacy laws around the world and how they’ll affect your analytics
Read our recap to learn more about and prepare for 17 new and upcoming data privacy laws from around the world.
The impact of ITP 2.1 on Piwik PRO
Piwik PRO of course uses cookies, just as all analytics platforms do. But we also have ways of collecting data without cookies by employing anonymous data. We are working on finding the best means of protecting individual privacy,just like Apple is, but still meet the needs of our analytics clients.
Since users’ identities are of fundamental importance, maybe it’s time for AdTech companies to take their privacy-friendly marketing to the next level. For instance, in Piwik PRO we offer two solutions to respect people’s choice to remain anonymous online while simultaneously letting you implement marketing initiatives.
The first relies on anonymous data. This method delivers numerous benefits. Above all, it offers you a reasonable middle ground between doing useful analytics, digital marketing and ITP. Cookies used for anonymous data collection are deleted automatically after 30 minutes, and are not used for persistent tracking.
Furthermore, anonymous data collection helps you stay compliant with GDPR, as you don’t collect personal data, but you can still run various marketing campaigns. Also, under GDPR this kind data doesn’t require any additional safety measures.
To get all the essential info on data anonymization we recommend reading:
Anonymous Tracking: How to Do Useful Analytics Without Personal Data
Another solution where cookies don’t cut it is device fingerprinting. This technique creates some confusion mostly related to privacy issues. But there’s a safe and lawful way to employ it without intruding on people’s online privacy – this is consent.
If your organization wants to track users unobtrusively, ask your site visitors for consent. It will help you match ads with user profiles and run targeted advertising in a compliant way.
Show visitors that you respect their rights and inform them about your intentions – ultimately, leave the decision to them. For instance, in Piwik PRO we store a browser fingerprint, but by default we use it only to have accurate information on user sessions.
We’ve covered all these issues in detail, so make sure to check these posts out:
How ITP 2.1 affects GDPR consent
Talking about the implications of ITP concerning cookies, it’s worth considering users’ consents.
Some questions arise, like:
How do you save consents?
Can you store consents for longer than 7 days for Safari users?
When it comes to Piwik PRO Consent Manager, a user’s consent is stored in a first-party cookie, so the mechanism is very similar to the one we use to store analytics visitor ID. And that’s even more crucial since we don’t want to display consent pop-ups every 7 days. Also, with ITP 2.1, opt-out cookies will be deleted after this period.
Intelligent Tracking Prevention 2.2 (ITP 2.2) in brief
As we’ve already mentioned, we’ll explain in detail the important aspects of ITP 2.2 once it’s released and up and running. However, there are some issues we want to point out now so you can get a better idea of what’s coming up.
The newest iteration of ITP, 2.2, limits first-party cookies’ lifespan to 24h. That’s a really big deal.
As noted by Amanda Martin from Goodway Group:
“Many actions advertisers are interested in attributing back to digital marketing efforts happen outside the newly implemented 24-hour window, creating a blind spot for advertisers and brands”
This means that when a user clicks on your product’s ad on Friday and they spend the whole weekend thinking it over, when they come back to your site on Monday the cookie has disappeared. This person will be recognized by the browser as a new visitor.
However, Intelligent Tracking Prevention 2.2 affects only some specific first-party cookies. It’s aimed at persistent cookies that are dropped on the visitor’s browser on behalf of another company that Apple recognizes as one that can perform cross-site tracking.
ITP 2.2 targets a method called link decoration which lets you attach information to a URL clicked by a visitor in order to send this data to the destination site. That’s a common and harmless practice used for ad click attribution. This attribution should provide information on which ad a visitor clicked and on which website, but without capturing the user’s identity. It can be used, for instance, in newsletters to know that a person landed on your page from a link in your email.
But tech giants use this approach as an ITP workaround, pass data to other sites, and then persistently track people. The practice is called cross-site tracking via link decoration.
17 new privacy laws around the world and how they’ll affect your analytics
Read our recap to learn more about and prepare for 17 new and upcoming data privacy laws from around the world.
How to work with ITP and still get good data
As we’ve seen, ITP poses some serious challenges to marketers and web analysts. But with the right approach you can adjust your methods to it, obtaining useful data without invading users’ privacy. Here are some practical solutions.
You can start with using the browser’s localStorage as a fallback mechanism to make sure that the visitor ID cookie won’t expire after 7 days. LocalStorage in this case can be used to recreate cookies after the visitor returns to the website.
Another option would be to set cookies on the server side. For this, you would create a subdomain to act as an endpoint (e.g. cookies.example.com) for setting cookies on the server side on both the root domain (e.g. example.com) and all subdomains (e.g. blog.example.com). Cookies created in this way won’t be impacted by ITP 2.1.
There are a few options available to web analytics software users that will allow them to continue gathering valuable analytics data from visitors on Safari browsers, such as using the browser’s localStorage as a fallback mechanism and setting the analytics cookies on the server side (Simo Ahava explains in detail some solutions in this post).
Ultimately, your choice of one of the many available solutions will depend on a number of factors, such as the number of domains you want to track.
Most of these solutions will require both the web analytics platform and the person operating the website (e.g. web analyst or web developer) to make some additional configurations.
Tech giants competing for the crown of most “privacy-conscious”
ITP 2.1 might feel like a dark cloud hanging over the digital ecosystem. Some even call it a “war on cookies”. But in fact it’s just a response to privacy concerns about cross-site tracking of users. Apple has made this a big part of their selling point to users, but they are far from the only one. Take, for instance, Firefox, which blocks third-party cookies by default. And Google some time ago broke the news that upcoming changes to Chrome will provide more privacy protections.
We’re happy to see privacy issues taking a more prominent place in public discussions. But it still remains to be seen what all this talk about privacy protection will mean in practice.
Worry not, we’re here to help and keep you updated. If you have questions about how all these changes could affect your analytics, drop us a line.
