Cookies are the standard for tracking user behavior through their journey and touchpoints. However, due to the increasing use of ad blockers, Apple’s introduction of Intelligent Tracking Prevention (ITP), and regulations such as GDPR and CCPA becoming the norm, many users are able to block advertisers’ attempts to track their interactions.
Contents
- What Is Apple ITP?
- What Are Third-Party Cookies vs First-Party Cookies?
- How Does ITP and Ad Blocking Work?
- 6 Methods for Bypassing ITPs That Work
- #1 Use Google Tag Manager server-side tagging
- #2 Proxy analytics scripts through your own domains
- #3 Integrate tracking scripts into your site’s main JavaScript file
- #4 Set cookies via a web server rather than JavaScript
- #5 Use first-party data as much as possible
- #6 Follow GDPR and CCPA guidelines and get informed consent
- #7 Anonymize the User Data Sent to Any Ad Platform
- Build Your Perfect Marketing Stack
A study found that almost half (47%) of internet users worldwide used an ad blocker. In the United States, 38.8% of internet users did the same.
Here’s why this matters to marketers:
- 15% to 30% of your conversion data will disappear.
- US-based businesses could miss up to 36% of data on average.
- 80% of advertisers rely on third-party cookies to reach their online prospects.
With ITP, it’s a lot more difficult for marketers to access the consumer data they need to move clients along the sales funnel. Fortunately, there are ways analytics tracking can bypass ad blockers.
In this article, we’ll teach you how to bypass Safari’s ITP and ad blockers. It won’t be about dirty tricks that stop working next month. We’ll show you 6 methods that we apply in our consulting practice, that are made to withstand the evolving privacy climate, and that respect the interests of the user. Let’s dive in:
What Is Apple ITP?
Apple’s Intelligent Tracking Prevention (ITP) is an algorithm that blocks third-party cookies. This means that the site you visited is blocked from setting cookies that could share the user’s data for advertising on another website or platform.
Apple’s ITP also limits the use of cookies in a first-party context. Using machine learning technology, the solution can track domains users have visited in the past 24 hours. Sites without a direct relationship to the user won’t be able to drop cookies for retargeting or attribution.
For context, ITP was first released in September 2017 alongside Safari 12 and iOS 11. In 2021, Apple required advertisers to get a user’s consent before they can track their activities, and major browsers like Chrome and Firefox have followed suit.
Furthermore, Apple requires apps and websites to ask permission before they can track user activity. When refused, you won’t be able to identify the user, create analytics reports on the user’s behavior, or send advertising messages. Users also have the ability to stop tracking activity on apps they previously approved.
Third-Party Cookies vs. First-Party Cookies
First-party cookies are stored in the domain or website you visited. They track user data only on the website where they were placed, and they are not used to send user information to other websites, servers, or platforms. For example, first-party cookies collect data such as sign-in information, language settings, and products viewed. The data will only be used within the environment of the website that sets them for the user. This type of cookie does not track user activity in other domains. First-party cookies can be within an e-commerce website, but also within a big social network. So for instance, if Facebook sets a cookie for a user, but does not share the data with another platform for retargeting, and only uses the cookie for its own marketing, it’s still first-party.
Third-party cookies are those that are passed between websites, often for retargeting. So when you browse an ecommerce website about electric kettles, and then you see an ad about an electric kettle on Facebook, it’s because of third-party cookies. The ecommerce website passed the cookie onto an aggregating server, which then sold the data to advertising platforms, including Facebook.
Finally, here’s how the two types of cookies affect your advertising differently:
- Privacy issues: Passing user behavior data between multiple parties makes it hard to respect privacy. This is at the core of the reason for ITP.
- Ad blocking: The majority of browsers support first-party cookies, while ad blockers often block third-party cookies. Both cookie types can be deleted by users.
- Connecting cookies: A first-party cookie is connected to a publisher’s web server or domain. Third-party cookies are set by third-party service providers like ad tech vendors and servers.
- Availability: First-party cookies can only track user activity within the domain where the cookies were set. In comparison, third-party cookies can be accessed on multiple third-party domains.
How Do ITP and Ad Blocking Work?
Ad blockers seek to eliminate online advertisements in a webpage through filtering rules. As the website loads, the ad blocker evaluates the site’s scripts and finds scripts to block. The blocked ad content is replaced by alternative content or broken links, or it is left out.
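To make the filtering step concrete, here is an added example (not part of the original article and not any ad blocker’s actual code) of a minimal URL matcher with two rule types, host and file name. The rules and sample URLs are constructed; `cdn.example.com` stands in for a site’s own domain.

```javascript
// Added example: a minimal URL filter in the style ad blockers use.
// Rules are constructed for illustration; real filter lists have many more rule types.
const RULES = [
  { type: 'host', value: 'googletagmanager.com' }, // a host and all of its subdomains
  { type: 'host', value: 'cdn.segment.com' },
  { type: 'path', value: '/gtm.js' },              // a file name, on any host
  { type: 'path', value: '/analytics.js' },
];

// Return true when a single rule applies to the requested script URL.
function matchRule(rule, url) {
  const { hostname, pathname } = new URL(url);
  if (rule.type === 'host') {
    // Match the exact host or a true subdomain, not a look-alike suffix.
    return hostname === rule.value || hostname.endsWith('.' + rule.value);
  }
  return pathname.endsWith(rule.value);
}

// Evaluate a script URL against the rule list and report the first rule that hit.
function evaluate(url, rules = RULES) {
  const hit = rules.find((r) => matchRule(r, url));
  return hit
    ? { blocked: true, rule: `${hit.type}:${hit.value}` }
    : { blocked: false, rule: null };
}

// Constructed sample requests a page might make while loading.
const SAMPLE_URLS = [
  'https://www.googletagmanager.com/gtm.js?id=GTM-xxxxxx', // third-party host
  'https://cdn.example.com/analytics.js',                  // own host, known file name
  'https://notgoogletagmanager.com/app.js',                // look-alike host, no rule applies
  'https://cdn.example.com/app.js',                        // ordinary site script
];

for (const url of SAMPLE_URLS) {
  console.log(url, evaluate(url));
}
```

The second sample shows that serving a script from your own host does not exempt it from file-name rules.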
Intelligent Tracking Prevention uses machine learning to identify websites that track users through cookies. Then, it blocks them from placing tracking data in the user’s device. Apple ITP is turned on by default in Safari, allowing users to safeguard their privacy with zero effort. What’s more, Google has announced that they will join the bandwagon, and block third-party cookies in Chrome starting from 2023.
ITP uses machine learning algorithms designed not just to block particular tags, but to block scripts with suspicious behavior patterns. It’s similar to antivirus software, and it helps Apple stay ahead of workarounds that provide a temporary solution without actually respecting user privacy.
7 Proven Methods to Bypass ITPs and Ad Blockers
The death of cookies is a good thing for the increasingly privacy-conscious consumer. As it turns out, it can be a positive sign for marketers too. Transitioning to first-party cookies offers more control to all parties involved. It also makes advertisers care more about user relationships where the users are happy to share first-party data.
At the same time, Apple and Google do not offer optimal solutions that enable marketers to continue doing good advertising.
Add in ad blockers that can block scripts entirely, and it is increasingly difficult for marketers to track the performance of their campaigns. But not all is lost: there are a few ways marketers can limit the impact of both ITP and ad blockers and maintain a high return on ad spend.
The common theme of creating workarounds for ITP and ad blockers is to utilize first-party tracking. Using your own servers helps a lot.
#1 Use Google Tag Manager server-side tagging
While Google Tag Manager isn’t blocked by Safari’s ITP, any third-party scripts that load through it will fall under ITP and their cookies will be blocked. Google Tag Manager is also generally blocked by most ad blockers. Fortunately, advertisers can use Google Tag Manager server-side to mitigate this issue.
By tagging server-side, you load Google Tag Manager from a domain you control and reduce the amount of third-party JavaScript that loads in the user’s browser. In many cases, you may be able to avoid loading third-party scripts in the user’s browser entirely.
This improves performance, because less JavaScript is loaded and pages load faster, and security, because tracking IDs are kept out of the user’s browser, which can prevent issues like spamming Google Analytics with fake traffic.
While using Google Tag Manager server-side can mitigate ITP tracking and some ad blockers, the tag still can be detected because it has “gtm.js” in the name of the file, which is detectable by many ad blockers. As a workaround, you can use something like a Cloudflare Worker or an AWS Lambda function to essentially transform the tag name and then modify the tag script to use the new name. The tag would go from having “gtm.js” detectable:
    <script>(function(w, d, s, l, i) {
        w[l] = w[l] || [];
        w[l].push({
            'gtm.start': new Date().getTime(),
            event: 'gtm.js'
        });
        var f = d.getElementsByTagName(s)[0],
            j = d.createElement(s),
            dl = l != 'dataLayer' ? '&l=' + l : '';
        j.async = true;
        j.src =
            'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
        f.parentNode.insertBefore(j, f);
    })(window, document, 'script', 'dataLayer', 'GTM-xxxxxx');</script>
    <!-- End Google Tag Manager -->
to something like this:
    <script>(function(w, d, s, l, i) {
        w[l] = w[l] || [];
        w[l].push({
            'gtm.start': new Date().getTime(),
            event: 'gtm.js'
        });
        var f = d.getElementsByTagName(s)[0],
            j = d.createElement(s),
            dl = l != 'dataLayer' ? '&l=' + l : '';
        j.async = true;
        // The script now loads from your own domain under a neutral file name.
        j.src =
            'https://cdn.mcgaw.io/43234234.js';
        f.parentNode.insertBefore(j, f);
    })(window, document, 'script', 'dataLayer', 'GTM-xxxxxx');</script>
    <!-- End Google Tag Manager -->
#2 Proxy analytics scripts through your own domains
If you use customer data platforms (CDPs) like Segment, you can load their analytics.js tag from their CDN (cdn.segment.com), but you can also set up a CNAME record and have it load from your own domain (e.g. cdn.mcgaw.io), which will mitigate the impact of ad blockers.
This works really well, but much like with Google Tag Manager, ad blockers can still detect the tracking because the JavaScript file is usually named something like “analytics.js”, which is still detectable by ad blockers even if served from your own domain.
As with Google Tag Manager, you can use a Cloudflare Worker to change the name of the file to something an ad blocker won’t recognize, but there is a potentially easier way: integrate the tracking tag directly into your main site script.
#3 Integrate tracking scripts into your site’s main JavaScript file
Many tracking scripts, such as Segment’s Analytics.js, have an NPM package that can be included in the main site script with a module bundler like webpack.
This method removes the “analytics.js” script and ensures that there aren’t any subdomains serving the tag (e.g. cdn.mcgaw.io), which means the only way for ad blockers to block it would be for it to block all JavaScript entirely.
This also has the benefit of increasing performance because the user’s browser won’t have to do another DNS lookup to load another script.
#4 Set cookies via a web server rather than JavaScript
One of the biggest impacts of ITP is that it expires cookies that have been set by JavaScript after 7 days. In particular, for identifying returning users it’s important to have an anonymous or user ID that persists for as long as possible.
The solution is simple in concept: set a browser cookie via your web server. In practice, this is a bit more tricky, as there isn’t a turnkey solution to set a cookie via a web server. Also, implementing this solution will depend on what your website is built on and how much control you have.
If you’re using a WordPress site, you could create a function in your theme that would set a cookie. If you’re using a platform that you have less control over, you have to be more creative in setting this up and you’d need to use something like a Cloudflare Worker for setting a cookie on the site.
Once this cookie has been generated it will then stay there as long as you set it and as long as the user comes back to the browser. You will be able to tie all of their sessions back together even if they come back to the site more than a week later.
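A sketch of the server-side logic, as an added example rather than code from the original article: it builds the `Set-Cookie` header value for an anonymous visitor ID and only does so when consent has been given, in line with method #6. The cookie name `visitor_id`, the one-year lifetime, the `consentGiven` flag and the function names are assumptions; the default ID generator relies on a runtime with the Web Crypto global (Cloudflare Workers, recent Node.js).

```javascript
// Added example: issue a first-party visitor ID from the server via Set-Cookie.
// Cookie name, lifetime and function names are assumptions for illustration.
const COOKIE_NAME = 'visitor_id';
const MAX_AGE_SECONDS = 60 * 60 * 24 * 365; // one year
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Parse a Cookie request header into a plain object (first value wins).
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name && !(name in jar)) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Decide which ID to use and build the Set-Cookie header value.
// Returns null when the visitor has not consented, so no identifier is issued.
// The incoming cookie is client-controlled: anything that is not a well-formed
// UUID is discarded and replaced rather than echoed back into a header.
function visitorCookie(cookieHeader, consentGiven, newId = () => crypto.randomUUID()) {
  if (!consentGiven) return null;
  const seen = parseCookies(cookieHeader)[COOKIE_NAME];
  const id = UUID_RE.test(seen || '') ? seen : newId();
  const setCookie = [
    `${COOKIE_NAME}=${id}`,
    `Max-Age=${MAX_AGE_SECONDS}`, // re-sent on each response, so the lifetime slides
    'Path=/',
    'Secure',       // only sent over HTTPS
    'HttpOnly',     // not readable by page scripts, including third-party ones
    'SameSite=Lax', // not attached to cross-site subrequests
  ].join('; ');
  return { id, setCookie };
}
```

Because the cookie is `HttpOnly`, the ID has to be attached to analytics events on the server rather than read by a script in the page.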
Depending on which approach you take, you’ll likely need to configure each. But as we all know, users don’t use a single browser or device anymore; most users will probably view your site on more than one device or browser. This makes tying sessions together more difficult. But there is a solution: use first-party data.
#5 Use first-party data as much as possible
First-party cookies expire after 7 days and users that come back to the site from a different browser or device will lead to the same issue: returning users are seen as new users.
The most effective way to mitigate this issue is to collect first-party data about the user as early and as often as possible to tie their sessions together.
For example, if you run an ecommerce business, getting a user’s email address on their first visit will not only allow you to include them in your email marketing campaign, but it will also let you identify them in an analytics platform like Amplitude or Mixpanel. The user’s mobile device will be tied to that user identity for 7 days at a minimum until the cookie expires (unless you mitigate it with server-side cookies).
If the user comes to the site on their desktop and then completes a purchase with the same email address, Amplitude will tie together the session on their phone and the session on the desktop to a single user, providing you with accurate attribution of where the user came from.
Collecting first-party user data and keeping it within your own analytics is not just good for your own marketing; it also provides better privacy for your users. Many of the privacy issues, and the laws that address them, concern sharing data with third parties rather than companies using the data internally to understand their users.
I personally don’t have any issues with my grocery store giving me discounts based on my purchase behavior, but I would have issues with them selling my information to a direct mail company or to a data broker that would potentially do something harmful.
#6 Follow GDPR and CCPA guidelines and get informed consent
Your advertising must follow data protection laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). In general, regulators mandate website owners to ask for web visitors’ consent prior to tracking their data.
Consent management solutions such as the Segment Consent Manager allow you to send consent forms to meet these requirements. The solution uses the common tracking consent forms or pop-ups, so the user can tell tracking tools which data they’re allowed to receive.