
Last Updated on: June 25, 2026
Apple’s Intelligent Tracking Prevention (ITP) is a Safari privacy feature that blocks third-party cookies and limits first-party cookies set via JavaScript to seven days, disrupting how marketers track user behavior, attribute conversions, and run remarketing campaigns. With iOS 17 and Safari 17, ITP now strips tracking parameters like gclid and fbclid from URLs and blocks analytics tools like Google Tag Manager entirely in Advanced Tracking Protection mode.
Quick Recap: What is ITP?
Apple introduced ITP to limit cross-site tracking and enhance user privacy. The most significant update involved reducing the lifespan of cookies and effectively blocking third-party cookies. These changes have created new challenges for marketers and developers alike.
Contents
- ITP blocks all third-party cookies and caps JavaScript-set first-party cookies at 7 days in Safari
- iOS 17’s Advanced Tracking Protection strips UTM parameters, gclid, and fbclid from URLs
- Server-side tracking (via tools like Segment or GTM server-side) bypasses most ITP restrictions
- First-party data collection through CDPs is the most sustainable long-term solution
What are the impacts of ITP on marketing?
Ad tech and MarTech are less effective
ITP has made remarketing ads much less effective and tracking ad performance on Facebook and Google less accurate. Before ITP, tools like the Facebook Pixel could track and identify people across different devices using third-party cookies. Now, tracking is far less reliable because ITP causes these cookies to expire in as little as one day or up to seven days.
Attribution is more difficult
Shorter cookie lifetimes have made it harder to track returning users accurately. If someone visits a site more than seven days after their last visit, analytics tools using cookies will treat them as a new user, even if they’ve been there before.
For businesses selling high-consideration products, where buyers take longer than seven days between visits, this can cause problems. Tools like Google Analytics will see returning customers as new, disrupting data on user behavior.
ITP also impacts marketing attribution. First-touch and last-touch tracking often end up focusing only on the most recent interaction, making it harder to understand the full customer journey.
What exactly is Intelligent Tracking Prevention (ITP)?
To recap: Apple’s Intelligent Tracking Prevention (ITP) was designed to limit tracking of user behavior across websites. The biggest change was reducing the lifespan of third-party cookies. This made it much harder for platforms like Facebook and Google to track a user’s activity across different sites and devices, making user profiling much less effective.
What exactly is a first-party vs. a third-party cookie?
First-party cookies are made by the website you’re visiting. For example, when you visit Amazon.com, it sets a cookie on its own domain, “amazon.com,” to keep you logged in and track what you browse or buy.
Third-party cookies, on the other hand, are created by a different domain. For instance, Meta (Facebook) sets a “facebook.com” cookie when you visit a site with their tracking pixel. These cookies are mainly used to track your activity across various websites.
Third-party cookies present an obvious privacy challenge
Third-party cookies can track what you do across many websites, which is why they raise privacy issues. For example, if you look at shoes on one website, then go to another site, you might suddenly see ads for those same shoes.
This happens because companies like Meta and Google use third-party cookies to follow your activity and learn about your interests. While this helps them show ads you might like, it also means they know a lot about what you do online, which can feel like an invasion of privacy.
The rise of Apple Intelligent Tracking Prevention
To address this problem, Apple rolled out ITP to block third-party cookies, but in doing so they largely changed the definition of what a first-party cookie is.
Not only does ITP take action against third-party cookies, but it has also started treating first-party cookies more like third-party cookies. Essentially, any cookie set by JavaScript will automatically expire seven days after the last time a user visits the website, even if the cookie has an expiration date longer than that.
iOS 17 has escalated the war on tracking technology
With the release of iOS 17 and Safari 17 on Mac, Apple’s Intelligent Tracking Prevention (ITP) has made even bigger changes.
Blocking trackers that map subdomains to third-party IP addresses
With ITP blocking cookies from third-party trackers, companies found a workaround using a CNAME DNS record. This trick changed the tracker’s script to load from a website’s subdomain instead of a third-party domain.
For example, instead of loading from “x.tracker.com,” the tracker would load from “tracker.yoursite.com” and set what looked like a “first-party” cookie on “yoursite.com.”
Many tools, like Marketo, Pardot, Segment, and Google Tag Manager, use this trick to make tracking seem like it’s coming from the website itself.
But with Safari 17, Apple has figured out how to spot these “hidden” trackers.
Now, it treats these cookies just like third-party cookies, meaning they will only last for seven days.
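To see which of your own subdomains are delegated this way, you can audit the zone's CNAME records. The sketch below is an added example, not code from the article or from any vendor: it follows each CNAME chain and flags subdomains that end up on a host outside the site's domain. The record set, the vendor hostnames and the simple suffix check for "same site" are constructed assumptions, and it does not model how Safari itself detects cloaking.

```javascript
// Added example: flag subdomains whose CNAME chain leaves the site's own domain.
// Keys are assumed to be lower-case hostnames without a trailing dot.

// True when host is the site domain itself or one of its subdomains.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Follow a CNAME chain as far as the supplied records go, guarding against loops.
function resolveChain(host, cnames) {
  const chain = [host];
  const seen = new Set(chain);
  let current = host;
  while (cnames.has(current)) {
    const next = cnames.get(current).toLowerCase().replace(/\.$/, "");
    if (seen.has(next)) break; // CNAME loop: stop rather than spin
    seen.add(next);
    chain.push(next);
    current = next;
  }
  return chain;
}

// Return one finding per first-party hostname that resolves through an off-site name.
function findCloakedSubdomains(siteDomain, cnames) {
  const findings = [];
  for (const host of cnames.keys()) {
    if (!isFirstParty(host, siteDomain)) continue;
    const chain = resolveChain(host, cnames);
    const target = chain.find((h) => !isFirstParty(h, siteDomain));
    if (target) findings.push({ host, target, chain });
  }
  return findings;
}

// Constructed sample zone data (hostname -> CNAME target).
const SAMPLE_CNAMES = new Map([
  ["tracker.yoursite.com", "x.tracker.com."],
  ["www.yoursite.com", "yoursite.com."],
  ["metrics.yoursite.com", "edge.yoursite.com."],
  ["edge.yoursite.com", "collector.vendor.example."],
]);

for (const f of findCloakedSubdomains("yoursite.com", SAMPLE_CNAMES)) {
  console.log(`${f.host} -> ${f.target} (via ${f.chain.join(" > ")})`);
}
```

A flagged entry is not automatically a tracker, since CDNs and hosted services use the same CNAME pattern; the output is a list to review, including which cookies on your domain each delegated host can receive.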
Safari 17 Removes Tracking Parameters from Links
This feature removes tracking parameters from links, such as click identifiers like “gclid” (from Google Ads) and “fbclid” (from Facebook), preventing them from being passed when users click links in emails. It also applies to links clicked while using Private Browsing Mode or when “Advanced Tracking Protection” is enabled, which I’ll discuss further below.
For example, if a Google ad generates a link like “yoursite.com?gclid=1234,” the “gclid=1234” portion will be stripped, meaning analytics tools won’t detect it.
This change disrupts Google Ads and Google Analytics attribution, as these parameters are essential for identifying which ad a user clicked.
It’s worth noting that this is blocking click IDs that can identify an individual user, but it does not block parameters such as “utm_source” or other more generic tracking. This makes UTM hygiene more critical than ever to be able to attribute users to sources.
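The effect on a landing page can be reproduced offline. The following is an added example, not code from the article or from Safari: it models the stripping described above using only the two click identifiers the article names, then shows what attribution is still possible from the URL that arrives. The function names, the sample URLs and the attribution rules are assumptions made for illustration.

```javascript
// Click identifiers named in the article; the browser's actual list is not reproduced here.
const CLICK_IDS = ["gclid", "fbclid"];

// Model of the stripping behaviour: drop click IDs, keep every other parameter.
function stripClickIds(rawUrl) {
  const url = new URL(rawUrl);
  const removed = CLICK_IDS.filter((name) => url.searchParams.has(name));
  for (const name of removed) url.searchParams.delete(name);
  return { url: url.toString(), removed };
}

// Decide what a landing page can still attribute from the URL it receives.
function attribute(rawUrl) {
  const params = new URL(rawUrl).searchParams;
  const clickId = CLICK_IDS.find((name) => params.has(name));
  if (clickId) {
    return { basis: "click_id", param: clickId, value: params.get(clickId) };
  }
  if (params.has("utm_source")) {
    return {
      basis: "utm",
      source: params.get("utm_source"),
      medium: params.get("utm_medium"),
      campaign: params.get("utm_campaign"),
    };
  }
  return { basis: "none" }; // nothing left to attribute the visit to
}

// Constructed sample links: one tagged with UTM parameters, one carrying only a click ID.
const TAGGED_AD_URL =
  "https://yoursite.com/?gclid=1234&utm_source=google&utm_medium=cpc&utm_campaign=spring";
const BARE_AD_URL = "https://yoursite.com/?gclid=1234";

for (const link of [TAGGED_AD_URL, BARE_AD_URL]) {
  const received = stripClickIds(link);
  console.log(received.removed, attribute(link).basis, "->", attribute(received.url).basis);
}
```

The tagged link degrades from click-level to source-level attribution, while the untagged one loses attribution completely.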
Moreover, having a query string with any ad tech identifier, such as the Google Ads gclid, causes all cookies set by the browser with JavaScript to expire in one day, not just the cookie for the ad tech platform.
Example: The cookie Segment sets is called ajs_anonymous_id, and when loading a page without a gclid in the URL, the cookie is set to expire in one year (although, in reality, it expires in seven days after the last interaction on the site).

But when the user comes back with a referrer from a known tracking domain, like Facebook or Google, and a click identifier from that platform, such as gclid or fbclid, all cookies expire in less than 24 hours.

This has huge implications because having a click tracker reduces the effectiveness of the entire MarTech stack. This means that even the most innocent cookies, such as cookies used to keep users logged in, will get cleared after 24 hours if they are set via JavaScript and a user clicks on a link from Facebook.
Facebook attaches click identifiers to all events. This means that clicking any Facebook link, ad or organic link will cause your “good” cookies to be cleared after 24 hours if set by JavaScript.
“Advanced Tracking Protection” escalates the stakes of ITP by blocking tags entirely.
This is where iOS 17 and Safari 17 have dramatically changed the way ITP works. The big change is that Safari on iOS 17 and Safari 17 on Mac have introduced a new privacy setting called “Use Advanced tracking and fingerprinting protection.”

The impact of this change is huge: Google Tag Manager and Google Analytics are completely blocked.
ITP Advanced Tracking Protection also blocks tags for CDPs like Segment or analytics systems like Amplitude, even if they are loading outside of Google Tag Manager, by blocking their respective script CDN domains (for example, “cdn.segment.com” or “cdn.amplitude.com”).

While this feature is now opt-in, it could very well become opt-out in the future, much like Apple’s changes to mobile ad attribution.
Consider that, in the US, iOS devices account for 56% of the smartphone market. The impact of this is potentially catastrophic for tracking if you are using Google Tag Manager to handle your tagging.
What can you do about this?
Why Should Marketers Collect First-Party Data to Counter ITP?
Fundamentally, marketers are going to have to shift from relying on third parties to handle attribution and will need to collect attribution data themselves.
This means collecting users’ email addresses and setting static identifiers when a user signs up or logs in so that multiple visits are tied back to a single user.
Marketers need to build their marketing journeys around users continuously opting to provide first-party data so that returning sessions can be tied together, especially with cookies expiring in as little as seven days.
Amazon provides a great example of overcoming ITP. By keeping users signed in, Amazon avoids tracking issues entirely.
For some businesses, users naturally stay logged in or sign in regularly.
For others, it’s harder to achieve. However, finding ways to encourage users to log in every time they visit is crucial to bypass ITP challenges.
Many ad tech platforms let you upload first-party data to improve ad targeting and match rates.
For example, Facebook and Google allow marketers to share users’ email addresses and phone numbers tied to conversion events. This provides an additional way to track conversions, even if website tracking is fully blocked.
Own your user journey
ITP makes remarketing much harder, so you need to focus on owned channels like email, SMS, and push notifications. These tools let you stay in touch with your audience without worrying about tracking issues.
With owned channels, you get clearer data and can track how well your campaigns work for each user, instead of guessing like with remarketing.
To succeed, give users good reasons to sign up and stay connected to your content. This helps you keep marketing to them, even as tracking rules change.
How Can Marketers Mitigate ITP’s Impact on Tracking?
With these radical changes in ITP, marketers need to take steps to mitigate the potential loss in tracking and site functionality by updating their marketing tech stack to take these changes into account.
Use a CDP for data acquisition and activation
Using a CDP like Segment is a way to build a full picture of a user’s journey because it can combine multiple customer touchpoints using deterministic data to tie together sessions.
Furthermore, it helps leverage your first-party data to do things like sync audiences with marketing automation systems like Braze and with ad tech vendors like Facebook and Google to create powerful, multichannel campaigns.
Self-host all your tools to mitigate ITP and Advanced Tracking Protection
While ITP is always going to be an arms race, self-hosting or proxying your analytics stack will help mitigate a lot of the impact of Advanced Tracking Protection and ad blockers in general, both of which block scripts entirely. Some examples of ways you can do this include:
- Migrating to Google Tag Manager server-side tagging to load GTM from your own domain.
- Using domain proxying with Segment.
Reduce dependence on tag managers and third parties
The less client-side exposure your analytics and marketing stack has, the more resistant it will be to ITP and other tracking blockers. To improve this, here are some steps you can take:
1. Adding client-side tracking code directly to your site
Sometimes, tag managers may get blocked. To ensure you can still track important data, add your key tracking tags directly to your site’s front-end code. However, if these scripts are blocked as well, this won’t help.
2. Set “server” cookies
ITP affects all cookies set by JavaScript, whether they’re on your domain or not. However, cookies set by a server—like those that keep you logged in—are not impacted by ITP and stay active even after seven days.
For example, when you return to Amazon weeks later, you’re still logged in because they use server-side cookies, which ITP doesn’t block.
To improve tracking, you can use server-side coding to set tracking cookies. This method can be more reliable than JavaScript cookies.
You can use a CDN like Cloudflare to run tracking functions across your entire site without changing any code.
One example is Segment’s “Edge Functions,” which uses Cloudflare workers. These workers can do things like set server-side cookies, remove the source write key from the browser, and pull user traits from Segment Engage to include in the event context.
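What setting a cookie from the server looks like in practice: the added example below (not code from the article, Segment or Cloudflare) builds the Set-Cookie response header for a first-party visitor identifier and reuses an existing one from the request's Cookie header. The cookie name `visitor_id`, the one-year lifetime and the UUID format are assumptions; the function runs in Node or in an edge worker because the ID generator is passed in.

```javascript
// Added example: issue a first-party visitor ID via the Set-Cookie response header.
const COOKIE_NAME = "visitor_id"; // hypothetical cookie name
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// Only accept IDs in the format we issue, so a client cannot plant arbitrary values.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Parse a raw Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // skip malformed pairs
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Return the visitor ID plus the Set-Cookie header value to send with the response.
// newId defaults to the Web Crypto UUID generator available in Node and edge runtimes.
function visitorCookie(cookieHeader, newId = () => globalThis.crypto.randomUUID()) {
  const existing = parseCookieHeader(cookieHeader).get(COOKIE_NAME);
  const id = existing && UUID_RE.test(existing) ? existing : newId();
  const setCookie = [
    `${COOKIE_NAME}=${id}`,
    `Max-Age=${ONE_YEAR_SECONDS}`, // re-sent on every response, so the lifetime slides
    "Path=/",
    "Secure", // only sent over HTTPS
    "HttpOnly", // not readable from document.cookie
    "SameSite=Lax",
  ].join("; ");
  return { id, isNew: id !== existing, setCookie };
}
```

Because the cookie is HttpOnly, page scripts cannot read the identifier; the server or edge function has to attach it to the events it forwards, which also keeps the value out of reach of any injected third-party script.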
3. Use your own database as an event stream via reverse ETL
You likely store a lot of data in a data warehouse or data lake. For example, e-commerce businesses track detailed records of orders and customer data, which helps with accurate revenue tracking.
To use this data with ad platforms and analytics tools, you need to move it efficiently.
First, extract the data from your internal systems into a data warehouse like Snowflake using tools like Fivetran.
Next, use a Reverse ETL tool like Segment to send the data from Snowflake to your marketing stack and ad platforms, helping you create remarketing audiences.
Dan McGaw, CEO of McGaw.io and former Head of Marketing at Kissmetrics, has helped hundreds of companies navigate privacy changes like ITP by building compliant, first-party data strategies. McGaw.io specializes in analytics audits, CDP implementations, and server-side tracking setups that maintain measurement accuracy without relying on third-party cookies.
Frequently Asked Questions About Apple ITP
What is Apple’s Intelligent Tracking Prevention (ITP)?
ITP is a privacy feature built into Safari that blocks cross-site tracking by restricting third-party cookies and capping first-party cookies set through JavaScript to seven days. It uses machine learning to classify tracking behavior and applies restrictions automatically.
How does ITP affect marketing analytics?
ITP breaks multi-touch attribution models by deleting cookies that connect user sessions across days. It also blocks third-party analytics pixels, prevents retargeting campaigns from reaching Safari users, and can strip URL tracking parameters like gclid and fbclid.
Does ITP block Google Analytics and Google Tag Manager?
Standard Google Analytics (GA4) still works through ITP because it uses first-party cookies, but those cookies expire after 7 days for JavaScript-set values. Google Tag Manager loads normally unless the user enables Safari’s Advanced Tracking and Fingerprinting Protection, which can block GTM entirely.
How long do cookies last under ITP?
Third-party cookies are blocked completely. First-party cookies set via JavaScript (document.cookie) expire after 7 days. First-party cookies set via HTTP response headers from your own server have no ITP-imposed expiration limit, which is why server-side tracking bypasses most restrictions.
What is the difference between ITP and Advanced Tracking Protection?
ITP is Safari’s default tracking prevention that applies to all users automatically. Advanced Tracking and Fingerprinting Protection is an opt-in setting in iOS 17+ and Safari 17+ that goes further by stripping tracking parameters from URLs and blocking known tracking scripts including some analytics tools.
How can marketers work around ITP?
The most effective approaches are server-side tracking (setting cookies via HTTP headers instead of JavaScript), implementing a Customer Data Platform like Segment for first-party data collection, using server-side Google Tag Manager, and building authenticated user experiences that don’t depend on third-party cookies.
Conclusion
Mitigating tracking blocks is always going to be an arms race
While the mitigations above help reduce ITP’s impact for now, it’s important to acknowledge a harsh reality: every workaround marketers use will eventually prompt WebKit developers to counteract it.
That’s why it’s crucial to view marketing analytics as directional rather than your sole source of truth. Analytics should focus on identifying which channels drive the most revenue and understanding typical user behavior—such as “what actions users take to complete a specific goal.”
You don’t need to track 100% of users; instead, focus on aggregated patterns to make informed decisions.
Despite this ongoing “arms race,” marketers should still take steps to adapt to ITP’s changes and minimize their impact on tracking and analytics.
Allow me to ask to clarify some doubts that I have:
1 – “Many tools, like Marketo, Pardot, Segment, and Google Tag Manager, use this trick to make tracking seem like it’s coming from the website itself.” How and what for does GTM (script) use CNAME?
2 – “1. Adding client-side tracking code directly to your site”. Are you talking about GA events directly in the source code???
3 – “3. Use your own database as an event stream via reverse ETL”. Is this privacy led? I mean a company can track record ecommerce attributes of the product and some of the user, like id, phone, email….but it’s privacy oriented to reverse engineering this information to measure or ads platform?
The point about moving logic to edge networks like Cloudflare Workers to handle tracking/analytics post-ITP is spot on. We’ve been using that same edge-first approach for image generation with Nano Banana API. It’s Flux on Cloudflare’s edge, ~$0.02/image, no subscription. By keeping the generation logic near the user, we get the same privacy and performance benefits you described for marketing data.
Thanks for sharing this with us, it gave me a lot to think about!