In a previous blog post, I covered what the end of third-party cookies means for marketers.
A lot has changed since I first wrote about Apple’s Intelligent Tracking Protection (ITP). Over the past year, ITP has become even more disruptive, significantly altering how user behavior is tracked online.
Quick Recap: What is ITP?
Apple introduced ITP to limit cross-site tracking and enhance user privacy. The most significant update involved reducing the lifespan of cookies and effectively blocking third-party cookies. These changes have created new challenges for marketers and developers alike.
What are the impacts of ITP on marketing?
Ad tech and MarTech are less effective
ITP has made remarketing ads much less effective and tracking ad performance on Facebook and Google less accurate. Before ITP, tools like the Facebook Pixel could track and identify people across different devices using third-party cookies. Now, tracking is far less reliable because ITP causes these cookies to expire in as little as one day or up to seven days.
Attribution is more difficult
Shorter cookie lifetimes have made it harder to track returning users accurately. If someone visits a site more than seven days after their last visit, analytics tools using cookies will treat them as a new user, even if they’ve been there before.
For businesses selling high-consideration products, where buyers take longer than seven days between visits, this can cause problems. Tools like Google Analytics will see returning customers as new, disrupting data on user behavior.
ITP also impacts marketing attribution. First-touch and last-touch tracking often end up focusing only on the most recent interaction, making it harder to understand the full customer journey.
What exactly is Intelligent Tracking Protection (ITP)?
To recap: Apple’s Intelligent Tracking Protection (ITP) was designed to limit tracking of user behavior across websites. The biggest change was reducing the lifespan of third-party cookies. This made it much harder for platforms like Facebook and Google to track a user’s activity across different sites and devices, making user profiling much less effective.
What exactly is a first-party vs. a third-party cookie?
First-party cookies are made by the website you’re visiting. For example, when you visit Amazon.com, it sets a cookie on its own domain, “amazon.com,” to keep you logged in and track what you browse or buy.
Third-party cookies, on the other hand, are created by a different domain. For instance, Meta (Facebook) sets a “facebook.com” cookie when you visit a site with their tracking pixel. These cookies are mainly used to track your activity across various websites.
Third-party cookies present an obvious privacy challenge
Third-party cookies can track what you do across many websites, which is why they raise privacy issues. For example, if you look at shoes on one website, then go to another site, you might suddenly see ads for those same shoes.
This happens because companies like Meta and Google use third-party cookies to follow your activity and learn about your interests. While this helps them show ads you might like, it also means they know a lot about what you do online, which can feel like an invasion of privacy.
The rise of Apple Intelligent Tracking Protection
To address this problem, Apple rolled out ITP to block third-party cookies, but in doing so they largely changed the definition of what a first-party cookie is.
Not only does ITP take action against third-party cookies, but it has also started treating first-party cookies more like third-party cookies. Essentially, any cookie set by JavaScript will automatically expire seven days after the last time a user visits the website, even if the cookie has an expiration date longer than that.
iOS 17 has escalated the war on tracking technology
With the release of iOS 17 and Safari 17 on Mac, Apple’s Intelligent Tracking Protection (ITP) has made even bigger changes.
Blocking trackers that map subdomains to third-party IP addresses
With ITP blocking cookies from third-party trackers, companies found a workaround using a CNAME DNS record. This trick changed the tracker’s script to load from a website’s subdomain instead of a third-party domain.
For example, instead of loading from “x.tracker.com,” the tracker would load from “tracker.yoursite.com” and set what looked like a “first-party” cookie on “yoursite.com.”
Many tools, like Marketo, Pardot, Segment, and Google Tag Manager, use this trick to make tracking seem like it’s coming from the website itself.
But with Safari 17, Apple has figured out how to spot these “hidden” trackers.
Now, it treats these cookies just like third-party cookies, meaning they will only last for seven days.
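To see which of your own subdomains fall into this category, you can audit your DNS zone for CNAME chains that end on another company's domain. The following is an added example, not code from any of the tools named above; the DNS records are constructed sample data, and `vendor-edge.example` and the function names are hypothetical.

```javascript
// Constructed DNS data for illustration; in practice, export your zone's CNAME records.
const CNAME_RECORDS = new Map([
  ["tracker.yoursite.com", "yoursite.vendor-edge.example"],
  ["yoursite.vendor-edge.example", "x.tracker.com"],
  ["www.yoursite.com", "yoursite.com"],
  ["shop.yoursite.com", "lb.yoursite.com"],
]);

// Simplification: treats the last two labels as the site.
// A real audit needs the Public Suffix List (e.g. for "example.co.uk").
function siteOf(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Follow a CNAME chain to its end, guarding against loops and very long chains.
function resolveChain(host, records, maxHops = 10) {
  const chain = [host];
  const seen = new Set(chain);
  while (records.has(host) && chain.length <= maxHops) {
    host = records.get(host);
    if (seen.has(host)) break; // CNAME loop: stop instead of spinning
    seen.add(host);
    chain.push(host);
  }
  return chain;
}

// Report every first-party name whose chain ends on a different site.
function findCloakedSubdomains(firstPartySite, records) {
  const findings = [];
  for (const name of records.keys()) {
    if (siteOf(name) !== firstPartySite) continue;
    const chain = resolveChain(name, records);
    const target = chain[chain.length - 1];
    if (siteOf(target) !== firstPartySite) findings.push({ name, target, chain });
  }
  return findings;
}

console.log(findCloakedSubdomains("yoursite.com", CNAME_RECORDS));
```

Every name this reports is a candidate for the seven-day treatment described above, so it is also a quick inventory of which vendors are setting cookies under your domain.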
Safari 17 Removes Tracking Parameters from Links
This feature removes tracking parameters from links, such as click identifiers like “gclid” (from Google Ads) and “fbclid” (from Facebook), preventing them from being passed when users click links in emails. It also applies to links clicked while using Private Browsing Mode or when “Advanced Tracking Protection” is enabled, which I’ll discuss further below.
For example, if a Google ad generates a link like “yoursite.com?gclid=1234,” the “gclid=1234” portion will be stripped, meaning analytics tools won’t detect it.
This change disrupts Google Ads and Google Analytics attribution, as these parameters are essential for identifying which ad a user clicked.
It’s worth noting that this is blocking click IDs that can identify an individual user, but it does not block parameters such as “utm_source” or other more generic tracking. This makes UTM hygiene more critical than ever to be able to attribute users to sources.
Moreover, having a query string with any ad tech identifier, such as the Google Ads gclid, causes all cookies set by the browser with JavaScript to expire in one day, not just the cookie for the ad tech platform.
Example: The cookie Segment sets is called ajs_anonymous_id, and when loading a page without a gclid in the URL, the cookie is set to expire in one year (although, in reality, it expires in seven days after the last interaction on the site).
But when the user comes back with a referrer from a known tracking domain, like Facebook or Google, and a click identifier from that platform, such as gclid or fbclid, all cookies expire in less than 24 hours.
This has huge implications because having a click tracker reduces the effectiveness of the entire MarTech stack. This means that even the most innocent cookies, such as cookies used to keep users logged in, will get cleared after 24 hours if they are set via JavaScript and a user clicks on a link from Facebook.
Facebook attaches click identifiers to all events. This means that clicking any Facebook link, whether an ad or an organic link, will cause your “good” cookies to be cleared after 24 hours if set by JavaScript.
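The rules in this section can be written down as a small model for checking how long a given cookie will actually survive. This is an added example, not WebKit's implementation: it encodes only the behavior described in this article, lists only the click identifiers and referrers named here, and applies the one-day cap when both a click identifier and a known tracker referrer are present.

```javascript
// Simplified model of the rules described in this article; not WebKit's code.
// Assumption: only the identifiers and referrers the article names are listed.
const CLICK_IDS = ["gclid", "fbclid"];
const TRACKER_REFERRERS = ["facebook.com", "google.com"];
const DAY = 24 * 60 * 60; // seconds

// Remove click identifiers from a link; generic parameters such as utm_source stay.
function stripClickIds(link) {
  const url = new URL(link);
  for (const name of CLICK_IDS) url.searchParams.delete(name);
  return url.toString();
}

function hasClickId(link) {
  const params = new URL(link).searchParams;
  return CLICK_IDS.some((name) => params.has(name));
}

function fromKnownTracker(referrer) {
  if (!referrer) return false;
  const host = new URL(referrer).hostname;
  return TRACKER_REFERRERS.some((d) => host === d || host.endsWith("." + d));
}

// Effective lifetime (seconds) of a cookie, given how it was set and how the
// visitor arrived. requestedSeconds is the lifetime the site asked for.
function effectiveLifetime({ setBy, cloaked = false, requestedSeconds, landingUrl, referrer }) {
  if (setBy === "server") {
    // Set in an HTTP response: not capped, unless it comes from a CNAME-cloaked subdomain.
    return cloaked ? Math.min(requestedSeconds, 7 * DAY) : requestedSeconds;
  }
  // Set by JavaScript: seven days, or one day after a decorated click from a tracker.
  const decorated = hasClickId(landingUrl) && fromKnownTracker(referrer);
  return Math.min(requestedSeconds, decorated ? DAY : 7 * DAY);
}

// The ajs_anonymous_id case from the text: one year requested, set by JavaScript.
const ajs = { setBy: "js", requestedSeconds: 365 * DAY };
console.log(effectiveLifetime({ ...ajs, landingUrl: "https://yoursite.com/", referrer: "" }) / DAY);
console.log(effectiveLifetime({ ...ajs, landingUrl: "https://yoursite.com/?gclid=1234",
                                referrer: "https://www.google.com/" }) / DAY);
```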
“Advanced Tracking Protection” escalates the stakes of ITP by blocking tags entirely.
This is where iOS 17 and Safari 17 have dramatically changed the way ITP works. The big change is that Safari on iOS 17 and Safari 17 on Mac have introduced a new privacy setting called “Use Advanced tracking and fingerprinting protection.”
The impact of this change is huge: Google Tag Manager and Google Analytics are completely blocked.
ITP Advanced Tracking Protection also blocks tags for CDPs like Segment or analytics systems like Amplitude, even if they are loaded outside of Google Tag Manager, by blocking their respective script CDN domains (for example, “cdn.segment.com” or “cdn.amplitude.com”).
While this feature is currently opt-in, it could very well become opt-out in the future, much like Apple’s changes to mobile ad attribution.
Consider that, in the US, iOS devices account for 56% of the smartphone market. The impact of this is potentially catastrophic for tracking if you are using Google Tag Manager to handle your tagging.
What can you do about this?
Collect your own data
Fundamentally, marketers are going to have to shift from relying on third-parties to handle attribution and will need to collect attribution data themselves.
This means collecting users’ email addresses and setting static identifiers when a user signs up or logs in so that multiple visits are tied back to a single user.
Marketers need to build their marketing journeys around users continuously opting to provide first-party data so that returning sessions can be tied together, especially with cookies expiring in as little as seven days.
Amazon provides a great example of overcoming ITP. By keeping users signed in, Amazon avoids tracking issues entirely.
For some businesses, users naturally stay logged in or sign in regularly.
For others, it’s harder to achieve. However, finding ways to encourage users to log in every time they visit is crucial to bypass ITP challenges.
Many ad tech platforms let you upload first-party data to improve ad targeting and match rates.
For example, Facebook and Google allow marketers to share users’ email addresses and phone numbers tied to conversion events. This provides an additional way to track conversions, even if website tracking is fully blocked.
Own your user journey
ITP makes remarketing much harder, so you need to focus on owned channels like email, SMS, and push notifications. These tools let you stay in touch with your audience without worrying about tracking issues.
With owned channels, you get clearer data and can track how well your campaigns work for each user, instead of guessing like with remarketing.
To succeed, give users good reasons to sign up and stay connected to your content. This helps you keep marketing to them, even as tracking rules change.
Technological fixes to mitigate ITP
With these radical changes in ITP, marketers need to take steps to mitigate the potential loss in tracking and site functionality by updating their marketing tech stack to take these changes into account.
Use a CDP for data acquisition and activation
Using a CDP like Segment is a way to build a full picture of a user’s journey because it can combine multiple customer touchpoints using deterministic data to tie together sessions.
Furthermore, it helps leverage your first-party data to do things like sync audiences with marketing automation systems like Braze and with ad tech vendors like Facebook and Google to create powerful, multichannel campaigns.
Self-host all your tools to mitigate ITP and Advanced Tracking Protection
While ITP is always going to be an arms race, self-hosting or proxying your analytics stack will help mitigate a lot of the impact of Advanced Tracking Protection and ad blockers in general, both of which block scripts entirely. Some examples of ways you can do this include:
- Migrating to Google Tag Manager server-side tagging to load GTM from your own domain.
- Using domain proxying with Segment.
Reduce dependence on tag managers and third parties
The less client-side exposure your analytics and marketing stack has, the more resistant it will be to ITP and other tracking blockers. To improve this, here are some steps you can take:
1. Add client-side tracking code directly to your site
Sometimes, tag managers may get blocked. To ensure you can still track important data, add your key tracking tags directly to your site’s front-end code. However, if these scripts are blocked as well, this won’t help.
2. Set “server” cookies
ITP affects all cookies set by JavaScript, whether they’re on your domain or not. However, cookies set by a server—like those that keep you logged in—are not impacted by ITP and stay active even after seven days.
For example, when you return to Amazon weeks later, you’re still logged in because they use server-side cookies, which ITP doesn’t block.
To improve tracking, you can use server-side coding to set tracking cookies. This method can be more reliable than JavaScript cookies.
You can use a CDN like Cloudflare to run tracking functions across your entire site without changing any code.
One example is Segment’s “Edge Functions,” which uses Cloudflare workers. These workers can do things like set server-side cookies, remove the source write key from the browser, and pull user traits from Segment Engage to include in the event context.
3. Use your own database as an event stream via reverse ETL
You likely store a lot of data in a data warehouse or data lake. For example, e-commerce businesses track detailed records of orders and customer data, which helps with accurate revenue tracking.
To use this data with ad platforms and analytics tools, you need to move it efficiently.
First, extract the data from your internal systems into a data warehouse like Snowflake using tools like Fivetran.
Next, use a Reverse ETL tool like Segment to send the data from Snowflake to your marketing stack and ad platforms, helping you create remarketing audiences.
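For step 2 above (setting “server” cookies), the cookie has to be issued in the HTTP response rather than through `document.cookie`. The following is an added example, not Segment's or Cloudflare's code; the cookie name `visitor_id` and the function names are hypothetical. It builds the `Set-Cookie` header a server or edge worker on your own domain would return, and it validates the incoming value because a cookie is client-controlled input.

```javascript
const ONE_YEAR = 365 * 24 * 60 * 60; // seconds

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Only accept identifiers in the format we issue (UUID-shaped). Anything else,
// including values carrying header-injection characters, is replaced.
const ID_FORMAT = /^[0-9a-f-]{36}$/;

// Returns the visitor id plus the Set-Cookie header value to send back.
// makeId is injectable so the function can be tested deterministically.
function visitorCookie(cookieHeader, makeId = () => crypto.randomUUID()) {
  const existing = parseCookies(cookieHeader).get("visitor_id");
  const id = ID_FORMAT.test(existing || "") ? existing : makeId();
  const setCookie = [
    `visitor_id=${id}`,
    `Max-Age=${ONE_YEAR}`, // re-sent on every response, so the lifetime keeps renewing
    "Path=/",
    "Secure",              // HTTPS only
    "HttpOnly",            // not readable or writable from page JavaScript
    "SameSite=Lax",
  ].join("; ");
  return { id, setCookie, isNew: id !== existing };
}
```

The response carrying this header has to be served by your own origin; a cookie set by a vendor behind a CNAME-mapped subdomain is treated as described in the Safari 17 section.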
Conclusion
Mitigating tracking blockers is always going to be an arms race
While the mitigations above help reduce ITP’s impact for now, it’s important to acknowledge a harsh reality: every workaround marketers use will eventually prompt WebKit developers to counteract it.
That’s why it’s crucial to view marketing analytics as directional rather than your sole source of truth. Analytics should focus on identifying which channels drive the most revenue and understanding typical user behavior—such as “what actions users take to complete a specific goal.”
You don’t need to track 100% of users; instead, focus on aggregated patterns to make informed decisions.
Despite this ongoing “arms race,” marketers should still take steps to adapt to ITP’s changes and minimize their impact on tracking and analytics.