How does Safari´s ITP impact your cookies?
As browsers are starting to implement privacy-first restrictions, there have been heated debates on the future of cookies. However, there also seems to be confusion around what role cookies play in cross-tracking and how they have been handicapped by initiatives like Safari´s ITP.
In the past years, browsers like Safari have been proactive in implementing limitations and restrictions blocking tracking practices. This led many advertisers, analytics professionals, and publishers alike to doubt the sustainability of cookies in the future.
Many marketers have the impression that either all cookies or that only third-party cookies will deprecate. It seems that there is a lot of confusion around the whole situation. As you look to stay afloat of current browser changes, it is essential to understand how mechanisms like ITP truly impact cookies.
What is Safari´s Intelligent Tracking Prevention?
ITP was introduced in 2017 with its first iteration ITP 1.0, and was defined as follows:
“Intelligent Tracking Prevention is a new WebKit feature that reduces cross-site tracking by further limiting cookies and other website data.” – WebKit.
Since 2017, there have been numerous iterations (currently at 2.3+) that progressively introduced more and more restrictions. Currently, ITP impacts third-party cookies, script-writable first-party cookies, and DOM storage too. Contrary to common belief, ITP has never been about third-party cookies, but it restricts all practices that have been classified as having cross-site tracking capabilities.
This means that even first-party analytics cookies (e.g. Adobe Analytics cookies, Google Analytics cookies, etc.) used within a first-party context (for your use in your website) are also restricted. This happens because they have the potential of being abused for cross-tracking. In this sense, Safari is the most restrictive browser when it comes to tracking prevention.
Browsers like Chrome, Firefox, and Edge recognize that much of digital analytics would be impacted and hence, decided to not restrict them.
What are web cookies?
Simply put, cookies are a small piece of data that are stored on the user´s computer.
Cookies are used for multiple purposes, but in a marketing context, they allow a website to learn about users and their behavior, e.g. users´ history on the site, the content they engaged with, what purchases they made, etc.
Most times, this information help businesses learn about their consumers. However, they can also be abused by advertisers tracking users around the web, infringing users’ privacy.
What are first-party cookies and third-party cookies?
When talking about cookies and tracking prevention, it is usual in marketing jargon to differentiate among two types of cookies: first-party cookies and third-party cookies.
- First-party cookies are cookies that belong to the domain of the website the user is visiting.
- Third-party cookies are cookies that belong to domains different from the website the user is visiting.
In technical terminology, there is no such thing as first-party and third-party cookies. What matters is the context of how cookies are accessed. First-party context means that operations happen within the same domain. Whereas third-party context means that operations happen cross-site, between different domains. That is why Apple talks about preventing cross-site tracking and ITP does not limit its impact to third-party cookies only.
Nevertheless, we will adopt the use of first-party and third-party cookies to align with marketing parlance.
How are cookies set and accessed?
- HTTP response header (server-side)
When a user visits a website, the browser receives a cookie from the website as part of the HTTP response. The browser stores this cookie on the user´s computer and makes it accessible to the website for future reference. This happens because the Internet is stateless.
The website can access this cookie and use this information.
Whenever a user is browsing a website, the website can use a piece of code loaded on the page to read the cookies set in the current domain or even create new ones.
If a third-party has a script running on the website, the script can access the cookies stored in the user´s computer and/or create a new identifier cookie for tracking purposes. This is how cross-tracking works at its basics.
Let´s consider an example of cross-tracking:
URL decoration works on passing unique tracking IDs as query string of fragmented identifiers in the URL. Trackers have third-party scripts in the destination site that can read these IDs in the URL and create a cookie with the same ID values. With this cookie, trackers can collect data about the user and send it to a central ad server. If the user visits another page with the same tracker script, another cookie with the same identifier is set and information is sent to the ad server.
4 ways ITP impacts your cookies
As you may have inferred already, Safari´s ITP can impact cookies on different levels.
- ITP blocks all third-party cookies by default.
- ITP can grant exceptions to third-party cookies with Storage API.
- ITP caps first-party cookies set by the server using CNAME cloaking to 7 days.
1. ITP blocks all third-party cookies by default (ITP 1.0 – 1.1)
This means that all operations (both reading and writing) regarding cookies coming from a third-party domain are blocked.
2. ITP allows certain third-party cookies with Storage Access API (ITP 2.0)
There is an exception to third-party cookies. Services that have embedded content cross-site can be exempted from the impact of ITP on third-party cookies if the user recently interacted with the third-party domain in a first-party context.
As blocking all third-party cookies defeats the purpose of embedded content (third-party resources loaded on the first-party website), Apple introduced the Storage Access API. With it, the third-party website can use third-party cookies. To use the Storage Access API, the user must have visited the website of the embedded resource in a first-party context within 30 days.
Examples are social logins, embedded video, live chat boxes, etc.
Furthermore, such cookies are capped to 24 hours of expiration if:
- the referring domain is a known tracker
- the URL has query parameter and/or fragments
This is called link decoration which consists of adding tracking information like an ID to URLs leading to other websites.
The impact of ITP on cookies extends to analytics cookies too. For example, Adobe Analytics and Google Analytics cookies that would have previously lasted for up to 2 years are now deleted after 7 days. This has big impacts on advertising, web analytics, and digital marketing in general.
Only first-party cookies set in the HTTP response header are not concerned, with exception of CNAME cloaking (see below). They are not affected by ITP and have no expiration restrictions on them.
4. ITP sets an expiration on first-party cookies set with HTTP header using CNAME records (ITP 2.3 update)
One of the most popular and solid workarounds to ITP was to use CNAME records to set cookies as part of the HTTP header. However, this was shut down with the latest ITP 2.3 update about CNAME cloaking mitigation.
Now, cookies set as first-party in the HTTP response header using CNAME cloaking have a maximum expiration of 7 days. You can read more about how it works and how ITP detects it here.
The impact of ITP does not limit to cookies only. The next section will give an overview of other restrictions that are implemented in Safari.
Non-cookie ITP restrictions in Safari.
Other browser storage (ITP 2.3)
Other storages on the user’s device can also be used by trackers to save and access tracking information by executing scripts in a first-party context.
ITP prevents this by capping a 7-day expiration on all script-writable storage.
This includes other browser storage in a third-party context like IndexedDB and localStorage as well.
Referrer decorations (ITP 2.3)
Referrer decoration is another technique that works similarly to link decoration. The difference is that, instead of decorating the destination URL, the tracking information such as an ID is added to the originating URL, linking to the page. The tracker´s script on the target page can read this ID in the HTTP header or by using document.referrer and set a first-party cookie of the same ID value.
ITP responded by downgrading all third-party referrers (both HTTP referrer headers and document.referrer property) to origin.
Furthermore, it downgrades the document.referrer property to eTLD+1 if:
- the referring domain is a known tracker,
- the referring page has query parameters and/or fragments.
Bounce tracking (ITP 2.0)
Bounce tracking consists of redirecting the user through other domains which can set cookies before navigating the user to the target domain.
ITP detects bounce tracking domains and clears all website data on the domain.
ITP extended to all browsers on iOS
Wit Safari 14, ITP will be extended to all browsers running on iOS platforms.
The impact of ITP on cookies and other restrictions as of March 2021.
Stay clear of ITP 2.1, 2.2 & 2.3’s unintended impact
with Cookie Saver
What is the impact of Safari´s cookie restrictions?
The impact of Safari´s ITP on cookies is evident – it restricts their lifetime. Yet, what this means for marketing may be a bit less clear.
Cookies are at the backbone of marketing data, as they allow you to learn about your website visitors. For example, to attribute conversion, measure your campaigns and performance, deliver personalization, and improve UX. Hence, limiting the lifetime of cookies means limiting the data you can collect, which you base your marketing decisions on.
As a rule of thumb, if you are using Google Analytics, Facebook pixels or any other platform using cookies, your marketing has already been affected.
Let´s see more in detail how ITP´s impact on cookies affects your operations.
Block on third-party cookies
Cross-domain advertisers that have third-party cookies cannot use them anymore to gather data to build profiles based on the behavior on different websites. Without being able to build profiles, advertisers are not able to offer effective retargeting anymore.
Advertising through Walled Gardens also has been affected. They are allowed to drop third-party cookies, only if they are granted permission through Safari´s Storage API.
This means that if your visitor takes longer than 7 days between a visit to another, you cannot map their journey anymore.
It seems clear that you are not able to differentiate between new users and returning users anymore. You may see a boost in traffic to your website when in reality, it is returning users. All your user-level metrics are inaccurate, which leads to issues in segmenting your audience, measuring metrics, assessing the performance of campaigns, etc.
If your customers do not convert within a week from their first touchpoint, your customer journey is incomplete. Who is your audience persona? What are their touchpoints? Have they converted? What you can do to answer these questions is to take a guess.
URL decoration is a method used to add extra information in links. In marketing, it is used to pass information from a site to another. Just think of UTM. UTM are decorated links used to pass information about the campaign, source, medium, and type of content.
ITP either limits the related cookie´s expiry to 7 days or 24 hours and in a specific scenario, it removes the parameters from the decorated URL. This affects marketing practices such as attribution and affiliate marketing.
Other browser data
Cookies are not the only storage that is affected. All types of script-writable storage suffer from a limited expiration. This wipes your efforts at personalization and may conflict with the functioning of your website.
For some businesses, it is critical to provide a good user experience in terms of both personalization and website optimization. But, because ITP makes it impossible to identify a user beyond the 7 days window, the website can no longer learn about the user preferences and offer a personalized experience.
This is even more relevant if you are running A/B testing to optimize your website. If the test runs for longer than a week, there would be no way for the website to assign the test to the correct segments.
If local settings, cookie consent or abandoned cart data are also stored in script-writeable storages, the returning user may have to set them again continuously.