What is Safari´s ITP impact on your business?

No matter if you are spending millions or a few hundred on digital marketing, Safari´s anti-tracking is still crumbling your cookies and consequently, your marketing data.


Website tracking is an essential practice for many businesses, yet most marketers don´t realize that they are losing up to 36% of data because of anti-tracking mechanisms – like ITP. If you don´t want to do marketing based on guesswork, you should care. After all, all the web data that you see on your Google Analytics or Facebook are collected through cookies.

Recently, you may have heard of cookies in relation to privacy concerns. Indeed, many browsers started blocking third-party cookies which are used to track users across different websites. In this view, first-party cookies become more and more valuable. They do not belong to the controversy and can be used for tracking on your own website, without infringing consumer privacy. And this, dear reader, is an opportunity for you.

Most marketers do not realize that Safari´s ITP is restricting first-party cookies too. This is an “unintended impact”. And it is your own responsibility to claim them back.

This is ITP´s impact on your business in a nutshell:

  • Inconsistent measurements because Safari collects data differently
  • With 1st party cookies lasting only a max of 7 days, you struggle to identify users
    • User-based metrics and analytics overall are biased and misleading
    • Customer journeys reset every week at most
    • Invalid A/B testing and no consistent personalization
    • Broken attribution models and no visibility on performance
    • Small audiences, which affects retargeting, lookalike audience and ad frequency
    • Poor user experience and difficulties to credit your partners in affiliate marketing
  • With the block on 3rd party cookies, you cannot hope to rely on Walled Gardens either
    • Embedded contents must obtain access to their cookies from the Storage Access API

The bottom line? you are missing a lot of data.

Cookie Saver helps you get your data back. We deal with the nerdy stuff, so that you can keep using first-party cookies to track user behavior on your website. Obviously, in a GDPR aligned way.

So, while others are sleeping on it, this is your chance to learn about the issue and eventually turn it into an opportunity to outperform your competitors.

If this sounds interesting to you, this article will elaborate further on these points:

At the end of it, you will have a solid enough understanding of the situation to form an opinion on the whole cookie issue.

What are web cookies?

Cookie = a small piece of data, normally containing an identifier. Cookies are stored in the user´s browser and are used by websites to identify specific users.

Cookie types

When talking about cookies, it is common in marketing parlance, to differentiate between first-party cookies and third-party cookies. However, In IT there is no such kind of cookies. What matters is the context of access.

It makes more sense to talk about first-party context and third-party context. Where:

  • First-party context: the operations of creating and accessing the cookies happen within the same website.
  • Third-party context: the operations creating and accessing the cookies happen cross-site, between different websites.

For the sake of clarity, we will adopt the use of first-party and third-party cookies terminology.

Cookie functions

Cookies can be used for different things, i.e., web functionality, personalization, and tracking. Thanks to them you can improve the browsing experience of your user by retaining preference settings, cookie consents, login information, etc.

From a marketing perspective, they are mostly used to track users, so that you can attribute conversion, measure the effectiveness of campaigns and performance, deliver personalization and much more.

Cookies and privacy concerns

Cookies are very useful, but they have also been abused, which raised privacy concerns. This is especially true when talking about cross-tracking, which is done with third-party cookies.

Cross-site tracking = tracking done across different websites – also known as third-party tracking or tracking in a third-party context.

3rd party cookies = cookies that are not created and accessed by the website the user is visiting, but by another website (third-party). Often, the other party is an advertiser that uses cookies to track users around the Internet. This is called 3rd party tracking and is what anti-tracking mechanisms are trying to stop.

At this point, Apple started a privacy war against cross-tracking by developing ITP. Apple is a pioneer in the privacy trend, and as such, it is the strictest browser too (if you understand ITP, you will also understand other anti-tracking mechanisms).

Cookies are a key element in data collection. Restricting cookies means restricting your access to data.

What is Safari´s anti-tracking – Intelligent Tracking Prevention?

Intelligent Tracking Prevention is a privacy mechanism that Apple developed to reduce cross-site tracking in Safari. ITP was introduced in 2017 to block third-party cookies. However, as trackers found workarounds to cross track in other ways, ITP tried to eradicate them by releasing updates with more restrictions.

As of May 2021, ITP impacts:

  • third-party cookies,
  • first-party cookies set with a scripting language like JavaScript,
  • other web storage set with a scripting language,
  • (other mechanisms – CNAME cloaking, referrer decoration, bounce tracking, iOS browsers, etc.).

If you are ready for a technical dive, this article elaborates more on the restrictions.

Contrary to common belief, ITP has never been about third-party cookies, but it restricts all practices that can be used for cross-tracking. However, there is still something odd in the list: first-party cookies.

1st party cookies = cookies that can be create and viewed only by the website a user is visiting. This website can use them to collect data to learn more about their visitors (1st party tracking).

Web tracking is a form of market research and works by collecting online data to provide you with insights on your marketing. This has been done with cookies till now. There is nothing wrong with doing 1st party tracking if the user consented to it (cookie consent banner).

So, why is first party tracking restricted? Because 1st party cookies could, in some scenarios, be used to mimic cross-tracking. There is such a risk. In front of the tradeoff between (a) being extra sure and protect users from cross-tracking, and (b) making things difficult for marketers by disrupting 1st party tracking, Safari decided to side with end-users. Their policy is to always have the user as a priority.

But we are not only end-users, we are marketers too. We need to have visibility on our marketing data to know what works and what does not

Disrupting 1st party tracking is a side effect of ITP – an unintended impact.

Safari´s ITP restrictions on 1st party cookies.

ITP fights cross-tracking mainly by limiting the lifetime of cookies. Before ITP, cookies could live up 90 days to 2 years. This means you had a window of 2 years to track your visitors and collect data.

With ITP, your marketing cookies can identify and track your users for a max of 7 days only.

For first-party cookies:

  • Expiration of 7 days if the cookie is set with JavaScript.
  • Expiration of 24 hours if the cookie is set with JavaScript + link decoration is used, and the referring website is a ´known tracker´.

URL decoration = a URL ´decorated´ with extra information as URL parameters, e.g., “click IDs” and “UTM parameters”. These parameters do not change the link but are used to pass information from a site to another.

Link decoration = a type of URL decoration, where the destination URL is decorated.

Known tracker = A website that is classified as having the ability to cross-track based on a machine learning model. This algorithm runs on-device, so the list of ´known trackers´ differs for each user.

A workaround to ITP´s restrictions was CNAME cloaking. However, Safari proceeded to eliminate CNAME cloaking in its latest update. If you are ready for a technical dive, you can read about it here.

Win on first-party tracking with Cookie Saver

Start free trial

What is Safari´s ITP impact on your business?

Marketing platforms like Facebook, Google Analytics, Awin, etc. all use cookies, which they set with JavaScript. This means that even if they are first-party cookies used within a first-party context (for your use in your website), they are also restricted unintendedly.

This has a big impact on web analytics, advertising, personalization and digital marketing in general.

Safari´s ITP impact on web analytics

First-party marketing cookies have a limited duration of 7 days because they are set with JavaScript. This compromises the accuracy of first-party analytics.

Measurement and customer journey

The reduction in the lifespan of cookies means a reduction in the amount and quality of that data linked to individual users.

If you have users who visit your website very frequently (within 7 days between each interaction), you are probably fine. Analytics platforms still recognize them as ´returning users´ at each visit, and you can continue to map your customer journeys. On the other hand, if your visitors do not return before the 7 days reset, they will erroneously be regarded as ´new users´ by analytics platforms.

Customer journey - Example 1

Day 1: John Doe visits your website for the first time. A cookie is set for him with ID: 123abc as ´new user´.

Day 7: The cookie with ID 123abc that identifies John Does is deleted.

Day 8: John Doe returns but you don´t recognize him anymore. A new cookie is set for him with ID: 234def as ´new user´.

Customer journey - Example 2

Day 1: John Doe visits your website for the first time. A cookie is set for him with ID: 123abc as “new user”.

Day 3: John Doe returns and you recognize him as “returning user” with ID: 123abc. You keep building his profile and the cookie is extended for other 7 days.

Day 12: The cookie with ID 123abc that identifies John Does is deleted.

Day 13: John Doe returns but you don´t recognize him anymore. A new cookie is set for him with ID: 248dhj as “new user”.

It seems clear, that a reset of cookies every 7 days of inactivity also means that your customer journey resets every 7 days.

Given the difficulty in identifying users correctly, all user-level metrics and data in your analytics platforms are skewed. E.g., more new users and fewer returning users are reported than it is in reality. On the same line, the inability to accurately identify users undermines your segmentations efforts and decreases your retargeting audiences.

Accurate analytics is not possible because the customer journey is incomplete, and the count of unique visitors on your website is incorrect.

At the same time, with Safari collecting data differently from other browsers, all your measurements are inconsistent and misleading.

Attribution and reporting

Analytics platforms often add extra information in URLs to pass data from a website to another – think of Click IDs or UTM.

Urchin Tracking Module (UTM) parameters = URL parameters that are used to track campaign information. This is a form of URL decoration.

ITP may flag this as link decoration and cap the expiration of the corresponding cookies to 24 hours. This means that the conversion window is of 1 day or else your attribution model breaks. For comparison: if URL decoration is not used, the conversion window is of 7 days. Before ITP, the conversion window was spanning from 90 days to 2 years, regardless of URL decoration.

Link decoration - Example

A user clicks a Facebook ad and is sent to the advertiser’s website.

Links in ads usually contains a link containing extra information like unique click IDs. The Facebook pixel on your website grabs the ID from the URL and stores it in a cookie.

The Facebook pixel collects data and sends it back to Facebook along with the ID. By saving the cookie, Facebook can identify who clicked and attribute ad clicks to users who do not convert immediately.

Safari detects a link decoration from a known tracker and will set a set an expiration of 24 hours to the Facebook cookie on the website.

Conversion attribution - Example

Day 1: A user see an ad, clicks and is sent to your website. A cookie is created for the user. The user leaves the website without converting.

Day 8 (without ITP): The user receives an email from you, clicks and visits your website again. You know that it is the same returning user because there is a cookie identified the user. This time, the user purchases something and converts. In your Google Analytics you can see the user´s conversion path. You attribute the first-touch to the ad and the last-touch conversion to the email.

Day 8 (with ITP): The user receives an email from you, clicks and visits your website again. This time, the user purchases something and converts. However, the cookie that identified the user was deleted, so the ´returning user´ is considered as a ´new user´. In Google Analytics you see a first-touch conversion, fully attributed to the email. The ad that contributed to the purchase does not get any credit.

The window for attribution with ITP is 7 days. However, if you make use of UTM parameters, cookies may be deleted after only 24 hours.

In specific cases (referrer decoration), ITP can also remove all extra information from the URLs.

There are two types of URL decoration: link decoration and referrer decoration. The difference lies in which whether the link to the destination webpage or from the originating page is decorated.

Referrer decoration = a type of URL decoration, where the URL from the originating website is decorated. This is done through bounce tracking.

If the information about the campaign, medium and source are removed, you will not be able to attribute a conversion to any channel. Your reporting is now biased.

Referrer decoration - Example

This is a URL decorated with UTM parameters:

example.com?utm_campaign=awareness-ad&utm_medium=social&utm_source=facebook.

If it is the link to the destination page that is decorated, then it is a link decoration. ITP sets an expiration of 24 hours to the Facebook cookie.

However, trackers found ways to decorate the link from an originating page. If that is the case, ITP removes all extra parameters from the URL.  Resulting in:

example.com?utm_campaign=awareness-ad&utm_medium=social&utm_source=facebook.

Your attribution model is broken, and it might be impossible to accurately report on performance and conversion.

Safari´s ITP impact on advertising

AdTech is the industry most reliant on cross-tracking as it gathers data from different websites for data joins and audience-targeting purposes. And as such, it is the one ITP is after.

If you are an advertiser who relies on robust data for advertising and retargeting purposes, you will have to move to first-party strategies as more and more browsers are following Safari´s steps – Google to phase-out 3rd party cookies too.

All third-party cookies are blocked by default. This means that all areas that require storage access in a third-party context are affected. Examples of these areas are retargeting, view-through attribution modeling, cookie matching, ad-frequency management, and user profiling.

You may argue that advertising platforms like Facebook moved to first-party cookies. However, such first-party cookies are set through JavaScript (see the previous section on analytics), which are capped to a 7-day expiration. This means that your audience resets every 7 days, negatively affecting your retargeting. First, the size of your retargeting audience decreases drastically and secondly, your ads start to be shown to the same people even with a frequency cap. With a much smaller seed audience, your lookalike audiences also suffer from poor quality.

Walled Gardens

Tech giants like Facebook and Google are affected too. Services that have cross-site embedded content are allowed to drop third-party cookies only after obtaining access to Safari´s Storage Access API. Social logins and embedded video are examples of cross-site embedded content.

Access to the Storage Access API is granted (1) if the user consent to it, and (2) the user interacted with the third-party website in a first-party context within 30 days (of Safari usage).

Storage Access API - Example

Day 1: A user logins on YouTube. Safari will register an interaction.

Day 20: The user visits your website, which has an embedded video from your YouTube channel.

If this is the first time the user sees the embedded video in your site, Safari will show a prompt (example below) asking the user to allow YouTube to use cookies and other browser data.

If the user consents, YouTube is granted access as there was interaction in the past 30 days.

Now, YouTube can use cookies as long as the user interacts with YouTube in a first-party context (with YouTube´s URL in the address bar) frequently. If the user does not interact with YouTube for 30 days, the YouTube´s cookies, website data and storage access on your website are deleted.

AdTech giants like Facebook and Google can drop third-party cookies only after obtaining access through the Storage Access API.

Safari´s ITP impact on personalization

For some of you, it is very important to deliver a relevant and personalized user experience. To do so, it is necessary to run tests to understand customers´ preferences and keep optimizing your website.

The most common way to do so is through A/B testing with a duration ranging from a minimum of one to two weeks. The issue here is that your cookies, which allows you to collect data about the test, last for a maximum of 1 week. After the expiration of your cookies, your audiences reset, and returning visitors are considered new visitors – this distorts the validity of your testing efforts. At the same time, you also cannot deliver personalized content with consistency. Tailored content is based on observing how your visitors engage with your website/product, gradually learn about their preferences, and deliver ad-hoc content whenever they enter your website. However, this is no longer possible without being able to identify each visitor.

A/B testing - Example

Da1: A user visits your website for the first time and enters the test variation B. A cookie is created, and data is stored about it.

Day 10: The user visits the second time. With ITP, the user is considered as a new user and may not be shown the test variation B again. The user may be shown the test variation A this time, which makes your test results invalid.

Inconsistent personalization - Example

Day 1: A user visits your website for the first time and looks at your section of teas. A cookie is created, and data is stored about the visitor behavior.

Day 3: The user visits the second time. Thanks to a cookie, you know that the visitor viewed teas, so you deliver content related to it. Your visitor checks your teas again, adds a product to the cart but leaves without completing the purchase.

Day 5: The user comes back a third time. The visitor is reminded of the abandoned cart and gets offered a discount on it. The visitor completes the purchase and converts.

However, if the visitor would have come back on day 8 instead of day 5, the cookie identifying the user would have been deleted. The visitor is now not recognized but is considered as a new visitor. This means no reminder of the abandoned cart and no personalized discount.

Your A/B testing results are invalid, and your personalization efforts may be inconsistent.

The cases in which ITP does not affect you are: when you run A/B testing for a period shorter than 1 week or if the tests are session- and visit-based.

Other areas of Safari´s ITP impact

Web functionality

ITP may also affect the proper functioning of your website if you use any script-writable cookie or any other script-writable storage to save data about your visitors. Then your website may keep asking to consent to cookies non-stop, reset language and currency preferences to default ones, etc.

Affiliate marketing

Because cookies used for commission-based affiliate marketing are also set through JavaScript, users will have a max of 7 days post-click to convert. Otherwise, the conversion is not attributed to the specific reseller.

It is your call

The bottom line? you are missing a lot of data. Based on browser usage, businesses in the USA are missing up to 36% of data on average.

How much data you are missing depends on two main factors:

  • Share of your Safari users in your audience. If you want to know the share of your Safari visitors, check your Google Analytics.
  • The length of your customers buying cycle.

This said, Safari is leading the privacy crusade with ITP´s restrictions on cookies and other storage data so far. In this sense, it is the most restrictive browser in terms of tracking prevention. However, other browsers have also started implementing anti-tracking mechanisms, and more restrictions may be introduced at any moment at your expense.

If you do not wish to keep losing data, action is required to mitigate the unintended impact of ITP, now. Cookie Saver offers a solution based on turning first-party cookies that are set with JavaScript into first-party cookies that are set as part of the HTTP response.

This is also your chance to get ahead of the curve by gaining a competitive advantage in first-party tracking.

If you are not sure if Cookie Saver makes sense for your business on not, you can test the solution for 14 days for free and assess the changes by yourself. We also would be very glad to clarify your doubts if you have any.

Official ITP documentation:

Try Cookie Saver, free for 14 days

Continue tracking your customers & their conversion paths without losing insights

Five ways your marketing is losing to Safari´s ITP