What is ITP?

Should I worry? And why does it impact my cookies?

At a glance

Intelligent Tracking Prevention, also known as ITP is Apple’s attempt to protect user privacy by limiting the ability of businesses to track users across domains via the Safari browser using first-party and third-party cookies. It’s latest iteration ITP 2.2 limits the window of first-party cookies set client-side to 24 hours of storage.

Overall, Apple’s anti-tracking prevention measures can affect many times of cookies: from analytics cookies to remarketing cookies, website cookies, and even cookie-disclaimer cookies.

Action is required in order to keep accurate and consistent analytics and marketing data.

ITP Timeline

Intelligent Tracking Prevention was initially rolled out in 2017. Since then, additional updates has been applied up to the current version 2.2.

Intelligent Tracking Prevention (ITP)

The initial release of Apples ITP 1.0 happened in 2017 and primarily targeted third-party cookies and made it quite difficult to do cross-domain advertisement in Safari.
With the following releases up until 2.0, first-party tracking in our web-analytics and marketing tools are still not to be worried about. However, this changed quickly with the introduction of ITP 2.1 and its successor, ITP 2.2.
Both releases target our first-party cookies and action is required as current tracking methods are turned upside down due to substantial restrictions put on first-party cookies.

ITP 2.1 (see more)
In March 2019, Apple releases version 2.1 of ITP as a part of Safari 12.1 and iOS 12.2. Besides an update to the use of Storage Access API, ITP 2.1 lands with a game-changing update in how cookies can be used for our analytics and marketing tools, as this update specifically targets first-party cookies set client-side using JavaScript.

Example:

Day 1: A user visits your website at www.your-company.com resulting in a number of cookies being written on .your-company.com, potentially including:

  • Google Analytics
  • Facebook
  • Cookie Consent
  • Advertisement click cookies (Google Ads, Facebook, Criteo, etc.)
  • And many more

However, due to ITP 2.1 all cookies are set with a 7 days expiry instead of the default 90 days to 2 years as default.

Day 2: The same users visits www.your-company.com again. All cookies from day 1 is found and the user is recognized. Any action that the user does is added to the correct user id, click id, etc. Additionally, the 7 days expiry is reset for selected cookies.

Day 10: The same user visits www.your-company.com again. As we are past the 7 days expiry period, the previous cookies do no longer exist, resulting in:

  • A new Google Analytics client ID is generated, treating the user as a new user.
  • Facebook analytics and click cookie is gone, treating the user as a new user and break attribution for the ad click.
  • User will need to grant consent to cookies again, as the stored consent is missing.
  • Any advertisement platform that user click-ids for attribution will not be able to attribute subsequent conversions.

ITP 2.2 (see more)
In May 2019, Apple launched their successor to ITP 2.1, named 2.2. This update continues down the path of restricting the lifetime of first-party cookies set client-side using JavaScript. In this case, specifically third-party analytics and marketing vendors are targeted, and the result is cookies capped to a 1-day expiration period when the following two conditions are true:

  • The traffic came from a domain that by Safari is classified as having third-party tracking capabilities.
  • The final URL (to your website) includes a query or fragment identified (e.g. a click ID).

Example:
A user clicks one of your ads on Facebook and a sent to:
www.your-company.com/?fbclid= IwAR1wZSGltSgn490ekIw6uaJvjihaTHS3GhTSIaJ9Pq7_q9i4iSqHJA1y1mw

Once the user lands on your website, Facebook will create a cookie that is linked with this click ID so that subsequent conversions can be attributed to the correct ad click. However, with ITP 2.2 this conversion will need to happen during the same day, as the cookie will likely be deleted after 1 day.

Additional resources

Apple release notes for Webkit:
ITP 1.0
ITP 1.1
ITP 2.0
ITP 2.1
ITP 2.2

Smart people and companies talking about ITP:
Simo Ahava: https://www.simoahava.com/analytics/itp-2-1-and-web-analytics/
MetricTheory: https://metrictheory.com/blog/how-apples-intelligent-tracking-prevention-version-2-2-impacts-marketers/