2018
went down as the year privacy changed forever.
The
GDPR left its mark… in memes that made us laugh and sweeping data collection,
processing and transparency requests that left us (a little) overwhelmed.
But no one was expecting 2019 to be a whopper. Yet, it was. Browsers pitched in to make users feel more secure and trust that their personal details and preferences were NOT being used to relentlessly pitch ads around the internet.
Here’s a breakdown of the anti-tracking and tracking prevention changes that happened in 2019, what it means for marketers and testers and how Convert dealt with them.
How did tracking prevention & A/B testing change in 2019?
Introduced by: Mozilla (Firefox)
When: January 2019
Summary: Mozilla Firefox
published an Anti-Tracking policy in January 2019 that defined which tracking
techniques Firefox will block by default in the future. Outlined in the policy
are the following types:
- Cookie-based cross-site tracking —
Cookies and other storage types may be used by third-parties to track users on
the Internet.
- URL parameter-based cross-site
tracking — Another cross-site tracking practice that relies on URLs instead of
cookies to pass on user identifiers.
- Browser fingerprinting — Sites may
use data provided by the browser during connections or by using certain web
techniques to create user fingerprints. - Supercookies — Also known as
Evercookies. Refers to storage used for tracking that is not cleared
automatically when a user clears the browsing history and data. See this list of caches that Firefox uses.
Impact on Convert: After reading it in detail, Convert tracking is not impacted by this Policy as its tracking does not fall under the above categories.
Introduced by: Apple (Safari)
When: February 2019
Summary: Apple announced ITP 2.1
in February 2019; this was the ITP update which mainly went after first-party
cookies that are set using JavaScript.
Apple officially
limited client-side (JavaScript-based) cookies to 7 days. The earliest versions
of ITP (1.x) limited third-party cookie durations.
ITP 2.1 disrupted
marketers’ core efforts to track, analyze, measure, target, and personalize for
Safari users.
Let’s unpack this:
- Web analytics lost accuracy
because a site visitor was forgotten after seven days, thus inflating the
number of unique visitors that a marketer sees on the website. This inflation
could impact how marketers develop content and promotions.
- A/B testing suffered as marketers
had limited opportunity to obtain insights. A/B tests only have a seven-day
window to test content and track results. Customers that visit sites less than
weekly are considered new visitors and could be pooled into a different testing
group, resulting in inaccurate results data.
- Data management platforms (DMPs)
have seen an inflated number of mobile devices because the episodic cookie
purges create new identifiers for mobile devices that aren’t new. This
exaggerates audience sizes and may impact how audiences are created. Marketers
risk building audience segments based on outdated or incomplete data.
- Personalization also suffered.
Non-authenticated sites that leverage personalization tools based on past
behaviors and preferences to create consistent customer experiences do not have
historical data to personalize content. Because of this, customers have
inconsistent web experiences.
- Attribution is harder to execute.
With a shortened lookback window, marketers can’t attribute conversions that
occur more than seven days after the user’s last site visit. Marketers
misattribute credit to campaigns and credit the last marketing touch too
highly, risking overspending on ineffective channels.
Impact on Convert: You can
understand how the above can skew your Convert experiments’ results, especially
if you’ve a large audience share using the Safari browser. Hence, we considered quite a few
ways to resolve ITP 2.1 and finally settled on moving the cookie creation
process away from the browser and into the server.
Since the new
cookie duration restrictions apply only to browser-created cookies, we moved
the cookie issuance part to your web server, which means your server will
create the cookies and not the users’ browsers.
You can find the steps to facilitate such server-side cookie creation here. If you need any help with changing your web server infrastructure, please feel free to contact us.
Using A/B testing tools that are negatively impacting your results because of tracking issues? Try a 15-day free trial of Convert Experiences and check out the features that make us one of the most privacy aware tools on the market.
Introduced by: Apple (Safari)
When: April 2019
Summary: In April 2019, Apple
continued to close loopholes in Safari’s anti-tracking feature, Intelligent
Tracking Prevention. ITP 2.2’s biggest change from 2.1 and 2.0 limited the
duration of some first-party JavaScript-set cookies to one day—down from the
seven days that ITP 2.1 implemented.
For a cookie to be capped at one day by ITP 2.2, it must fulfill three conditions:
- The cookie is set via JavaScript (or in their words, “set through document.cookie”). This condition was also applied with ITP 2.1.
- The site that sent the user to the landing page has been classified by ITP as “having cross-site tracking capabilities” (major ad networks, Google and Facebook are certainly classified this way)
- The link uses link decoration (it uses query string parameters and/or a fragment identifier)
Impact on Convert: The above
three factors combined mean that cookies set by Convert are affected by ITP
2.2, IF (i) your site where the
Convert tracking code is installed receives traffic from domains that are
considered with cross-site tracking capabilities AND (ii) you use link decoration for attribution purposes.
Fortunately, from the above conditions, only the first had an impact on Convert cookies since these are created via Javascript’s document.cookie. We suggested our customers to move the cookie creation process away from the browser and into the server as we did with ITP 2.1 workaround.
Introduced by: Google (Chrome
version 76)
When: May 2019
Summary: Google leveraged the
HTTP cookie “SameSite” feature to allow developers to communicate if they want
to allow their cookies to be read in a third-party context.
Effectively,
developers can say, “this cookie is private” and make the cookie more secure at
cookie creation time. The update in Chrome 76 set a default SameSite value even
when a web developer didn’t explicitly set one. That means most server-side
cookies out there were automatically more secure by default.
The Stable version of Chrome 80 in February 2020 is targeted for enabling this feature by default as summarized below:
- Cookies without a SameSite
attribute will be treated as SameSite=Lax. - Cookies with SameSite=None must
also specify Secure.
Impact on Convert: So far, the
SameSite feature seems to only affect transmission of the cookie to the backend
which is not important as Convert does not do that.
It only bears impact if customers use backend reading of Convert cookies for different purposes. To just not rely on default, we set our Convert cookies with SameSite=Lax and Secure flags.
Introduced by: Microsoft Windows
(Edge)
When: June 2019
Summary: Microsoft introduced a
new feature in June 2019 to block tracking scripts in its Chromium-based Edge
browser. The company called this feature “Tracking Prevention” and
was initially available only in Edge Insiders Preview Builds (starting with 77.0.203.0). The company said that the feature was under
development and that they released the early version for feedback and
accelerated development.
Basically, what
Microsoft did was enable new tracking protection categories (Basic, Balanced,
Strict) in Edge to block more trackers. To avoid compatibility issues,
Microsoft devised a system that relaxed tracking prevention based on engagement
scores in balanced mode.
This feature is
similar to the Enhanced Tracking Protection in Mozilla Firefox and the Intelligent Tracking Protection in Apple Safari and blocks off any tracking scripts loading from a domain that isn’t
accessed directly by the user.
Impact on Convert: The Convert tracker might be listed in the Trust Protection List, and we say might because it is a hidden component that Edge has not revealed fully. In any case, the Microsoft Edge Tracking Prevention will block the Convert tracker ONLY when a visitor has set Tracking Prevention to the Strict mode (and not to the Balanced mode which is the default one). Hence, in normal browsing Convert’s experiences are NOT affected by the new settings that Edge will impose.
Introduced by: Mozilla (Firefox)
When: June 2019
Summary: New users who installed Firefox for the first time after
5th June 2019 had Enhanced Tracking Protection (ETP) set on by default. ETP is automatically set on by default as part
of the ‘Standard’ setting in the
browser and blocks (i) known “third-party tracking cookies” and (ii) known
trackers in all Private/Incognito browser windows according to the Disconnect list that Mozilla has
partnered with.
Impact on Convert: The Convert tracker is listed in the Disconnect list. However, the Firefox Enhanced Tracking Protection will block the Convert tracker ONLY when a visitor is using a Private/Incognito window. In addition, in Convert, in our efforts to be GDPR compliant, third party cookies were disabled on February 21st, 2018. Hence, in normal browsing Convert’s experiences are NOT affected by the new settings that Firefox has imposed.
Introduced by: Apple (Safari)
When: August 2019
Summary: Apple’s WebKit team
released its full “Tracking Prevention Policy” in August 2019.
This policy
outlined WebKit’s tracking efforts and details what types of tracking WebKit
prevents, countermeasures, and more. It prevents several tracking techniques
including cross-site tracking, stateful tracking, covert stateful tracking,
navigational tracking, fingerprinting, covert tracking, and other unknown
techniques that do not fall under these categories.
Impact on Convert: Convert tracking is not impacted by this Policy as its tracking does not fall under the above categories.
Introduced by: Apple (Safari)
When: September 2019
Summary: Previously, ITP 2.2 cut the lifespan of
persistent client-side cookies from seven days to 24 hours (if the three
conditions listed below were met), and restricted cross-site tracking via link
decoration:
- The cookie is set via JavaScript (or in their words, “set through document.cookie”). This condition was also applied with ITP 2.1.
- The site that sent the user to the landing page has been classified by ITP as “having cross-site tracking capabilities” (major ad networks, Google and Facebook are certainly classified this way)
- The link uses link decoration (it uses query string parameters and/or a fragment identifier)
But WebKit
engineers noticed that some trackers had responded by moving their first-party
cookies to other forms of first-party website data storage to track users. They
have added code to their own referrer URL to read the tracking ID on the
destination page.
Under ITP 2.3, sites that do this will see all of their
non-cookie website data deleted after seven days. Combined with the capped
expiration of client-side cookies, this means trackers won’t be able to use
link decoration combined with long-term first-party website data storage to
track users.
ITP 2.3 therefore
relates to link decoration.
Impact on Convert: As explained here, it is clear that Convert tracking and cookies are NOT affected by the new two steps under ITP 2.3 that the WebKit team has taken to combat the above trackers.
Introduced by: Apple (Safari)
When: September 2019
Summary: In the W3C Technical
Plenary and Advisory Committee Meeting (TPAC) 2019, WebKit announced that it’s
in the very early stages of testing an API that would give browser operators
the ability to see whether or not users are logged in to a website.
This has remained
just a topic of discussion in the TPAC agenda and no further implementation has
been carried out.
Impact on Convert: It appears that the cookies that allow cross tracking, like cookies set when being redirected from a URL classified as tracker based on some query string params are the ones being affected. Convert does not do such tracking and thus there is no impact from it.
Introduced by: Apple (Safari)
When: December 2019
Summary: This update to Safari
arrived with iOS 13.3, iPadOS 13.3, and Safari 13.0.3 on macOS Catalina,
Mojave, and High Sierra.
Features like
tracking prevention and content blocking can themselves be abused for tracking
purposes. But three new enhancements make it hard or impossible to detect which
web content and website data it can track.
- Origin-Only Referrer For All Third-Party Requests: As an example, a request to https://images.example that would previously contain the referrer header https://store.example/baby/strollers/deluxe-stroller-navy-blue.html will now be reduced to just https://store.example/.
- All third-party cookies blocked without prior user interaction
- The storage access API takes the underlying cookie policy into consideration
Impact on Convert: Convert is not impacted by these enhancements that level up tracking prevention in Safari WebKit.
SUMMARY
That’s a lot of technical details to take
in. You don’t need to be an expert on all the ITP updates. But given the state
of flux, we feel one thing is clear.
Browsers will continue to tweak things and
until an alignment occurs, testing tool set-up and installation time will
increase, given the complexity of the use cases you are addressing.
If we had one piece of advice to give it’d be to partner with privacy-oriented vendors like Convert and not collect any data your lawyer is unwilling to argue on your behalf in a court of law!
