Apple created ITP in the name of privacy.
Essentially, the original ITP made it
harder to use third-party cookies to
track Safari users on iOS and MacOS and it’s in line with Firefox ETP efforts in privacy. It
added a 24-hour window to cookies in the domains it flagged so they could be
tracked cross-domain, after which access to third-party cookies was blocked.
This posed problems for many tracking providers since a good deal of tracking
is done with third-party cookies.
A common workaround for marketers was to
switch to first-party cookies. However, in later ITP versions (2.0, 2.1, and
2.2), Apple began limiting the use of first-party cookies as well. Earlier this
year, in ITP 2.1 Apple updated ITP to
account for a workaround that companies came up with in which they would have a
site drop a first-party cookie mimicking the functionality of the third-party
cookie. With ITP 2.1, Safari deletes these first-party cookies seven
days after they were installed on a browser.
ITP 2.2’s biggest change from 2.1 and 2.0 limits the duration of some first-party JavaScript-set cookies to one day—down from the seven days that ITP 2.1 implemented.
For a cookie to be capped at one day by ITP 2.2, three conditions must be fulfilled:
- The cookie is set via JavaScript (or in their words, “set through document.cookie”). This condition was applied also with ITP 2.1 (see also our blog on ITP 2.1 for A/B testing).
- The site that sent the user to the landing page has been classified by ITP as “having cross-site tracking capabilities” (major ad networks, Google and Facebook are certainly classified this way)
- The link uses link decoration (it uses query string parameters and/or a fragment identifier)
Let’s take a closer look at the above three conditions and understand how Convert is affected and what you can do.
Condition 1: Persistent Cookies Created via document.cookie
Moving forward,
all persistent cookies created via JavaScript’s document.cookie (as opposed to
cookies set by HTTP) will be set to expire in 24 hours if the referring domain
has been identified as having cross-site tracking capabilities and the URL
contains a query string or fragment identifier. All first-party cookies created
by document.cookie that haven’t been created via a query string or fragment
identifier will expire in 7 days (as mentioned in the ITP 2.1).
Convert cookies are created via Javascript’s document.cookie so first condition under ITP2.2 applies. (as it was also applied under ITP 2.1).
Condition 2: Referring Domain with Cross Site Tracking Capabilities
Domains are dynamically classified under ITP by a machine learning algorithm:
- First Party Bounce Tracker Detection. Detects when a domain is used for redirect tracking only. This will be applied recursively for all domains in the redirect chain.
- Sub Resource under number of unique domains. Related to the number of paths available under a domain. Tracking platforms currently have a very small number of these.
- Sub Frames under number of unique domains. Related to the number of page frames available under the domains.
- Number of unique domains redirected to.
- The system does not have a whitelist or blacklist. Rather each device will build its own tracking prevention list based on web usage.
If a domain is
classified as a cross-site tracking domain via the ITP machine learning-based
classification engine described above, and link decoration exists, Safari will
prevent the storing of persistent first party cookies.
Given there’s no central list of domains
classified for cross-site tracking capabilities, site owners will need to
assess their links and evaluate any third-party JavaScript libraries that may
use link decoration. This includes ad tech vendors, measurement firms,
affiliate marketers and certain types of influencers. Facebook and Google are
certainly affected by ITP 2.2.
Let’s make it clear with an example: Imagine you have a site www.example.com, where the Convert tracking code is installed. If your site receives traffic from Google, Facebook (which are the referring domains in this case e.g. a visitor lands with this URL on your site: https://www.example.com?utm_source=google), all first party cookies set on www.example.com will be restricted to 24 hour duration, since this traffic is coming from a referring domain that is considered possessing cross-site tracking capabilities and link decoration exists (see below). Thus Convert cookies will have a duration of 24 hours. What does that mean? If you run a 7-day experiment, and a user visits your site on day 1 and then on day 3 (after a gap of 2 days), then Convert won’t be able to recognize this person as a returning visitor (because Convert’s browser-created cookie would be deleted following the new restrictions!). And this visitor will be treated as a new one.
Hence this second condition does not have to do with
Convert itself, rather with the referring domains.
Condition 3: Link Decoration
Link decoration is a technique used by Advertising
and Marketing technology platforms to attribute clicks, visits, and conversions
(purchases, downloads, etc.) across different domains using first-party
cookies.
There are two main ways to decorate a
link.
The basic way is to statically attach the extra information to the URL when a link is created. Here’s an example of a decorated link:
https://www.example.com?utm_source=google&utm_medium=cpc&utm_campaign=2019_promotion
The information after ? is known as a
string query, which is made up of parameters (e.g. medium=). Another form of
link decoration uses fragment identifiers, which are introduced by a hash (#).
The other, more complex way to decorate a
link is to run some Javascript code that is triggered when a person clicks on a
link and dynamically adds information to a link. Companies will do this when
they want to pass information specific to the individual click that led someone
to the destination site. For example, an advertiser might do this to track a
display ad campaign that is running across multiple publishers’ sites and links
to the advertiser’s site. Instead of manually customizing the link for each
publisher carrying its ad, the advertiser can have the code add
“?publisher=[name of publisher]” to the URL at the time when a person clicks on
the ad. This way the advertiser can determine which publisher was responsible
for sending the site visitor.
Thus, this third condition does not have to do with Convert itself, rather with referring domains that have cross-site tracking capabilities AND use link decoration as explained above in the example.
Here’s Convert’s Workaround
The above three
factors combined mean that cookies set by Convert will be affected by ITP 2.2,
if your site where the Convert tracking code is installed receives traffic from
domains that are considered with cross-site tracking capabilities and you use link
decoration for attribution purposes.
The same
workaround applies as with ITP 2.1 that was described here a few weeks ago. We suggest
customers move the cookie creation process away from the browser and into the
server.
You can find the steps to facilitate such server-side cookie creation here. If you need any help with making the needed changes to your web server infrastructure, please feel free to contact us.
Worried about ITP 2.2? We Keep your Tracking on Track
As technology providers try to
find work-arounds for Apple’s restrictions, Apple will continue to stifle
tracking they find objectionable, even if that makes a mess of how websites and
website tracking currently operate.
Many of the solutions around today
may not remain viable for the long term if they do not change with changing
privacy requirements and tracking updates.
At Convert, we will continue to keep a close eye on this as it develops and the implications it has for our customers. You will find us speaking up about matters that concern the viability of tracking and also innovating as we go to offer the best possible alternative.
Originally published June 11, 2019 – Updated December 15, 2021
Mobile reading?
Authors
Dionysia Kontotasiou
Convert’s Head of Integration and Privacy, helping customers with technical queries.