Apple’s ITP 2.2: 1-Day Expiration of Tracking Cookies Set Via Link Decoration
June 11, 2019 –
Essentially, the original ITP made it harder to use third-party cookies to track Safari users on iOS and MacOS and it’s in line with Firefox ETP efforts in privacy. It added a 24-hour window to cookies in the domains it flagged so they could be tracked cross-domain, after which access to third-party cookies was blocked. This posed problems for many tracking providers since a good deal of tracking is done with third-party cookies.
A common workaround for marketers was to switch to first-party cookies. However, in later ITP versions (2.0, 2.1, and 2.2), Apple began limiting the use of first-party cookies as well. Earlier this year, in ITP 2.1 Apple updated ITP to account for a workaround that companies came up with in which they would have a site drop a first-party cookie mimicking the functionality of the third-party cookie. With ITP 2.1, Safari deletes these first-party cookies seven days after they were installed on a browser.
For a cookie to be capped at one day by ITP 2.2, three conditions must be fulfilled:
- The site that sent the user to the landing page has been classified by ITP as “having cross-site tracking capabilities” (major ad networks, Google and Facebook are certainly classified this way)
- The link uses link decoration (it uses query string parameters and/or a fragment identifier)
Let’s take a closer look at the above three conditions and understand how Convert is affected and what you can do.
Condition 1: Persistent Cookies Created via document.cookie
Condition 2: Referring Domain with Cross Site Tracking Capabilities
Domains are dynamically classified under ITP by a machine learning algorithm:
- First Party Bounce Tracker Detection. Detects when a domain is used for redirect tracking only. This will be applied recursively for all domains in the redirect chain.
- Sub Resource under number of unique domains. Related to the number of paths available under a domain. Tracking platforms currently have a very small number of these.
- Sub Frames under number of unique domains. Related to the number of page frames available under the domains.
- Number of unique domains redirected to.
- The system does not have a whitelist or blacklist. Rather each device will build its own tracking prevention list based on web usage.
If a domain is classified as a cross-site tracking domain via the ITP machine learning-based classification engine described above, and link decoration exists, Safari will prevent the storing of persistent first party cookies.
Let’s make it clear with an example: Imagine you have a site www.example.com, where the Convert tracking code is installed. If your site receives traffic from Google, Facebook (which are the referring domains in this case e.g. a visitor lands with this URL on your site: https://www.example.com?utm_source=google), all first party cookies set on www.example.com will be restricted to 24 hour duration, since this traffic is coming from a referring domain that is considered possessing cross-site tracking capabilities and link decoration exists (see below). Thus Convert cookies will have a duration of 24 hours. What does that mean? If you run a 7-day experiment, and a user visits your site on day 1 and then on day 3 (after a gap of 2 days), then Convert won’t be able to recognize this person as a returning visitor (because Convert’s browser-created cookie would be deleted following the new restrictions!). And this visitor will be treated as a new one.
Hence this second condition does not have to do with Convert itself, rather with the referring domains.
Condition 3: Link Decoration
Link decoration is a technique used by Advertising and Marketing technology platforms to attribute clicks, visits, and conversions (purchases, downloads, etc.) across different domains using first-party cookies.
There are two main ways to decorate a link.
The basic way is to statically attach the extra information to the URL when a link is created. Here’s an example of a decorated link:
The information after ? is known as a string query, which is made up of parameters (e.g. medium=). Another form of link decoration uses fragment identifiers, which are introduced by a hash (#).
Thus, this third condition does not have to do with Convert itself, rather with referring domains that have cross-site tracking capabilities AND use link decoration as explained above in the example.
Here’s Convert’s Workaround
The above three factors combined mean that cookies set by Convert will be affected by ITP 2.2, if your site where the Convert tracking code is installed receives traffic from domains that are considered with cross-site tracking capabilities and you use link decoration for attribution purposes.
The same workaround applies as with ITP 2.1 that was described here a few weeks ago. We suggest customers move the cookie creation process away from the browser and into the server.
Worried about ITP 2.2? We Keep your Tracking on Track
As technology providers try to find work-arounds for Apple’s restrictions, Apple will continue to stifle tracking they find objectionable, even if that makes a mess of how websites and website tracking currently operate.
Many of the solutions around today may not remain viable for the long term if they do not change with changing privacy requirements and tracking updates.
At Convert, we will continue to keep a close eye on this as it develops and the implications it has for our customers. You will find us speaking up about matters that concern the viability of tracking and also innovating as we go to offer the best possible alternative.