Blast Analytics and Marketing

Analytics Blog

Supporting Leaders to EVOLVE
Category: Digital Analytics

Understanding Apple’s ITP and the Impact on Your Business

April 29, 2020

Across industries, consumer data privacy is becoming more of a primary focus for organizations. We’ve helped multiple clients ensure they’re compliant with the EU behemoth that is GDPR and similar data protection policies, such as the “California Consumer Privacy Act (CCPA) of 2018.” It’s imperative for organizations to understand that privacy protection isn’t going away, and we expect to see more policies like these rolled out in future. In fact, while this post focuses on Apple’s Intelligent Tracking Prevention (ITP) 2.1, 2.2 and 2.3 updates to its Safari browser, we also want to highlight that other browsers recently have unveiled their own privacy updates.

It’s imperative for organizations to understand that privacy protection isn’t going away…

Specifically, after Mozilla Firefox introduced the Enhanced Tracking Protection (ETP) last year to prevent cross-site tracking, Mozilla has recently announced it’s expanding its protection by taking aim at a specific type of cross-site tracking, known as fingerprinting. In short, “Firefox 72 protects users against fingerprinting by blocking all third-party requests to companies that are known to participate in fingerprinting.” 

simo ahavaGoogle Chrome is also starting to get involved in increased privacy protection. In January 2020, it announced plans to phase out third-party cookies within the next two years. Google Chrome also launched the Same-Site cookie update with its recent v80 release on February 4. There’s even an open-source website (created by the talented Simo Ahava) now dedicated to capturing the current status of browsers as it relates to cookies. The key takeaway here is that, sooner or later, your organization will need to understand how these various privacy restrictions impact your business operations. And it’ll be a moving target where you must keep up to date with the browser changes that are working to improve user privacy.

Since Safari is leading the way with ever-changing updates to its privacy protection, we want to provide your organization with an overview of what ITP does, how it may impact your business and, most importantly, what actions you can take to mitigate these impacts. In essence, these ITP updates limit user tracking capabilities for Safari users.

For many businesses, it may seem easiest to ignore these changes in the short-term. After all, it’s only impacting Safari, right? However, what if your site receives a lot of mobile traffic? Chances are the majority of your mobile traffic is coming from Safari. Whether or not your team decides to take action, it’s crucial to understand how the Intelligent Tracking Prevention updates will affect different aspects of the business, including:

  • Marketing Attribution
  • Optimizing the Customer Experience
  • Digital (Web) Analytics

ITP 2.1 and Limitations on First-Party Cookies

Intelligent Tracking Prevention 2.1 was announced on February 21, 2019, though it later became apparent WebKit had been releasing aspects of ITP 2.1 since the beginning of 2019. Previous iterations of ITP focused on limiting the tracking capabilities of AdTech companies, but ITP 2.1 was the first to cause a rippling effect in other areas, such as the customer experience and analytics.

Specifically, ITP 2.1 limits the lifespan of first-party cookies set via client-side JavaScript (or set through document.cookie). The significance here is that digital analytics tools set their cookies via client-side JavaScript and, as a result, Safari will only store these cookies for seven days. Up until this point, first-party cookies were generally viewed as “safe.”

In reality, what does that mean for your team? If your organization utilizes an analytics platform, such Google Analytics, to track user interactions with your website, data regarding Safari users (e.g. new vs. returning users counts) will likely be skewed.

itp 2.1 limitations on first party cookies

Tip: If a Safari user visits your site on a Tuesday (Day 1) and then does not return to your site until the following Tuesday (Day 8), that second visit is going to get tracked as a new user in your analytics platform.

It should be noted that, if the Safari user revisits your site prior to the seven-day limit, then their cookie is reset with a new seven-day lifespan.

While the example above highlights the impact of cookies set for an analytics platform, ITP 2.1 extends further to other technologies that work primarily with first-party cookies, including popular experimentation and personalization platforms. As a result, the seven-day cap will also come into play for those platforms.

The stated intention of Intelligent Tracking Prevention has always been to protect consumer data, specifically from AdTech companies that make use of third-party cookies and cross-site tracking to gather data about users’ behavior across multiple websites. We believe this is still the focus of ITP, though it appears that in their efforts to limit AdTech companies, there’s collateral damage in other areas that your organization needs to evaluate.

ITP 2.2 Imposing a One-Day Cap on Cookies

While ITP 2.1 caused cookies set via document.cookie (JavaScript) to have a lifespan of seven days, ITP 2.2 took those restrictions even further. Announced in April 2019, ITP 2.2 looked to close certain loopholes that companies such as Facebook and Google had taken advantage of since ITP’s inception to continue to track user journeys all over the web. This latest ITP iteration reduces the lifespan of certain first-party cookies from seven days (per ITP 2.1) to 24 hours.

ITP 2.2 does not target all first-party cookies. Specifically, only cookies that meet the following three conditions will have a lifespan of 24 hours on Safari:

  1. Per ITP 2.1, the cookie must be set via client-side JavaScript (document.cookie).
  2. The user must have reached your site from a website classified as having “cross-site tracking capabilities.” This classification encompasses all major ad networks, Facebook and Google.
  3. The link the user clicked on to reach your site contains link decoration (e.g. query parameters or fragment identifiers)

By including link decoration as a requirement for the one-day cap, this is taking direct aim at your organization’s marketing efforts, especially the paid digital and social channels. Also, it’s important to note that first-party cookies set client-side that do not meet the above requirements are still subject to the seven-day cap.

itp 2.2 imposing a one-day cap on cookies

ITP 2.3 Takes Direct Aim at Workarounds

Trying to find a workable solution in the age of increased privacy regulations is a bit like playing a game of “whack-a-mole.”

Major AdTech companies eventually find a workaround for the most recent ITP privacy changes, and then Apple releases another update to prevent that solution from working.

For example, with ITP 2.2, one of the proposed workarounds for organizations was to leverage localStorage. The localStorage method allows sites to store data directly in the browser with no expiration date. In response, Apple released its newest update ITP 2.3. With ITP 2.3, your website will be marked for non-cookie website data deletion if:

  1. The Safari user navigates to your site from a domain deemed to have cross-tracking capabilities (e.g. Google, Facebook, etc);
  2. And the user reaches a final URL that contains link decoration.

If the Safari user returns to your site after seven days, all of your site’s data is deleted from their browser.

What’s interesting here is that the previous ITP 2.2 update imposed a strict cap for first-party cookies that utilized link decoration, severely impact advertising efforts by shortening the conversion window to one day. The recent ITP 2.3 update provides advertisers with a way to extend the window from one to seven days, if they utilize the localStorage method. This can potentially help advertisers improve their measurement and attribution. However, based on Apple’s quick response to close other workarounds, we wouldn’t be surprised if Apple soon rectifies this loophole.

ITP 2.1, 2.2, 2.3 and Impact on Marketing Attribution

The limits on the duration of first-party cookies that Intelligent Tracking Prevention introduced can and will have an impact on your business in several areas. One area that should attract your marketing departments’ attention is the impact ITP will have on attribution and reporting on the effectiveness of different marketing channels.

If your organization makes heavy use of any of the Google Marketing Suite, Facebook Ads or other major ad networks, it’s likely that Safari traffic you’re driving to your site qualifies for the one-day cookie lifespan denoted by ITP 2.2. The extent of this impact will be influenced by certain factors. For example, if your users generally have a very short purchase cycle and buy from your site on their first visit, this likely isn’t as much of an issue. However, if your consumers usually have a longer purchase cycle, then ITP 2.2. will become more of a problem. That’s because attribution models start to fall apart if your team cannot effectively track users across visits to your site.

Imagine that a Google Ad brings a Safari user to your site for the first time. The user doesn’t purchase from you on this visit. They receive a marketing email from you two weeks later, come back to your site and then make their purchase. In this situation, your team would want to attribute the first-touch conversion in this scenario to your Google Ad, with the last-touch being attributed to your email channel. However, with the recent ITP updates, the cookie set by your tracking tools will have been set with a 24-hour lifespan, meaning that when users revisit your site two weeks later, they’re considered new users. Your email channel will receive full credit for the conversion while Google Ads will receive no credit, and as far as you’re aware, Google Ads didn’t contribute to the purchase.

With this example, it’s apparent how this can become a nightmare for your marketing teams. It’ll be difficult to accurately report on which marketing channels are performing effectively and assisting in conversions. This, in turn, can compromise your organization’s ability to determine how much to invest within each channel.

For marketing channels that don’t utilize link decoration (such as the majority of referrals), the Safari users from these channels will still be subject to the seven-day cookie lifespan that ITP 2.1 implemented. If the average purchase cycle of your visitors is long (e.g. longer than seven days), it’s likely attribution across these channels will be negatively impacted also, thus hindering your ability to optimize marketing spend and effort across all channels.

Beyond reporting, ITP will also affect your marketing team’s ability to create successful remarketing and retargeting lists. The limited lifespan of cookies and the corresponding loss of the ability to identify users across multiple sessions on your site means audience lists that your team creates won’t successfully retain as many users as they would in pre-ITP 2.1 days. Simply put, this will likely result in a smaller than expected remarketing audience.

itp 2.2 affect on marketing channels

If your remarketing efforts are essential to converting users or assisting them along the customer journey, then your team needs to understand how these ITP updates will have a direct impact on your business. This is even more important if your remarketing efforts target mobile users, or users that are more likely to use Safari.

ITP 2.1, 2.2, 2.3 and Impact on the Customer Experience

Most organizations today understand the importance of providing a highly relevant customer experience. As a result, more businesses are prioritizing experimentation and personalization efforts. Yet they have to walk a fine line between personalizing the experience for customers while holding their privacy in high regards. The ITP updates, although not intending to target the customer experience, has ultimately had a negative impact here as well.

To truly deliver a first-class customer experience, you must consistently optimize your website to meet the needs of customers, and one of the best ways to do this is through experimentation. It’s common for many testing programs to run tests, with a minimum two-week duration, often considered a best practice. With the ITP updates however, programs will be penalized for trying to execute an experiment in line with best practices. Specifically, Adobe Target, Optimizely and other popular experimentation platforms are subject to the seven-day cap on first-party cookies if Safari users enter a test.

The two main consequences of the cookie cap include:

  1.     Inflated unique visitor count in the test
  2.     Risk of showing returning visitors an inconsistent experience

If you’re running a test for longer than seven days (which is recommended), there is a risk that returning Safari users will be counted as unique visitors in the experiment results. This, in turn, can contaminate results analysis, especially if your team measures test performance based on unique visitors (as opposed to session-based or visit-based). Moreover, while your team seeks to improve the customer experience, Safari users are at a risk of having an inconsistent experience. Specifically, if a Safari user is initially bucketed in one of the test treatments, then returns to your site after seven days while the test is still running, there’s no guarantee the user will see that same treatment, since the user is not identified as a returning visitor.

itp test variation

In this case, your test results may be less trustworthy, as the same user potentially saw different variations of the test. Moreover, your team may lack clarity on which treatment ultimately led the visitor to convert, making it more difficult to make a solid business decision regarding next steps.

The issues outlined above will also impact your team’s personalization efforts. Specifically, personalization campaigns rely on being able to identify users over multiple visits and associating them with data points that inform the custom-tailored experience you deliver to them when on your site. This can have a direct impact if your team is currently serving different personalized experiences for returning users and new visitors. There’s potential for returning Safari users to get bucketed into the “new” visitor experience, creating a sub-optimal experience for them considering their past engagement with your brand.

In short, the Intelligent Tracking Prevention (ITP) updates make it difficult for personalization platforms to associate and store data points with Safari users. As a result, your team’s effort to delight customers with a highly relevant customer experience is at risk of being compromised and potentially create friction with your customers who may see an inconsistent experience. Understandably so, this can be extremely frustrating if your team has invested the time and resources to set up detailed personalization campaigns with a well thought out strategy.

ITP 2.1, 2.2, 2.3 and Impact on Digital Analytics

It’s likely apparent based on the examples already discussed that, yes, ITP 2.1 and 2.2 will impact analytics tools as well. Those such as Google Analytics rely on setting client-side, first-party cookies to identify users. The lifespans of these cookies for Safari users will now be limited by the ITP rules, meaning Google Analytics is going to have a much harder time identifying users as returning users. If you were to look at your recent Google Analytics traffic from Safari browsers, it’s more than likely that you’ll see an uptick in new user counts.

We’ve already looked at how this can affect marketing attribution in digital analytics tools, but the impacts are broader than just attribution. Given the struggles these tools will have in identifying users across sessions, any user-based segments or audiences your team builds when doing analysis aren’t going to be accurate, as they’ll be missing users whose tracking cookies expired leading to their historic activity on the site not being associated with them any longer. Digging into digital analytics data via segmentation is a key method to use when trying to uncover insights into how your digital properties are performing. Intelligent Tracking Prevention can and will impact the effectiveness of this approach.

Moving beyond the standard analytics platforms, the ITP impact will extend to other advanced technologies. As more organizations look to centralize all of their data sources using a Customer Data Platform (CDP), such as Tealium AudienceStream, it’s important to highlight that even these platforms will be affected.

Potential Long-Term Solutions for Businesses

Organizations are continuing to look for other “longer-term” workarounds. One popular approach is relocating first-party cookies to server-side via the HTTP headers (the Set-Cookie method). Optimizely also suggests configuring cookie creation via a Content Delivery Network (CDN). Note that these methods will require development work. Our team has deployed these types of solutions for several platforms, such as Google Analytics and Optimizely, by leveraging CDN providers like Cloudflare and Akamai.

For Adobe clients, utilizing the Experience Cloud ID and CNAME redirect is the recommended approach. In order to setup a CNAME, your team will need to work with your Adobe representative. Also, although these are the current recommended “long-term” approaches, no one can guarantee that Safari or other browsers won’t introduce stricter privacy regulations that ultimately reduce the effectiveness of these solutions.

Ever-Changing Privacy Restrictions – What Needs to Be Done

Given the ever-changing privacy rules, how are organizations supposed to navigate this landscape while still optimizing marketing efforts, maintaining a competitive advantage and meeting strong demand for personalized customer experiences? Unfortunately, there isn’t a straightforward solution.

The main takeaway here is that your organization needs to be aware and ready to take action. If your teams haven’t already raised awareness about the privacy issues and potential impacts to their data collection, data quality, results analysis and optimization efforts, then it’s imperative that this is brought to their attention. To turn a blind eye or dismiss the potential impacts just because it’s Safari would be a crucial mistake. As previously mentioned, while Safari has been at the forefront of increasing consumer protection, Firefox and Chrome are also stepping up their protection. As a result, more of your site users may be impacted by these restrictions.

To turn a blind eye or dismiss the potential impacts just because it’s Safari would be a crucial mistake.

It can be challenging for internal teams to stay on top of all the new privacy updates and understand how it will truly impact the business. That’s why Blast’s three core strategic solutions focus on evolving key areas of the business that may be impacted by the changing privacy restrictions, including:

Currently, we’re working with our clients to navigate the Intelligent Tracking Prevention (ITP) updates and ensure necessary workarounds are in place across their different technologies. If your organization needs help in better understanding the privacy impacts to various aspects of your business and identifying the best workarounds, Blast is here to help.

Alex Molineux
About the Author

Alex is Associate Manager of Optimization at Blast Analytics. He leverages his expertise in analytics strategy, implementation and optimization to help clients translate data into actionable insights, and is an expert in a wide variety of analytics and testing tools with a focus on Google Analytics, Google Tag Manager, Tealium IQ & AudienceStream, Optimizely and Google Optimize. Whether you’re looking to build out an analytics strategy to gather insights into your core business questions or you are looking to run an effective A/B testing or personalization campaign, he is able to use his expertise to guide and support you.

Connect with Alex on LinkedIn. Alex Molineux has written on the Blast Digital Customer Experience and Analytics Blog.