Intelligent Tracking Prevention (ITP): The Impact on Cookies, AdTech, and MarTech

the main blog post image for the post about how Safari's ITP handles cookies

Contents

Our Newsletter

Get AdTech & MarTech resources sent straight to your inbox

We respect your privacy. Learn more here.

Third-party cookies have long been the backbone of online advertising, allowing advertisers to measure the success of their campaigns and improve targeting, as well helping publishers monetize their websites.

But over the past few years, the reliance of third-party cookies has decreased due to changes in user behavior (e.g. installing ad-blocking software) and new privacy features in browsers. 

One such browser that has taken a strong stance against online tracking is Safari, which is powered by the open-source web browser engine, Webkit

In September 2017, Webkit released the first version of Intelligent Tracking Prevention (ITP).

With every new release (currently ITP 2.3), Webkit have strengthened their privacy and tracking prevention features. As a result, ITP not only impacts third-party cookies (it blocks them by default), but also puts restrictions on first-party cookies and other browser storage options like LocalStorage.  

All of these release has impacted the online advertising and marketing industries to varying degrees.

To learn about ITP and the different versions, from the first version (1.0) to the latest (2.3), read our blog post:  What Is Intelligent Tracking Prevention (ITP) and How Does it Work.

How Safari's Intelligent Tracking Prevention (ITP) handles cookies and non-cookie data

How Does ITP Impact AdTech Companies?

The Intelligent Tracking Prevention feature is just another example of a privacy update that threatens the very thing upon which online advertising depends – cookies. 

AdTech companies won’t be able to run targeted and retargeted ad campaigns on Safari browsers due to the cookie restrictions caused by ITP.

Here’s an overview of how ITP impacts AdTech companies:

  • AdTech vendors (e.g. DSPs, SSPs, and DMPs) can’t create third-party cookies in the Safari browser as ITP blocks them by default.
  • If an AdTech vendor’s domain is classified as being a cross-site tracker, then ITP puts restrictions on any first-party cookies it creates on websites.
  • If a web visitor clicks on a link containing a query string or fragment identifier, then any first-party cookie created on the destination site via JavaScript’s document.cookie will be set to expire in 24 hours, provided the referring domain has been classified as being a tracking domain.
  • Similarly to the point above, if a web visitor clicks on a link containing a query string or fragment identifier, then any data stored in LocalStorage in the web visitor’s browser will be set to expire in 7 days, provided the referring domain has been classified as being a tracking domain. This expiry date can be reset for another 7 days if the web visitors accesses the same website within 7 days of their first visit.

Possible ITP Workarounds and Solutions for AdTech Companies

Although most online ad campaigns will be restricted, click-through attribution for some types of campaigns should still be possible. 

This can be achieved by passing a unique click ID (or visitor ID) in the URL to the destination website. From there, the destination site can use a JavaScript tag to capture and store the ID, notifying the ad server about the click from the given click ID. 

It may also be possible to measure conversions (attribution), depending on whether the referring domain has been classed as a cross-site tracking domain (via ITP’s Machine Learning Classifier), which is likely to be the case with a majority of AdTech platforms. If this is the case, the attribution window will be limited to 24 hours as per ITP 2.2. 

Second-party data (or data co-operative) partnerships could also implement a workaround to ITP by syncing identifiers between sites. Exchanging identifiers between sites – for example, between partner sites or domains owned by the same company – is made possible by passing the IDs via URLs and then storing the IDs in a first-party cookie on the server (i.e. server-side). 

This workaround can provide limited remarketing between partners and even promote further expansion of data co-operatives. 

Many AdTech companies also created a workaround that allowed them to store IDs in LocalStorage. However, ITP 2.3 now deletes all non-cookie data from a web visitor’s Safari browser after 7 days if the referring domain has been classed as tracking domain and the referring URL contains link decorations.

How Does ITP Impact Publishers?

For many publishers, selling their inventory (ad space) via programmatic media buying has been the main way to monetize their websites. 

Research from emarketer states that programmatic media buying accounts for 84.9% of the US digital display advertising market, meaning that a large part of a publisher’s ad revenue is coming from AdTech platforms that are no longer able to display ads, identify audiences, or measure campaign success.

This has meant that publishers CPMs have dropped, mainly because advertisers aren’t able to identify the person on the publisher’s website, meaning they’ll bid less to serve an impression — this is often referred to addressable advertising, i.e. identifying audiences and showing ads to them.

But how much of a publisher’s revenue is lost because of ITP?

It depends on how many of their visitors use Safari, which will vary among publishers and countries. 

An article by Digiday states that publishers saw a 40% drop in CPMs via real-time bidding (RTB) with the initial release of ITP. This figure has no doubt increased with every new release.

How Does ITP Impact Analytics and MarTech Companies?

ITP versions 1.0–2.0 had little or no impact on most analytics or MarTech platforms as long as the first-party cookie was used only in a first-party context, as is the case with tools like Google Analytics and Piwik PRO Analytics Suite.  

The reason for this was because these platforms set a cookie (via JavaScript) under the domain of the website the user is currently visiting, and typically don’t track users across the internet.

For example, if the Piwik PRO tag were installed on the www.example.com website, then it would set the cookie under the www.example.com domain. This cookie isn’t used in a third-party context because the software is used only within the www.example.com domain. 

Now if Piwik PRO were used to analyze a different site – e.g. www.usedcarsite.com – it would have a separate cookie set in the www.usedcarsite.com domain along with a separate site ID in the database.

However, ITP 2.1 will now delete first-party cookies set by web analytics and other MarTech tools after seven days, and in 24 hours if they meet the conditions of ITP 2.2, unless they implement a workaround.

Possible Workarounds for Analytics and MarTech Companies

As ITP 2.1 now includes a seven-day expiry for first-party cookies created via JavaScript’s Document.cookie, which is created in the browser (i.e. client-side), web analytics and MarTech vendors wanting to maintain accurate data will need to implement a workaround. 

Simon Ahava lists a number of ITP 2.1 workarounds for analytics tools in his blog post, including setting first-party cookies server-side via the HTTP response, storing the first-party cookies in LocalStorage and creating a reverse proxy server.

If web analytics and MarTech tools don’t implement a workaround, then metrics and reports from users on Safari browsers will be inaccurate if their last visit was more than seven days ago.

How Does ITP Impact Walled-Garden Advertising Ecosystems?

While companies like Facebook, Google, and Amazon weren’t affected too much by ITP 1.0 and 1.1, the introduction of ITP 2.0, 2.1, 2.2, and 2.3 has changed this.

As mentioned above with the Facebook-widget example, Google, Facebook and Amazon will now have to get approval from users to drop cookies and access website data via the Storage Access prompt. 

Also, all conversion attribution carried out via link decoration and first-party cookies will be limited to 24 hours as part of ITP 2.2’s release, or 7 days as per ITP 2.3.

Final Thoughts

Major advertising groups have criticized Apple for releasing Intelligent Tracking Prevention, as they feel it will threaten the economic model of the Internet. 

However, the introduction of ITP is just one of the many changes the online advertising industry will have to adjust to. 

In addition to ITP, the GDPR’s rules regarding obtaining consent from users to drop a cookie on their browser, and the steady adoption of ad-blocking software, Firefox has followed in Apple’s footsteps and implemented something similar to ITP with Enhanced Tracking Prevention.

Google has also announced changes to its Chrome browser that will give users more transparency and control over which third-party cookies are created and stored on their device, as well as block device-fingerprinting techniques, which have also been used by AdTech and MarTech vendors to identify and track users.

However, one thing is clear: the use of cookies as a way to identify and track users on web browsers is becoming less reliable with every passing year. It’s time to develop an alternative.

Reading recommendation

Read our online book

The AdTech Book by Clearcode

Learn about the platforms, processes, and players that make up the digital advertising industry.

Mike Sweeney

Head of Marketing

“The AdTech Book is the result
of our many years of experience in designing and developing advertising and marketing technologies for clients.”

Find out how we can help you with your project

Schedule a call with us today and find out how we can help you with your AdTech or MarTech development project.