Apple’s ITP 2.2: 1-Day Expiration of Tracking Cookies Set Via Link Decoration

Apple created ITP in the name of privacy.

Essentially, the original ITP made it harder to use third-party cookies to track Safari users on iOS and macOS, in line with Firefox’s ETP privacy efforts. For the domains it flagged, it allowed a 24-hour window in which their cookies could still be used for cross-domain tracking, after which access to third-party cookies was blocked. This posed problems for many tracking providers, since a good deal of tracking is done with third-party cookies.

A common workaround for marketers was to switch to first-party cookies. However, in later ITP versions (2.0, 2.1, and 2.2), Apple began limiting the use of first-party cookies as well. Earlier this year, ITP 2.1 addressed a workaround in which companies had a site drop a first-party cookie that mimicked the functionality of the third-party cookie. With ITP 2.1, Safari deletes these first-party cookies seven days after they were set in the browser.

ITP 2.2’s biggest change from 2.1 and 2.0 limits the duration of some first-party JavaScript-set cookies to one day—down from the seven days that ITP 2.1 implemented.

For a cookie to be capped at one day by ITP 2.2, three conditions must be fulfilled:

  1. The cookie is set via JavaScript (or in their words, “set through document.cookie”). This condition also applied under ITP 2.1 (see also our blog on ITP 2.1 for A/B testing).
  2. The site that sent the user to the landing page has been classified by ITP as “having cross-site tracking capabilities” (major ad networks, Google and Facebook are certainly classified this way).
  3. The link uses link decoration (it uses query string parameters and/or a fragment identifier).

Let’s take a closer look at the above three conditions and understand how Convert is affected and what you can do.

Condition 1: Persistent Cookies Created via document.cookie

Moving forward, all persistent cookies created via JavaScript’s document.cookie (as opposed to cookies set by HTTP) will be set to expire in 24 hours if the referring domain has been identified as having cross-site tracking capabilities and the URL contains a query string or fragment identifier. All other first-party cookies created by document.cookie, where no query string or fragment identifier is involved, will expire in 7 days (as mentioned for ITP 2.1).

Convert cookies are created via JavaScript’s document.cookie, so the first condition under ITP 2.2 applies (as it also did under ITP 2.1).

Condition 2: Referring Domain with Cross Site Tracking Capabilities

Domains are dynamically classified under ITP by a machine learning algorithm:

  1. First Party Bounce Tracker Detection. Detects when a domain is used for redirect tracking only. This will be applied recursively for all domains in the redirect chain.
  2. Sub Resource under number of unique domains. Related to the number of paths available under a domain. Tracking platforms currently have a very small number of these.
  3. Sub Frames under number of unique domains. Related to the number of page frames available under the domains.
  4. Number of unique domains redirected to.
  5. The system does not have a whitelist or blacklist. Rather each device will build its own tracking prevention list based on web usage.

If a domain is classified as a cross-site tracking domain by the machine-learning-based ITP classification engine described above, and link decoration exists, Safari will prevent the storing of persistent first-party cookies.

Given there’s no central list of domains classified for cross-site tracking capabilities, site owners will need to assess their links and evaluate any third-party JavaScript libraries that may use link decoration. This includes ad tech vendors, measurement firms, affiliate marketers and certain types of influencers. Facebook and Google are certainly affected by ITP 2.2.

Let’s make it clear with an example. Imagine you have a site, www.example.com, where the Convert tracking code is installed. If your site receives traffic from Google or Facebook (the referring domains in this case), for example when a visitor lands on your site with the URL https://www.example.com?utm_source=google, all first-party cookies set on www.example.com will be restricted to a 24-hour duration, since this traffic comes from a referring domain that is considered to have cross-site tracking capabilities and link decoration exists (see below). Thus Convert cookies will have a duration of 24 hours.

What does that mean? If you run a 7-day experiment, and a user visits your site on day 1 and then on day 3 (after a gap of 2 days), Convert won’t be able to recognize this person as a returning visitor, because Convert’s browser-created cookie will have been deleted under the new restrictions. This visitor will be treated as a new one.

Hence this second condition has to do not with Convert itself but with the referring domains.

Condition 3: Link Decoration

Link decoration is a technique used by Advertising and Marketing technology platforms to attribute clicks, visits, and conversions (purchases, downloads, etc.) across different domains using first-party cookies.

There are two main ways to decorate a link.

The basic way is to statically attach the extra information to the URL when a link is created. Here’s an example of a decorated link:

https://www.example.com?utm_source=google&utm_medium=cpc&utm_campaign=2019_promotion

The information after ? is known as a query string, which is made up of parameters (e.g. utm_medium=). Another form of link decoration uses fragment identifiers, which are introduced by a hash (#).

The other, more complex way to decorate a link is to run some JavaScript code that is triggered when a person clicks on a link and dynamically adds information to the link. Companies will do this when they want to pass information specific to the individual click that led someone to the destination site. For example, an advertiser might do this to track a display ad campaign that is running across multiple publishers’ sites and links to the advertiser’s site. Instead of manually customizing the link for each publisher carrying its ad, the advertiser can have the code add “?publisher=[name of publisher]” to the URL at the time when a person clicks on the ad. This way the advertiser can determine which publisher was responsible for sending the site visitor.

Thus, this third condition has to do not with Convert itself but with referring domains that have cross-site tracking capabilities AND use link decoration, as explained in the example above.

Here’s Convert’s Workaround

The above three factors combined mean that cookies set by Convert will be affected by ITP 2.2 if the site where the Convert tracking code is installed receives traffic from domains that are considered to have cross-site tracking capabilities and you use link decoration for attribution purposes.

The same workaround applies as with ITP 2.1 that was described here a few weeks ago. We suggest customers move the cookie creation process away from the browser and into the server.

You can find the steps to facilitate such server-side cookie creation here. If you need any help with making the needed changes to your web server infrastructure, please feel free to contact us.
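
To see how the three conditions and the server-side workaround interact, here is a simplified model of the expiry rules as this article describes them. It is an added example, not Safari’s or Convert’s code; the `referrerClassified` flag, the 180-day cookie lifetime and all function names are assumptions made for illustration.

```javascript
// Simplified model of the ITP 2.1 / 2.2 expiry rules described in this article.
// Added example, not Safari's implementation.
const CAP_ITP_2_2_DAYS = 1; // all three conditions hold
const CAP_ITP_2_1_DAYS = 7; // any other cookie set through document.cookie

// Condition 3: a query string and/or a fragment identifier on the landing URL.
function isDecorated(landingUrl) {
  const url = new URL(landingUrl);
  return url.search !== '' || url.hash !== '';
}

// Lifetime in days that the browser would honour for a persistent cookie.
// referrerClassified is supplied by the caller as an assumption: ITP builds its
// list per device, so there is no central list to query.
function effectiveLifetimeDays({ setVia, requestedDays, landingUrl, referrerClassified }) {
  if (setVia !== 'document.cookie') {
    return requestedDays; // condition 1 not met: set in an HTTP response
  }
  const cap = referrerClassified && isDecorated(landingUrl)
    ? CAP_ITP_2_2_DAYS
    : CAP_ITP_2_1_DAYS;
  return Math.min(requestedDays, cap);
}

// Is a visitor who first arrived on firstDay still recognised on returnDay?
function recognisedOnReturn(cookie, firstDay, returnDay) {
  return returnDay - firstDay < effectiveLifetimeDays(cookie);
}

// Constructed sample: the article's landing URL and a hypothetical 180-day cookie.
const fromAdClick = {
  setVia: 'document.cookie',
  requestedDays: 180,
  landingUrl: 'https://www.example.com?utm_source=google',
  referrerClassified: true,
};
const direct = { ...fromAdClick, landingUrl: 'https://www.example.com/', referrerClassified: false };
const serverSet = { ...fromAdClick, setVia: 'http' };

for (const [name, c] of Object.entries({ fromAdClick, direct, serverSet })) {
  console.log(name, effectiveLifetimeDays(c), 'day(s); recognised on day 3:', recognisedOnReturn(c, 1, 3));
}
```

The `fromAdClick` case reproduces the 7-day experiment scenario above: the cookie is capped at one day, so the day-3 return visit is not recognised, while the same cookie set in an HTTP response keeps its requested lifetime.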

Worried about ITP 2.2? We Keep your Tracking on Track

As technology providers try to find work-arounds for Apple’s restrictions, Apple will continue to stifle tracking they find objectionable, even if that makes a mess of how websites and website tracking currently operate.

Many of the solutions around today may not remain viable for the long term if they do not change with changing privacy requirements and tracking updates.

At Convert, we will continue to keep a close eye on this as it develops and the implications it has for our customers. You will find us speaking up about matters that concern the viability of tracking and also innovating as we go to offer the best possible alternative.

For updates on future ITP news and implications for marketers, subscribe to our blog.

Originally published June 11, 2019 - Updated August 12, 2019
Dionysia Kontotasiou
Dionysia is Convert's Head of Integration and Privacy. Fresh off the GDPR compliance stretch you can find Dionysia helping customers with their technical queries and making homemade pizza in her spare time.