The impact of ITP on analytics and the user experience
Intelligent Tracking Prevention: what to keep in mind?
- Article
- Technical Web Analytics
- Data Analytics
Intelligent Tracking Prevention (ITP) was launched by Apple in 2017 in an effort to restore "the balance the balance between privacy and the need for on-device data storage". With Intelligent Tracking Prevention, Apple aims to reduce cross-site tracking (following users across websites) by limiting the use of cookies. Find out what this means for you.
This article was written by Pamela in 2018 and updated by Anton Bies (Technical Web Analyst) in 2024.
In this article we refer to different types of cookies. Find out what cookies are and what different types of cookies exist in the article 'What are cookies?'
Intelligent Tracking Prevention (ITP) has been further developed in recent years and the impact of ITP is beyond reducing cross-site tracking. It imposes restrictions in the browser, which do not take into account obtained approval for placing cookies. It can therefore create serious challenges for online marketing and data analysis.
In this article, we explain the implications of ITP and other privacy mechanisms added to Apple's browser engine Webkit. Here, we focus on the implications for online analytics and the user experience on your website. We do this based on frequently used use cases of cookies.
What is Intelligent Tracking Prevention (ITP)?
Apple wants to prevent tracking domains from doing what they want. The word "intelligent" in the name comes from this: an algorithm on the device compiles its own list of domains that are classified as potential cross-site tracking domains. This means that, depending on how the user browses, any domain could potentially be classified as a tracking domain on their specific device.
ITP has undergone several developments in recent yearsand most of the restrictions now always apply, but some are still specific to tracking domains.
What is the impact of ITP?
When a user visits a website, that website itself can place a cookie. We call this first party cookies. However, cookies can also be placed on another domain, the so-called third party cookies.
ITP distinguishes between these types of cookies and has a different impact on 1st party cookies than on 3rd party cookies. The impact of ITP therefore depends on the combination of HTTP versus Javascript cookies and 3rd party versus 1st party cookies:
What are the current limitations of ITP?
Since iOS14 came out, these restrictions apply not only in Safari, but also on all other browsers that run on Webkit, Apple’s browser engine. This includes any browser downloaded on iOS devices (on an iPad or iPhone).
Here is an overview of the current restrictions by ITP:
- Third-party cookies are completely blocked (unless the user has specifically given permission via the Storage Access API. This is only available for embedded cross-site resources that the user actually interacts with).
- 1st-party cookies (JavaScript) without cross-domain tracking capabilities are limited to a maximum lifetime of 7 days of browser usage. This applies only to days when the browser is actually used, the remaining days do not count.
- 1st party cookies with cross-domain tracking capabilities are limited to a maximum lifetime of 1 day. If the referring domain is a tracking domain and the landing URL has query parameters, this limitation applies. For example: if you go to your website via a link from facebook.com, this link contains an fbclid query parameter.
- Subdomain cloaking: cookies set via the Set-Cookie HTTP response header of a subdomain with a different first half IP address than the main website have a maximum lifetime of 7 days. This also applies to a Google Tag Manager server container hosted on a third-party cloud service.
- All script writable storage is deleted after 7 days of browser usage since the last interaction with the website. Not only first-party cookies as explained above, but also IndexedDB, LocalStorage, SessionStorage, Media Keys and Service Worker records and cache.
- LocalStorage and sessionStorage are split in the thirddomain context. This means that when thirddomain.com has a different localStorage and sessionStorage, it is accessed on domaina.com versus domainb.com. This partitioned storage is also cleared when the browser launches.
- Cross-site referrals (document.referrer) are stripped to the main origin: no page paths or query parameters are available from referring websites.
- ITP detects when domains are used for bounce tracking and tracker collusion. This involves redirecting a user through domains other than the target domain to set cookies, exchange information and build a user profile. Website data is deleted on those domains.
Beyond ITP:
Safari has introduced other privacy-related features in recent years that are not necessarily covered by ITP.
- Users' IP addresses are obscured for requests going to known trackers from Duckduckgo's Tracker Radar list. In this case, Webkit uses a list rather than an algorithmic determination of trackers on the device. Users with a paid iCloud subscription can extend the functionality to hide their IP address from all websites they visit.
- In addition, on macOS Safari, the version number in the User Agent string is frozen at 10_15_7. While this was implemented for a different reason, one privacy-related implication is that the platform version cannot be used for fingerprinting purposes.
- In 2023, Apple added Advanced Privacy Protection (APP), enabled by default in private browsing mode. It includes some even more aggressive anti-tracking measures than ITP, but it is currently less talked about. Probably because not only is it much newer, but also because its default setting is disabled in non-private browsing.
What are the other browsers doing?
ITP and APP apply to Safari and other browsers running on iOS. You may also encounter some form of Tracking Prevention, as almost all browsers have now developed their own privacy technologies. Apple's measures are the most restrictive browsers with more than 1% global market share so far.
- WebKit (Safari/ iOS): ITP and advanced privacy protection
- Firefox: Enhanced Tracking Prevention (ETP)
- Edge: Tracking prevention
- Chrome: Tracking protection, which essentially means phasing out third-party cookies by 2024
What are the implications of ITP and APP on analytics and user experience?
APP:
The impact of APP is relatively straightforward, but severe. Since Tag Managers are blocked when loaded from their own domain, chances are high that users browsing with APP are not tracked at all. This data cannot be used to optimise the customer journey, as it is never collected. Companies that want to limit their exposure to APP may want to load certain client-side scripts from a server they own, instead of from the standard third-party domain.
ITP:
ITP requires more explanation. Because cookies in the Safari browser have a maximum lifespan of 7 days of browser use (and sometimes only 24 hours), not only the cross-site tracking possibilities are limited. This also impacts other uses of cookies, such as analysis for optimisation of your website.
The impact of ITP on analytics and the user experience: 5 examples
A few examples of the consequences of ITP on analytics and the user experience we encounter in daily practice :ITP
1. Misalignments between new and returning users
Without ITP
In the situation without ITP, you see that users who return to the website after x number of days are recognised as the same returning user.
With ITP
This is not the case in the situation with ITP. Because the cookies are deleted after 7 days, the user is no longer recognised and will therefore be mistaken for a new user.
Returning users are more likely to go unrecognised and appear as new users in your reports, making these reports inconsistent with reality. So it becomes more difficult to determine whether users come back to your website more often.
2. Accuracy of marketing attribution decreases
This same problem occurs in marketing attribution. Take, for instance, the example in which a user comes to your website through an advertisement. This user is viewing a few products, but is not buying anything yet. The user has spent several days thinking about the product he has seen before and decides to buy the product 8 days later. The user is now familiar with the website and will visit it directly.
Without ITP
Without ITP, you know that this user originally came to your website through an advertisement. The purchase can therefore be assigned to this advertisement, so you know that it has been successful.
With ITP
With ITP, the cookies in this user's browser are deleted after 7 days (assuming they do use the browser on every one of those days). So when the user returns on day 8, you don't remember that this user originally came to the website through an advertisement. The conversion is therefore assigned to 'Direct traffic' and now you don't know your ad led to a purchase.
The accuracy of marketing attribution thus decreases with ITP. This situation can especially cause problems when a website sells products that have a longer cooling-off period (such as subscriptions, training, holidays, airline tickets, etc.).
3. Accuracy of A/B testing decreases
ITP also has an impact on the accuracy of A/B testing, especially when these have a duration beyond 7 days. With A/B testing users are often randomly shown a certain variant. Which variant this is, is then stored in a cookie in the browser so that the user will see the same variant again on a subsequent visit to the website.
Without ITP
Without ITP, this user is for example assigned variant A on the first visit. The user does not buy anything yet, but returns on day 8. The user is recognised by the previously set cookie and is shown variant A again. Then, when the user makes a purchase, you know that Variant A contributed to this purchase.
With ITP
With ITP, the cookies in this user's browser are deleted after 7 days. Thus, when the user returns on day 8, a random variant is assigned to the user again. This can again be variant A, but it can also be variant B. If the user then converts, this conversion is assigned to the last variant shown (eg. variant B). Since you don't know that the user originally has seen variant A, the conversion is assigned to variant B.
With ITP, the results of an A/B test are therefore less accurate. As a result, they are also more difficult to interpret and you run the risk of making wrong decisions based on this data.
It is therefore also wise to take ITP into account when setting up an A/B test. You can do this, for example, by considering a shorter duration of the A/B test.
In addition, you can choose to only include results from non-ITP-affected browsers (this also potentially impacts the accuracy of the results).
Finally, you can have the variant determine server-side and put the variant in an HTTP cookie. When the server is on the same (first half of the) IP address as the website, these cookies are not bound to a maximum lifespan of 7 days.
4. Limited customisation options
Even if you want to apply personalisation to your website, this is something of challenge because of ITP. For example, in the example below, you want to personalise by showing the user the product he or she looked at on a previous visit when arriving at your website.
Without ITP
Without ITP, after 8 days the user will see a personalised landing page with an offer for product A.
With ITP
With ITP, the cookies in this user's browser are deleted after 7 days. When the user returns on day 8, you won't remember which products this user has previously viewed. So you cannot serve a personalised landing page or offer.
For such use cases, a DMP (Data Management Platform) or a CDP (Customer Data Platform) is used often to create user profiles. Based on these user profiles, a personalised page or offer is then served to the user.
These user profiles have a shorter lifespan with ITP when they are not logged in or otherwise recognised users. When a user is logged in, or can somehow be recognied, these user profiles can exist longer.
Personalising the landing page is therefore more difficult, because the user often has to log in first before recognition takes place. In that case, there are still options for personalisation, but they have been delayed due to the late recognition.
5. The cookie banner is displayed again and again
Some functionalities on the website also use Javascript cookies. This is often the case, for example, with the cookie consent banner. This is usually shown on the first landing on a website and requires permission to place certain cookies.
This is mandatory according to European legislation, but is experienced as annoying by many visitors. For the user experience it is therefore important not to show these to the user more often than necessary.
Without ITP
Without ITP, the user will see the cookie consent banner once upon arrival on the website. The user makes a choice, which is stored in the user's browser by placing a cookie. Revisiting the website, this choice is retrieved from the cookie and the banner does not have to be displayed again.
With ITP
With ITP, the cookie in which the cookie preferences are stored is deleted after 7 days. When the user returns after 7 days, the previously made choice is no longer known and the cookie preference must be requested again. The user will therefore see the cookie consent banner again upon arrival on the website.
ITP and APP: keep it in mind!
Intelligent Tracking Prevention and Advanced Privacy Protection impacts web analytics, online marketing and the user experience on websites in several ways. In recent years, Apple’s privacy measures have been further developed and have become increasingly impactful. This makes it difficult to develop a sustainable and future-proof strategy for dealing with ITP.
When making analyses and reports, it is therefore important to take into account the effects of ITP and APP and the distortion it can cause in your data.
Put your ITP or APP issue to an expert?
We are happy to find solutions together to handle your challenges in the field of Intelligent Tracking Prevention and Advanced Privacy Protection. Contact us directly.
Receive data insights, use cases and behind-the-scenes peeks once a month?
Sign up for our email list and stay 'up to data':