The impact of ITP on analytics and the user experience

Intelligent Tracking Prevention: what to keep in mind?

Pamela Greveling
Technical Web Analyst
29 Mar 2024

Intelligent Tracking Prevention (ITP) was launched by Apple in 2017 in an effort to restore "the balance between privacy and the need for on-device data storage". With Intelligent Tracking Prevention, Apple aims to reduce cross-site tracking (following users across websites) by limiting the use of cookies. Find out what this means for you.

This article was written by Pamela in 2018 and updated by Anton Bies (Technical Web Analyst) in 2024.

In this article we refer to different types of cookies. Find out what cookies are and what different types of cookies exist in the article 'What are cookies?'

Intelligent Tracking Prevention (ITP) has been further developed in recent years and its impact now goes beyond reducing cross-site tracking. It imposes restrictions in the browser that do not take into account any consent obtained for placing cookies. It can therefore create serious challenges for online marketing and data analysis.

In this article, we explain the implications of ITP and other privacy mechanisms added to Apple's browser engine WebKit. We focus on the implications for online analytics and the user experience on your website, and we do this based on common use cases for cookies.

What is Intelligent Tracking Prevention (ITP)? 

Apple wants to prevent tracking domains from doing what they want. The word "intelligent" in the name comes from this: an algorithm on the device compiles its own list of domains that are classified as potential cross-site tracking domains. This means that, depending on how the user browses, any domain could potentially be classified as a tracking domain on their specific device.

ITP has undergone several developments in recent years and most of the restrictions now always apply, but some are still specific to tracking domains.

What is the impact of ITP? 

When a user visits a website, that website itself can place a cookie. We call these first-party cookies. However, cookies can also be placed by another domain: the so-called third-party cookies.

ITP distinguishes between these types of cookies and has a different impact on first-party cookies than on third-party cookies. The impact of ITP therefore depends on the combination of HTTP versus JavaScript cookies and third-party versus first-party cookies:

[Table: ITP impact]

What are the current limitations of ITP? 

Since iOS 14 came out, these restrictions apply not only in Safari, but also in all other browsers that run on WebKit, Apple's browser engine. This includes any browser downloaded on iOS devices (on an iPad or iPhone).

Here is an overview of the current restrictions by ITP:

  • Third-party cookies are completely blocked, unless the user has specifically given permission via the Storage Access API. That API is only available for embedded cross-site resources that the user actually interacts with.
  • 1st-party cookies (JavaScript) without cross-domain tracking capabilities are limited to a maximum lifetime of 7 days of browser usage. Only days on which the browser is actually used count; the remaining days do not.
  • 1st party cookies with cross-domain tracking capabilities are limited to a maximum lifetime of 1 day. If the referring domain is a tracking domain and the landing URL has query parameters, this limitation applies. For example: if you go to your website via a link from facebook.com, this link contains an fbclid query parameter.
  • Subdomain cloaking: cookies set via the Set-Cookie HTTP response header of a subdomain whose IP address differs in its first half from that of the main website have a maximum lifetime of 7 days. This also applies to a Google Tag Manager server container hosted on a third-party cloud service.
  • All script-writable storage is deleted after 7 days of browser usage since the last interaction with the website. This covers not only first-party cookies as explained above, but also IndexedDB, LocalStorage, SessionStorage, Media Keys, and Service Worker records and cache.
  • LocalStorage and sessionStorage are split in the third-party context. This means that thirddomain.com has a different localStorage and sessionStorage when it is accessed on domaina.com versus domainb.com. This partitioned storage is also cleared when the browser launches.
  • Cross-site referrals (document.referrer) are stripped to the main origin: no page paths or query parameters are available from referring websites.
  • ITP detects when domains are used for bounce tracking and tracker collusion. This involves redirecting a user through domains other than the target domain to set cookies, exchange information and build a user profile. Website data is deleted on those domains.
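The lifetime rules in this list, written out as a check you can run over your own cookie inventory. This is an added example, not code from the original article: the cookie names, IP addresses and shop.example URL are constructed, the "first half" of an IPv4 address is taken to be its first two octets, and applying the 1-day cap to script-written cookies only is an assumption.

```javascript
// First half of an IPv4 address (assumption: the first two octets).
function firstHalf(ipv4) {
  const parts = ipv4.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error(`not an IPv4 address: ${ipv4}`);
  }
  return parts.slice(0, 2).join(".");
}

// Returns { capDays, reason }. capDays 0 = blocked, null = no ITP cap.
// The Storage Access API exception for third-party cookies is not modelled.
function itpCap(cookie, visit) {
  if (cookie.party === "third") {
    return { capDays: 0, reason: "third-party cookie is blocked" };
  }
  if (cookie.setBy === "js") {
    const hasQuery = new URL(visit.landingUrl).search.length > 1;
    if (visit.referrerIsTracker && hasQuery) {
      return { capDays: 1, reason: "tracking referrer plus query parameters" };
    }
    return { capDays: 7, reason: "script-written first-party cookie" };
  }
  // Set-Cookie header: compare the setting host with the main website.
  if (firstHalf(cookie.setterIp) !== firstHalf(visit.siteIp)) {
    return { capDays: 7, reason: "Set-Cookie host differs in first half of IP" };
  }
  return { capDays: null, reason: "Set-Cookie host shares first half of IP" };
}

// Apply the cap to the lifetime the site asked for.
function audit(items, visit) {
  return items.map((c) => {
    const cap = itpCap(c, visit);
    const days = cap.capDays === null ? c.requestedDays : Math.min(c.requestedDays, cap.capDays);
    return { name: c.name, days, reason: cap.reason };
  });
}

// Constructed sample: a visit arriving via a decorated link from a tracking domain.
const visit = {
  siteIp: "203.0.113.10",
  landingUrl: "https://shop.example/?fbclid=abc123",
  referrerIsTracker: true,
};
const inventory = [
  { name: "analytics_id", party: "first", setBy: "js", requestedDays: 730 },
  { name: "ab_variant", party: "first", setBy: "http", setterIp: "203.0.200.7", requestedDays: 90 },
  { name: "sgtm_id", party: "first", setBy: "http", setterIp: "198.51.100.4", requestedDays: 400 },
  { name: "ad_pixel", party: "third", setBy: "http", setterIp: "192.0.2.9", requestedDays: 365 },
];
console.table(audit(inventory, visit));
```

The days returned are days of browser usage, as in the list above, not calendar days.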

Beyond ITP:

Safari has introduced other privacy-related features in recent years that are not necessarily covered by ITP.

  • Users' IP addresses are obscured for requests going to known trackers from DuckDuckGo's Tracker Radar list. In this case, WebKit uses a list rather than an algorithmic determination of trackers on the device. Users with a paid iCloud subscription can extend the functionality to hide their IP address from all websites they visit.
  • In addition, on macOS Safari, the version number in the User Agent string is frozen at 10_15_7. While this was implemented for a different reason, one privacy-related implication is that the platform version cannot be used for fingerprinting purposes.
  • In 2023, Apple added Advanced Privacy Protection (APP), enabled by default in private browsing mode. It includes some even more aggressive anti-tracking measures than ITP, but it is currently less talked about, probably because it is much newer and because it is disabled by default in non-private browsing.

What are the other browsers doing? 

ITP and APP apply to Safari and other browsers running on iOS. You may also encounter other forms of tracking prevention, as almost all browsers have now developed their own privacy technologies. Apple's measures are the most restrictive among browsers with more than 1% global market share so far.

  • WebKit (Safari/iOS): ITP and Advanced Privacy Protection
  • Firefox: Enhanced Tracking Prevention (ETP)
  • Edge: Tracking prevention
  • Chrome: Tracking protection, which essentially means phasing out third-party cookies by 2024

What are the implications of ITP and APP on analytics and user experience? 

APP:

The impact of APP is relatively straightforward, but severe. Since Tag Managers are blocked when loaded from their own domain, chances are high that users browsing with APP are not tracked at all. This data cannot be used to optimise the customer journey, as it is never collected. Companies that want to limit their exposure to APP may want to load certain client-side scripts from a server they own, instead of from the standard third-party domain.

ITP:

ITP requires more explanation. Because cookies in the Safari browser have a maximum lifespan of 7 days of browser use (and sometimes only 24 hours), it is not only the cross-site tracking possibilities that are limited. This also impacts other uses of cookies, such as analysis for optimisation of your website.

The impact of ITP on analytics and the user experience: 5 examples 

A few examples of the consequences of ITP for analytics and the user experience that we encounter in daily practice:

1. Misalignments between new and returning users 

Without ITP

In the situation without ITP, you see that users who return to the website after x number of days are recognised as the same returning user.


With ITP

This is not the case in the situation with ITP. Because the cookies are deleted after 7 days, the user is no longer recognised and will therefore be mistaken for a new user.


Returning users are more likely to go unrecognised and appear as new users in your reports, making these reports inconsistent with reality. So it becomes more difficult to determine whether users come back to your website more often.

2. Accuracy of marketing attribution decreases 

This same problem occurs in marketing attribution. Take, for instance, a user who comes to your website through an advertisement. This user views a few products, but does not buy anything yet. The user spends several days thinking about the product and decides to buy it 8 days later. The user is now familiar with the website and visits it directly.

Without ITP

Without ITP, you know that this user originally came to your website through an advertisement. The purchase can therefore be assigned to this advertisement, so you know that it has been successful.


With ITP

With ITP, the cookies in this user's browser are deleted after 7 days (assuming they do use the browser on every one of those days). So when the user returns on day 8, you no longer know that this user originally came to the website through an advertisement. The conversion is therefore assigned to 'Direct traffic' and you do not know that your ad led to a purchase.

The accuracy of marketing attribution thus decreases with ITP. This can especially cause problems when a website sells products that have a longer consideration period (such as subscriptions, training, holidays, airline tickets, etc.).

3. Accuracy of A/B testing decreases 

ITP also has an impact on the accuracy of A/B testing, especially when tests run for longer than 7 days. With A/B testing, users are often randomly shown a certain variant. The assigned variant is then stored in a cookie in the browser so that the user will see the same variant again on a subsequent visit to the website.

Without ITP

Without ITP, this user is for example assigned variant A on the first visit. The user does not buy anything yet, but returns on day 8. The user is recognised by the previously set cookie and is shown variant A again. Then, when the user makes a purchase, you know that Variant A contributed to this purchase.


With ITP

With ITP, the cookies in this user's browser are deleted after 7 days. Thus, when the user returns on day 8, a random variant is assigned to the user again. This can again be variant A, but it can also be variant B. If the user then converts, this conversion is assigned to the last variant shown (e.g. variant B). Since you don't know that the user originally saw variant A, the conversion is assigned to variant B.

With ITP, the results of an A/B test are therefore less accurate. As a result, they are also more difficult to interpret and you run the risk of making wrong decisions based on this data.

It is therefore also wise to take ITP into account when setting up an A/B test. You can do this, for example, by considering a shorter duration of the A/B test.

In addition, you can choose to only include results from non-ITP-affected browsers (this also potentially impacts the accuracy of the results).

Finally, you can have the variant determined server-side and store it in an HTTP cookie. When the server is on the same (first half of the) IP address as the website, these cookies are not bound to a maximum lifespan of 7 days.
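A sketch of that last option: the server picks the variant once and keeps it in a cookie sent via the Set-Cookie response header. This is an added example, not code from the original article; the cookie name ab_variant, the 30-day Max-Age and the handler are hypothetical, and it assumes the server shares the first half of its IP address with the website.

```javascript
const VARIANTS = ["A", "B"];
const COOKIE = "ab_variant";          // hypothetical cookie name
const MAX_AGE = 60 * 60 * 24 * 30;    // 30 days in seconds, constructed value

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const pair of (header || "").split(";")) {
    const i = pair.indexOf("=");
    if (i > 0) jar[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  }
  return jar;
}

// Reuse a known variant from the cookie; otherwise assign one at random.
// An unknown value (tampered or stale) is ignored and the user is reassigned.
function assignVariant(cookieHeader, rng = Math.random) {
  const seen = parseCookies(cookieHeader)[COOKIE];
  const returning = VARIANTS.includes(seen);
  const variant = returning ? seen : VARIANTS[Math.floor(rng() * VARIANTS.length)];
  // HttpOnly keeps the value out of document.cookie, so the server must render
  // the variant into the page if client-side analytics needs it.
  const setCookie =
    `${COOKIE}=${variant}; Max-Age=${MAX_AGE}; Path=/; Secure; HttpOnly; SameSite=Lax`;
  return { variant, returning, setCookie };
}

// Request handler with the signature Node's http.createServer expects.
// The cookie is re-sent on every response so the lifetime rolls forward.
function handle(req, res) {
  const { variant, setCookie } = assignVariant(req.headers.cookie);
  res.setHeader("Set-Cookie", setCookie);
  res.setHeader("Content-Type", "text/plain");
  res.end(`variant ${variant}\n`);
}
```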

4. Limited customisation options 

If you want to apply personalisation to your website, ITP also makes this a challenge. In the example below, you want to personalise by showing the user the product he or she looked at on a previous visit when arriving at your website.

Without ITP

Without ITP, after 8 days the user will see a personalised landing page with an offer for product A.


With ITP

With ITP, the cookies in this user's browser are deleted after 7 days. When the user returns on day 8, you won't remember which products this user has previously viewed. So you cannot serve a personalised landing page or offer.


For such use cases, a DMP (Data Management Platform) or a CDP (Customer Data Platform) is often used to create user profiles. Based on these user profiles, a personalised page or offer is then served to the user.

These user profiles have a shorter lifespan with ITP when users are not logged in or otherwise recognised. When a user is logged in, or can somehow be recognised, these user profiles can exist longer.

Personalising the landing page is therefore more difficult, because the user often has to log in first before recognition takes place. In that case, there are still options for personalisation, but they have been delayed due to the late recognition.

5. The cookie banner is displayed again and again 

Some functionalities on the website also use JavaScript cookies. This is often the case, for example, with the cookie consent banner. This is usually shown on the first landing on a website and requests permission to place certain cookies.

This is mandatory according to European legislation, but is experienced as annoying by many visitors. For the user experience it is therefore important not to show the banner to the user more often than necessary.

Without ITP

Without ITP, the user will see the cookie consent banner once upon arrival on the website. The user makes a choice, which is stored in the user's browser by placing a cookie. Revisiting the website, this choice is retrieved from the cookie and the banner does not have to be displayed again.


With ITP

With ITP, the cookie in which the cookie preferences are stored is deleted after 7 days. When the user returns after 7 days, the previously made choice is no longer known and the cookie preference must be requested again. The user will therefore see the cookie consent banner again upon arrival on the website.


ITP and APP: keep it in mind! 

Intelligent Tracking Prevention and Advanced Privacy Protection impact web analytics, online marketing and the user experience on websites in several ways. In recent years, Apple's privacy measures have been further developed and have become increasingly impactful. This makes it difficult to develop a sustainable and future-proof strategy for dealing with ITP.

When making analyses and reports, it is therefore important to take into account the effects of ITP and APP and the distortion they can cause in your data.


This is an article by Pamela Greveling, Data Engineer at Straffe Wind

Pamela is our former colleague. During her time at Digital Power, she worked as a Technical Web Analyst. She is currently working at Straffe Wind as a Data Engineer.
