WTF is Apple’s ITP 2.2 update?
Apple continues to close up loopholes in Safari’s anti-tracking feature, Intelligent Tracking Prevention.
In the latest update to ITP that was announced on April 24 and is currently being tested, Apple appears to be taking aim at the workaround that companies including Facebook and Google have rolled out since ITP’s introduction in 2017 that are meant to enable them to continue measuring traffic and attributing ads to site visits and online purchases on third-party sites.
ITP 2.2 does not disarm those workarounds entirely. Instead the update is largely intended to ensure that the companies are not using the workarounds to side-step Safari’s anti-tracking feature and persistently track people around the web.
ITP 2.2 significantly narrows the workarounds’ tracking window to 24 hours, restricting the ability of companies like Facebook and Google to measure traffic and attribute ads. “I expect that this has a big impact on attribution,” said Ameet Shah, vp of data and technology strategy at Prohaska Consulting. We break down what’s going on.
WTF is ITP again?
ITP is a feature that Apple added to Safari in 2017 to curtail companies’ abilities to monitor people’s browsing behavior when they visit other companies’ sites. Initially, Apple took aim at the third-party cookies that platforms like Facebook and Google, as well as a bevy of ad tech vendors, place on sites they don’t own that allow them to track people across the various sites that carry their third-party cookies. Then earlier this year, Apple updated ITP to account for a workaround that companies came up with in which they have a site drop a first-party cookie that mimics the functionality of the third-party cookie. With ITP 2.1, Safari deletes these first-party cookies seven days after they were installed on a browser.
If ITP 2.1 already affected these first-party cookie workarounds, what’s different about ITP 2.2?
ITP 2.2 cuts the first-party cookie’s lifespan from seven days to one day. As a result, the first-party cookies that Facebook and Google have introduced in order to continue measuring site traffic and attributing ads will be deleted after 24 hours. As a result, if a person clicks on an ad for a product on Friday and decides to take the weekend to think about buying, then the cookie wouldn’t be around on Monday to register when the person returns directly to the site to buy the product.
“Many actions advertisers are interested in attributing back to digital marketing efforts happen outside the newly implemented 24-hour window, creating a blind spot for advertisers and brands,” said Amanda Martin, vp of enterprise partnerships at Goodway Group.
I thought Apple was fine with companies using first-party cookies to attribute ads?
It was and still is. But it’s wary of companies taking advantage of that functionality to do more than attribute ads or analyze traffic, which is why ITP 2.2 only applies to a certain kind of first-party cookie.
What kind of first-party cookie does ITP 2.2 apply to?
It applies to the persistent first-party cookie that a site drops on a person’s browser on behalf of another company that Apple has determined is able to track people across multiple sites that it does not own. Specifically, the update is concerned with companies that use a method called link decoration to drop the first-party cookie and track people on the site. As it happens, Facebook’s and Google’s ITP workarounds employ link decoration to continue tracking Safari users on third-party sites.
WTF is link decoration?
Link decoration provides a way to attach information to a URL that a person clicks on in order to pass that information to the destination site. For example, let’s say you click a link in FakePublisher’s email newsletter to an article on its site. The newsletter can attach information to that URL — ex. http://fakepublisher.com?referrer=ouremailnewsletter — so that it knows a person navigated to its site by clicking a link in its email newsletter.
That sounds pretty common. What’s the problem?
The problem is that companies can use link decoration to pass information to other sites that enables them to persistently track a person on those sites. This practice is called cross-site tracking via link decoration, and it’s what Apple is addressing with ITP 2.2.
How does cross-site tracking via link decoration work?
It’s a three-step process that involves attaching a tracking monitor to a link, having the destination site store that tracking monitor and notifying the company that set the tracking monitor when the person who clicked on the link has visited the site, even if it has been days since the person clicked that initial link. Essentially, the link gets a unique identifier, which is then stored by the destination site in a first-party cookie. Then, when a page loads on a site with Facebook’s pixel or Google’s tag, those tracking mechanisms look for the first-party cookie, pull the click ID and send it to Facebook or Google, along with whatever other information that may be designed to attached, such as the page URL which enables them measure product purchases if it’s a transaction confirmation page. This enables Facebook and Google to track a person’s visits to the site long after they had clicked on the initial link, so long as the first-party cookie has not expired.
OK, but is this a big deal?
In some ways, yes. But it’s limited to Apple’s Safari browser, which limits the scope of its impact. On desktop, Safari accounted for only 4% of browser sessions worldwide in April 2019, according to NetMarketShare. However, for mobile, Safari accounted for 26% of browser sessions that month.
What are Facebook and Google doing about this?
“We have solutions in place to help our clients continue to measure their advertising in accordance with Apple’s policies,” said a Google spokesperson in an emailed statement.
“We are working with our partners to better understand these latest updates and how they affect Facebook. We plan to share more guidance for businesses in the future,” said Facebook spokesperson Joe Osborne in an emailed statement.
Facebook and Google could follow Microsoft’s example. In January 2018, the company’s advertising division introduced its own ITP workaround that is similar to Facebook’s and Google’s examples except that it uses a session cookie that expires once a person closes their Safari browser. ITP 2.2 only applies to persistent cookies that remain on the browser after it has been closed.
Are Facebook and Google the only companies affected by ITP 2.2?
No, though they are probably the biggest ones. ITP 2.2 would affect any company that uses link decoration to track people around the web. That includes ad tech vendors, measurement firms, affiliate marketers and certain types of influencers.
How would affiliate marketers and influencers be affected?
Publishers and individual bloggers use link decoration to get credit when people click on a product link featured on their sites and purchase the product on the merchant’s site. These publishers and bloggers would not be credited with a purchase made more than a day after a person clicked on that product link from their sites. Without that credit, the publisher or blogger may not be compensated for contributing to the purchase.
“That’s one key area that we’re going to start seeing companies or this market of small businesses start going out of business if they’re not going to get compensated properly. These are downstream impacts from those bad actors [that take advantage of link decoration to follow people around the web],” said Desiree Toto, vp of product development at affiliate marketing network CJ Affiliate.
‘I’m worried about my job’: Confessions of a stressed out ACD on homeschooling his son and working from home
An associate creative director is stressed about overseeing his son's remote learning this fall while successfully meeting client needs.
‘No one is rushing to commit Q4 budgets’: With its future in the U.S. increasingly uncertain, media buyers are holding back spending on TikTok
The executive order signed late last week has now spurred advertisers who were considering testing the nascent platform to steer clear for the time being, especially since TikTok now has until September 20th to sell its U.S. operations or face the consequences of President Trump’s order.
Member Exclusive‘Like being conned’: Agency employees say that fake job listings are making the already difficult job market even harder
If you ask agency talent about the job search you’ll hear them bemoan alleged fake job postings as an industry scourge.
SponsoredSeeking revenue stability, publishers are assessing buy-side credit risks
As the industry navigates the continued impacts of COVID-19, here’s the questions publishers should ask their programmatic partners or ad management providers to protect themselves from clawbacks and lost revenue.
‘Let’s put it out in the world’: Why Code and Theory is creating its own thought leadership publication, Decode
The publication gives the agency a home for opinion and thought leadership pieces from its staffers, many of whom have been writing pieces for industry publications in recent years.
Member Exclusive‘You can’t just cut a little bit’: Why this moment could force agencies to accelerate necessary changes to their business models
To survive, agencies have to change how they do business instead of making cuts here or there to manage for the next quarter.