WTF is Apple’s ITP 2.3 update?
Apple is continuing its whack-a-mole war against online tracking. Since introducing the Intelligent Tracking Prevention feature within its Safari browser in 2017 to limit companies’ abilities to track people around the web, Apple has had to semi-regularly update the feature to close loopholes that companies have been able to exploit to continue tracking people.
Apple’s latest ITP update — announced on Sept. 23 and included in the latest versions of Apple’s operating systems for its computers, iPhones and iPads — seals up the limits that it had introduced in two previous updates made this year. However, ITP 2.3 could have a broader impact on websites that use certain non-cookie-based web storage tools to maintain visitors’ preferences.
“The consequences of the cross-site tracking restrictions to date have been around persistent attribution with maybe limited impact on user experience. But this now heightens that impact and is probably more noticeable as a consequence,” said Sara Stevens, vp of identity, audience and measurement at digital marketing firm Conversant.
WTF is ITP 2.3?
The latest update to Safari’s Intelligent Tracking Prevention feature, ITP 2.3 aims to eliminate a workaround that enabled companies track people on other companies’ sites without relying on cookies.
Wait. I thought the last two updates to ITP were supposed to eliminate cookie-related workarounds?
They were, and they did. Earlier this year, Apple announced ITP 2.1 to curtail companies’ abilities to use first-party cookies to track people on third-party sites. Prior to that update, when someone clicked a link from one website to another, the first website could include an identifier in the destination URL that the second website would store within a first-party cookie and pass back to the first website in order for the first website to record what the person did on the second website; this practice is called cross-site tracking via link decoration and provided a way for companies to sidestep ITP’s previous crackdown on companies using third-party cookies for cross-site tracking. With ITP 2.1, Apple would delete these first-party cookies seven days after they were installed on a browser so that they could not be used to persistently track people around the web. In April, Apple announced ITP 2.2, which cut the first-party cookies’ lifespan to one day.
Got it. So then companies found a way to track people without using cookies?
Yes. Companies have been able to use the same link decoration practice to pass identifiers from one website to another, but instead of storing the IDs within a first-party cookie, they stored it within non-cookie-based web storage mechanisms, such as local storage.
WTF is local storage?
Local storage is similar to a cookie in that websites can use local storage to record information about a person visiting their site, such as an ID, and store that information on that person’s browser in order to quickly refer to it the next time that browser visits their site. The main difference between local storage and a cookie is that local storage can be used to stash more information than a cookie, which is why some websites use local storage to preserve people’s preferences when visiting a website.
How does ITP prevent companies from using non-cookie-based web storage for cross-site tracking?
If Safari sees that a company that it classifies as a cross-site tracker has decorated the link that a person clicks to visit another website, then it will delete all the non-cookie-based website data for that website from the person’s browser after seven days in which the person has continued to use Safari but not visited the site since clicking that link.
Safari will delete all non-cookie-based website data on the second site? Is that a problem?
It could be. There’s the evergreen caveat that, as of August 2019, Safari accounted for 15% of the global browser market compared to Google’s Chrome browser’s 64% market share, according to online traffic monitor StatCounter. Furthermore, if people typically visit a site at least once a week, then it’s probably not a problem because of the seven-day stipulation. That said, for sites that are visited somewhat regularly but less frequently than weekly, ITP 2.3 could be a problem. However, that also depends on whether a website uses these web storage tools and what information the site stores within them. According to Conversant vp of platform architecture Danny Avni, it’s “fairly common” for websites to use non-cookie-based web storage to save information that sites use to maintain the user experience, such as whether a person has already filled out a survey solicited by the site or at what volume a person prefers videos to play.
So the consequences of ITP 2.3 could extend beyond how ads are targeted and measured online?
Yes. Advertising-wise, ITP 2.3 is considered by programmatic advertising experts to be a fairly minor update. “I believe it pales in comparison to the cookie-related rules rolled out previously with ITP. These changes impact publishers/sites more so than advertising efforts from my vantage point,” said Amanda Martin, vp of enterprise partnerships at Goodway Group, in an email.
If anything, ITP 2.3 could be a positive for advertisers, particularly with regard to measurement and attribution. By deleting first-party cookies after 24 hours, ITP 2.2 effectively cut the measurement and attribution window from seven days to one day. ITP 2.3 re-extends the window to seven days so long as companies use non-cookie-based web storage to stash the identifier used for measurement and attribution, said Ameet Shah, vp of publisher and technology strategy at Prohaska Consulting.
What can sites that rely on these web storage tools do about this?
They can save information on their own servers instead of within these web storage tools. However, that would require time for these sites to switch to server-side storage, including rewriting their sites’ code, and would increase sites’ back-end costs because they would be storing more data on the server, said Avni.
Are there ways other than link decoration for companies to pass data from one site to another while staying under the radar?
Yes, but it’s no longer under the radar. Instead of decorating the link by attaching the ID data to the destination site’s URL, some companies were decorating their own URLs that get passed to the destination site as a referrer. Apple has picked up on this and will only let the destination site access the top-level domain information when checking for the referrer data. That is, instead of the destination site being able to read the full URL “http://example.com?id=1234,” the site will only receive “http://example.com.”
Will companies find other workarounds that Apple will have to cordon off?
‘More dollars to experiential’: Why Walmart is still using experiential marketing to pitch Walmart+ — even during coronavirus crisis
The company is working with influencers and media partners to bring some of the missed “special moments” that had been canceled throughout 2020 to life.
Member Exclusive‘Don’t have the luxury of doing good’: The age of dissonance continues at this year’s ANAs — and beyond
When there’s an on-going global pandemic that’s crippling whole brand categories, it was hard to hear the CMOs speaking at the ANAs.
Twitch emerges as rising platform for beauty brands
Twitch’s over 17.5 million daily active users are gaining growing attention from companies well beyond the traditional gaming world.
SponsoredPublishers must strengthen their relationships with brands and customers
Zara Erismann, MD Publisher EU, LiveRamp In today’s market of tightening data regulations — and with the end of third-party cookies now around the corner — it is critical that publishers focus on optimizing their data strategies to ensure and strengthen close relationships with their audience. In a recent report, The State of Publishing: Monetizing […]
‘Show we’re listening’: Why agencies are lending office furniture, offering WiFi stipends to employees as new pandemic-era perks
With a hybrid reality in the offing, rethinking perks to include ways to make working from home better for employees has become a focus for leaders.
‘Shopping patterns will feel longer and flatter’: Gap’s CMO on preparing for holiday campaigns
Mary Alderete on the upended marketing calendar and Gap’s plans to lean into the extended holiday season this year.