Impacts of Apple’s latest privacy update thwarting ‘link decoration’

With Intelligent Tracking Prevention (ITP) 2.3, the latest version of Safari’s anti-tracking feature, Apple fired a warning shot at companies using “link decoration” (a method of passing information through code added to a URL) as an alternative to third-party cookies. The update closes yet another loophole in Apple’s quest to kill off cross-domain tracking through third-party cookies.

For years, link decoration has been used to track referrals. Apple’s concern: Companies have been using link decoration to sidestep Apple’s privacy-focused plans to rid the web of persistent tracking.

Apple’s recent update pointed to the “continued abuse” of link decoration by companies using it as a workaround to track people in response to earlier ITP updates. As part of the update, Apple thwarted link decoration use by putting a seven-day limit on all non-cookie storage data, like local storage, a type of web storage that allows sites to store data directly in the browser, typically with no expiration date.

“The more Safari traffic you have coming to your website, the more you would be impacted by the changes,” said Adriana Tailor, head of data and insight at TI Media. “Beyond CPMs, which everyone agrees has a lower value for Safari inventory when compared with Chrome [around 30% lower], the biggest impact will be for agencies and advertisers to report performance.”

Each release of Apple’s ITP update has led to some drop in publisher CPMs as more identifying data on Safari audiences is stripped out. With Apple’s crackdown on link decoration specifically, publishers have noted that their analytics tools aren’t working as they would expect, said Joe Root, co-founder of data platform Permutive, which offers alternatives to third-party cookies. The company has previously said that the platform is unaffected by the ITP updates.

“Facebook IDs could be getting recycled faster,” said Root. “After seven days, they could count as a new user when they aren’t.” For publishers, for now, this is more annoying than really damaging. But the direction of travel toward a data-privacy-first advertising ecosystem is clear.

In the long term, for publishers making use of their first-party data, it’s an opportunity for them to take back more control of CPM prices and encourage advertisers to buy against that data, added Root.

“ITP is the environment publishers will flourish the most in. It puts them back in control,” he said. “In this update, Apple is making a request for publishers to help them clean up the web.” Publishers and marketers can strip out link decoration so they don’t fall foul of Apple’s increasingly restrictive privacy terms. For publishers, this is a fairly low lift.
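A minimal sketch of what stripping link decoration from a landing-page URL can look like, added here as an illustration and not taken from Apple, Permutive or any publisher. The function names and the list of click-identifier parameters (`fbclid`, `gclid`, `dclid`, `msclkid`) are assumptions; the article names no specific parameters.

```javascript
// Added example. The parameter names are an assumed, non-exhaustive list of
// widely used click identifiers; the article itself names no parameters.
const CLICK_ID_PARAMS = new Set(["fbclid", "gclid", "dclid", "msclkid"]);

// Delete every blocked key from a URLSearchParams object; return what was removed.
function dropBlocked(params, blocked) {
  const removed = [];
  for (const key of new Set(params.keys())) {
    if (blocked.has(key.toLowerCase())) {
      params.delete(key);
      removed.push(key);
    }
  }
  return removed;
}

// Return the URL without click-identifier decoration, plus the names removed.
// Note: editing searchParams re-serializes the whole query string in
// form-urlencoded style, so "%20" in other values comes back as "+".
function stripLinkDecoration(urlString, blocked = CLICK_ID_PARAMS) {
  const url = new URL(urlString);
  const removed = dropBlocked(url.searchParams, blocked);

  // Decoration can also ride in the fragment as key=value pairs.
  const fragment = url.hash.slice(1);
  if (fragment.includes("=")) {
    const fragParams = new URLSearchParams(fragment);
    const fragRemoved = dropBlocked(fragParams, blocked);
    if (fragRemoved.length > 0) {
      url.hash = fragParams.toString();
      removed.push(...fragRemoved);
    }
  }
  return { url: url.toString(), removed };
}

// In a browser, clean the address bar before other scripts read it.
if (typeof window !== "undefined") {
  const result = stripLinkDecoration(window.location.href);
  if (result.removed.length > 0) {
    window.history.replaceState(window.history.state, "", result.url);
  }
}

// Constructed sample input (not a real URL or identifier).
const sample = "https://publisher.example/story?id=42&fbclid=CONSTRUCTED123&page=2";
console.log(stripLinkDecoration(sample));
```

Ordinary parameters such as `id` and `page` are left in place; only names on the block list are removed, so the list needs to be maintained against whatever identifiers actually appear in a site's inbound traffic.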

Subscription publishers and those with scaled authenticated logins are in the lead with how they are flexing their first-party data strategies. The issue with the latter is getting login alliances to scale when they’re met with headwinds like working with competitors, configuring technical issues and generating enough interest from buyers.

Vendors who aren’t able to pivot quickly enough to respond to Apple’s changes will struggle. The number of companies offering alternatives to third-party cookies continues to grow, ratcheting up the game of cat and mouse. But ITP 2.3 also appears to put Facebook, which uses link decoration and is likely classified as a tracking domain, in the firing line.

“This version looks like going after Facebook,” said Root, adding that in recent earnings calls Facebook referenced that it is finding it increasingly difficult to target Apple audiences. “There could be some downstream impact on the platform.”

For context, the Safari audience impacted by ITP 2.3 is still going to be a slice of publishers’ Safari traffic, which in turn can be between 30% and 40% of traffic. But Apple isn’t done killing off cross-domain tracking, and, increasingly, industry onlookers fear Google’s Chrome browser, which has been flirting with a third-party cookie crackdown, is ramping up its efforts.

For now, this sting from ITP 2.3 isn’t as bad as earlier updates. “A seven-day expiry on this type of data [using local storage] is much better than the one-day expiry that first-party cookies get from the same process,” said Tailor. “However, it’s impossible to rule out changes to this expiry date. Future ITP updates may put a one-day expiry date on non-cookie storage.”
