Apple is continuing its whack-a-mole war against online tracking. Since introducing the Intelligent Tracking Prevention feature within its Safari browser in 2017 to limit companies’ abilities to track people around the web, Apple has had to semi-regularly update the feature to close loopholes that companies have been able to exploit to continue tracking people.
Apple’s latest ITP update — announced on Sept. 23 and included in the latest versions of Apple’s operating systems for its computers, iPhones and iPads — seals up the limits that it had introduced in two previous updates made this year. However, ITP 2.3 could have a broader impact on websites that use certain non-cookie-based web storage tools to maintain visitors’ preferences.
“The consequences of the cross-site tracking restrictions to date have been around persistent attribution with maybe limited impact on user experience. But this now heightens that impact and is probably more noticeable as a consequence,” said Sara Stevens, vp of identity, audience and measurement at digital marketing firm Conversant.
WTF is ITP 2.3?
The latest update to Safari’s Intelligent Tracking Prevention feature, ITP 2.3 aims to eliminate a workaround that enabled companies track people on other companies’ sites without relying on cookies.
Wait. I thought the last two updates to ITP were supposed to eliminate cookie-related workarounds?
They were, and they did. Earlier this year, Apple announced ITP 2.1 to curtail companies’ abilities to use first-party cookies to track people on third-party sites. Prior to that update, when someone clicked a link from one website to another, the first website could include an identifier in the destination URL that the second website would store within a first-party cookie and pass back to the first website in order for the first website to record what the person did on the second website; this practice is called cross-site tracking via link decoration and provided a way for companies to sidestep ITP’s previous crackdown on companies using third-party cookies for cross-site tracking. With ITP 2.1, Apple would delete these first-party cookies seven days after they were installed on a browser so that they could not be used to persistently track people around the web. In April, Apple announced ITP 2.2, which cut the first-party cookies’ lifespan to one day.
Got it. So then companies found a way to track people without using cookies?
Yes. Companies have been able to use the same link decoration practice to pass identifiers from one website to another, but instead of storing the IDs within a first-party cookie, they stored it within non-cookie-based web storage mechanisms, such as local storage.
WTF is local storage?
Local storage is similar to a cookie in that websites can use local storage to record information about a person visiting their site, such as an ID, and store that information on that person’s browser in order to quickly refer to it the next time that browser visits their site. The main difference between local storage and a cookie is that local storage can be used to stash more information than a cookie, which is why some websites use local storage to preserve people’s preferences when visiting a website.
How does ITP prevent companies from using non-cookie-based web storage for cross-site tracking?
If Safari sees that a company that it classifies as a cross-site tracker has decorated the link that a person clicks to visit another website, then it will delete all the non-cookie-based website data for that website from the person’s browser after seven days in which the person has continued to use Safari but not visited the site since clicking that link.
Safari will delete all non-cookie-based website data on the second site? Is that a problem?
It could be. There’s the evergreen caveat that, as of August 2019, Safari accounted for 15% of the global browser market compared to Google’s Chrome browser’s 64% market share, according to online traffic monitor StatCounter. Furthermore, if people typically visit a site at least once a week, then it’s probably not a problem because of the seven-day stipulation. That said, for sites that are visited somewhat regularly but less frequently than weekly, ITP 2.3 could be a problem. However, that also depends on whether a website uses these web storage tools and what information the site stores within them. According to Conversant vp of platform architecture Danny Avni, it’s “fairly common” for websites to use non-cookie-based web storage to save information that sites use to maintain the user experience, such as whether a person has already filled out a survey solicited by the site or at what volume a person prefers videos to play.
So the consequences of ITP 2.3 could extend beyond how ads are targeted and measured online?
Yes. Advertising-wise, ITP 2.3 is considered by programmatic advertising experts to be a fairly minor update. “I believe it pales in comparison to the cookie-related rules rolled out previously with ITP. These changes impact publishers/sites more so than advertising efforts from my vantage point,” said Amanda Martin, vp of enterprise partnerships at Goodway Group, in an email.
If anything, ITP 2.3 could be a positive for advertisers, particularly with regard to measurement and attribution. By deleting first-party cookies after 24 hours, ITP 2.2 effectively cut the measurement and attribution window from seven days to one day. ITP 2.3 re-extends the window to seven days so long as companies use non-cookie-based web storage to stash the identifier used for measurement and attribution, said Ameet Shah, vp of publisher and technology strategy at Prohaska Consulting.
What can sites that rely on these web storage tools do about this?
They can save information on their own servers instead of within these web storage tools. However, that would require time for these sites to switch to server-side storage, including rewriting their sites’ code, and would increase sites’ back-end costs because they would be storing more data on the server, said Avni.
Are there ways other than link decoration for companies to pass data from one site to another while staying under the radar?
Yes, but it’s no longer under the radar. Instead of decorating the link by attaching the ID data to the destination site’s URL, some companies were decorating their own URLs that get passed to the destination site as a referrer. Apple has picked up on this and will only let the destination site access the top-level domain information when checking for the referrer data. That is, instead of the destination site being able to read the full URL “http://example.com?id=1234,” the site will only receive “http://example.com.”
Will companies find other workarounds that Apple will have to cordon off?
Member ExclusiveDigiday+ Research: Instagram wins over Facebook for role in brands’ holiday marketing
Brands differ on how they use each marketing channel during the holidays -- even when it comes to sibling social media platforms Facebook and Instagram, Digiday+ Research found.
How — and why — Candy Crush is in the midst of a 10th anniversary brand refresh
In the years since Activision Blizzard acquired the Swedish game studio King in 2016, employees at the gaming giant have started to internally refer to their company as “ABK” — that is, Activision Blizzard King. But the corporation’s recent financial reports indicate that “KAB” might be a more accurate abbreviation.
Independent agency Goat invests in influencer strategy for clients as it expands in the U.S.
Everyone is after influencers to up their marketing game. But the secret to success, Goat contends, is in viewing influencers as performance media and using data to deliver clients guaranteed outcomes.
SponsoredHow brands are measuring incremental performance on CTV
Connected TV is unique among other advertising channels because it combines linear television’s storytelling capabilities with digital marketing’s targeting and measurement. As more marketers leverage CTV advertisements to reach relevant and engaged audiences, they also want to understand the real value they are generating with their investment. Incrementality reporting and measurement allow advertisers to measure […]
Marketers bring Web3 to the FIFA World Cup with augmented reality, NFTs and virtual worlds
The month-long tournament, which begins this weekend, will be the first World Cup since it took place in Russia in 2018 long before “Web3” entered the global lexicon. Now, official and non-official sponsors are hoping to harness the hype with a range of NFTs, virtual worlds, augmented reality tools and other trendy tech.
U-Haul diversifies its social strategy to tell people it’s more than moving trucks
In recent years, U-Haul's in-house agency has been working to "better leverage social media for brand loyalty."