Apple’s Intelligent Tracking Prevention 2.1 (ITP2.1) limits the length of client side cookies to seven days. In short this means a Safari user that visits your site today will be viewed as a new/separate user if they don’t directly interact with your site within the next seven days.
On February 21, 2019 WebKit (the web browser engine that powers Safari, Mail, App Store and more) announced the next iteration of Intelligent Tracking Prevention with iteration 2.1 or ITP2.1. The largest and most impactful change in IPT2.1 is to client side cookies, which will now be capped to seven days. From WebKit’s announcement:
With ITP 2.1, all persistent client-side cookies, i.e. persistent cookies created through document.cookie, are capped to a seven day expiry.
In layman’s terms, this means a user visiting your site with Safari today will be viewed as a new/separate user eight days from now if they don’t directly interact with your site during that time seven day window.
We’re sure Google is considering a response to ITP2.1, but we haven’t seen anything yet. Having said that, Safari’s global usage share is around 15% and around 31% in the United States, add in rumblings of FireFox taking the same route, and this is nothing to be scoffed at. So, let’s explore what this means for some popular digital marketing tools.
More about ITP2.0. ITP1.1, and the initial iteration of ITP here.
This is the million dollar question, and the short answer is that both of the industry leaders in web measurement will be similarly impacted with this change.
Currently the default expiration length for the Adobe Analytics and Google Analytics cookies are 2 years. This means that you could visit a site on 3/1/2019, and a cookie will be set with an expiration of 3/1/2021. You could have zero interactions with the site for one year and 364 days, but when you return on 2/28/2021, Adobe Analytics and Google Analytics would recognize you as the same user that was on the site on 3/1/2019.
So how does this change with ITP2.1? After ITP2.1 is rolled out (it appears that it’s already out, by the way!) if you were to use Safari to visit the same site on 3/1/2019, if there aren’t any interactions with the site for seven days, the cookie will be destroyed. This means on 3/8/2019 you’ll be identified as a completely new user who’s never been to the site before.
Specifically, these cookies are how Adobe and Google identify user abc123 who visited your site last month via Google, as the same user abc123 this month via from Facebook, as the same user abc123 six months ago via Bing.
While both Adobe Analytics and Google Analytics offer other ways to identify users, generally speaking, they most heavily rely on these client side cookies to identify individual users and the other methods require updates to be made (both in the tools directly as well as the backend usually involving development, which I’ll get into towards the end of this post).
Metrics and calculations that will be impacted by this change:
- User Type – New Vs. Returning User
- User scoped Custom Dimensions
- User based calculated metrics
- Any User Scoped Segment or Audience
- Conversions/Attribution – we could go into a rabbit hole on this one so I’m just going to suggest that these will be impacted by these changes in various ways.
- Visitor Type – New Vs. Return
- Visitor scoped eVars
- Any Visitor Scoped Segment
More about Adobe’s cookie usage can be found here.
Just like Google Analytics, Google Ads will be impacted by this change in a similar way: tracking Safari users will be more limited.
Ads uses a variety of cookies, and while I’m not going to dive into them specifically some of their purposes are for remarketing, conversion tracking, and preference tracking – note the remarketing cookie enables remarketing to a specific user via Ads and the Google Display Network after they’ve been previously exposed to your website or ad. The conversion cookie sends information back to Ads about specific conversions a user might have taken after seeing an ad. Lastly the preference cookies are used to customize your experience while in Google’s search engine directly. The fallout from this change, directly in Ads will impact metrics and calculations such as:
- Conversions – the effective conversion window will be capped at 7 days without interaction, so your campaign may not get any credit if a user converts, say, 14 days after seeing your ad
- Conversion rate
- View-through conv.
- Cost / conv.
- Remarketing Audiences – users will fall out of your audience very quickly after this change if they aren’t exposed to another ad or site content to renew the cookie’s expiration date
We’ll keep this short since you’ve probably guessed it at this point, yes, Display Video 360, Search Ads 360, and Campaign Manager all rely on cookies to serve ads and content to users just like Google Ads! ITP2.1 will impact things like conversions/attribution of conversions, frequency caps, and audience building.
Common testing and personalization tools like Google’s Optimize, Visual Website Optimizer (VWO), Optimizely, and Adobe’s Target will be impacted by ITP2.1 similarly to the way web analytics tracking will be impacted, which means there could be serious implications for testing and personalization efforts.
- More specifically from the lense of testing this could mean that user abc123 visits your site today via Chrome and ends up seeing test: Shiver Me Timbers, and variation: Show me the booty!. If the user were to visit your site again in thirty days, on Chrome, they would still be in that treatment group and see the same Test and Variation.
- If they visited on 3/1/19 in Safari, and then didn’t return to the site until 3/30/19, they’d be viewed as a new user which means they could end up seeing the control or another variation like: YARGHH!. Impact on personalization in these tools will be similar.
It is worth noting, though, that both VWO and Optimizely state that they use both cookies and local storage to track users and experiments. While local storage doesn’t have the exact same capabilities that cookies do (ie: can’t be read between subdomains) they are similar in a lot of ways which may give VWO and Optimizely a leg up in the short term here.
More about Google Optimize cookies can be found here.
More about Visual Website Optimizer (VWO)’s cookies and local storage can be found here.
More about Optimizely’s cookies and local storage can be found here.
More about Adobe’s cookie usage can be found here.
Google Data Studio will not be directly impacted. Having said that, the underlying data used within it are impacted (see above sections for specific platforms/metrics impacted). It’s important to understand impact of this update on your data sources (ie: Google Analytics and Ads) to make better use of your data within Google Data Studio.
Due to Google Search Console’s focus on individual queries, browsers, domains and specific URLs vs. users, it will largely escape unscathed from ITP2.1.
Generally speaking you can expect a decline in conversions from Safari if a user doesn’t convert in that first session. This will be one particular area to pay attention to in the coming months because there are so many vendors and industry players within this space. There have already been discussions and ideas on how to circumvent this update via building extensions that make server side calls.
While we’ve listed a few “solutions” to ITP2.1 below, we want to first call out a few things; namely that deliberately circumventing ITP2.1 could be perceived as going against user’s wishes. Additional to this moral question, it’s very probable WebKit will respond to some of these workarounds and they won’t work forever (specifically local storage). Having said this, here are few solutions to ITP2.1…for the time being:
- Limit: doesn’t work between subdomains. IE: Local storage values set on blog.mysite.com won’t be able to be read on store.mysite.com and vice versa.
- For Google Analytics and Adobe Analytics this is by far the best way to track users as it relies on information stored on the server to identify users.
- Adobe documentation on the various methods that you can use to track users
- Google documentation on how to track users without first party cookies (ie: User ID)
Various technical solutions a la Simo Ahava:
- Set the cookie headers in a server-side script
- Set cookie headers in an edge cache
- Shared web service referenced with a CNAME record
- Reverse proxy to third party service
- It may be tough but wait and see how the big players – Google, Adobe and others – respond to this before doing anything drastic. This directly impacts their bottomline and they’re directly incentivized to consider and respond to this change.
It’s pretty clear that WebKit and Apple feel that advertisers are abusing cookies and feel as though users aren’t capable to fend for themselves.
Another way of looking at this, though, is that Apple has completely taken control out of their user’s hands — what if I don’t mind being served better experiences and more relevant ads across the web? A part of me also can’t not ask the tongue in cheek question – is Apple doing this under the guise of privacy to stick it to Google and privacy upgrades just happen to be a byproduct of these changes?
Another interesting thought is what does this mean for the internet? The current internet model revolves largely around ad revenue and being able to convince businesses to purchase ads in the hopes of selling more widgets but if we decrease the effectiveness of ads, do we start to erode that model?
I’m not sure of these answers but I would argue that cookies were never quite intended to do what they are being used to do today. Some of this is quite legitimate with Google Analytics and Adobe Analytics, while other cross-website tracking can be much more disturbing and annoying.
So while I can’t help but think that the measurement world is collateral damage in a bigger fight for privacy, I also think that this will eventually lead to a better model for the internet. I’m personally excited to see how we get there and what that looks like with users privacy in mind.
What do you think? Please feel free to leave any unanswered questions about ITP2.1 and what it means for digital marketing in the comments below. Don’t forget to read our other privacy and security posts: GDPR, preventing customer data leaks, and checking Chrome security too!