How Will Safari’s ITP Cookie Policy Updates Impact Google Analytics Tracking?

August 28th, 2019 by David Fransen

To browse the Internet in 2019 is to learn how to manage that nagging sense that someone is always watching. You casually look up the ingredients for a traditional eggplant curry while considering lunch options, and weeks later every website you visit is still force-feeding you offers on wholesale quantities of turmeric root. And of course, if you play it right, you can visit a few sites for things you already know you’re going to buy, then wait for the discount offer to populate somewhere else a few days later for a quality bargain.

Well, if you use Safari as your web browser of choice, that last little vaguely dystopian life hack may not serve you particularly well anymore. This is because Apple decided a couple years ago that maybe it isn’t actually all that great for online advertisers to be able to follow you everywhere you go on the internet for extended periods of time, building an intricate consumer profile so that they can shoehorn you promotions for things they know you’ll be powerless not to click on and buy. Specifically, Apple decided to crack down on how Safari manages its users’ cookies, which are the little data containers you have to click an annoying popup to “allow” on the vast majority of websites you visit now.

Pacman cookie

In 2017, Safari debuted its Intelligent Tracking Prevention protocol (ITP), which was devised to add more rigid restrictions on the degree to which outside parties could track Safari users across the web without those users’ knowledge or consent. Since then, Safari has steadily ramped up its war on trackers as the less scrupulous among advertisers, using already questionable tracking techniques, began developing increasingly shady and manipulative workarounds to continue soaking up that sweet, sweet consumer data. This has all culminated in the release of ITP 2.2 in May of 2019, which now very aggressively and severely limits the kind of tracking options available not only to the more ignominious and exploitative of advertisers, but now also to the well-intentioned businesses and marketers simply trying to quantify and optimize the user experience on the websites they manage. As you might imagine, this has already led to a good bit of wailing and gnashing of teeth in nobler digital marketing circles, as the bad apples have effectively ruined data access and availability for the entire bunch.

But let’s back up a bit. We need to understand a bit about the technical details here before we can understand the ramifications of what Apple/Safari has unleashed upon the marketing world.

What Are Cookies Exactly?

Cookies are ultimately just little chunks of data. When you visit most websites, the site will stash some set of cookie(s) in your web browser. As you continue to use your browser, the cookie essentially reports back to its source about what you’re doing in your browser.

That already sounds a bit scary, given what we know about privacy issues in 2019, but the general use cases that led to the nearly universal use of cookies by websites weren’t really invasive or villainous in intent. Cookies keep track of whether you are logged into a website or not so that no one but you can order the 20-pound box of gummy bears you added to your Amazon cart in a moment of weakness. Likewise, cookies are the mechanism by which Amazon remembers that you added this—and other unspeakable things to your cart—so that you’re confronted with them in the unforgiving light of day the next time you visit their site.

Now, just as a website can use cookies to remember that you logged in and added items to your cart, it can use them to see what else you’re doing on their site. One of the most widely used tools for webmasters and digital marketers is Google Analytics, which is a cookie-driven platform that offers a wealth of invaluable data about how users interact with a website. Importantly, Google Analytics does not provide specific identifying information about who a user is; it simply records the pathways that anonymous users employ to arrive at a website and how they engage with it once they are there. This information is then reported to the administrators of a site’s Google Analytics account, allowing those involved in maintaining and developing a site to assess what is or is not working in terms of marketing strategy and user experience. And at this point in the evolution of the internet, if you or someone in your employ isn’t using some on-site analytics platform to assess user engagement on your website, you probably don’t care enough about your online presence.

Different Types of Cookies

The cookies described in the previous section are referred to as “first-party cookies.” They are classified as such because they are only added by a site that a user has directly visited, and the information collected by the cookie only reports to that site (or an admin thereof) about users’ activity on that site. So while Google Analytics, for instance, is an external platform not built into a website, the only way for it to collect its data is for a site developer to add tracking code directly onto the site to establish the tracking cookie that users will only receive when visiting the site directly. And data is only collected for the Analytics account-holder when the user is on a site with that account’s tracking code.

Meanwhile, out in the spooky online wilderness, there are more exploitative advertisers and marketers who employ what are known as “third-party cookies.” Third-party cookies are still set by a site but are not directly tied to that site. For example, a website serving ads from nefariousadvulture.spam will essentially allow nefariousadvulture.spam to set its own cookie. Since the cookie is tied to nefariousadvulture.spam and not the site the user actually visited, that cookie continues to collect data from the cookied user as he or she moves across any other website serving ads from nefariousadvulture.spam. That allows nefariousadvulture.spam to form fuller profiles of users based on their activity across multiple websites, any of which may be able to transmit actual identifying information to the vulture kings, depending on the nature of the sites being tracked.

Ugh, that was all SO boring. Why did you make me read all that?

I know, and I’m sorry. But a general understanding of cookies and their different types is essential to grasping the significance of what Safari and other browsers are starting to do in the name of user privacy. Here’s a cool dunk to break up the dull tech speak a bit. You deserve it.

Giannis Antetokounmpo dunking gif off a great assist

So What Does All That Have To Do With Safari’s ITP Protocol?

Initially, with ITP version 1.0, Safari set out to limit the use of third-party cookies. ITP set a 24-hour window for third-party cookies to actively collect data if the user didn’t directly interact with the third-party website that set the cookie. So drawing from the previous third-party cookie example above, if a user directly visited nefariousadvulture.spam within 24 hours of receiving the third-party cookie, it could stay active and continue tracking. If not, the cookie effectively expired after 24 hours. Since the whole premise of this kind of advertising and tracking meant that users were pretty much never going to directly visit the sites serving the ads, this marked a doom and gloom moment for the nefarious ad vulture world. Meanwhile, users of first-party cookies remained generally unaffected. To this point, the general standard was that first-party cookies could remain in place for 30 days before being purged unless a user actively removed them before that point.

But of course, the nefarious ad vultures weren’t just going to give up on a hitherto successful approach to marketing just because one browser got cranky about it. Many advertisers just rolled up their sleeves and figured out how to have partners or clients set their third-party cookies as if they were first-party cookies, which then proceeded to do exactly what they had done all along in terms of tracking users across numerous websites to build consumer profiles. This, as it turns out, was the tipping point where Safari started moving more in the direction of burning the entire house down to kill a spider on the window sill. The updates and increased aggression toward cookies have been steadily and quickly ramping up ever since.

With ITP version 2.0 in 2018, Safari essentially blocked the use of third-party cookies altogether. Shortly thereafter in early 2019, to counteract and preempt the inevitably increased abuse of first-party cookies by nefarious vulture types, ITP version 2.1 reduced the 30-day gestation period for first-party cookies to 7 days. While webmasters and marketers were still reeling and trying to piece together the impact this dramatic change had on their analytics, Safari rolled out ITP version 2.2 in May of 2019 reducing the 7-day first-party cookie expiration to 24 hours. Basically, rather than play whack-a-mole with devious and irresponsible cookie manipulators, Safari just poisoned all the moles along with the grass, dirt, and any other less whack-worthy beings that happened to share their habitat.

What Does This Mean For Webmasters and Marketers?

It means that everyone has to recalibrate a bit with regard to web analytics. As mentioned earlier, Google Analytics is one of the most widely used platforms available to study website user statistics and behavior. And first-party cookies drive it. Until this year, Google Analytics would be able to track user activity on a particular site over 30 days. Now, for Safari users only, it only gets 24 hours.

As an example, imagine that you have an eCommerce business selling novelty hot dog cannons for use at sporting events and other projectile-garbage-food-friendly occasions. Anonymous internet user we’ll call Yuzer reaches that familiar point in life where he or she definitely needs a novelty hot dog cannon (it happens to the best of us). So Yuzer opens up Safari and searches google for “novelty hot dog cannon.” Because your website is well optimized with clearly targeted content, Yuzer quickly finds and clicks on your website from atop the search results. With such well-organized content and such user-friendly layout, Yuzer pretty quickly settles on the fact that this is the place to buy the hot dog cannon of his or her dreams. But this is obviously a big decision, and Yuzer wants to talk over all the cannon options available with his or her significant other before just diving into the hot dog water. So Yuzer bookmarks the page, then leaves to scroll weepily through Craigslist Missed Connections, look up relish recipes, and ultimately binge-watch old Columbo episodes until falling asleep.

To this point, Google Analytics would have reported to you that some anonymous user arrived at your novelty hot dog cannon website via organic search, clicked around a bit to check the specs on various cannon models, then left. You don’t know who the user is, what they like in their relish or how many seasons deep they’ve gotten in Columbo or any other series.

3 days later, Yuzer and his or her partner excitedly plop down together in front of Yuzer’s laptop and return to your website and finally buy the hot dog cannon they know will be the first page in an important new chapter in their lives. They pull up the page Yuzer had bookmarked, complete a purchase, high five, and go out to dinner to celebrate. Everything is great for Yuzer and the enthused dog-loving revelers on the receiving end of Yuzer’s new cannon. But things are now a bit more complicated for you.

Until May of 2019, regardless of browser, you would have seen an accurate representation of a path to purchase. This anonymous user reached your site via Google search, clicked around, left, then came back 3 days later and bought a mid-tier hot dog cannon (a solid starter cannon to be sure, but not exactly all-star material). But since Yuzer uses Safari, now you see that one anonymous user reached your site via Google search, clicked around a bit, and left. Then 3 days later another new and different anonymous user visited your site directly by typing the URL into his or her browser window and immediately bought a product. This isn’t what actually happened, but that’s how it is going to show up in Google Analytics reports.Crumbled up fortune cookie

Tying This All Up, Finally

To this point, Safari is the only major browser enacting these kinds of draconian restrictions on first-party cookies. According to StatCounter, Google Chrome is still the most widely used browser across all devices and platforms by a landslide. But Safari is a very comfortable, if somewhat distant second. And on tablets, Safari is the clear king of the realm, due to the dominance of the iPad within that device market and Apple’s propensity to bully users into Safari at any available opportunity. And while Safari’s move with ITP has already pressured Chrome, Firefox and (to some minor extent) Edge to roll out some of their own privacy and cookie-centered enhancements, they are all far less aggressive toward first-party cookies and ultimately optional, not integrally built into the software.

So the impact of ITP 2.2 may not be immediately earth-shattering in terms of more generalized website statistics, but it’s going to matter on levels no one can fully understand just yet. The problem with data analysis of this sort is that—even if only a relatively small percentage of it is skewed—if it’s skewed in significant ways, you can very easily learn the wrong things from it. If Safari’s cookie restrictions start making it look like you’re suddenly awash in new unique tablet users, when you’re in fact just getting tons of return visits from loyal fans with iPads, you can very easily shift your focus in site enhancements or marketing strategy in the wrong direction. And of course, the whole goal of analytics-based tracking is trying to ensure that you’re focused on the right things for the right reasons.

If there is any consolation in all this, however, it’s that everyone is dealing with the same issue together. Google Analytics and other cookie-driven web platforms will adjust, and many bright minds are already devising alternate methods for preserving more informative portions of responsibly collected user data. And on one hand, the cynic in me personally thinks that a lot of this may come down to sheer corporate sabotage on Apple’s part, since the fact that ITP 2.1 and 2.2 cut directly at the effectiveness of key Google and Facebook tracking platforms in major ways probably isn’t accidental. But if it forces major platforms into finding new ways to track users and websites that are less easily exploited by the nefarious vultures of the world, then maybe we all end up winning in the end.

If you’re concerned about the changes to digital advertising, the experts at Search Influence are here to help. We create regulation-compliant online ads and track their performance as well. Start a conversation today to learn more about how we can help your business grow.


Fortune Cookie

Giannis Dunking

Pacman Cookie