Apple’s WebKit team is out with another Intelligent Tracking Prevention (ITP) update for Safari 14, with several new surprise features that target potential tracking workarounds.
Since Apple’s major ITP update back in March 2020, Safari has blocked third-party cookies by default, preventing marketers and third-party companies from tracking users across a wide range of sites. In response, marketers used techniques such as ‘CNAME cloaking’ and ‘bounce tracking’ to circumvent this restriction, but it was announced that the latest update of Safari 14 will eliminate these loopholes.
If you thought the previous iterations of Apple’s ITP updates for Safari had pretty much demolished third-party cookies, you’d be right, but there are more holes to plug. The updates below apply broadly: not just to Safari 14 users, but also to all other browsers (including Chrome, Edge, et al.) for users running the latest version of iPadOS or iOS.
CNAME Cloaking & ITP’s Defense Against It
As more users adopted extensions that block third-party tracking, tracking providers introduced a new technique called Canonical Name (CNAME) cloaking. It misleads web browsers into believing that a request for a subdomain of the visited website originates from this particular website, while this subdomain uses a CNAME to resolve to a tracking-related third-party domain. This technique thus thwarts privacy protections aimed at third-party tracking.
CNAME Cloaking Defense will now cap the expiry of cookies set by a CNAME cloaked subresource to seven days, aligning with the expiry that ITP has already placed on script-writeable cookies.
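A simplified model of the check and the seven-day cap described above, as an added example (not WebKit’s code and not part of the original article). The hostnames, the DNS records and the two-label registrable-domain shortcut are constructed assumptions.

```javascript
// Constructed DNS data (not real records): hostname -> CNAME target.
const CNAME_RECORDS = new Map([
  ["metrics.shop.example", "shop-example.tracker-cdn.test"],
  ["shop-example.tracker-cdn.test", "edge.tracker-cdn.test"],
  ["static.shop.example", "assets.shop.example"],
]);
const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;

// Assumption: registrable domain = last two labels. Real code needs the
// Public Suffix List (e.g. for names under co.uk).
function registrableDomain(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Follow the CNAME chain for a host, stopping on loops or after maxHops.
function resolveCnameChain(host, records = CNAME_RECORDS, maxHops = 8) {
  const chain = [host.toLowerCase()];
  while (chain.length <= maxHops) {
    const next = records.get(chain[chain.length - 1]);
    if (!next || chain.includes(next)) break;
    chain.push(next);
  }
  return chain;
}

// A request is "CNAME cloaked" when its hostname is same-site with the page
// but its CNAME chain leaves the page's registrable domain.
function isCnameCloaked(pageHost, requestHost, records = CNAME_RECORDS) {
  const site = registrableDomain(pageHost);
  if (registrableDomain(requestHost) !== site) return false; // ordinary third party
  return resolveCnameChain(requestHost, records)
    .slice(1)
    .some((target) => registrableDomain(target) !== site);
}

// Expiry (ms since epoch) the browser would store for a cookie set in the
// HTTP response: capped at now + 7 days only when the response was cloaked.
function effectiveCookieExpiry(requestedExpiry, now, cloaked) {
  return cloaked ? Math.min(requestedExpiry, now + SEVEN_DAYS_MS) : requestedExpiry;
}
```

The same chain walk works as a site audit: run it over every first-party subdomain in a zone export to list the ones that hand requests to another party.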
What’s the potential impact to marketers?
At the most basic level, the impact is that cookies set via CNAME cloaking will now have a lifespan (seven days) that is significantly shorter than before (30 days, two years, etc.). This will lead to an increase of new users being reported in various analytics platforms, a decrease of attributed conversions reported (for instances where the conversion is more than seven days from the date of the cookie creation), and it will limit the efficacy of retargeting efforts. It is important to note that many of the major AdTech & Measurement cookie vendors are still using script-writeable cookies, meaning that there will be no expected changes in their performance due to this update. It is equally important to note that some major vendors, including Adobe and Criteo, have implemented CNAME cloaking on at least a number of occasions.
What should marketers expect next?
The consensus is that AdTech & Measurement vendors will push to migrate from CNAME records to A/AAAA records. It is also widely believed that ITP would have a hard time mitigating the use of A/AAAA records for third-party data collection, meaning this move could be a durable long-term solution. One of the biggest challenges of using A/AAAA records is that they require an IP address, which means that vendors would essentially need an endpoint with a static IP address and very high uptime. Any time the collection server’s IP address changes, the website operator would need to update the A/AAAA record (which can be problematic).
SameSite=Strict Cookie Jail for Bounce Trackers
Bounce tracking occurs when the user clicks on something (usually an ad), and is directed to [n] number of domains before landing on the destination website. For example: you click on a Facebook ad, you get directed to googleadservices.com, and then you immediately get redirected to the intended website. The purpose of bounce tracking is for the AdTech domain to store cookies in the user’s browser.
What’s the potential impact to marketers?
It’s important to note that bounce tracking mitigation has been a part of ITP since version 2.0 was released in June 2018, and that this update is an escalation of the bounce tracking classification to account for instances where the bounce domain is also likely to receive frequent user interaction. On a technical level, the cookie jail for bounce trackers rewrites the cookies from a bounce domain to SameSite=Strict, which means that they will not be sent in cross-site, first-party navigations or be used for simple redirect bounce tracking. The current implementation does not rewrite the cookies until the threshold of 10 unique bounce domains is detected (e.g. the user is directed through 10 unique domains before landing on the intended site). In most actual cases, however, tracking rarely ever reaches this threshold. While bounce tracking mitigation will most likely not have a significant impact on AdTech performance, it’s still important to be aware of.
What should marketers expect next?
It is reasonable to suspect that the threshold may be adjusted at some point in the future, depending on what Apple observes in the wild, but there is no indication currently on the roadmap of any upcoming planned changes.
Partitioned Ephemeral IndexedDB
IndexedDB is a form of browser storage, similar to cookies and local/sessionStorage. This update now allows partitioned (unique IndexedDB instance per first-party site) and ephemeral (in-memory-only) third-party IndexedDB in an effort to align with other browsers now that they are interested in storage partitioning as well.
What’s the potential impact to marketers?
There are very few, if any, AdTech or Measurement vendors that leverage IndexedDB for browser storage, thus marketers do not need to anticipate any meaningful impact or changes as a result of this update.
What should marketers expect next?
This update is to bring Safari into alignment with the other browser vendors and their views on partitioned browser storage. This is an evolving issue that can be monitored on the Privacy Community Group GitHub for storage partitioning.
Third-Party Cookie Blocking and Storage Access API In Private Browsing
This change implements full third-party cookie blocking in Safari Private Browsing. This is an escalation in the blocking of third-party cookies for users using private mode versus the third-party cookie blocking based on ITP classification.
What’s the potential impact to marketers?
It’s reasonable to expect decreased availability of AdTech & Measurement data (that depends on third-party cookies) in proportion to Safari’s private mode utilization. Suffice it to say that some negative impact to AdTech & Measurement can be expected due to this change.
What should marketers expect next?
There is currently no indication of what future updates related to private browsing in Safari will be.
Home Screen Web Application Domain Exempt From ITP
This update explicitly excludes the domains of web applications added to the user’s home screen from ITP classification.
What’s the potential impact to marketers?
Prior to this update, the ITP classification mechanisms already effectively exempted applications on the user’s home screen from ITP’s 7-day cap on all script-writeable storage. This update implements an explicit exception for the first-party domain of home screen web applications to make sure ITP always skips that domain in its website data removal algorithm. That said, no real impact to AdTech or Measurement is expected.
What should marketers expect next?
There is no indication of future planned ITP changes related to home screen applications, but this is subject to change depending on what Apple observes in the months ahead.