Apple didn’t just take away a few cookies; they changed how measurement works across the web. With iOS 17 and Safari 17, tracking gaps began appearing in places teams had relied on for years. As more clients ask us about attribution issues and unexpected analytics drops, we’ve been digging deeply into what’s happening under the hood and how to build more resilient data setups moving forward.
This guide walks through what changed, why traditional tracking breaks under ITP, and the practical steps organizations can take to modernize their analytics approach.
These shifts affect nearly every brand, but they hit ecommerce, subscription models, and long-cycle B2B funnels the hardest.
What Apple’s Intelligent Tracking Prevention Actually Does
ITP launched in 2017 to reduce cross-site tracking. Early versions mainly targeted third-party cookies. Newer versions go further in inspecting how scripts set identifiers, how domains interact, and how long browsers should keep data.
In effect:
Third-party cookies are severely limited.
JavaScript-set first-party cookies often expire after 7 days.
If Safari sees ad click IDs (gclid, fbclid), the cookie's lifespan may shrink to ~24 hours.
Scripts from known tracking domains can be throttled or blocked entirely.
For teams relying on remarketing, personalization, or multi-step funnels, sessions can “break apart” in ways that feel random. Users aren’t leaving—you’re just losing the ability to recognize them.
First-Party vs Third-Party Cookies (Plain Explanation)
First-party cookies
Set on the site a user is visiting (e.g., yourstore.com)
Used for logins, carts, preferences, and session continuity
Third-party cookies
Set by another domain’s script (e.g., Facebook Pixel setting facebook.com cookies)
Historically used for cross-site targeting.
ITP initially targeted third-party cookies, but now limits many first-party cookies as well, especially those set via document.cookie.
iOS 17 / Safari 17: The Update That Changed the Rules Again
Safari 17 introduced several updates that made ITP far more impactful.
1. CNAME Cloaking Detection
Some marketing tools previously masked third-party scripts behind first-party subdomains, like: tracker.vendor.com → analytics.yoursite.com
Safari now identifies these and treats them like third-party trackers. Cookie life returns to 7 days—or 24 hours if a click ID is present.
2. Stripping Ad Click Identifiers
Safari removes parameters such as:
gclid (Google Ads)
fbclid (Meta)
This breaks the link between ads and on-site sessions.
3. Query Parameters Trigger Cookie Decay
When Safari sees a click ID in the URL, all JavaScript-set cookies may expire within 24 hours:
Anonymous IDs (e.g., Segment’s ajs_anonymous_id)
JS-based login/session cookies
Analytics identifiers
This can make returning users appear brand-new.
4. Advanced Tracking Protection
Safari’s new setting, “Use Advanced tracking and fingerprinting protection,” is:
Automatically enabled in Private Browsing
Optional (but increasingly adopted) in all browsing modes
When this setting is enabled, Safari may block scripts from domains like:
googletagmanager.com
google-analytics.com
cdn.segment.com
cdn.amplitude.com
This clarification keeps things accurate without overstating the impact.
How These Changes Affect Tracking and Attribution
Teams encountering ITP shifts often notice:
Returning users appearing as new
Long sales cycles losing visibility
Remarketing lists shrinking
Attribution skewing toward last-click
Sessions losing continuity
Some traffic showing up with no tracking at all
A quick real-world example: A retailer running Meta ads may see a 20–30% jump in “new users” on Safari, even though returning visits haven’t changed. It’s simply the browser wiping identifiers before the shopper returns.
This isn’t a minor analytics nuisance — it forces a rethink of the underlying data architecture.
What Works Now: Practical Fixes We’re Implementing for Clients
Below are approaches organizations can adopt to improve stability under ITP. These are emerging best practices the industry is moving toward, not legacy solutions.
1. Strengthen First-Party Identity
Move beyond cookies when possible.
Useful identifiers include:
Email at signup
Account login
Loyalty IDs
Checkout or app accounts
These help analytics and CDPs recognize users over longer periods.
2. Adopt Server-Side Tagging
Instead of relying solely on browser scripts, route tracking through your own server or a first-party proxy.
Benefits:
Stabilized conversion tracking
Better attribution
More resilient ad signals
Less reliance on client-side scripts
GTM server-side is the most common entry point.
3. Use Server-Set Cookies
Server-written cookies aren’t subject to the same JavaScript-based expiration rules.
They still expire eventually, but Safari treats them far more leniently than anything set through document.cookie.
4. Use Reverse ETL to Strengthen Ad Platforms
If Safari won’t reliably pass tracking forward, send clean first-party data backward into platforms like:
Meta
Google Ads
Braze
HubSpot
Klaviyo
This improves match rates, audience stability, and conversion attribution.
5. Reduce Dependence on Client-Side Tag Managers
Continue using GTM, but avoid putting all tracking logic there.
For critical events:
Trigger server-side events
Send direct API calls
Provide a backend fallback path
This ensures continuity when client-side scripts fail to load.
6. Build Stronger Owned Channels
Email, SMS, and push notifications bypass browser limitations entirely.
Owned channels:
Maintain persistent identifiers
Drive higher engagement
Strengthen audience relationships
Reduce reliance on trackers that may break
Key Takeaways
Apple’s privacy updates aren’t going away. From shorter cookie lifetimes to blocked scripts, traditional tracking methods are becoming less reliable each year.
The upside: Modern architectures built on first-party identity, server-side tagging, resilient data pipelines, and owned channels are stronger long-term solutions anyway.
If your team is trying to understand how ITP affects your setup, or what a future-proof measurement plan should look like, we’re here to help map out the next steps.
Bring us the challenge. We’ll help you solve it together.
