Advanced Tracking and Fingerprint Protection in iOS17: What It Means For Marketers and Advertisers

Estimated Reading Time: 10 minutes
June 28, 2023
Advanced Tracking and Fingerprint Protection in iOS17: What It Means For Marketers and Advertisers

While many marketers are focused on Chrome’s planned sunset of support for third-party cookies scheduled for the second half of 2024, several other technology changes related to privacy are having an impact on marketers’ and advertisers’ ability to measure the effectiveness of campaigns. At the forefront of these protections is Apple. 

Apple’s Safari browser first began blocking third-party cookies in 2019 with their ITP 2.1 update. Further ITP updates limited session durations for first-party cookies when traffic comes from known tracking domains and striped link decoration, such as tracking parameters, under similar scenarios. In addition, App Tracking Transparency updates in iOS14 forced explicit consent for cross-app tracking. All of these updates are meant to limit advertising technology’s ability to track individual users across multiple websites and applications. Apple will be taking these protections one step further in fall 2023 with Advanced Tracking and Fingerprint Protection in iOS17. 

Advanced Tracking and Fingerprint Protection for iOS17 and macOS Sonoma, expected to be released fully in September 2023, detects user-identifiable tracking parameters in link URLs and removes them. The feature is automatically applied for any links opened with Safari in Private Browsing Mode, as well as links clicked from the Mail and Messages apps. The feature can be turned on for all links in Safari (even without Private Browsing Mode) via a user toggle option in Settings. In testing, tracking parameters for many common tracking technologies, including automatic tracking parameters (gclid and dclid) in Google Ads and click IDs for Facebook/Meta, are removed. 

The impetus for the removal of tracking parameters is to protect the actions of individual users from being associated across websites. As many technologies will include a user ID in tracking parameters, this makes sense. The challenge for marketers and advertisers is that tracking parameters are also used to associate conversions with the campaigns responsible for bringing a particular consumer to a website. With the removal of all common tracking parameters, this measurement ability is removed. 

What is the magnitude of potential impact for measurement use cases? 

As of May 2023, global adoption of Safari is estimated to be approximate 21 percent of all web users (27.67 percent of mobile traffic and 12.85 percent of desktop traffic). This is significantly higher in the United States with Safari representing around 34 percent of all web users (56.88 percent of mobile traffic and 24.59 percent of desktop traffic). According to a study conducted by DuckDuckGo in 2017, 46 percent of Americans had used Private Browsing at least once, with 32 percent of those users using it daily. Younger users (Zoomers and Millennials) were found to be much more likely to use the feature. It is reasonable to assume that these usage figures have increased since then. Considering this, it can be estimated that as much as 5-15 percent of site traffic will be impacted by the iOS17 updates, representing a fairly significant risk to campaign tracking. 

Beyond general web usage figures, the updates to remove link tracking parameters for links clicked from the Mail app represent a significant risk to one of the marketing channels not significantly impacted to date (at least for campaign attribution), email marketing. 

In September 2021, Apple introduced Mail Privacy Protection which blocked tracking within the Mail email client for things like open rates, open times, geolocation, and device usage. The iOS17 updates will remove user tracking parameters for links clicked from the Mail application as well, presenting a risk to campaign attribution within popular email marketing platforms such as Mailchimp. Current market share for the Apple Mail email client with MPP applied is estimated at more than 56 percent..  

So what can marketers and advertisers do? Is this the beginning of the end for campaign tracking? 

Not at all! This update is just a further push to the direction of aggregate and true privacy preserving measurement. Let’s examine some of the tactics still available for marketers to effectively measure campaign performance and approach attribution. 

Aggregate campaign-level attribution 

It’s first important for marketers to accept that the granular user-level tracking and attribution of the past is coming to an end. The deprecation of third-party cookie support has begun this shift but common work-arounds such as user identifiers in link decoration are actively being combated as well. It will become critical for analysis to focus on campaign-level and aggregate attribution to make optimization decisions.

While this shift will result in more complexity to get to deeper insights such as which audiences are performing best, or which creative is optimal for a particular user segment, these insights are not impossible. New measurement solutions being introduced in Safari and Chrome allow for campaigns to be defined, passed in URL links, and associated with conversions. Custom campaign tracking leveraging these campaign IDs and using them as a key value to integrate data across platforms can help create the dataset necessary for critical insights used for optimization. Putting this into practice is no small task, organizations will need to standardize campaign taxonomies and aggregating data from activation platforms (information such as audiences applied to a campaign, creative performance within a campaign), as well as from first-party analytics (information such as which campaigns are converting and driving behaviors on the site). 

Safari Private Click Measurement API 

In 2021, Safari introduced a feature called Private Click Measurement (PCM) which supports aggregate level campaign attribution. While it is still being discussed and worked through as a broader web standard, it is available for adtech and martech platforms to utilize and with the iOS17 updates likely to be leveraged much more widely.

PCM allows for an 8-bit identifier on the click source side along with a 4-bit identifier on the conversion side to be captured in the browser to associate a campaign click on one website (where the user clicks on an ad) with a conversion event on the advertiser’s website (where a product is purchased, form submitted, etc). With this, up to 256 parallel ad campaigns can be measured and up to 16 different conversion events can be distinguished per website or app. 

It works by capturing the click source identifier, along with the source website, and associating that with the conversion event identifier on the website where the attribution event occurs. Aggregate attribution reports are then available to access to understand campaign effectiveness and optimize accordingly. There are some limitations, with stored clicks valid for just seven days so attribution is limited to a seven-day lookback window for attribution but with first-party cookie duration restriction on Safari this is the defacto standard already. 

Chrome Attribution Reporting API

Chrome’s Privacy Sandbox initiative is introducing a similar measurement method with their Attribution Reporting API. While the Attribution Reporting API provides protections against cross-site identification of a particular user, it allows for more campaigns (and thus campaign information), more conversion events, as well as both summary and event-level reporting. 

Similar to Safari’s PCM, Chrome’s Attribution API captures a 64-bit source event ID on the ad side (allowing for detailed ad and campaign information for a click or a view) along with limited conversion data on the destination site side to associate the two together for attribution reporting. On the conversion side, it is limited to three bits for clicks (eight conversion events) and one bit for views (two conversion events). 

Reporting is then available in summary reports and event-level reports. Summary reports provide detailed campaign information along with aggregate conversion counts associated with the campaign, as well as more detailed conversion information associated with the conversion event. These reports can be used for ads measurement (campaign ROI), as well as to gain insight into aggregate user demographics and unique reaches for content. Event-level reporting provides detailed campaign information for specific click events along with coarse conversion data. These can help use cases such as optimization (improving ROI), coarse conversion reporting, and fraud detection. 

Custom campaign tracking parameters

Traditionally, organizations have relied upon out-of-the-box campaign parameter standards from the analytics and media platforms in use.Things like dclid for Google Display Network, gclid for Google Ads, fbclid for Meta, etc. These common tracking approaches are identified and removed in the protection conditions for iOS17, making them ineffective for campaign measurement. Instead, marketers will need to define and utilize their own custom tracking parameters to pass campaign-level identifiers. Make sure to not try and “beat the system” with user IDs included as these will be identified and removed as well! 

With custom tracking parameters specific to your organization, these campaign IDs can then be mapped to the data model on your site and then passed to analytics platforms as required. An effective method to manage the mapping would be through a collection method such as Server-Side Tag Management. These first-party defined and owned data models will become very important in a privacy-centric marketing environment.

Aggregate first-party owned measurement and attribution

Taking many of these approaches one step further, a first-party owned and controlled measurement architecture is the only true way to maintain comprehensive reporting for measurement and optimization. With the fragmentation of reporting approaches across browsers and varying support from different adtech platforms, organizations need to take control of their data—both data collected from their own websites as well as data generated from their activities in activation platforms (they are your campaigns using your budget after all!).

To accomplish this, it begins with standardization of campaign taxonomies across all platforms in use. From there, create your own custom tracking parameters to pass campaign IDs in clicks on destination URLs. On your own website, create a first-party data model with all necessary content and interaction data to be collected via server-side tag management to a first-party-owned collection endpoint. With this approach you can then distribute necessary data to third-party platforms in use for defined use cases, as well as maintain a first-party-owned marketing data warehouse. 

Within the first-party-owned marketing data warehouse, an organization is able to maintain both the behavioral data from their website and also ingest campaign information from advertising platforms in use for campaign execution. Using the standardized campaign IDs as a key value for integration, custom campaign reporting and attribution can then be accomplished. 

With the shifting technology landscape, this is the only architecture that can allow for reliable control and agility to accomplish analytics use cases moving forward. 

While it is becoming increasingly challenging to maintain reporting necessary to make advertising optimization decisions, it is not impossible. Apple’s Advanced Tracking and Fingerprint Protection in iOS17 and macOS Sonoma is just another step in the direction of a new era of the web with privacy being a central focus for consumers. Starting today, take the necessary steps to modify both measurement strategies and architectures and put your organization in a privileged position to capture a competitive advantage.

Ready to get started with a privacy-centric first-party-owned data architecture?

Contact us today to begin the journey.

Authors

  • Lucas Long

    Lucas Long is co-author of the Amazon best-selling book, Crawl, Walk, Run: Becoming a Privacy-Centric Marketing Organization. He is also the Director of Privacy Strategy at InfoTrust, working with global organizations at the intersection of digital strategy, privacy regulations, and technical data collection architecture. Through these efforts, Lucas helps companies understand their limitations for data enablement due to privacy challenges and design optimal ways to accomplish core use cases in a compliant manner.

    When not discussing the intricacies of GDPR and cookie laws with clients, Lucas enjoys traveling and exploring new cultures, one bite at a time. Based in Barcelona, he is also a presenter, featured at industry events organized by Google, the Digital Analytics Association, the American Marketing Association, and the Journal of Applied Marketing Analytics.

    View all posts
  • Tom Lundin

    Tom Lundin is a product manager at InfoTrust. In his daily work, he seeks to leverage more than 15 years of experience in digital analytics and strategy to guide the development of innovative and valuable products which address the adtech challenges faced by some of the largest companies in the world. In his free time, you'll likely find him on a gravel bike, getting up to hijinks with his family, or both.

    View all posts
Last Updated: August 23, 2023

Get Your Assessment

Thank you! We will be in touch with your results soon.
{{ field.placeholder }}
{{ option.name }}

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.

  • This field is for validation purposes and should be left unchanged.