In a recent blog post, Safari announced it is blocking all third-party cookies by default. That means users won’t have to specify they don’t want to be tracked by advertisers. Safari will conceal their identity regardless.
It also means that advertisers will have to find other ways to measure user behavior and deliver personalized ads. For that, Apple has proposed a few solutions, but it’s clear from the announcement: The move to block third-party cookies is for users.
What are tracking cookies?
Cookies are files that store information about a website visitor in the browser they’re using. When collected and distributed across sites and tools, cookies can enable all kinds of marketing activities, like ad delivery, analytics, login functions, and more. The two most common types of cookies are first- and third-party cookies:
- First-party cookies refer to information stored by the domain the user is visiting. First-party cookies can include information about the user’s language settings, on-site behavior, shopping preferences, login information, and more.
- Third-party tracking cookies are similar to first-party cookies, but they’re created by a different domain than the one the user is visiting. They enable user information to be passed between software, as seen in the use of retargeting, for example.
- Second-party cookies, less common than first- and third-party, are a bit like a hybrid of the two. They’re generated like first-party cookies, but the owner doesn’t keep them for first-person use. Instead, they’re shared among partners in some form of regulated data exchange. In this way, they’re not quite as secure as first-party, but also not quite as unregulated as third-party.
Why has Safari blocked all third-party cookies?
While Microsoft’s Edge browser has already begun blocking third-party cookies, and Google Chrome has committed to blocking them fully by 2022, Safari is the first mainstream browser to block all third-party cookies by default. The move is an update to Safari’s “Intelligent Tracking Prevention” (ITP) which began in 2017.
Though the announcement sounds major, it’s the result of many gradual steps over the last few years, says John Wilander, the Apple Webkit engineer behind ITP:
It might seem like a bigger change than it is. But we’ve added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari.
So why the gradual steps to such a drastic result? Third-party cookies have been crucial to the formation of the digital advertising ecosystem. Advertisers, publishers, and technology companies rely on them to monetize users.
Well, more so than the digital ad industry, Apple is concerned about the privacy of its users. Since third-party cookies are notoriously difficult to secure, the ITP has moved to block them all by default. Wilander calls this “a significant improvement for privacy” because it removes all cross-site tracking across the board. No exceptions.
According to Wilander, the three major benefits of this move are:
1. Blazes a trail for other browsers
A few other browsers, like Tor and Brave, have made third-party cookie blocking a priority. But neither have the user base Safari does. With 12.3% of the web’s traffic, Safari will have a good portion of data to contribute on the effect of third-party blocking to others looking to follow suit:
And they intend to share it, says Wilander in the announcement: “We will report on our experiences of full third-party cookie blocking to the privacy groups in W3C to help other browsers take the leap.”
2. Disables login fingerprinting
Login fingerprinting is the process through which a website can detect accounts that you are logged into, without your knowledge. When third-party cookies are enabled, this can happen in any browser. Some browsers do not take necessary precautions (partitioning, blocking) to ensure this data is safe, allowing “cross-site leakage of user information,” says Wilander. And even in a secure browser, no data is ever 100% safe.
3. Removes statefulness from cookie blocking
Full third-party cookie blocking removes statefulness in cookie blocking. As discussed in our December 2019 blog post, the internal state of tracking prevention could be turned into a tracking vector. Full third-party cookie blocking makes sure no ITP state can be detected through cookie blocking behavior. We’d like to again thank Google for initiating this analysis through their report.
Some additional benefits to third-party cookie blocking
Outside of those three major benefits, Wilander notes a few others that come as a result of blocking third-party cookies by default.
- Disables cross-site request forgery attacks against websites through third-party requests. Note that you still need to protect against forged requests that come in through top frame navigations (see SameSite cookies for guidance).
- Removes the ability to use an auxiliary third-party domain to identify users. Such a setup could otherwise persist IDs even when users delete website data for the first party.
- Simplifies things for developers. Now it’s as easy as possible: If you need cookie access as third-party, use the Storage Access API.
Compromising with advertisers
Though Apple has prioritized user privacy, they’ve also been trying not to completely shut advertisers out. In 2019, Wilander specifically opposed the idea of an “ad-free” web, and instead suggested that there was a way to appease both advertisers and users:
The combination of third-party web tracking and ad campaign measurement has led many to conflate web privacy with a web free of advertisements. We think that’s a misunderstanding. Online ads and measurement of their effectiveness do not require Site A, where you clicked an ad, to learn that you purchased something on Site B. The only data needed for measurement is that someone who clicked an ad on Site A made a purchase on Site B.
With this idea, the company created a technology called Privacy Preserving Ad Click Attribution (PPACA). Where current attribution platforms require communication via third-party cookies, Apple’s version does not. Instead, its attribution is measured in the browser. This way, information is not spread out among multiple domains. PPACA has three steps:
- Store ad clicks. This is done by the page hosting the ad at the time of an ad click:
- Match conversions against stored ad clicks. This is done on the website the ad navigated to as a result of the click. Conversions do not have to happen right after a click and do not have to happen on the specific landing page, just the same website:
- Send out ad click attribution data. This is done by the browser after a conversion matches an ad click:
Though Privacy Preserving Ad Click Attribution is a step in the right direction, it’s easy to see why advertisers would find this solution to be insufficient. Matching conversions to ad clicks with the above restrictions would mean sacrificing valuable campaign information.
For example, advertisers need to know when a conversion happens after the click because this will affect retargeting campaigns. Since Apple’s attribution reports are purposely delayed between 24 and 48 hours, it will be impossible to know when the purchase was made. On top of that, clicks are only stored for 7 days. So it seems that if your audience clicks an ad but does not convert in that 7-day window, their attribution data is lost.
Additionally, if you measure conversions, it’s highly important to know which post-click landing page they’re happening on. This is the basis for conversion optimization. To know how to improve your post-click landing page, you need to know where the conversion happened. Each landing page should be personalized to a specific audience, just like the ad. But if your attribution reports are randomized, it makes the process of personalization impossible.
Of course, when you prioritize user privacy, a degree of personalization is certain to take a hit. Whether advertisers are willing to compromise remains to be seen.
Personalize your campaigns with UTM parameters
You don’t have to rely solely on data from third parties to personalize your advertising. With Instapage, create a unique post-click landing page for each audience with the help of UTM parameters. Enter unique targeting details, attach them to unique pages and ads, and discover how different segments react to each experience.
See UTM parameters and more in action by scheduling an Enterprise demo.
See the Instapage Enterprise Plan in Action.
Demo includes AdMap™, Personalization, AMP,
Global Blocks, heatmaps & more.