Webkit

Safari 12.1 will include an updated version of Intelligent Tracking Prevention (ITP), dubbed “ITP 2.1”. In August 2018 we wrote about how to “Defeat ITP 2.0 with GTM and conversion linker sitewide tagging”. ITP 2.1 complicates this matter. Here are some important takeaways.

Only cookies created through document.cookie are impacted

Cookies can be set in server HTTP responses (“server-side” cookies) or through JavaScript in the browser using the document.cookie API (“client-side” cookies). With ITP 2.1, for users with Safari browsers, all persistent client-side cookies are capped to a seven (7) day expiration.

Server-side login authentication cookies, which are Secure and HttpOnly, will not be impacted.
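The rule above can be turned into a small audit helper. This is an added example, not WebKit's or Google's code: the function names, the `source` labels and the sample cookie strings are assumptions made up for illustration, and the helper only models the seven-day cap as this article describes it.

```javascript
// Model of the seven-day cap described above (added example, not WebKit code).
const DAY_MS = 24 * 60 * 60 * 1000;
const ITP_CAP_MS = 7 * DAY_MS;

// Parse "name=value; attr=value; flag", the shape used both for
// document.cookie assignments and for Set-Cookie response headers.
function parseCookie(str) {
  const [pair, ...rest] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Requested lifetime in ms measured from `now`, or null for a session cookie.
// Max-Age takes precedence over Expires (RFC 6265).
function requestedLifetimeMs(cookie, now) {
  const maxAge = cookie.attrs['max-age'];
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) return Number(maxAge) * 1000;
  if (typeof cookie.attrs.expires === 'string') {
    const t = Date.parse(cookie.attrs.expires);
    if (!Number.isNaN(t)) return t - now;
  }
  return null;
}

// source: 'document.cookie' (client-side) or 'set-cookie' (HTTP response).
// Only persistent client-side cookies asking for more than 7 days are capped.
function auditCookie(str, source, now = Date.now()) {
  const cookie = parseCookie(str);
  const requested = requestedLifetimeMs(cookie, now);
  const capped = source === 'document.cookie' && requested !== null && requested > ITP_CAP_MS;
  const effective = capped ? ITP_CAP_MS : requested;
  const days = (ms) => (ms === null ? null : ms / DAY_MS);
  return { name: cookie.name, requestedDays: days(requested), effectiveDays: days(effective), capped };
}

// Constructed sample inputs: a long-lived script-set cookie and a login cookie.
console.log(auditCookie('_ga=GA1.2.111.222; max-age=63072000; path=/', 'document.cookie'));
console.log(auditCookie('session=abc123; Max-Age=2592000; Secure; HttpOnly', 'set-cookie'));
```

Feeding it the cookie strings a site's scripts write shows which identifiers will be truncated under ITP 2.1 and which, being set in HTTP responses, keep their requested lifetime.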

First-party cookies restricted too

This covers all first-party cookies set by in-line (or tag management solution injected) vendor JavaScript libraries like Google Analytics’ analytics.js, which means the Google Analytics _ga cookie will expire in 7 days (absent a return visit resetting the 7-day countdown). That’s a big hit on Google Analytics data quality (compared to the default 2-year expiration for the _ga cookie), and it disrupts the Google Signals effort to report “user” behavior across sessions and devices for users browsing with Safari.

It may make sense to use the Storage Access API (don’t forget GDPR compliance considerations) with Safari browsers to store the Google Analytics Client ID for a new user, and alter the pageview and event hitType payloads to send the stored Client ID going forward. Otherwise, after the 7-day expiration, a new Client ID created by analytics.js will be sent (i.e., Google Analytics will no longer see the activity as associated with the same user).

Note about localStorage: it is tied to the individual subdomain, unlike cookies, which can be set on the root domain. So the local storage on a.domain.com is NOT accessible on b.domain.com.

What does this mean for my GDPR notices?

Oddly, ITP 2.1 collides a bit with GDPR. Clicking notices to accept a digital property’s GDPR posture will have to happen more often. Users with Safari browsers will see those notices at least once every 7 days (again, absent a return visit resetting the 7-day countdown).

The end of Safari Do Not Track (DNT)

ITP 2.1 intersects with Safari sunsetting support for the Do Not Track (DNT) signal. Why? This project did not offer enforcement of this setting (i.e., websites could ignore it), and tracking techniques have become even more insidious in spite of it.

Also, per “How the tragic death of Do Not Track ruined the web for everyone”, some ad networks examine all of a browser’s characteristics, including how it executes JavaScript, to create a unique “fingerprint” that can be used to identify a user. See for yourself using the research tool at Am I Unique?. DNT doesn’t prevent this – so Apple didn’t want users thinking otherwise by continuing to support DNT.


Related reading:

March 7, 2019, Mozilla Firefox developer group thread titled “Intent to implement: Limit the maximum life-time of cookies set through document.cookie to seven days”.

PageFair’s 2017 Ad Block report noted that 11% of all internet users use an ad blocker, up 30% year over year.

Guide to browser fingerprinting.

ITP 2.1 introduces new tracking challenges