What has happened

Apple’s Safari Browser most recent update underpins a major change for analysts using Adobe Experience Cloud and Google Marketing Platform, setting up a totally different playing field.

Safari 12.1 (Released March 25, 2019) includes an updated version of Intelligent Tracking Prevention (ITP 2.1). With the new update, Apple aims to further reduce a company’s ability to track users across website visits.

Apple first introduced Intelligent Tracking Prevention v1.0 in September 2017. ITP is a Safari feature that was originally designed to reduce cross-site tracking by limiting the storage of 3rd-party cookies.

The ability to fetch resources such as images or scripts from different domains is one of the most powerful web features, commonly referred to as cross-origin or cross-site loading. However, the same feature also enables cross-site tracking of users using first or third party cookies, which could be a privacy concern.

With ITP 2.1, all cookies created client-side via JavaScript’s document.cookie method, whether first-party or third-party, are capped to a seven-day expiration. Cookies that are created server-side using the HTTP header are not impacted.

Why it Matters

To see the impact of this, let’s take an example: a user came to your website from a paid social campaign, read your content or interacted with your platform and left, without completing any goal, Before ITP 2.1, if the same user returned 8 days later and completed a goal, the whole journey could be visible and you could attribute the interactions to the paid campaign. Now, you won’t be able to track the user back to the original paid campaign. This will greatly alter campaign results for users who do not interact with your digital property more than once within a 7-days time frame.  

Effects in Adobe Experience Cloud and Google Marketing Platform

Google Analytics(GA) uses JavaScript to set their GAID cookie (which holds a user’s unique ID). So, ITP 2.1 greatly impacts GA user counts.

However, Adobe’s Experience Cloud Visitor ID (MID) cookies are not set via JavaScript, but instead, are sent to the client using an HTTP Header command. When Adobe’s Experience Cloud ID Service contacts Adobe’s server, the server responds with, “I received the call, and I’m responding with this success message as well as the MID in a cookie for the browser to save.” No JavaScript is involved in that server response. So, ITP 2.1 won’t affect Adobe’s Visitor counts. By the way, if you want to find your MID, it’s the AMCV_####@AdobeOrg cookie.

That said, if you manage multiple domains, you should be aware that Adobe’s Experience Cloud ID Service relies on a 3rd-party cookie to copy a visitor’s MID from one domain to the other, and Safari has been blocking 3rd party cookies since ITP 1.0. So, your visitor counts have been inflated in your global report suite since 2017. Instead of tracking one visitor across two domains, they appear as 1 unique visitor per domain, which is 2 visitors in your global report suite.

Also, many Adobe Analytics and GA implementations set cookies via JavaScript to save details to be sent in tracking calls later. For instance, you might save to a cookie the fact that this user has placed an order that is not yet fulfilled by shipping. When they return to start their next order you want to record that they are an “unfulfilled order user”. This might be several weeks later. Safari would have deleted your cookie so you would instead report that this is a “new purchaser”. Adobe has improved data collection capabilities so much over the past few years that reliance on cookies is minimal. These use cases are fairly rare now in Adobe implementations. So, you may have very few of these data points that will be ruined by ITP 2.1. Have your analytics engineer look over the logic of your variables.

If you do have variables that utilize cookies to save values for later tracking calls, the workaround is to have JavaScript save them into the browser’s LocalStorage instead of cookies. This is an easy change for your analytics engineer. The only caveat to this solution is that it does not work across multiple domains. So, if your site in on a single domain, this is indeed a silver bullet.

What is the impact of the change and what data is affected the most

The new changes affect to some extent all Adobe marketing and analytics-related products, but the impact is different for each tool.

One of the most common irregularities is the increased number of unique visitors coming from Safari browsers since the expiration window got reduced to seven days.

For example, for Audience Manager, customers that usually have high volumes of Safari traffic and high authentification rates may experience an increase in KPIs such as Total Devices and Average Number of Devices in the Profile Merge Rule. The impact will also extend to the Profile Link device graph, potentially leading to skewed device clusters. Since anonymous Safari web data will only be available for 7 days from the user’s last visit, the amount of historical data available for a single device at the time of segmentation will also take a hit, Adobe states.

For Adobe Target, visitor profiles may have a decreased lookback period during decisioning. The implementations that leverage Adobe Target’s libraries such as mbox.js, at.js 1.x or at.js 2.x will also be affected.

Advertising campaigns are also likely to take a major hit. If a user does not revisit the site within 7 days since its last visit (in order to refresh the cookie), even if it will come back later, it cannot be attributed to the advertising campaign.

Around 20% of the total web traffic occurs on Safari, according to Adobe’s customer base. For mobile, the numbers are even higher: around 50% of mobile browser data collection is Safari-based.

It is important for analysts to know where their traffic is coming from because until other browsers follow Apple’s footsteps with data privacy, Safari data will be the most affected by these changes.

It is also important to know what kind of traffic you have. This change will not equally affect all types of traffic, even for Safari. Since the cookies are capped to 7 days, if a user comes back to your website within that time frame, the cookie will renew. However, as Adobe pointed out, seasonal traffic, such as tax services or holiday retail, will be more affected by the change since the time period between two sessions for the same user is usually significantly greater than 7 days. For businesses where customers tend to return frequently within a 7-day-range, the impact will be mitigated significantly.

For Adobe Analytics users, it is important to note that the implementations that use a first-party CNAME in the first party context and don’t use visitor ID service will not be affected. If you use a custom visitor ID — This will depend on how your store your visitor ID. If you store your ID in a first party “client-side” cookie then you will be subject to the 7-day expiration. If you use other means to store your custom ID then you will need to evaluate if you are affected.

Adobe Launch users will largely not be affected by the changes, since the tool relies on local storage for persistence, rather than cookies.

When it comes to Google Analytics, the impact is even higher than for Adobe products.

Before ITP 2.1, first-party cookies were not in the crossfire and were generally ignored by browser updates. This meant that Google Analytics, a tool which is largely using first-party cookies, was unaffected. WIth ITP 2.1 targeting client-side JS cookies, Google Analytics will also find its cookies capped to a 7 days expiry, down from a life-span of almost 2 years.

Same as Adobe, only the portion of users coming from Safari browsers will be affected by the change.

Analysts that use Google Analytics will see a spike in new users metrics. Every user that will come back to the website outside a 7-days window will be marked as a new user. This means that any reports that focus on the early stages of the customer’s journey will be affected.

Ways to reduce the impact of ITP 2.1

Remember that only first-party cookies created via document.cookie are affected by the changes. There is still the option to generate cookies via Adobe’s CNAME.

The Adobe Managed Certificate program lets you implement a new first-party certificate for first-party cookies at no additional cost. Today, Adobe has several CNAME services by solution but the company announced that they’ll be looking to leverage the Analytics certification program in short-term.

Any current Analytics customer with a CNAME setup that is also using Experience Cloud ID Services for visitor identification will be able to take advantage of a future ECID library update. This change will allow CNAME certified tracking servers to maintain ECID and be used as reference for visitor identification. Exact details are still being tested and more information to follow in an upcoming version of the ECID library, according to Adobe.

About the author

Sebastian Stan

Sebastian is a journalist and digital strategist with years of experience in the news industry, social media, content creation and management, and digital analytics.

eBook: Understand Your Customers

Cognetik eBook: Guide to User Journey Analysis


Related Articles