This is the HTML version of the PDF Whitepaper written by Tune.
It’s time to face the facts: Client-side tracking is dead, and the third-party cookie died with it.
The September 2018 launch of the Intelligent Tracking Prevention 2.0 (ITP) update for Safari was the latest in a series of updates by Apple, Google, and Mozilla that are killing traditional web-based tracking. But here’s the kicker:
ITP 2.0 is only the tip of the iceberg. In August, Mozilla announced plans to release ITP-like features for Firefox in the coming months; the first were launched less than 30 days later. Meanwhile Google, the search giant with a
parent company reliant on advertising for 88% of its sales, began to block its own ads in Chrome to demonstrate a commitment to user experiences that users want to experience. Then there’s the General Data Protection
Regulation, which has yet to hit the one-year mark but is already hitting sites where it hurts — in the cookies.
What all of that tells us is this: user privacy and security is more top-of-mind than ever before. As a result, a seismic shift is coming in the way internet browsers approach cross-site tracking and data collection. And it’s shaking the foundations on which digital advertising stands.
But don’t panic yet.
At TUNE, our history of mobile and web tracking innovation has equipped us with tools to solve the challenges presented above. This guide is designed to equip digital advertisers with the knowledge to do the same. In the
following pages, we’ll break down the implications of ITP 2.0 for online marketers. We’ll walk through the immediate steps you can take to mitigate any negative impacts on your business. And finally, we’ll reveal how advertisers and their partners can future-proof their tracking today to prepare for the digital advertising of tomorrow.
ANTI-TRACKING: COMING TO A BROWSER NEAR YOU
It’s that simple. Safari, Firefox, and Chrome are all embracing anti-tracking when it comes to user privacy and data security on the internet. For full details on recent announcements and updates, see the following posts:
- Firefox: January 2018 – Mozilla releases broader tracker blocking
- Chrome: February 2018 – Google blocks disruptive ad repeat offenders
- Safari: June 2018 – Apple unveils ITP 2.0
- Chrome: July 2018 – Google increases focus on securing domains
- Firefox: August 2018 – Mozilla rethinks tracker blocking
- Firefox: October 2018 – Mozilla releases Enhanced Tracking Protection
(To be clear, these changes relate to web-to-web advertising and cookie-based tracking. Traffic that goes web-to-app or app-to-app is not affected due to differences in tracking methodologies. More on that later.)
Apple’s ITP 2.0 began to roll out to users on iOS 12 and MacOS Mojave in late September, and builds on the anti-tracking features of the previous version. Many of these features appear designed to target social sharing widgets, such as the “like” and “+1” buttons that can furtively track users across the internet. But that hasn’t stopped performance marketing from getting caught in the crossfire.
In October 2018, Safari represented 18% of all web traffic worldwide; but in the U.S., the browser grabbed over 50% market share on mobile every month during the past year. So while ITP 2.0 makes Safari one of the most
secure places to browse the internet, it also makes Safari a nightmare for advertisers who use traditional online tracking methods to measure their campaigns. ITP does this by interfering in three areas vital to client-side tracking
Impact Area #1: Domains
In Safari, every domain is dynamically classified by a machine learning algorithm. The algorithm is designed to sniff out “trackers,” or websites with tracking abilities, and classify them separately from websites that provide content. It’s important to note that a website does not need to be a tracking domain to be classified as a tracker; it simply needs to demonstrate an ability to track cross-site. To classify domains, ITP looks for behaviors demonstrated by two types of trackers:
First-party bounce trackers.
ITP detects when a domain is used solely for redirect tracking, and never as a third-party content provider.
Colluding cross-site trackers.
When ITP classifies a domain as a first-party bounce tracker, ITP also detects and classifies all domains involved in its redirect chain.
It’s also important to note that there is no whitelist or blacklist built into Safari; each device builds its own tracking
prevention list based on the individual user’s web usage.
Impact Area #2: Cookies
We’ll say it again: The third-party cookie is dead — on Safari, at least. When ITP classifies a domain as a tracker, it checks to see if the user has interacted with the domain in the last 30 days. If not, Safari immediately purges the website’s data and cookies, and prevents new cookies from being stored.
To persist cookie data, Apple requires three things:
- The cookie must be from a first-party domain.
- The first-party domain must have user interaction. (Apple defines a user interaction as a tap,
click, or form entry.)
- The first-party domain must receive repeat user interaction.
When a website meets all three requirements above, cookies will be persisted, but only for 30 days after the user’s
last interaction. If 30 days pass and there is no new user interaction, all data and cookies are purged, and new
cookies are blocked until the requirements above are met again.
Impact Area #3: Referrer Data
For domains that are classified as trackers and do not receive user interaction, ITP truncates the referrer URL to the domain name only, dropping the rest of the URL path. For example, if a user visits www.advertiser.com/writing-products/books/ad-copy-101.html and that page loads a resource from a tracking domain, the request for that resource will appear to come from www.advertiser.com instead of the full URL. This prevents trackers from accessing any user information contained in the URL path that may have required cookie access to obtain. In addition, this behavior makes it impossible for most tracking domains to store and recall cookies on Safari, and also makes it impossible to obtain user interest information from referrer URLs.
What Does This All Add Up To?
In essence: Unsecured, client-side session tracking is dead. This is the current reality on all updated Safari browsers, and on updated Firefox browsers where users have opted in to third-party cookie blocking.
In the end, these changes will lead to improvements in the user experience of performance advertising, and will ultimately prove beneficial for all parties involved. But right now, these changes mean a revolution in tracking and reporting methodologies — one that won’t be easy for some in the digital advertising industry to adjust to. So we’re here to help.
Next Steps for Digital Advertisers
What ITP 2.0 means for you today: If you use client-side (pixel-based) tracking on Safari, your tracking cookies will be blocked, unless you are using a subdomain of your site’s primary domain to track. For example: If your primary domain is advertiser.com, then track.advertiser.com would be acceptable as a tracking subdomain.
server-side tracking solution that can handle conversion notifications, you risk facing discrepancies of up to 40% with affiliates, not to mention possible loss of interest in your programs. You can still make use of pixels and cookies, as long as the cookies are on the same domain as your primary domain. Cookie storage and access is also possible, but there are constraints, including 30-day limits on cookie storage and forced data purges.
Next Steps for Publishers and Ad Networks
What ITP 2.0 means for you and immediate steps to take: Your tracking cookies will never be accepted on Safari, and your domain will likely be flagged by the ITP algorithm. This is unavoidable. However, you can mitigate the impact with the following steps:
- Immediately switch to server-side tracking to prevent traffic loss.
- Work with your advertiser to make sure they use a tracking platform that can support first-party cookie-to-server-side notification tracking.
- Make sure that your advertiser is using a first-party domain for all of their tracking pixels. You will see less referral data as a side effect.
Why Postbacks Are the Way Forward
While these steps may sound dire for digital advertisers, there is a silver lining. Both Apple and Mozilla have stated the following as their preferred methods of tracking going forward:
- link decoration, which is also known as query string parameter-based tracking; and
- server-side notifications, i.e., postbacks.
Good news! These methods still allow for the standard tracking that performance marketers have come to expect from mobile campaigns. But there is one problem: unless you are using an attribution SDK, or are already tracking your offers in HasOffers, it’s unlikely that your platform is able to support postbacks.
Why? Because tracking on mobile is more complex to implement than tracking on web. The HasOffers platform is uniquely equipped to handle the challenges presented by ITP 2.0 because our history of mobile and web tracking innovation has led us to develop tools that turn client-side tracking into server-side notifications. Tools like the postback — a defining feature of our platform, and our recommended attribution method since we invented it nearly 10 years ago.
Postback tracking uses two servers to collect and send all necessary click and conversion information, hence the “server-side” in server-side tracking. But while postback tracking is more difficult to set up, it is much more reliable to run, because it doesn’t rely on cookies. Cookies just don’t work on mobile web. And tracking on app? That’s a whole different world entirely. (One we’re very familiar with, and would love to introduce you to.)