The latest version of Safari, and all browsers running on iOS for iPhones or iPads, limit the ability for Google Analytics (and any other marketing tags) to track users across domains, and between visits more than a day apart. Here’s how to get this fixed for your site.
This article was updated January 2021 to include the changes for iOS 14
How does this affect my analytics?
Safari's Intelligent Tracking Prevention (ITP) dramatically changes how you can attribute marketing on one of the web's most popular browsers, and ITP 2.3 makes this even more difficult.
How will the changes affect your analytics?
Currently your marketing attribution in Google Analytics (GA) relies on tracking users across different visits on the same browser with a first-party user cookie - set on your domain by the GA tracking code. GA assigns every visitor an anonymous ‘client ID’ so that the user browsing your website on Saturday can be linked to the same browser that comes back on Monday to purchase.
In theory this user-tracking cookie can last up to 2 years from the date of the first visit (in practice, many users clear their cookies more frequently than that), but anything more than one month is good enough for most marketing attribution.
ITP breaks that user tracking in major ways:
- Any cookie set by the browser, will be deleted after 7 days (ITP 2.1)
- Any cookie set by the browser, after the user has come from a cross-domain link, will be deleted after one day (ITP 2.2)
- Any local storage set when the user comes from a cross domain link is wiped after 7 days of inactivity (ITP 2.3)
- With Safari 14, any script known to send events about the user is blocked from accessing cookies or any way of identifying the user
- From iOS 14 onwards all browsers will implement these restrictions by default, unless the user opts in to 'allow cross-website tracking'.
This will disrupt your marketing attribution. Let’s take two examples.
Visitor A comes from an affiliate on Saturday, and then comes back the next Saturday to purchase:
- Before ITP: sale is attributed to Affiliate
- After ITP: sale is attributed to ‘Direct’
- Why: 2nd visit is more than one day after the 1st
Visitor B comes from a Facebook Ad to your latest blog post on myblog.com, and goes on to purchase:
- Before ITP: sale is attribute to Facebook
- After ITP: sale is attributed to ‘Direct’
- Why: the visit to the blog is not linked to the visit on another domain
The overall effect will be an apparent increase in users and sessions from Safari or iPhones, as the same number of user journeys are broken in down into more, shorter journeys.
How big is the problem?
This is a big problem! Depending on your traffic sources it is likely to affect half of all your visits.
Apple released iOS 14 and Safari 14 on 16th September 2021, and at the time of writing around 20% of all web visits came from iOS 14, and another 20% of visits from Safari 12 or higher, on a sample of larger sites.
The volume for your site may vary; you can apply this Google Analytics segment to see exactly how many iOS users you have.
The affected traffic will be greater if you have high mobile use or more usage in the US (where iPhones are more popular).
Why is Apple making these changes?
Apple has made a strong point of user privacy over the last few years. Their billboard ad at the CES conference in Las Vegas earlier this year makes that point clearly!
Although Google Chrome has overtaken Safari, Internet Explorer and Firefox in popularity on the desktop, Safari maintains a very dominant position in mobile browsing due to the ubiquitous iPhone.
Apple develops Safari to provide a secure web interface for their users, and with Intelligent Tracking Prevention (ITP) they intended to reduce creepy retargeting ads following you around the web. Genuine web analytics has just been caught in the cross-fire.
Unfortunately this is likely not to be the last attack on web analytics, and a permanent solution may not be around for some time.
Our belief is that users expect companies to track them across their own branded websites and so the workarounds below are ethical and not violating the user privacy that Apple is trying to protect.
How to fix this
There is only one fix I would recommend. I’m grateful to Simo Ahava for his research on all the possible solutions.
If you’re lucky enough to use Littledata's Shopify app then contact our support team if you'd like to test the private beta of our 'trusted cookie' solution.
Server-side cookie service
ITP limits the ability of scripts to set cookies lasting for longer than 7 days (or 24 hours in some cases). But this limit is removed if a web server securely sets the HTTPS cookie, rather than via a browser script.
This also has the advantage of making sure any cross-domain links tracked using GA's linker plugin can last more than one day after the click-through with ITP 2.3.
The downside is this requires either adapting your servers, proxy servers or CDN to serve a cookie for GA and adapt the GA client-side libraries to work on a web server.
If your company uses Node.js servers or a CDN like Amazon CloudFront or Cloudflare this may be significantly easier to achieve. If you don’t have direct control of your server infrastructure it’s a non-starter.
Also, a caveat is that Apple recommends settings cookies as
HttpOnly to be fully future proof - but those would then be inaccessible by the GA client tracking.
What about other marketing tags working on Safari?
All other marketing tags which track users across more than one session or one subdomain are going to experience the same problem.
With Google Ads the best solution is to link your Ad account to Google Analytics, since this enables Google to use the GA cookie to better attribute conversion in Google Ads reporting.
Facebook will no doubt provide a solution of their own, but in the meantime you can also attribute Facebook spend in GA using Littledata’s connection for Facebook Ads.
Are there any downsides of making these changes?
As with any technical solution, there are upsides and downsides. The main downside here is again with user privacy.
Legally, you might start over-tracking users. By resetting cookies from the local storage that the user previously requested to be deleted, this could be violating a user’s right to be forgotten under GDPR. The problem with ITP is it is actually overriding the user’s preference to keep the cookie in usual circumstances, so there is no way of knowing the cookie was deleted by the user … or by Safari supposed looking out for the user!
Unfortunately as with any customisation to the tracking code it brings more complexity to maintain, but I feel this is well worth the effort to maintain marketing attribution on one of the world's most popular browsers.