iOS 17, released last month, includes two different privacy initiatives: Link Tracking Protection and Advanced Tracking and Fingerprinting Protection.
Overall the impact on marketing attribution is limited. It’s link tracking which has fired up the analytics community so far, but the biggest impact is probably the collateral damage to Google Tag Manager (GTM) in private browsing mode.
Let’s look at Link Tracking Protection first.
Link Tracking Protection
This initiative is part of Apple’s user privacy protection. It limits the ability for ad platforms to add identifiers into the link click URL, which could be used to tie the click back to a unique user.
These URL click identifiers have been used by ad platforms to auto-tag campaigns. Rather than explicitly adding UTM parameters (e.g. utm_campagin=summersale), Google Ads (and GA4) could track the click back to a campaign based on a unique click ID and infer campaign name etc.
Link Tracking Protection is embedded in all Apple software now (Safari for iOS, Safari for Mac, Apple Mail etc) and can’t be turned off. It doesn’t affect other browsers on Apple devices (Chrome, Gmail etc).
While stripping these click parameters out of the URL will disrupt campaign attribution, the simple workaround is to consistently add UTM parameters to every marketing campaign. Read more about workarounds below.
Removing click identifiers is NOT the first step down a path to wiping all URL parameters (including UTM parameters). Apple isn’t trying to wipe out the online ad industry – it is now the 4th biggest ad platform globally – but rather to protect user privacy.
So what about Advanced Tracking and Fingerprinting Protection?
Private Browsing blocks Google Tag Manager
Advanced Tracking and Fingerprinting Protection is currently enabled only in Private Browsing in Safari, although it can be opted in for all browsing.
With this protection enabled a long list of trackers is disabled, including:
- Google Tag Manager (GTM)
- Gtag (for Google Analytics and Google Ads)
- Facebook Pixel
That’s right: Google Tag Manager and every tag in it is blocked, probably as collateral damage from being loaded from the same domain (googletagmanager.com) as gtag.
Why is Apple doing this? I think it’s a genuine move to match user’s expectations of how Private Browsing should work. In a survey in 2017, the biggest reason users opened a Private Browsing window was to ‘hide from the website I visit’. But until now that wasn’t true; cookies were limited in Private mode, but websites could still track the user.
I can’t find any details of how fingerprinting protection works, but I suspect it blacklist trackers that are known to use fingerprinting (as Firefox does).
What’s the impact of GTM being blocked
For now the tracking impact is limited. Safari has 25% of global browser usage and I’d estimate that private browsing is around 15% of those sessions – so as iOS 17 rolls out tracking will be blocked for around 4% of your users.
But, based on Apple’s previous Intelligent Tracking Prevention updates, there’s a big risk they update this setting in a future release to be the default for all Safari browsers. If Google Tag Manager couldn’t run on 25% of browsers that would seriously undermine it’s benefits.
And even if you don’t use GTM – and Littledata’s tracking doesn’t rely on it – then Google Analytics may still get blocked for more users in the future. That’s something we’re working on solving at Littledata.
The impact of Link Tracking Prevention
All these changes come into effect when the user upgrades their Apple device, or buys a new one. Based on previous roll outs, 90% of Apple device users will have iOS 17 / MacOS Sonoma within 6 months.
This means you’ll see increasing impact from now into early 2024.
For Google Ads, assuming you also use UTM tagging (which is now absolutely essential), the removal of auto-tagging is going to mean:
- Less cost data imported to GA4
- Fewer conversions and engagement metrics linked from GA4 to Google Ads
For Facebook Ads, the impact will be more limited – since the vast majority of ad link clicks are from Facebook’s app, not from Safari. This is probably true of TikTok and Pinterest too.
Assume the loopholes will be closed
I’ve seen a few posts about how to work around iOS changes. But having covered previous iOS tracking changes I can confidently say that many of the loopholes that exist today will be closed.
There’s some randomness with this first release about which platform click IDs are blocked (Mailchimp but not Klaviyo, TikTok but not Pinterest) – but I’d expect the list of known click identifier parameters to grow.
So let’s explore what WON’T work as a long term fix.
1. Add clickID in a UTM
You could move the click ID into a UTM parameter, like `utm_term=123xyz` rather than `gclid=123xyz`.
Firstly, it’s hard to actually rewrite that URL before the user opens it in their browser.
If you do this it will work in the short term but I suspect it’s easy for Apple in the long run to distinguish between a user hash / identifier (with a random collection of numbers and letters) and a genuine keyword or campaign name.
2. Move to a site-specific URL parameter name
Channels could decide to rename the global parameter name to a site-specific one; instead of “fbclid”, move to “brandname_fbclid”.
This might work initially, but like fix #1 is highly likely to be blocked in time, making it not worth all the disruption for non-Safari clicks.
3. Move click ID to the URL Path
Although this requires even more URL rewriting, it is possible for the channel to add the click ID in the URL path – e.g. mysite.com/page/123xyz. This would be risky / impossible for Apple to block, because altering the page path could disrupt website functioning – but it also makes it very risky for ad platforms to implement for the same reason.
I think the analytics industry has to learn to live with these changes, and embrace UTM / campaign tagging more fully as the best route to campaign-level attribution.
The risk of Apple banning UTM parameters is overblown, and doesn’t fit with Apple’s stated aims of protecting user privacy. Campaign attribution is fine; user attribution is not.
But the risk of GTM and other tracking being blocked more generally by Safari is real and growing. And server-side tracking is one of the best technologies to protect against this threat.