Safari ITP (Intelligent Tracking Prevention) – From 1.0 to 2.3

Updated on: January 3, 2024
ITP only affects Safari users, which amounts to 13.78% of the total browser usage and so yes, it’s being used by millions of users.

At its Keynote Conference WWDC 2018, Apple announced the release of Intelligent Tracking Prevention (ITP) 2.0. As you know, it might have a significant impact on the digital advertising industry. So, we’ve decided to create a status page for ITP to help you learn and track what’s happening around it. 

Privacy is a Fundamental Human Right’ says the CEO of the world’s largest tech firm. Whether the firm is going to commit to the words of the CEO (read Timothy Cook) or not is still in question, as they’re planning to enter advertising soon. But let’s just say they are pretty serious about privacy.

Why? Intelligent Tracking Prevention 2.3 is here.

What is Intelligent Tracking Prevention?

Intelligent Tracking Prevention, also known as ITP is the privacy feature developed by Webkit, used by several applications including Safari. It is an open-source browser engine that is used by Safari, Mail, and many other applications on macOS, iOS, and Linux.

Safari browsers block third-party cookies by default and only allow the first-party cookies to be active. But first-party cookies can be used as trackers in some instances (not just for keeping you logged in, saving products in your cart, etc.). ITP focuses on the trackability of the first-party cookies to further protect the privacy of the users.

ITP only affects Safari users, which amounts to 13.78% of the total browser usage and so yes, it’s being used by millions of users.


When the user visits a website, it cookies the user to deliver a better user experience. That’s a first-party cookie and can also be used in third-party context (retargeting, personalized ads based on history). 

In Safari, if the user hasn’t visited the website again within a day, cookies can only be used in the first-party context (Ex: Saving login credentials). In other words, if the cookies have had the ability to track the users across the web, it’s disabled.

Furthermore, publishers can’t send cookies to third-parties who are regarded as trackers. Technically, retargeting can be done only for 24 hours in Safari. 

worse, if the user hasn’t visited the website again in 30 days, cookies will be purged permanently.

How ITP affects publishers?

Typically, publishers like you (as well as advertisers) rely on cookies to serve personalized ads. Without the cookies, publishers can only serve non-personalized ads and this, in turn, attracts depreciated CPMs

Advertisers, on the other hand, will be impacted on several fronts including audience segmentation, customer journey mapping, and attribution. Here’s a detailed take on how marketing will be affected.

“Safari will now block sending cookies to third parties determined to be “trackers”. This will be highly disruptive to buyers, sellers, and technology platforms, given the role third-party cookies play in audience addressability, segmentation (and thus targeting and personalization), and measurement”

IAB Tech Lab

What was Adtech’s reaction?

The publishers who rely on programmatic advertising and safari users suffered varied losses.

IAB Tech Lab published a blog post UNDERSTANDING & REACTING TO APPLE’S SAFARI BROWSER TRACKING CHANGES to help publishers, buyers, and adtech vendors deal with the issue. 

Then, there was ITP 1.1

In ITP 1.0, the machine learning classifier partitions the cookies of the website user haven’t visited in the last 24 hours. But, this also raised concern. 

For instance, when you embed Facebook’s Social Plugins on your site, the users can only like/comment if they have visited in the last 24 hours. Else, users have to go through an additional confirmation screen to do the desired actions. If the users haven’t visited in the last 30 days, then they have to log in again (even though they have never logged out of Facebook).

This may not sound like a big issue. Because of course, users who haven’t visited in the last 24 hours are negligible*.

*This has raised a few more concerns that the ITP is further going to solidify the duopoly in the digital advertising industry. 

But, it also affects third-party payment providers or video-subscription services. So, ITP 1.1 was released with a Storage Access API.

Storage Access API allows authenticated embeds which solves the problem we’ve discussed above.

Today – Intelligent Tracking Prevention (ITP) 2.0

This was the most recent update by WebKit and it removes the 24-hour window previously granted for first-party cookies to track users across the web. 

It means as soon as the machine learning classifier predicts the domain with cross-site tracking capability, it partitions the cookies immediately. Authenticated embeds can get access to the first-party cookies with the help of Storage Access API provided that the user interacted with the embed.

This time, Facebook can’t track the users by default, just because of the embeds (social plugins). With the ITP 2.0, users will be given a pop-up as shown below:

ITP 2.0

“Safari works really hard to protect your privacy and this year it’s working even harder”

– Craig Federighi,  Apple’s SVP of software engineering, WWDC Keynote 2018.

In addition, Safari browsers are going to detect and prevent first-party bouncers and fingerprinting techniques from tracking users across the web. Besides, it also downgrades the page URL to just origin (just, instead of…) for third-party requests identified as trackers by ITP and which doesn’t receive any user interactions. 

When did ITP 2.0 go live?

ITP 2.0 has been launched this month (June 2018) and has impacted the bottom lines of several ad tech companies across the globe. From advertisers to affiliates to publishers, everyone is working to prevent any huge revenue losses.

Okay, What is Intelligent Tracking Prevention (ITP) Version 2.1?

As you’ve guessed, ITP 2.1 is the next iteration/update aiming to solve the loopholes of the previous version. When ITP 2.0 went live, adtech companies and intermediaries gradually found workarounds to bypass the hiccup created by Apple.

For instance, some stored third-party cookies as first-party cookies to prevent the ITP system from purging their cookies. ITP 2.1 tries to curb the workarounds by reducing the accessibility and longevity of first-party cookies.

“With this update, we further reduce trackers’ ability to establish user identities across sites.”


The first major update is, Apple Safari browser decided not to support the partitioned cookies. Partitioned cookies are used by third-parties to get first-party cookie access to communicate fundamental information (they cannot track the users though). From now on, third-parties will have to use the Storage Access API to get any type of cookie access – both tracking and non-tracking purposes.

Second, client-side cookies can only be stored for 7 days, even when they don’t track users across the web. In general, cookies can be set via server-side (server HTTP response) or Client-side (through JavaScript’s Document.cookie API). Cookies set using JS will now have the expiration of 7 days. It affects a lot of MarTech tools including Google Analytics as they use the client-side method to set cookies.

The updates are likely to continue as the vendors tend to frame workarounds. And, it did.

ITP Version 2.2

ITP 2.2, as it implies, is an update to Safari’s Intelligent Tracking Prevention feature to prevent third-parties from utilizing workarounds they’ve found for ITP 2.1. With this update, Safari brought down the expiration period of first-party cookies from seven days to one day.

“Many actions advertisers are interested in attributing back to digital marketing efforts happen outside the newly implemented 24-hour window, creating a blind spot for advertisers and brands”

– Amanda Martin, VP of Enterprise Partnerships, Goodway Group (Digiday).

Not all first-party cookies are affected. ITP 2.2 only targets first-party cookies dropped by the site on behalf of another company that is identified as a tracker. To be specific, it aims to curb the ‘link decoration’ technique used by companies like Google and Facebook to track Safari users across the web.

So, did it work? Did ITP 2.2 end cross-site tracking via link decoration? Well, no. That’s why Safari released its next ITP update 2.3.

ITP Version 2.3

When did ITP 2.3 go live?

ITP 2.3 was launched in the month of September 2019 aimed to clear the workaround that enables companies to track the user’s performance on other sites without depending on cookies.

ITP 2.3 took two steps to fight against link decoration.

a. LocalStorage Capping and deletion:

If a cross-tracking website sends a user to a URL (with link decoration), then the site will be marked for “non-cookie deletion”. If there’s no interaction with the site for the next 7 days, all the non-cookie data will be deleted permanently.

b. Document.referrer:

Instead of decorating the website URL, some decorate the referrer URL and then use document.referrer to store and read tracking ID. So, Safari will downgrade the document.referrer to eTLD+1. In other words, if the referrer’s decorated URL is, then Safari will only return to prevent the mechanism.

Impact of Intelligent Tracking Prevention (so far)?


Google search ads which eat up to 80 percent of the US search ad market, have a feature to retarget users on search results. Dubbed as ‘RLSA (Remarketing lists for search ads)’, the feature helps advertisers and marketers to target the audience who have previously visited their website or left items on the cart.

As Safari accounts for more than 50% of the US mobile searches, Google’s RLSA has been all-time low (for the year), according to Merkle, a digital agency.


Criteo, one of the few public adtech companies and a retargeting giant initially cut the company revenue at the start of 2018. And, to be clear, this is due to the release of ITP.

One of the largest digital advertising firm Criteo said ITP will cut its revenue by more than a fifth. 


And, when ITP 2.0 hit the shed along with the EU’s GDPR, it’s apparent for them to diversify their revenue model. They jumped into in-app and email advertising. In fact, last quarter they acquired, Manage, a mobile in-app advertising company to expand towards the in-app ad market.

Still, the damage has been done.

What publishers can do to Mitigate the impact of ITP?

  • Publishers can make use of the first-party data that willfully provided by users to know their interests and run targeted ads.
  • Publishers can also mitigate this issue by following the IAB Tech Lab’s guidelines. Read the post to access it.

What about the Open Internet?

Both the hype and hope of the ID-based solutions are on the rise. Recently, the Trade Desk launched its own id-based solution ‘Unified ID’ and has been boasting about the match rates.

On the other side, publishers (in Germany) are planning to devise an EU-wide login based system to avoid cookie syncing and chip away the market share from the duopoly. Advertising Consortium keeps pushing its initiative to bring an industry-wide ID-based solution.

Well, what happens to affiliate marketing now?

So, let’s consider you run some affiliate products from different sellers across your site, and usually, when any of your readers click on the mention and buys the product, you’ll get a commission.

As Safari partitions cookies immediately this time, it’s not feasible to run with the current tracking technology. Fortunately, many affiliate networks have launched their workarounds to ensure you’re getting paid as usual.

For example, Impact, an affiliate network said it’s Universal Tracking Tag (UTT) which relies on monitoring inbound traffic rather than publishers’ tracking code. You should check with the respective networks and make sure you follow the right tracking technologies offered.

“We expect a range of companies are facing similar negative impacts from Apple’s Safari tracking changes. Moreover, we anticipate that Apple will retain ITP and evolve it over time as they see fit”

– Dennis Buchheim, General manager, IAB Tech Lab.

What’s next?

As a publisher, you can’t find your way out of the safari’s ITP alone. We need the industry to work together and devise a workaround (also a long-term solution) as soon as possible. But that doesn’t mean there’s nothing you could do. We see two ways as of now.

a. Prepping up for a Post-Cookie Era

Do you remember what happened to Adobe’s Flash?

Adobe systems predicted there will over 1 billion devices running flash players by 2015. Just after 2 years, the company admitted that flash player has become obsolescence. If you’re wondering how, read the open letter from Steve Jobs. In a line, Apple kicked the flash player out of its family altogether. Many followed the suit.

We’re not comparing the flash player with cookies here. However, they have some similarities including data leakage, privacy, and security. Hence, it’s better to start working on the first-party data strategies and device ID targeting.

b. Mitigating the Impact

Simultaneously, you can plan some workaround. This will help you compensate for the loss of revenue (short-term).

Dennis, General Manager of IAB Tech Lab recommends the adtech to follow the IAB Tech Lab’s guidelines to manage the issue. 

As usual, we compiled a few strategies (proven) to help you deal with the ITP issue. Here you go.

c. Help us help you

Found the article informative? We thought so. Let us notify you whenever there’s an interesting update on ITP or any other privacy laws.


News and Tips for Publishers

Get the inside scoop on publishing and programmatic with our 5-minute newsletter.