Apple’s Safari Quietly Made It Harder for Sites to Work With Third Parties Like Google Analytics
Apple’s Safari browser, which has long positioned itself on the side of user privacy, is limiting another kind of data collection. And in the process, it’s stoking the anger of some in the ad-tech industry, especially due to Apple’s lack of communication about the move, which will affect the architecture of many websites.
Apple is closing a loophole where sites could pass off third-party partners as first-party cookies. Websites use first-party cookies to know who audiences are when they return to their sites. First-party cookies, for instance, mean that people don’t have to log in every time they visit a publisher’s site.
“I think the lack of transparency about this [move] by Apple is part of what everyone is upset about,” said ad-tech vet Jonathan Mendez, who first tweeted about the change earlier this month and told Adweek that developers spotted the change in the new version of Safari 16.4.1, which was released April 7.
“It just shows that they will do whatever they want and don’t care what people think,” he added. “Which, of course, is what people have been upset about with Apple for some time.”
Here’s what to know about Apple’s latest crackdown.
Legitimate cases for sites working with third parties
Websites work with plenty of third parties to enhance their functions, from tools like Google Analytics, which help publishers learn about their audiences, to Adobe Analytics, which improves site performance, to content hosting services. Sites want these partners to have the ability to track their audiences to perform their functions, but third-party cookies are no longer an option to do so since Safari deprecated them in 2017.
As a result, websites have developed a variety of techniques to cloak third-party cookies as first-party cookies, which Safari, over the past several years, has been steadily trying to curtail, spurring a steady game of whack-a-mole.
Even if there are legitimate use cases for the practice, it flies in the face of Safari’s efforts to limit third parties’ access to web users’ information, and there are plenty of shady ad-tech firms that can use these techniques to covertly track users.
Apple’s ongoing MO
In October 2022, an Apple engineer posted on GitHub Apple’s intention to curtail one such cloaking technique. In more simple terms, the post detailed how Apple planned to compare the IP address in the incoming response with the IP address of the main resource response. If they are mostly different—which they would be if they are coming from third parties—these cookies can only live for seven days before they are destroyed, limiting the ability of websites to use and make inferences from this data.
Apple never made a formal blog post about the change or indicated when it would go into effect.
Anton Lipkanou, president of Delve, an analytics-focused agency that offers support for tools like Google and Adobe Analytics, said the change is live and already creating anomalies in websites’ data.
However, Jen Simmons, Apple Evangelist on the web developer team for Safari & Webkit, tweeted on April 11 that the change had not shipped. Apple has not responded to a request for comment.
Part of ad-tech execs’ dissatisfaction with the change is how little Apple has communicated about it, given that it will affect the architecture of many websites.
How publishers and advertisers could be impacted
Sites that work with many third parties using this technique may have to retool how their websites work, said Loch Rose, chief analytics officer at Publicis-owned data firm Epsilon.
“There is plenty of sites where the majority of their traffic is Apple,” Rose said. “So they lose a lot of functionality.”
It creates a lot of blind spots and it creates a lot of unnecessary headaches
Ratko Vidakovic, founder of ad-tech consultancy AdProfs
Brands should start breaking up their reporting into other browsers to avoid making decisions on the wrong data, said Lipkanou. With these types of cookies now deleted every seven days, returning users will be much harder to identify.
Lipkanou also advised brands to rely on shorter-term metrics, such as last-touch or data-driven attribution, instead of first-touch.
The change will also impact publishers and their advertising products, said Ratko Vidakovic, founder of ad-tech consultancy AdProfs.
“The less a publisher knows about their audiences, the less they can provide insights to advertisers,” he said. “It creates a lot of blind spots, and it creates a lot of unnecessary headaches.”
How worried should the industry really be?
This isn’t Apple’s first rodeo trying to stop the practice of hiding third parties in first-party cookies, and it won’t be the last.
Sources say there exists yet other workarounds that Apple hasn’t yet squashed. Equally, sources say that the industry should not be surprised by Apple’s ongoing moves to close these loopholes.
The safest way for websites to work with third parties, both in terms of user privacy and avoiding future changes in browser policy, is by sharing information server-to-server, bypassing the browser entirely. But websites using this approach miss some key signals about users that can only be gleaned by knowing browsing behavior, Lipkanu said.
Ultimately, in an age of cookie deprecation, savvy brands should be working on building their own stores of data and analytics paradigms and rely less on shortcuts like Google Analytics, he added.
“There is a default way to do marketing,” Lipkanu said. “Launch a campaign on Facebook … [or ] Google Ads and measure it in Google Analytics…For the brands doing that, nothing really changes.”
“The brands that are a bit savvier … Google Analytics or Adobe Analytics were not enough for them anyway,” he added.
https://www.adweek.com/media/safari-quietly-made-it-harder-for-sites-to-work-with-third-parties-like-google-analytics/