Major Web Tracking Challenge – the acceptance & persistence of cookies is falling

November 4, 2020

With browsers increasingly limiting the acceptance and persistence of cookies, tracking systems are at risk of losing the attribution of a growing share of conversions to their actual referrers. The outcome is that publishers will be getting less credit than they deserve for driving leads and sales.


Since 1994, browser cookies, and particularly 3rd party (aka “cross-site”) cookies, have been the foundation of online tracking and attribution. Placing a cookie, i.e. setting a tracking vendor’s JS code snippet on your web pages, was seamless. Tracking vendors would also use redirects to place 1st party cookies, in combination with 3rd party communication with their root domain, to facilitate the tracking and reporting functionality.

With online privacy concerns growing, 3rd party cookies have been in the spotlight since 2017. In addition, AI engines (for example Safari’s WebKit engine) were put to work to identify “tracking domains”: domains that place 1st party cookies, but not in a real “1st party context”, i.e. users wouldn’t actively visit the site to consume content but would rather be redirected there for tracking / cookie-setting purposes.

Apple’s Safari browser introduced ITP (Intelligent Tracking Prevention) in September 2017. This feature blocks 3rd party cookies of trackers by default, and also limits the persistence (duration) of 1st party cookies.

Google Chrome announced that it will phase out support for 3rd party cookies in 2022, allowing the ecosystem some time to adjust to this gigantic change. More on that below.

iOS announced that all browsers running on it will be blocking 3rd party cookies by default from 2021.

Firefox introduced its “Enhanced Tracking Protection” in June 2019, which blocks most 3rd party tracking cookies by default.

What happens when a browser blocks a 3rd party tracking cookie?

Apple Safari’s ITP

Apple Safari is the second largest browser on the web. According to StatCounter, it commands 17% of the global browser market share. But we’ve seen cases here at Seperia where it reached 60%, depending on the primary audience’s device, country and mix.

Apple’s aim is to prevent cross-site tracking of users. Since its release to date, ITP has had eight releases, each one further tightening the restrictions and closing “loopholes”. Main changes introduced by ITP:

  • Full blocking of 3rd party cookies by default – March 24, 2020
  • Detecting 1st party cookies from “known trackers” and limiting their persistence from 30 days to 7 days and then down to 1 day
  • But not for all 1st party cookies. Some cookies are set on the client side, and some on the server side. The ones set on the server side are considered safer (as they are necessarily set by the site’s server)
  • Limiting access to LocalStorage (an HTML5 web storage API that allows sites to store and read larger amounts of data, used as a way to bypass cookie limitations) and requiring explicit user consent
  • It also impacted embedded widgets (social sharing, social logins, functional, etc.), so there was some back and forth

For a thorough review of the development of ITP, see this article

Google Chrome

Chrome announced plans to block 3rd party cookies by 2022. This gives the ecosystem some time to adjust to the new reality. In the meantime, Google worked on implementing a SameSite attribute for cookies, which will increase control over who can access cookies: 1st party only, or 3rd parties as well. Adoption among developers, however, has been slow.
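
To make the effect of the SameSite attribute concrete, here is an added example (not code from this article or from any browser) that audits `Set-Cookie` headers and reports in which cross-site situations each cookie would still be sent. It assumes a browser that treats a missing SameSite as `Lax` and rejects `SameSite=None` without `Secure`, the behaviour Chrome rolled out in 2020; the header values and the function names `parseSetCookie`, `classify` and `audit` are constructed for illustration.

```javascript
// Added example: classify Set-Cookie headers by SameSite behaviour.
// Assumed browser model: missing/unknown SameSite is enforced as Lax,
// and SameSite=None is only accepted together with Secure.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? "" : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

function classify(header) {
  const c = parseSetCookie(header);
  const declared = ["strict", "lax", "none"].includes(c.sameSite);
  const mode = declared ? c.sameSite : "lax"; // default enforcement
  const accepted = !(mode === "none" && !c.secure);
  return {
    name: c.name,
    declared,            // false: the developer never chose a policy
    mode,
    accepted,            // false: the browser drops the cookie entirely
    // Sent with cross-site subrequests (iframes, images, fetch), i.e. usable as a 3rd party cookie
    crossSiteSubrequest: accepted && mode === "none",
    // Sent when the user follows a link from another site (top-level GET)
    crossSiteTopLevelGet: accepted && mode !== "strict",
  };
}

function audit(headers) {
  return headers.map(classify);
}

// Constructed sample headers, not captured from a real site.
const sampleHeaders = [
  "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
  "cart=42; Path=/",
  "trk=xyz; Domain=tracker.example; SameSite=None",
  "widget=1; Path=/; SameSite=None; Secure",
];

for (const r of audit(sampleHeaders)) {
  console.log(r.name, r.mode, r.accepted ? "accepted" : "rejected",
    "subrequest:", r.crossSiteSubrequest, "navigation:", r.crossSiteTopLevelGet);
}
```

Cookies reported with `declared: false` are the ones whose behaviour changed silently when browsers switched the default, which is where slow developer adoption shows up in practice.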

What are the alternatives to tracking cookies?

Using first party cookies

It appears that Safari targets tracking systems that use a referral to their own domain before redirecting the user to the actual target site (setting first party cookies through a redirect, rather than in a real “first party context”).

Local storage

Before HTML5, application data had to be stored in cookies, included in every server request. Web storage is more secure, and large amounts of data can be stored locally, without affecting website performance.
Unlike cookies, the storage limit is far larger (at least 5MB) and information is never transferred to the server.
Web storage is per origin (per domain and protocol). All pages, from one origin, can store and access the same data.

It’s worth noting that as part of its ITP iterations, Safari also limited / disabled the use of localStorage.

Apple’s new restrictions for App tracking

In its iOS 14 release, Apple has announced a major change to tracking users. In a nutshell:

  • iOS uses IDFA (identifier for advertisers) – a long number that uniquely identifies an iOS device
  • IDFA was passed over to advertising networks and tracking platforms (e.g. AppsFlyer) unless the user actively opted out of it.
  • With the change, IDFA will become opt-in – meaning users will have to actively approve the app tracking them, with a “toned” message dictated by Apple.
  • Each app will be able to display an opt-in message once to the user to get permission to track. They will be able to customize the second part of the message.
  • iOS will have an attribution mechanism for campaigns which is separate from the IDFA, and should broadly enable attribution back to the source, but at a very limited granularity.

No known change in Android’s AAID (the parallel to IDFA).


Publishers, advertisers and tracking providers should be fully aware of these tectonic changes and adjust their systems and implementations to adhere to these stricter cookie regimes. Advertisers and tracking vendors that fail to attribute accurately and overcome these challenges will have to pay higher CPAs to publishers and / or move to CPC-based models. Otherwise they’ll see declining traffic from publishers that do not get attributed properly.