Privacy & Consent

Safari ITP (“Intelligent Tracking Prevention”) and What it Means for Publishers

“Data is the foundation of interactive advertising.” – Interactive Advertising Bureau
“Hold my beer.” – Apple

In December 2017, one of the largest ad retargeting vendors – Criteo – saw its stocks plummet by 27%. The reason? They had announced the net negative impact of over 20% on their 2018 revenue – as a direct result of Safari ITP. (Source)

Programmatic publishers had barely adjusted to Chrome’s enforcement of Better Ads standards when GDPR arrived to compound monetization tenfold. Immediately after the GDPR deadline, on June 4th, Safari released another update to its Intelligent Tracking Prevention (ITP) feature.

We’re taking a look at the latest release of Safari ITP – v.2.0 – to see how it affects ad tech and how publishers can work it in their favor. But before we go deeper into ITP, here’s a brief explainer on how this ubiquitous cookie sharing/targeting thing works on the interwebs.

Demystifying Data Sharing in Ad Tech

First-party cookies are set and owned by the publisher, typically to save login credentials, restoring a shopping cart, recovering form field data on reload, etc. A website can only read/write/update cookies set by its own domain.

For an ad tech vendor to capture and associate user information across multiple websites, it has to maintain integrations with each of them.

Imagine a user who first browses for a new gadget and later browses for dinner ideas. If both of these sites load resources/scripts from, and has a cookie stored in the user’s browser, the owner of has the ability to know that the user visited both sites, what they did on those sites, what kind of web browser was used, etc.

This is called cross-site tracking. In our testing we found popular websites with over 70 such trackers, all silently collecting data on users.


If you recall how RTB (real-time bidding) works, you’ll know that in the above example is usually an SSP (sell-side platform). When the user arrives on a page, three different types of details are sent to the SSP via ad request: The page environment (ad location, size), the website (URL, contextual category), and the user (behavioral & demographic data such as browsing history, time zone, location).

The user calls the SSP server where the SSP reads that user’s SSP cookie ID, likely already on their machine. Assuming the user already has that SSP’s cookie on their machine (and most users will, given that the largest SSPs boast 80–90% reach rates to the US internet population), the SSP starts the auction by requesting bids from a host of demand sources. (via AdOps Insider)

Safari ITP interferes with SSPs’ ability to cookie users for the purpose of tracking their browsing history.

What is Safari ITP

ITP, abbreviated for Intelligent Tracking Prevention, is a feature developed by Webkit – the browser engine that powers Safari and other applications in iOS.

Safari blocks third-party cookies by default. But ITP goes a step further by diagnosing and blocking first-party cookies that can be used in third-party context, i.e., to track users across the web.

How Safari ITP 2.0 Defeats Ad Tracking

Intelligent Tracking Prevention works via a machine learning algorithm that is very good at identifying domains that can track a user across the web. BTW: If you’re comfortable with developers’ jargon, you can read more about this machine learning classifier on

Now, in Safari ITP, cookies – by any party – that are set specifically for cross-site tracking/ad targeting purposes are partitioned from the rest.

This means users only have long-term persistent cookies and website data from the sites they actually interact with; tracking data is removed proactively as they browse the web.


In Safari ITP 1.0, first-parties (publishers) had read/write cookie permissions. Third-parties (SSPs) had read-only cookie permissions. Third-parties that were found  by the machine learning classifier to be “trackers” had limited read access for only 24 hours after a first-party interaction.

Problem? For popular, frequently-revisited sites (like Google, Facebook, etc.), this 24-hour read-access window enabled them to continue targeting visitors forever.

That is, until June 2018—when Safari ITP 2.0 put an end to it.

ITP 2.0, as opposed to earlier versions, immediately partitions cookies for domains determined to have tracking abilities. The previous general cookie access window of 24 hours after user interaction has been removed. Instead, authenticated embeds can get access to their first-party cookies through the Storage Access API. The API requires that the user interacts with the embedded content.

This means that Facebook, for instance, won’t be able to track users on other sites simply through embeds—like social plugins. Safari will show users a pop-up (Storage access prompt) detailing that Facebook will be able to track them across this site. Users can allow or block that tracking.

It’s worth noting that Safari ITP 2.0 can also detect and block newer-age tracking techniques, like device fingerprinting.

How Safari’s Tracking Prevention Affects Ad Tech

Per NetMarketShare, 17.29% users are online in June 2018 via Safari browser (on any device). Since ITP is enabled by default, most Safari users are now off limits when it comes to ad targeting.

Needless to say, ad tech vendors are not happy. Upon initial release of Safari ITP last year, major trade bodies—AB (Interactive Advertising Bureau), ANA (Association of National Advertisers), 4A’s, American Advertising Federation among others—penned an open letter to Apple, calling the move ”arbitrary”.

They argued that such a “heavy-handed approach is bad for consumer choice and bad for the ad-supported online content and services consumers love”.

“Blocking cookies in this manner will drive a wedge between brands and their customers, and it will make advertising more generic and less timely and useful. Put simply, machine-driven cookie choices do not represent user choice; they represent browser-manufacturer choice.”  (via AdWeek)

The affect is comparable to that of General Data Protection Regulation (GDPR)—where vendors whose entire business model thrived on ad targeting and third-party data are the biggest casualties.

How Publishers Can Benefit from Safari ITP

Now that third-party data for ad targeting is just not flying, brands trying to target Safari (and by association: iOS) users will have to revert to first-party data, straight from publishers. This means another reason to divert spending to Direct Sales and PMP deals. 

Just as the GDPR will force advertisers to buy ads on sites with recognizable brands rather than target audiences whenever they wind up on the web, Apple’s data-gathering restrictions could benefit publishers not reliant on hypertargeting, said a product head at a comScore 200 publisher. (via Digiday)

In previous posts, we have discussed how publishers can use their wealth of first-party data (regardless of their scale) to silo their inventory into packages that can be sold directly or programmatically via private marketplace deals. We recommend you go through the guides and begin strategizing.

Impressions to iOS users are sold for significantly higher CPMs simply because the demographic tends to have higher avg. income and tends to spend more online. That’s not an outdated stereotype, in October 2017, Marty Meany of Wolfgang Digital shared insights after comparing 31 million iPhone and Android sessions.

On average, Android users spend $11.54 per transaction. iPhone users, on the other hand, spend a whopping $32.94 per transaction. That means iPhone users will spend almost three times as much as Android users when visiting an e-commerce site. (via Moz)

Take care to price inventory accordingly.

If GDPR didn’t hammer this in, Safari ITP ought to: It’s time for publishers to work their data into media sales, instead of blindly sharing it with any network/exchange that’s selling inventory on their behalf.