06 July 2023

Apple ITP targets HTTP cookies with 7 day cap

In summary

• The Safari 16.4+ update further limits cookie lifespan for server based cookies
• Louder’s experts explain how to check if you’ve been impacted and what you can do about it

About Safari’s latest release

In Safari’s latest release, Apple has decided to extend the reach of ITP technology to limit (HTTP) cookies and their lifespan, even if they are set in a first-party domain context.

How does the Safari 16.4+ release impact me?

For businesses that have implemented server-side tagging via Google Tag Manager (sGTM), you may want to pay attention.

Louder has found that for some sGTM implementations, campaign attribution windows have been reduced back to down to 7 days for Safari users on versions 16.4 and later when they have been previously extended to up to 2 years in sGTM set ups.

How to check if you’ve been impacted

Check your websites cookies expiry dates before (in Safari 16.3) and after the change (in Safari 16.4 and later).

Safari Version 16.3

In Safari 16.3 the FPID (HTTP) cookie is set to expire on the 18th May 2025. Approx. 2 years after it was initially set by server-side GTM

Safari Version 16.5

After updating MacOSX versions, Safari is updated to version 16.5.

After updating to Safari 16.5 you can see the same cookie is now limited to expire the 26th May 2023. 7 days after the cookie was initially set for this domain via server-side GTM.

What exactly has changed with the Safari release?

There are two circumstances where Safari ITP applies new restrictions:

1. CNAME cloaking, which is when the server setting the cookie is behind a CNAME that resolves (at any point) to a host that is third-party to the website the user is currently browsing.
2. The server setting the cookie is set with A/AAAA records that resolve to an IP address (IPv4 or IPv6) where the first half of the address does not match the first half of the IP address for the server on the website the user is currently browsing.

Example scenario 1, no impact

Consider the following scenario:

• Your website’s IP address is 8.8.8.8
• Your server container’s (sGTM) IP address is 8.8.4.4

In Safari 16.4 and the context of the new ITP restrictions - these 2 IP ranges would be considered OK and won’t attract the new 7 day cookie limit.

Example scenario 2, restriction applied

• Your website’s IP address is 8.8.8.8
• Your server container’s (sGTM) IP address is 8.4.4.4

In this scenario, the first half of the IP ranges no longer match, meaning the cookie lifespan will be capped at 7 days, despite being a secure (HTTP) type cookie.

Can anything be done to address the limited attribution window for Apple users?

The good news is, there is a couple of things you can do to overcome the 7 day limitation.

Option 1

You can move your server-side tagging infrastructure under the same services as your primary website domain. So that both your website and tagging server share the same or at least first half of their IP range(s). Apple ITP won’t limit cookies down to 7 days in this context.

However if you’ve decided to manage your server-side GTM (sGTM) via the default Google Cloud App Engine infrastructure or via Google Cloud Run, and your website is hosted via another service such as Amazon AWS for example, you will probably need to look to move your sGTM container inside a Docker image. This basically enables you to run sGTM via non Google Cloud platforms such as Amazon AWS or Microsoft Azure.

Option 2

If you don’t like the idea of Apple and its ITP technology being able to dictate how long a visitor identity (eg: Client ID) can persist for when a user engages with your business then you should consider providing your own user identity via User ID. We view this option as complimentary to option 1 rather than as an alternative.

By supplying your own identity to products like Google Analytics 4 (GA4), you can have a much more durable persistent identity which isn’t at the mercy of cookie expiration dates set by individual browser vendors. Learn how you can send a User ID to GA4.

What does this change mean?

Apple’s latest change attempts to catch out third party cookies posing as first party cookies.

Whilst we don’t believe Apple’s intention was to target first party cookies used by analytics tools such as Google Analytics, it just so happens that sGTM and GA4’s user identity cookies like FPID (first party ID) were in the cross fire.

Louder’s recommendation

The privacy landscape is constantly evolving and its hard to keep up. Louder recommends having an experienced analytics and tagging specialist team on your side to help you navigate through these updates and ongoing industry changes.

Need help with server-side GTM?
Get in touch to discuss how we can help you or sign up to our newsletter to receive the latest industry updates in your inbox.