Safari ITP 2.1 Impact on Adobe Experience Cloud and Experience Platform Customers
What information can I gain from reading this article?
- Apple changed how cookies are persisted in Safari Browsers so that some cookies expire after 7 days.
- Despite the change to Safari, data sets from Adobe Experience Cloud cookies are still being collected.
- Lookback windows and return visitor counts may be reduced for Safari traffic until an Adobe update is made available, targeting end of April to May 2019.
- Along with everyone in the industry, Adobe is developing both short and long-term mitigations. The details in this post can change at any time. What does not change is our commitment to our customers and consumer privacy and choice.
What is ITP 2.1?
On Feb. 21, 2019, Apple announced its latest update to ITP (Intelligent Tracking Prevention). Unlike previous versions focused on third party cookies, this version details new tracking prevention measures for first party cookies. In upcoming releases of iOS 12.2 and Safari 12.1 browsers, first party persistent cookies set through the document.cookie API, often known as “client-side” cookies, have their expiration capped at 7 days. First party cookies set via HTTP response methods are not affected by the update. Third party cookies will continue to be blocked, as stated in previous versions of ITP.
Other statements from ITP 2.1 can be found in the original release from Apple here.
What is the impact for Adobe Experience Cloud customers?
Potential increase of unique visitor counts
Due to the shortened expiration window of seven days, customers may see an increase of unique visitors coming from Safari browsers. Visit and page view counts should not be impacted by the update.
Decreased lookback periods for Target tests
Visitor profiles for Target tests may have a decreased lookback period during decisioning.
Profile Merge Rule impacts in Audience Manager
For customers with high volumes of Safari traffic and high authentication rates, the Total Devices and Avg Number of Devices counts in the Profile Merge Rule reporting may increase as Safari device IDs are re-generated and synced more frequently. This will also impact the composition of customers Profile Link device graph which evaluates the 3 most recent devices linked to a Customer ID, potentially leading to skewed device clusters.
Visitor profiles for Audience Manager segmentation may have a decreased lookback history
Anonymous Safari web data will only be available for 7 days from the user’s last visit. This will impact the amount of historical data available for a single device at the time of segmentation which may impact addressable audience size.
Conversions which occur after 7 days from user’s last visit will be not be attributed in Advertising Cloud
Since the first-party cookies will have a 7-day expiry, if they do not revisit the site to refresh the cookie, any advertising conversion events will not be able to attribute to the advertising campaigns.
What is the impact on user choices?
Adobe strives to offer our customers online Identity functionality that helps them align with their consumers’ privacy choices. User choices made in the browser will continue to be honored by Adobe’s services. Any mitigation efforts, used in line with industry guidelines and practices for notice and choice, will help ensure that the consumers who want a personalized experience can have more accurate personalization.
Which Adobe data sets are impacted the most?
Data sets with high Safari traffic
Across Adobe’s customer base, approximately 20% of total web traffic occurs on Safari. For mobile browser data collection, closer to 50% occurs on Safari. These numbers vary heavily by industry, by data set and by customer. It is important to measure the impact for your own business to understand reporting differences and evaluate changes in implementation. This can be done by methods mentioned below in the “How much does this affect my business” section.
Data sets with infrequent visitor traffic
For now, these cookies are capped at 7 days. If a visitor returns to your property within 7 days, this cookie expiration is renewed. If you have a property that has seasonal traffic, such as tax services or holiday retail, you may see higher impact as this visitor will not be connected between seasons.
First party cookies created through document.cookie are affected. If you are setting any of these cookies via HTTP response (server-side) or using CNAME certification, you are not affected by the changes in ITP 2.1.
- AMCV cookies set by the ECID (Experience Cloud ID) service library
- mbox (Target TNT ID and session ID) set by mbox.js, at.js 1.x and 2.x
- Analytics legacy fallback cookie, s_fid
- 1st Party AAM UUID cookie set by the DIL library or Audience Management Module
Adobe recommends customers measure the impact within their own company first before making any changes to data collection. This can be done by methods mentioned below in the “How much does this affect my business” section.
Which Adobe data sets are least impacted?
Data sets with active visitors who return frequently
If the content of your site is such that customers return daily or at least a couple times a week, the cookies for these active users will be renewed before they expire. Social network, news and other media sites are most likely to have large communities of users who return frequently.
Analytics data sets collected with a legacy, first-party visitor ID cookie
Customers who are using s_vi as their primary visitor ID, and are configured with first party data collection using a CNAME will not be impacted by ITP 2.1. Note that in instances where s_vi cannot be set, the fallback cookie, s_fid may be used and will have a seven day expiration. Analytics legacy s_vi cookie as a third party cookie, including collection targets of 2o7.net or omtrdc.net, continues to be blocked based on earlier versions of ITP.
How much does this affect my business?
It’s important to understand which type of visitor and cookie tracking you have implemented and traffic from Safari to measure impact to reporting and testing. Before changing any implementation, please understand the potential impact first.
Use the following ideas for measuring the impact on your individual business.
Check to see what types of cookies are being set by your Adobe libraries
Open your developer console in your latest Safari browser. If you see any of the cookies listed above set in your first party domain, you may be affected by this announcement.
If you see an mbox cookie set in the context of a CNAME like metrics.mycompany.com, you are using a CNAME for Target reporting and your Target usage is not affected by this announcement. If you see an s_vi cookie, but not an AMCV cookie set in the context of a CNAME, you are using a CNAME for visitor identification and your Analytics usage is not affected by this announcement. If you see both an s_vi cookie and an AMCV cookie set in the context of a CNAME, you have recently or currently are using Grace Period and some of your Analytics traffic may be impacted.
Compare visitor traffic trends between browsers
Use Google Chrome visitor data to help interpret the trends noticed in your Safari visitor data. Depending on the percentage of traffic to Safari and the frequency of your visitors to your properties, your web traffic may not be significantly impacted.
Measure your traffic percentage from Safari browsers
If you have Adobe Analytics you can measure the amount of traffic that is coming from Safari. You can create a segment where Browser Type = Apple.
Then in Analysis Workspace you can apply this segment to the number of visits. We use visits because this metric will not be affected by ITP 2.1 and will give you an accurate view of relative usage of Safari in your user base (assuming Safari users don’t use your site more than other browsers). This will let you create a table like this:
Measure the percentage of visitors who do not return within 7 days
The following segment will show you how many visitors go more than 7 days without returning.
This will let you select visitor who have had a GAP of more than 7 days (the new expiration of cookies set via document.cookie) in their usage patterns. These are visitors who would get a new visitor ID the next time they come to the site. This will let you run a report like the following.
Run this report for dates from January 2019 or before. ITP was announced in February and we saw some users receiving the update in early March. This will give you the number of users who could be affected under ITP 2.1. and can be used to understand how much you will be affected.
How can I mitigate the impact of ITP 2.1 in the short-term?
Adobe’s CNAME and managed certificate program is a differentiator in the industry and a program we are leveraging with ITP adjustments. The Adobe Managed Certificate program lets you implement a new first-party certificate for first-party cookies at no additional cost. Today, Adobe has several CNAME services by solution but we will be looking to leverage the Analytics certification program in short-term.
Any current Analytics customer with a CNAME setup that is also using Experience Cloud ID Services for visitor identification will be able to take advantage of a future ECID library update. This change will allow CNAME certified tracking servers to maintain ECID and be used as reference for visitor identification. Exact details are still being tested and more information to follow in an upcoming version of the ECID library, targeted for general availability the end of April to early May 2019.
We are aware that not all ECID library customers use CNAMES or Analytics. All ECID customers will be offered a CNAME setup in effort to utilize the same capability.
More details to follow from the ECID team in future releases.
If you are not currently leveraging a CNAME for your implementation, you can start the process by talking with your account rep and reading documentation here.
Audience Manager Profile Merge Users
Adobe is investigating ways to mitigate this impact to provide more accurate cluster reporting and segmentation via future feature enhancements.
Advertising Cloud cross-sub-domain tracking
Some of the options to handle the changes in ITP 2.1 do not allow for a Brand to track activity across sub-domains in their site. Advertising Cloud is investigating a near-term option for Brands which have site traffic flowing across sub-domains which will also allow extending cookie expiry beyond 7-days for pixel conversions.
What is Adobe’s perspective of data collection in the future?
Adobe respects consumer privacy options. The Adobe Experience Platform is investigating various identification capabilities to be built as fundamental pieces to future implementations.
- CNAME certification self-serve options across all Adobe solutions
- Flexible visitor ID collection methods, BYOI (Bring your own Identity) and API-first data collection
- Adobe Experience Platform’s identity graphs
- Unified approach to Adobe data collection
These areas, used in line with industry guidelines and practices for notice and choice, will ensure that the consumers who want a personalized experience can have more accurate personalization. Adobe strives to offer our customers, online Identity functionality that helps them align with their consumer’s privacy choices.
Frequently asked Questions:
What if I use a GRACE PERIOD?
You may not see an impact in your Analytics reporting but you will see inconsistency between Analytics and other Experience Cloud solutions
Does this change affect mobile apps on iOS?
No, ITP 2.1 will not apply to embedded browsers in Mobile Apps
Does this change affect other browsers on iOS devices?
No, this change is only related to Safari browsers
Why can’t Adobe create an option for us to set a cookie in local storage?
Local storage prevents customers from tracking cookies across subdomains; data loss from subdomain tracking issues appeared greater than the loss from potential 7 day expiration on first party cookies. Adobe is investigating a fallback option that would allow customers to leverage local storage but there is no official solution at this time.
Will any of my Adobe solution integrations be affected?
ECID-leveraged integrations do not appear to be affected above and beyond the new cookie expirations already stated. However, we are still testing and will provide updates on any individual integration findings.
Additional information by solution
Will my implementation be affected?
That depends on the how you are implemented.
- If you use the visitor ID service — your implementation will be affected in the ways listed above
- If you use a first party CNAME in the first party context and don’t use the visitor ID service — Your implementation will not be affected
- If you use a first party cookie domain in the third party context — 3rd parties have been blocked for some time on Safari so analytics trends won’t change.
- If you use any of the standard 3rd party domain names (e.g 2o7.net, omtrdc.net, etc) — 3rd parties have been blocked for some time on Safari so analytics trends won’t change.
- If you use a custom visitor ID — This will depend on how your store your visitor ID. If you store your ID in a first party “client-side” cookie then you will be subject to the 7 day expiration. If you use other means to store your custom ID then you will need to evaluate if you are affected.
Adobe Audience Manager
Will my implementation be affected?
If you currently use the visitor ID service your implementation will be impacted in the ways listed above.
If you do not use the visitor ID service, the main impact of ITP 2.1 is the availability of the 1st Party AAM UUID cookie which will also be subject to the 7-day expiration.
How will my Addressable Audience counts be impacted?
Users may see a decrease in overall Addressable Audience rates due to the increase in unique visitor IDs. Since Safari natively blocks 3rd party cookies, these additional visitor IDs won’t be synced to partner cookie IDs.
Will my implementation be affected?
If you are leveraging Adobe Target’s client side libraries such as mbox.js, at.js 1.x or at.js 2.x you will be impacted in the ways listed in the section above. This is due to the fact that Adobe Target’s client side libraries utilizes first-party cookies that now have a 7-day expiration in order to execute your personalization campaigns.
Adobe Experience Platform Launch and DTM
Launch itself is not affected by the changes introduced in ITP 2.1 as it relies on local storage for persistence, rather than cookies.
DTM uses 1st-party cookies set client-side for the persistence of data element values and for rule conditions which require persistent storage. Custom code can also be written to set and read cookies directly.
Data elements attempt to retrieve the value as defined when it is accessed. If that produces no result and the data element is set to persist, the persisted value is used as a fallback. This fallback will not be available after seven days.
Similarly, rule conditions can depend on persisted values in cookie storage. When cookies are deleted, then the conditions may not return the results you expected.
Customers concerned about DTM cookie storage should upgrade to Launch.