What are the impacts of ITP on tracking?
What is ITP?
Intelligent Tracking Prevention (ITP) is a privacy feature built into Apple's Safari browser. It uses on-device machine learning to classify domains with cross-site tracking abilities and progressively restricts their access to cookies and storage. ITP has evolved through several versions, each tightening restrictions further.
Which browsers and devices are affected?
ITP applies to Safari on macOS (Mojave 10.14 and above) and Safari on iOS/iPadOS (iOS 12 and above). Since Safari is the default browser engine on all iOS devices (including in-app browsers), the impact extends to a significant share of mobile traffic.
Impact on visitor identification (cookie lifetime cap)
Starting with ITP 2.1, all persistent cookies created via document.cookie (JavaScript) are capped to a 7-day expiry. Since the Piano Analytics JS SDK sets its visitor identification cookie via JavaScript by default, this means:
If a visitor returns after more than 7 days without visiting your site, they may be assigned a new visitor ID.
This can inflate unique visitor counts and distort visitor-centric metrics (e.g., visits per visitor, new vs. returning visitors).
Measuring the impact: if you have implemented user identification (logged-in user tracking), you can analyze the number of distinct visitor IDs per identified user on iOS/Safari devices to estimate the effect of cookie expiration.
Recommended solution: implement a server-side cookie endpoint that sets Piano cookies via HTTP response headers. Cookies set this way by a first-party server are not subject to the same 7-day cap.
Alternatively, using Custom Domain Data Collection (CDDC) allows cookies to be set in a server-side first-party context, bypassing this limitation.
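The server-side cookie endpoint recommended above, as an added sketch that is not Piano's own code: it builds the Set-Cookie response header that re-issues the visitor cookie from a first-party server, and rejects incoming values that could inject headers. The cookie name `visitor_id`, the 395-day lifetime and the ID format are assumptions; substitute the cookie name and lifetime your SDK configuration actually uses.

```javascript
// Added example. COOKIE_NAME, MAX_AGE_S and ID_RE are assumptions for
// illustration, not values taken from the Piano documentation.
const COOKIE_NAME = 'visitor_id';
const MAX_AGE_S = 395 * 24 * 60 * 60;
// Accept only IDs this endpoint could have issued. Anything else (CR/LF,
// ';', spaces, oversized values) is discarded instead of being echoed back
// into a response header.
const ID_RE = /^[A-Za-z0-9-]{16,64}$/;

// Extract one cookie value from a raw Cookie request header.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Build the Set-Cookie header value the endpoint returns.
// freshId: random ID supplied by the caller (e.g. crypto.randomUUID()),
// used only when the request carries no valid visitor cookie.
function buildVisitorSetCookie(cookieHeader, freshId) {
  const existing = readCookie(cookieHeader, COOKIE_NAME);
  const id = existing && ID_RE.test(existing) ? existing : freshId;
  if (!ID_RE.test(id)) throw new Error('invalid visitor id');
  return [
    `${COOKIE_NAME}=${id}`,
    `Max-Age=${MAX_AGE_S}`,
    'Path=/',
    'Secure',
    'SameSite=Lax',
    // No HttpOnly: client-side JavaScript has to read this cookie to
    // synchronise privacy and consent state.
  ].join('; ');
}

// Constructed sample request header (not real traffic).
const SAMPLE_ID = '3f1c2a9e-7b44-4d1e-9a10-5c2e8f0b6d21';
console.log(buildVisitorSetCookie(`theme=dark; visitor_id=${SAMPLE_ID}`,
  'fresh-id-0000000000'));
```

The endpoint has to be served from the same site as the pages it supports so the browser treats the response as first-party.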
Impact on referrer and page URL data
For third-party requests to domains classified as possible trackers, Safari downgrades the referrer to the page's origin only (e.g. https://www.example.com/ instead of the full URL). If your implementation relies on the page URL rather than explicitly tagged page names, you may lose page-level detail in your reports.
Recommended solution: always tag page names explicitly rather than relying on the URL.
Enable addEventURL: true to capture full URLs including marketing parameters.
Set your Referrer-Policy to no-referrer-when-downgrade to preserve referrer data where possible.
Impact on third-party cookies
Third-party cookies for domains classified with tracking abilities are blocked entirely. Partitioned cookies are no longer supported. This means any tracking relying on third-party cookies will not work in Safari.
Recommended solution: use first-party cookies. The Piano Analytics JS SDK uses first-party cookies by default, so this particular restriction should not directly affect standard implementations.
How to mitigate ITP effects with CDDC?
Custom Domain Data Collection (CDDC) is the most effective mitigation available. It works by collecting data on a customer-controlled subdomain via a CNAME record, which allows cookies to be set server-side (via HTTP response headers) rather than through JavaScript. Server-set cookies are not subject to the 7-day cap.
CDDC also reduces the impact of some ad blockers, since requests appear first-party from a network perspective.
Important: CDDC mitigates but does not fully bypass all Safari storage restrictions in newer versions. There is no single solution that completely restores pre-ITP behavior.
For organizations relying on the ePrivacy exemption, client-side cookies are required. This is due to synchronization needs (including the ability for JavaScript to determine privacy status and handle opt-out/consent state appropriately).
Because server-side cookies are not directly accessible to JavaScript in the same way, using only server-set identifiers can prevent the required real-time synchronization and can lead to privacy compliance issues depending on the implementation.
Other options are available, such as:
Self-Host the SDK: download the SDK from the Piano Analytics JS GitHub repository and host it on your own infrastructure. Optionally rename the file (e.g., yoursite.com/custom-name.js) to also avoid ad blocker detection.
NPM Integration: bundle the piano-analytics-js package directly into your JavaScript application via NPM/ESM. This makes the SDK a fully first-party component of your application bundle.
Server-Side Implementation: construct hits server-side using the Collection API, bypassing client-side restrictions entirely. Ensure the previous_url property is populated for each page view to avoid misclassification as Direct traffic.