Category: Marketing & analytics | Reading time: 6 min
There’s a feature built into every iPhone, iPad and Mac that has been dismantling ad attribution for years. Most marketers are vaguely aware it exists. Very few understand what it’s actually doing to their data – or how many of their visitors it’s affecting.
It’s called Intelligent Tracking Prevention (or ITP). It’s been active since 2017. And in 2026, it’s more aggressive than it has ever been.
What ITP is – and what it actually does
Intelligent Tracking Prevention is a privacy system built into Safari’s WebKit browser engine. It uses on-device machine learning to identify domains that have cross-site tracking capabilities – the Googles, Metas and ad-tech vendors of the world – and applies strict limits to how they can store and access data in the browser.
It is not an ad blocker. It doesn’t prevent your pages from loading or your ads from appearing. What it does is quietly degrade the tracking infrastructure those ads depend on.
The restrictions come in two forms and both matter enormously for attribution.
Third-party cookies: blocked entirely. Safari has blocked third-party cookies by default since 2020. Every cross-site tracking cookie that Meta, Google or any other ad platform tries to set in a Safari visitor’s browser is dead on arrival. Retargeting audiences built on cross-site data, audience matching, cross-device attribution – all of it relies on third-party cookies that simply don’t exist for Safari users.
First-party cookies: capped at seven days. First-party cookies set via JavaScript – which is how most analytics and tracking platforms work – are capped at a seven-day lifespan. If a visitor returns to your site on day eight, the cookie is gone. To GA4, they look like a brand new user. To your ad platform, the conversion has no attribution thread connecting it to the campaign that started the journey.
There’s an even sharper edge case. When a user arrives on your site via a tracked URL – one containing a Google Click ID (gclid) or Facebook Click ID (fbclid), as every paid ad click does – ITP classifies this as link decoration from a known tracking domain and reduces the cookie lifespan to just 24 hours. A user who clicks a Meta ad on Monday and converts on Wednesday has their attribution wiped before the purchase happens.
The scale of the problem
Here’s where the numbers become confronting.
Safari is now used by roughly one in four web users globally. Safari controls 23.4% of mobile browsing globally. Its share is especially strong in markets with high iOS adoption, such as the United States, Australia, Japan and parts of Western Europe.
For businesses targeting consumer audiences in these markets – and that’s most of the businesses running paid media on Google and Meta – Safari is not a niche browser. It is a primary channel. In Australia, the UK and the US, Safari regularly accounts for 30–50% of mobile sessions for consumer-facing brands.
Teams that under-invest in iOS Safari testing miss roughly one in four mobile sessions in mature markets. That same figure applies to tracking: one in four mobile sessions, in many markets, is operating under conditions where your tracking is significantly degraded or broken entirely.
And it’s getting worse, not better. Safari’s 18.4% global share is increasingly driven by iOS, where it controls 23.4% of mobile browsing globally. As iPhone penetration continues to grow in premium consumer markets, the proportion of your audience affected by ITP grows with it.
What this looks like in your data
You won’t see an error. Nor a warning. No gap in your dashboard either. ITP just gives you a series of invisible distortions that compound over time.
Return visitors look like new users. When the seven-day cookie cap erases a visitor’s session history, GA4 registers them as a new user on their next visit. Your new user numbers are inflated. Your returning user numbers are understated. Lifetime value calculations based on session data are unreliable.
Paid traffic gets attributed to direct. A user who clicked your Google or Meta ad and converted more than a week later – or even 25 hours later if they arrived via a tracked URL – shows up as direct traffic in your attribution report. The campaign that drove them gets no credit. Your direct traffic numbers are artificially high. Your paid channel performance is artificially low.
Purchase cycles longer than a week break entirely. In B2B, subscription products, higher-consideration retail and any category where customers research before buying, conversion windows routinely extend beyond seven days. For every Safari user with a purchase cycle longer than ITP’s cookie window, attribution is lost before the conversion fires. These are often your highest-value customers – considered buyers who researched carefully before committing. You lose the ability to remarket to these audiences too.
Smart Bidding trains on a distorted dataset. Every conversion that goes unattributed is a signal the algorithm never receives. Google’s Smart Bidding and Meta’s Advantage+ are learning which users, placements and contexts produce conversions – but for your Safari audience, a large portion of those conversions are invisible. The algorithm’s model of who your customer is has a systematic blind spot. A big one.
Why ITP is particularly damaging for mobile
Mobile deserves specific attention here, because the ITP problem is most acute on the device most of your customers are using.
Safari is the default browser on every iPhone and iPad. Users don’t choose it consciously in most cases – it’s simply what opens when they tap a link.
This means the ITP restrictions aren’t affecting a subset of Safari enthusiasts. They’re affecting the vast majority of iPhone users who visit your site – which in premium consumer markets is the majority of your mobile audience. Mobile traffic itself accounts for a growing share of total web sessions. The intersection of “mobile traffic” and “Safari ITP degradation” is not a niche. It is mainstream.
The purchase journey problem
Let’s put a specific scenario on this, because the abstract numbers are easy to dismiss.
A customer sees your Instagram ad on a Tuesday. They tap through, browse your product, don’t buy. They come back on Thursday via Google search, read reviews, still don’t buy. On the following Wednesday – eight days after the original ad click – they return directly and complete a purchase.
Under client-side tracking with ITP active:
- The Meta pixel cookie from Tuesday has expired. The ad impression that started the journey has no attribution.
- The gclid cookie from the Thursday Google search has been capped at 24 hours. That touchpoint is also gone.
- The purchase on Wednesday is attributed to direct traffic.
Meta and Google see a direct conversion. No channel gets credit. The campaigns that drove the customer through the funnel are penalised in attribution reporting. If you’re using last-click or even data-driven attribution models that depend on intact cookie chains, the entire journey is invisible.
This isn’t an edge case. When that Safari user comes back to your site seven days later to convert, they’re not clicking the original UTM-tagged link anymore. They’re typing your domain directly or clicking a bookmark. The UTM parameters are gone, and without a persistent cookie to connect this session to the original visit, you’ve lost the attribution thread.
Your ad platforms can’t optimize accordingly, and you can’t report on what’s worked.
What server-side tracking recovers
Server-side tracking doesn’t eliminate ITP – Apple’s restrictions apply at the browser level and can’t be fully overridden. What it does is recover a significant portion of the signal that ITP destroys under client-side tracking alone.
The key mechanism is the shift from JavaScript-set cookies to server-set cookies. While ITP caps JavaScript cookies at seven days, server-set cookies on your own domain can persist for longer – preserving the attribution thread across visit sessions that a JavaScript-only implementation would lose.
Additionally, server-side event collection routes tracking through your own domain’s infrastructure rather than through third-party domains. Because the request doesn’t originate from a known tracking domain, it isn’t subject to the same ITP classifications that trigger the most aggressive restrictions.
The result is more complete event collection, more intact attribution chains and a more accurate picture of how your Safari audience – one in four of your visitors, and growing – is actually converting.
Tiide’s browser breakdown dashboard makes this visible in concrete terms.When your site is connected to Tiide, you can see exactly how many Safari events were recovered server-side that would have been lost – and what percentage of your Safari audience’s behaviour would have been invisible without it.
For most businesses, that number is somewhere between 30% and 50% of all Safari events.
That’s the scale of what ITP has been taking, quietly, while your campaigns ran and your reports populated and everything looked normal.
The bottom line
ITP is not a niche technical problem. It’s a structural issue affecting roughly one in four of your visitors – more in markets like Australia, the UK and the US – that has been silently degrading your attribution, your campaign optimization, and your marketing decisions for years.
It isn’t going away. Apple has shown no indication of loosening ITP and every version update since 2017 has made it more restrictive, not less. Privacy is central to Apple’s brand – which means the trajectory is one direction only.
The question isn’t whether ITP is affecting your data. It is. The question is how much – and whether you can see it.
