What is Intelligent Tracking Prevention?
Intelligent Tracking Prevention is a feature of WebKit (the browser engine that powers Safari on macOS, and all mobile browsers on iOS and iPadOS), which protects users’ privacy by placing technical restrictions on tracking methods websites can use.ITP aims at “blocking practices that are harmful to users because they infringe on a user’s privacy without giving users the ability to identify, understand, consent to, or control them.”
— WebKit’s Tracking Prevention Policy
What does ITP block?
This section outlines the restrictions that impact marketing teams the most, and how OneView achieves compliance with them. For the full list of restrictions, please check WebKit’s technical documentation.Cookies
OneView achieves full ITP compliance when you send data from a tracking endpoint under your website domain (like
www.example.com/track), either by:- Using a Custom Domain for your Frontend Source
- Using a Backend Source
Understanding cookies:When you visit
www.example.com, cookies fall into two categories:- Regular cookies: set directly via
document.cookieby scripts on the browser; these are always first-party cookies. - HTTP cookies: set via
Set-Cookieheader by a remote server, called by scripts on the browser; depending on the remote server domain:- Same-site domains: Your domain (like
blog.example.comorapi.example.com), these are first-party cookies. - Cross-site domains: Any other domain (like
tracking.vendor.com), these are third-party cookies.
- Same-site domains: Your domain (like
| Restriction | Effect (Engineering) | Impact (Marketing) |
|---|---|---|
| Restricted cookie lifetime: 7-Day Cap on All Script-Writeable Storage | ➡️ Regular cookies (e.g. set by GTM Web): deleted after 7 days after the last user interaction. | ❌ Tracking data is lost after 7 days without user interaction, when using client-side tracking. |
| Tracking subdomains CNAME and Third-Party IP Address Cloaking Defense | ➡️ HTTP cookies (e.g. set by GTM Server): deleted after 7 days. Exemption for first-party same-origin cookies. | ❌ Tracking data is lost after 7 days, when using server-side tracking on a subdomain (e.g. track.example.com). |
- if set by
cross-sitedomains: they are blocked by default - if set by
same-sitedomains or javascript: they are deleted after 7 days of . - if set by
same-origindomains: they are exempted from the 7-day cap.
www.example.com/track) using a Custom Domain for your Frontend Source or by using a Backend Source, for which you manage the custom domain yourself.
URL Parameters
OneView achieves full LTP compliance when you:
- Use
utm_sourceparameters in your campaigns (matching the ones you configured in your OneView workspace) - Enable Enhanced Conversions for your Media Partners
Understanding link decorators:When you click on an ad, the redirect URL often includes parameters (“link decorators”) such as:
domain.example/landing?gclid=123abc(from Google Ads)domain.example/landing?fbclid=456def(from Facebook/Meta)domain.example/landing?msclkid=789ghi(from Microsoft Ads)
gclid, fbclid, msclkid) are detected in the URL on your website, they are used as a trigger to set advertising cookies:- as Regular cookies by javascript (e.g. via GTM Web)
- as HTTP cookies by a server (e.g. via GTM Server)
| Restriction | Effect (Engineering) | Impact (Marketing) |
|---|---|---|
| Parameter redaction: Detection of Cross-Site Tracking Via Link Decoration | 🌐 ➡️ Normal browsing: Regular cookies expiration capped to 1 day, if a tracking decorator (e.g. gclid, fbclid, msclkid) is detected in URL.🕵️♀️ ➡️ Private/Incognito browsing: Blacklisted decorators are stripped from URLs altogether. | 🌐 ❌ Normal browsing: Tracking data is lost after 24 hours when using client-side tracking. 🕵️♀️ ❌ Private/Incognito browsing: Tracking data is always lost. |
- Capping regular cookie lifetime to 24 hours when third-party link decoration (e.g.,
gclid,fbclid,msclkid) is detected - Stripping URL parameters that ad tracking scripts rely on altogether (private browsing mode only)
Normal Browsing mode
OneView workspaces are not affected by LTP restrictions because the cookieless advertising architecture saves Click ID information in your workspace, and not in users’ browsers.Private Browsing mode
OneView achieves LTP compliance through two complementary methods that work even when the browser, a plugin, or a VPN strips all tracking parameters:-
UTM-based attribution: You can configure the
utm_sourceyou use in your Media Partners campaigns, so that if their click ID is unavailable, this parameter will be used to identify them instead. -
Enhanced Conversions: When a source is identified via its
utm_source(and bothad_storageandad_user_dataconsents are granted), OneView sends data via Conversion API, without the need for a click ID.
Which decorators are blocked by LTP?
Which decorators are blocked by LTP?
Apple does not provide a public list of actively blocked decorators.
https://www.example.com/landing?myparam=123), and see if, after the page is loaded, the parameter is still present in the URL or not.Can I use custom tracking templates to bypass LTP?
Can I use custom tracking templates to bypass LTP?
Circumventing browser privacy protections is not recommended. Techniques like parameter renaming:
- Violate your users’ privacy expectations through active circumvention
- Are trivial for browsers to block in future updates
gclid to mygclid or gcl), to then rewrite the URL with the original parameters before sending it to OneView.Why this is fragile:Browsers currently block parameters primarily by name, but extending this to value-based detection is trivial. A click ID like 123456789.987654321 follows a distinctive, recognizable format regardless of whether it’s named gclid, mygclid, or my_tracking_param.Browser vendors already maintain blocklists of known tracking domains and parameters. Applying pattern matching to detect renamed click IDs—especially from known advertising referers—requires minimal additional effort.