Safari ITP Is Quietly Killing Your Ad Attribution. Here’s How to Fix It
Safari’s Intelligent Tracking Prevention deletes cookies, strips Click IDs, and blocks storage, making it impossible for ad platforms to attribute conversions from over half of US mobile traffic. Read on for the fix.
Safari controls over 50% of mobile browser traffic in the United States. If you’re running paid ads, that means more than half of your mobile visitors are subject to Apple’s Intelligent Tracking Prevention (ITP), a set of privacy restrictions that systematically breaks ad attribution.
The result: conversions that actually happened never make it back to Google, Meta, or any other ad platform. Your campaigns look worse than they are, your algorithms optimize on incomplete data, and your CPAs are higher than they need to be.
Here’s exactly what ITP does, why it matters for your ad spend, and how to fix it.
What Safari ITP actually does
Intelligent Tracking Prevention is built into WebKit, the engine that powers Safari on every Apple device: iPhones, iPads, and Macs. Apple has been tightening these restrictions since 2017, and each update removes another piece of the tracking infrastructure advertisers depend on.
Here’s what ITP enforces today:
Client-side cookies expire in 7 days
Cookies set through JavaScript (document.cookie) are capped at 7 days of expiration. It doesn’t matter if you set them to last a year. Safari will delete them after 7 days of browser use.
For many B2B companies where sales cycles run weeks or months, this means the cookie linking an ad click to a conversion is long gone by the time the user converts.
Link decoration triggers a 24-hour cap
When a user clicks a link from a domain Safari classifies as a cross-site tracker (which includes Google, Meta, and the other major ad platforms), and the URL contains query parameters like a Click ID, ITP imposes a stricter limit. Cookies set via JavaScript after that navigation expire in just 24 hours.
This is the rule that directly targets ad click tracking. A visitor clicks your Google ad, lands on your site with a gclid parameter, and your JavaScript stores it in a cookie. If that visitor doesn’t convert within 24 hours, the cookie is gone and the conversion can’t be attributed.
Script-writable storage gets purged too
It’s not just cookies. As of ITP 2.3, all script-writable storage (LocalStorage, IndexedDB, SessionStorage, and Service Worker caches) gets purged without user interaction on the site. Storing Click IDs in LocalStorage as a workaround doesn’t help.
Click IDs are being stripped from URLs
Starting with Safari 26 and iOS 26 (released September 2025), Apple expanded Link Tracking Protection to strip known tracking parameters from URLs. In Private Browsing mode (as well as links opened from Mail and Messages), Safari removes gclid (Google), fbclid (Meta), msclkid (Microsoft), and twclkid (Twitter/X) from the URL entirely, before your page even loads.
UTM parameters (utm_source, utm_campaign, etc.) are not affected, since they track at the campaign level rather than the individual user level. But Click IDs, the parameters ad platforms need to attribute a specific conversion to a specific click, are the ones being removed.
Third-party cookies are completely blocked
Since Safari 13.1 (released in 2020), all third-party cookies are blocked by default. There are no exceptions. If your tracking relies on a cookie set by a domain other than your own, Safari won’t store it.
Why this matters for your ad spend
The scale of impact is hard to overstate.
Safari dominates US mobile traffic. Safari holds roughly 51% of mobile browser market share in the United States, according to Statcounter (January 2026). Mobile accounts for about 46% of all US web traffic. Do the math: roughly one in four of your website visitors is on Safari and subject to these restrictions. For paid social, the skew is even sharper: across the US brands we work with, over 70% of website traffic from Facebook Ads comes from Safari. If Meta is a meaningful channel for you, ITP is affecting the majority of that traffic.
The attribution gap compounds. When you combine ITP’s 24-hour cookie cap on decorated links, the 7-day limit on client-side storage, full third-party cookie blocking, and Click ID stripping in Private Browsing, the percentage of Safari conversions your ad platforms can actually attribute drops dramatically.
Ad blockers make it worse. Up to 30% of internet users in the United States use ad blockers, which block tracking pixels and scripts entirely, even on browsers without ITP. Layer ad blockers on top of Safari’s restrictions and the data gap grows further.
Algorithms can’t optimize on invisible conversions. Every conversion that goes unattributed is a conversion Google’s Smart Bidding, Meta’s Advantage+, or TikTok’s optimization algorithms can’t learn from. They’re optimizing your bids and targeting based on maybe half the actual picture, which means higher CPAs, worse targeting, and wasted budget.
Why client-side workarounds don’t work
Some teams try to work around ITP with client-side fixes:
- Setting longer cookie expiration: Safari ignores it. JavaScript cookies are capped at 7 days regardless.
- Storing Click IDs in LocalStorage: Purged after 7 days without interaction, same as cookies.
- Using first-party subdomains for tracking pixels: Safari’s classification system catches CNAME cloaking. If the underlying IP resolves to a known tracker, the 7-day cap still applies.
- Fingerprinting: Safari 26 introduced Advanced Fingerprinting Protection by default, which adds noise to the browser APIs used for fingerprinting techniques.
Apple has systematically closed every client-side workaround. Each ITP update patches the gaps that advertisers found in the previous version.
The fix: server-side cookies and server-side tracking
ITP’s restrictions apply specifically to client-side storage: cookies set via JavaScript, data written to LocalStorage, and similar browser-side mechanisms. But cookies set by your server through HTTP response headers (so-called “server-side cookies”) are not subject to the 7-day or 24-hour caps.
This is the key distinction. When your web server sets a cookie in the HTTP response, Safari treats it as a genuine first-party cookie with the full expiration you specify. ITP doesn’t cap it.
The approach has two parts:
1. Set tracking cookies server-side
Instead of using JavaScript to store Click IDs and attribution data in the browser, capture them on the server when the landing page loads and set them as HTTP-only cookies in the server response. These cookies persist at their full expiration, surviving well beyond ITP’s 7-day and 24-hour limits.
This means a visitor who clicks your ad on Monday and converts two weeks later still has the original Click ID stored in a cookie that Safari hasn’t deleted.
2. Send conversions server-side
Instead of relying on a browser pixel to fire when someone converts, send conversion data directly from your server to the ad platform’s Conversions API (Google Enhanced Conversions, Meta CAPI, etc.). This bypasses ad blockers entirely and ensures every conversion reaches the ad platform with the original Click ID and first-party matching parameters attached.
Together, these two changes recover the attribution signal that ITP destroys.
How Aetra can help Segment users
If you’re using Segment, there’s a critical piece of the puzzle that often gets overlooked: Segment’s anonymous_id is set client-side, which means after an ad-click Safari caps it at 24 hours. When that cookie expires, Segment treats a returning visitor as a brand-new user. Your identity resolution breaks, your conversion paths fragment, and the ad click that started the journey gets lost.
Solving this isn’t automatic—it depends on your website architecture. But if you’re on Segment, we can help.
We’re experts at Segment implementations and have a deep understand how the tracking works. We can help you set up a Cloudflare Worker that runs on your existing domain to set Segment’s anonymous_id as server-side cookies when visitors land on your site. Safari treats those as genuine first-party cookies with their full expiration intact, so the thread that ties an ad click to a conversion survives even weeks later.
Here’s what that setup enables:
Server-side anonymous_id When a visitor lands on your site, the Worker sets Segment’s anonymous_id as a server-side cookie. Safari won’t delete it.
First-party data collection through Aetra. Aetra collects matching parameters (email, phone, etc.) from your existing Segment events and builds an attribution profile for each visitor, giving ad platforms the first-party signals they need for Enhanced Conversions and Advanced Matching even when Click IDs are stripped.
Identity resolution that survives ITP. When an anonymous visitor returns and identifies themselves days or weeks later, Aetra links their original ad click to their identified profile. Because the anonymous_id was set server-side, Safari hasn’t expired it, and the connection holds.
Enriched server-side conversions. Every conversion event flowing through Segment gets enriched with the original click data and matching parameters before it reaches Google, Meta, TikTok, or any other ad platform destination. The data goes server-to-server. Ad blockers and ITP don’t touch it.
Teams using Aetra are seeing 30–50% higher match rates and 25% lower CPAs, improvements driven largely by recovering the Safari conversions that were previously invisible.
After setting up Aetra, we doubled orders in Google Ads and saw a 36% increase in leads on Facebook
Stefan Harvalias, CMO, Tawkify
The bottom line
Safari ITP isn’t a temporary inconvenience. Apple has been tightening these restrictions for nearly a decade, and the direction is clear: every version removes more client-side tracking capability. With Safari 26 now stripping Click IDs from URLs entirely in Private Browsing, the trend is only accelerating.
If you’re still relying on client-side pixels and JavaScript cookies for ad attribution, you’re already losing a significant portion of your conversion data from Safari users, and that share of traffic is too large to ignore.
Server-side tracking is the durable fix. Move your tracking infrastructure off the browser and onto the server before the next Safari update takes another piece away.
If you’re running ads and using Segment, schedule a demo to see exactly how much Safari conversion data you’re missing and how Aetra recovers it.
Engineer turned marketer with 10+ years in ad tech and marketing technology. Obsessed with closing the gap between ad spend and accurate attribution.