Blog

How to preserve first-party identity in an ITP 2.0 world

By
Alex Dean
November 24, 2023
Share this post

For this post I want to go deep into a high-profile, complex and technical topic: how Snowplow works with major brands and publishers to preserve the integrity of their first-party customer data collection in the age of Intelligent Tracking Prevention (ITP). I'll also explore how we balance their objectives around identifying and understanding their own customers and audiences, with the pressing consumer need for online privacy.

Trigger warning: some of this post gets quite technical. But it starts simply, with a tale of two tribes. Let me (and Midjourney) paint you a picture…

Gulliver's Travels in Consumer Data Privacy

In Gulliver's Travels, the long-suffering Gulliver encounters Big-Endians and Little-Endians who violently disagree with each other on how eggs should be broken.

If Gulliver were to be washed ashore today in the world of Consumer Data Privacy, he would meet (at least) two tribes: the Madtech Millenarians and the Head-in-Sanders.

The Madtech Millenarians

The Madtech Millenarians believe in a looming Dark Age where we will all regress to observing and engaging with customer behavior using pen-and-pencil. The end-of-days event has a name - the ‘cookiepocalypse’ - and, like any good doomsday cult, plenty of energy is spent arguing about the exact date of said apocalypse.

Nobody knows exactly how many unique horsemen of the ‘cookiepocalypse’ there are (due to cookie deletion policies), but we know two by name: Google and Apple.

Like all believers in a looming apocalypse, the Madtech Millenarians are preppers. American preppers stockpile iodine, British preppers stockpile toilet paper. Madtech Millenarians stockpile PII-heavy profiles for the 250m adults in the USA.

The Madtech Millenarians have a Manichean outlook which is attractively black-and-white to some. Don't drink the Kool-Aid.

The Head-in-Sanders

By contrast, the Head-in-Sanders are in a constant state of denial about the constant march of browser privacy features and data privacy regulations.

Head-in-Sanders most often work at analytics and advertising vendors, at the agency holdcos, or at major publishers. If the Head-in-Sanders had a formal HQ, it would be Pete's Tavern in Gramercy Park.

Intelligent tracking prevention image 2

Common catchphrases for the Head-in-Sanders include:

  • "That only affects you guys in Europe"
  • "Tracking was only ever meant to be a sample"
  • "The Chrome team will blink first"

As a Global 2000 brand, unfortunately you likely have multiple vendors in your adtech and martech stacks who are Head-in-Sanders.

But third-party data is in trouble

Doomsday prophecies often coincide with a full solar eclipse, which makes everybody nervous for five minutes.

The Madtech Millenarians are right about one thing: third-party data is on the ropes. As I set out in my article, Why martech is interesting again:

Client-side third-party tracking is our industry's trans fatty acid: widely used for decades but suddenly deemed incredibly unhealthy to consumers.

I called out three reasons in that post:

  1. Increased regulation around the world to protect the rights of data subjects
  2. Browser vendors are becoming increasingly intolerant of third-party cookies
  3. Heightened awareness of the importance of protecting vulnerable constituencies online

There's a lot to dig into here - but for the rest of this post, we will zero in on the browser privacy point, specifically Apple's Intelligent Tracking Prevention.

Apple and browser privacy

Apple has put consumer privacy protection at the heart of its brand. In 2022, at the IAPP Global Privacy Summit, Tim Cook said that protecting privacy is not easy but "is one of the most essential battles of our time." His statements struck a chord with consumers wanting to see their privacy respected.

Apple's device footprint gives Safari 25% of the mobile browser market1, and 20% of the global web browser market (including PC and connected TV)2. Plus Apple users skew wealthier (on average!) than Android users. All of this makes Apple a major player in browser privacy.

So what did Apple do with Safari?

Intelligent Tracking Prevention 1.0

In September 2017, Apple updated the Safari browser to include a new feature called Intelligent Tracking Prevention (‘ITP’). ITP 1.0 introduced a browser setting called “Prevent Cross-Site Tracking”, which was enabled by default.

This feature limited the ability of third-party service providers to read cookies from an advertiser’s website beyond the initial 24 hours.

From Intelligent Tracking Prevention 1.0 to 2.3

For the next two years, Apple rolled out further ITP versions which came with significantly enhanced restrictions. By the time the dust had settled on ITP 2.3, Safari operated as follows:

  • Third-party cookies were blocked
  • First-party client-set cookies and items in browser storage were erased if users didn’t interact with the website for 7 days

This affected most tracking tools - but not a proper Snowplow setup, as we will see later.

April 2023: Safari 16.4

In April 2023, Apple Safari 16.4 introduced further restrictions on first-party cookies, imposing a maximum 7 day lifetime of server-set cookies for many tracking setups.

The new restriction required that the IP address of the website, and that of the server setting tracking cookies approximately match. It once again nullified the workarounds adopted by many companies as a result of Intelligent Tracking Prevention.

Put all this together and it's clear that Apple is serious about preserving the browser privacy of its device owners. As brands and publishers seeking to understand and better serve our customers, where do we go from here?

It was always about first-party data

There is a third way between the Madtech Millenarians and the Head-in-Sanders, although not every actor in this market is commercially, technologically or culturally ready for it.

It involves understanding - and respecting - the needs of all stakeholders:

  1. Consumers - the right to privacy; the expectation of receiving a high-quality digital service
  2. Publishers - the ability to monetize their audiences
  3. Brands - the ability to acquire and retain their customers
  4. Platforms - preserving or growing market share; monetizing activity on the platform (e.g. advertising, app purchases)
  5. Regulators - protecting consumer privacy; preventing anti-competitive behavior

This looks complicated but really these competing priorities boil down to two: the right for consumers to a material degree of online privacy, and the commercial imperative for businesses to make money.

The only way to square these two competing forces is through first-party data.

The third way is first-party

First-party data is data collected by a brand or publisher when observing their own customers, viewers, readers or users.

Snowplow has been proudly helping brands and publishers generate first-party data since we launched as an open-source project in 2012.

As a primary tag across web, mobile, connected TV and more, Snowplow enables brands to generate rich first-party customer behavioral data and flow it directly into the brand-owned data warehouse or data lake. The same applies for publishers: we are used heavily by the Comscore 50 to understand their audiences in unmatched detail.

First-party data and ITP

There is a really important point to make here: Intelligent Tracking Protection is not designed by Apple to prevent brands and publishers from understanding their own customers.

Apple's complaint is with adtech vendors, ad networks and other middlemen who are trying to insert themselves into the data supply chain between consumers and brands.

Apple doesn't have a problem with their device owners being somebody's customer - they have a problem when their owners become the advertising product being sold. From the consumer perspective, it’s similar: it is a vast difference if I consent to give my data to a company, versus if my data gets exposed and shared with a dozen third parties I have no direct relation to.

Theory → Practice

Enough exposition, let's talk about an applied example: specifically, how Snowplow has been navigating the new browser privacy landscape of Intelligent Tracking Protection.

While ITP is not designed to target brands collecting first-party data, it has some sharp edges and gotchas which have to be navigated carefully. In contrast to using classic third-party solutions, Snowplow helps its customers overcome these sharp edges and tracking prevention challenges to allow rich, consented first-party data collection with maximum accuracy over long periods of time.

Handling Intelligent Tracking Prevention

Some technical jargon: a well-configured Snowplow pipeline will server-set first-party cookies with the Set-Cookie HTTP response header. The server (‘collector’) setting the cookies will have its domain configured with A/AAAA records - no CNAME cloaking.

Thanks to these steps, Snowplow sets first-party cookies which are not impacted by ITP. A brand or publisher using Snowplow can track their customers with a persistent ID across their first-party domain.

However, in April 2023 things got more complicated…

Reacting to Safari 16.4

In April 2023, when the Safari 16.4 news came out, Snowplow Senior Solutions Engineer Trent Kalisch-Smith wrote an article for our blog, Safari ITP update: is it possible to have cookies that last longer than 7 days in 2023?

This article provided context on the new ITP development, provided an interim solution for Snowplow pipelines and invited the community to reach out to us to discuss a more elegant solution.

Customers, community members and partners responded to this post with awesome ideas and feedback - thank you! As a result, last month we released the Snowplow ID Service, a response to ITP 2.0 which preserved the integrity of first-party customer data collection - all while respecting Apple's intent around Intelligent Tracking Protection.

What’s next?

Snowplow’s technological innovations in this area, such as anonymous tracking, advanced privacy controls around PII, and now the Snowplow ID Service, are not built to circumvent regulations or understandable privacy wishes of consumers.

They allow you to remain in control over one of the most valuable datasets: customers’ behavioral data, while fully respecting customers and law.

We continue to keep a close watch on innovations across the browser privacy landscape, whether from Apple, Google or others. We are committed to understanding - and respecting - the needs of all stakeholders.

Closing thoughts

In today’s world of Consumer Data Privacy, the Madtech Millenarians and the Head-in-Sanders can continue to debate the looming ‘cookiepocalypse’, but this does not solve for the customer, or consumer.

Consumers want their privacy respected and protected, but they also crave personalization. According to Accenture, “83% of consumers are willing to share their data to create a more personalized experience."

As an industry, we all have to work together to thread the needle and balance these competing imperatives of privacy and personalization. The only way to square these competing forces is through first-party data.

Read more articles like this

This article originated from Alex Dean's Substack Source of Truth where he charts the 'Great Reset' that is coming in the adtech-martech solution space.

Subscribe to our newsletter

Get the latest blog posts to your inbox every week.

Get Started

Unlock the value of your behavioral data with customer data infrastructure for AI, advanced analytics, and personalized experiences

Book a Demo