The Safari ITP Conundrum: How to Maintain First-Party Data Without an Expiration Date


By Lisa Zavetz

In the words of Greek Philosopher Heraclitus, “πάντα χωρεῖ καὶ οὐδὲν μένει.” Or, if your ancient Greek is rusty, “Everything changes and nothing stands still.”

Surely Heraclitus couldn’t predict the impact customer data would have on digital marketing, but his sentiment rings true today.

Over the years, marketers and engineers alike have followed industry trends on customer privacy. From key browsers eliminating the third-party cookie to the rise of GDPR and CCPA, it’s clear that the need to protect customer privacy is at the forefront of these changes. And relying on first-party data was thought to be the clear winner. First-party data has ruled supreme, becoming the gold standard for marketers who want to send customized content to their customers and engineers who want to remain compliant. 

Today, we’re going to take a deeper dive into a part of the Apple Safari regulation, which puts first-party data in the hot seat. In short, the Safari browser will now clear the cache of customer data after 7 days of inactivity. So if a customer buys running shoes on your website, and returns 7 days later, that customer will not be linked with their purchase. They will look like a random, new user to your site. This is creating a huge void in the world of marketing: it affects retargeting ads and attribution, and the data gives you an incomplete view of your customer.

But this isn’t our first rodeo. We won’t leave you to fend for yourself in this “wild west” of customer data regulations. In this blog, we’ll outline the changes to browser caches, their impact on marketers, and how Segment's Edge SDK offering can help extend the life of your first-party cookies.

Safari’s ITP limits life of first-party data

A key player in this story is Intelligent Tracking Prevention (or ITP for short). Introduced by Safari in 2017, ITP “reduces cross-site tracking by further limiting cookies and other website data.”

A quick refresher: first-party cookies are used to store preferences and identifiers and track analytics to give users a more personalized experience.

Third-party cookies are created and stored by third-party companies that are separate from the website’s owners. They’re responsible for the ads that follow you around the internet, and are understood as providing less accurate data on the customer.

Third-party cookies lost their traction throughout the years due to government regulations and general distrust by consumers. So it makes sense that with ITP, third-party cookies are blocked by default.


It’s important to note that even though first-party data is not being targeted, it can be restricted by ITP because it has the potential to be abused for cross-tracking.

Safari has limited the time to live for cookies set through JavaScript’s document.cookie to 7 days. If a user returns to the advertiser’s website within a week, the expiration date extends another 7 days.

If these JavaScript document.cookie cookies are created by a tracking domain and use link decoration, they expire after 24 hours.

This expiration date makes it very challenging to maintain user data for long periods of time.

How these changes will affect marketing teams

Studies show almost half of consumers say they will become a repeat buyer after they have a personalized shopping experience with a retailer. And thanks to first-party data, marketing teams have an easier time collecting and acting on insights provided by the customers themselves.

But ITP’s limitation of first-party cookies is posing a challenge to marketers. 

Imagine a world where marketers could only access customer data for seven days. After this week, a user will be registered as “new” to the website, regardless of whether they visited before. 

Conversions taking longer than 7 days will lose their true attribution source, meaning marketing teams won’t be able to determine the true success of their campaigns. It can also derail efforts to understand user preferences across devices. Such a limited view of the customer’s history and interactions also renders retargeting advertisements relatively useless.

Incomplete data leads to a lack of data fidelity, which is the accuracy with which the data truly matches the source. So marketers will be left with a tricky choice: switch to more general, less data-driven campaigns, or risk sending inaccurate “one size might fit you” messages to their customers.

Thankfully, there is a solution that allows marketers to continue collecting first-party data without an expiration date.

The not-so-secret ingredient: Server-side cookies

Earlier, we outlined that cookies are stored by the browsers themselves and, at the hands of browsers, can be deleted when the browser sees fit. These cookies are considered to be on the “client-side.”

Server-side (HTTPOnly) cookies, unlike regular cookies, cannot be accessed by client-side scripts like JavaScript. The primary distinction between the two lies in their level of accessibility. While regular or client-side cookies can be both created and manipulated by scripts running in the browser, HTTPOnly cookies can only be created and modified by the server. This difference means HTTPOnly cookies provide a more controlled environment for data storage as they are strictly handled by server-side operations.

Server-side cookies play nicely with Safari ITP because, since they’re only accessed by the web servers, they inherently offer more privacy protection. ITP is less likely to block them, as they’re not as prone to be used for user tracking purposes. So, they’re often a better choice than normal, or client-side cookies, for maintaining website functionality while respecting user privacy.

How can a CDP like Segment help?

Twilio Segment provides an early solution to maintaining customer data beyond 7 days in the Segment Edge SDK, currently available for and compatible with Cloudflare Workers. Cloudflare’s Worker handles HTTP traffic and provides serverless computing, allowing engineers to write and run their own code across Cloudflare's global network of servers. The result is a quicker and more efficient way for developers to build and deploy their applications instead of spending time managing servers and infrastructure.

  • Customer data retention with ITP: 7 days

  • Customer data retention with Edge: 365 days

The Segment Edge SDK adds a component to Segment’s traditional client-side mode, called the edge, which sits between the device SDK and Segment infrastructure. It works with the customer’s Cloudflare infrastructure and the Segment servers to deliver Analytics.js to the customer’s application pages, and send traffic directly to the Segment servers.

The SDK is open-source and available on GitHub, so developers can contribute to the project and improve it over time.

The edge component also includes an Edge Worker. Think of it as a serverless function that is fast, affordable, and can intercept all the requests between browser to/from Segment, or browser to/from a customer website, and also modify and re-route those requests.

Segment Edge will run under the customer’s domain (rather than running in Segment) so it offers some advantages for first-party data collection. By running a Cloudflare edge worker on the customer’s first-party domain, the Segment Edge SDK will be able to manage first-party delivery and transport.

The Edge SDK will modify analytics.js cookies into HTTPOnly cookies through the interception of existing cookies or the generation of new ones at the Edge. This process involves extracting the user identity from an identify event and subsequently assigning a server-side cookie when responding to the user. By utilizing the cookie identifier, subsequent requests to the Edge SDK can be associated with the user's identity. Intercepting identity cookies like ajs_user_id and ajs_anonymous_id at the Edge also facilitates personalization use-cases.
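
The re-issuing step described above, as an added example (not code from the Segment Edge SDK): it reads the `ajs_user_id` and `ajs_anonymous_id` cookies from a request's `Cookie` header and returns the `Set-Cookie` values an edge worker on the first-party domain would attach to its response. The function names, the `Secure` and `SameSite=Lax` attributes, the value check and the sample header are assumptions made for the illustration.

```javascript
// Added example. Cookie names and the 365-day lifetime come from the article;
// function names, extra attributes and sample data are assumptions.
const IDENTITY_COOKIES = ["ajs_user_id", "ajs_anonymous_id"];
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// Parse a Cookie request header into a Map of name -> raw value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    if (eq < 1) continue; // skip empty or nameless segments
    const name = pair.slice(0, eq).trim();
    if (!jar.has(name)) jar.set(name, pair.slice(eq + 1).trim());
  }
  return jar;
}

// RFC 6265 cookie-octet check: no control characters, space, double quote,
// comma, semicolon or backslash, so a client-supplied value cannot smuggle
// extra attributes or headers into the Set-Cookie line.
function isSafeCookieValue(value) {
  return /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/.test(value);
}

// Return the Set-Cookie header values that re-issue the identity cookies as
// server-set HttpOnly cookies. newAnonymousId is used only when the request
// carried no anonymous id (the "generation of new ones" case).
function reissueIdentityCookies(cookieHeader, newAnonymousId) {
  const jar = parseCookieHeader(cookieHeader);
  if (!jar.has("ajs_anonymous_id") && newAnonymousId) {
    jar.set("ajs_anonymous_id", newAnonymousId);
  }
  const setCookies = [];
  for (const name of IDENTITY_COOKIES) {
    const value = jar.get(name);
    if (!value || !isSafeCookieValue(value)) continue;
    setCookies.push(
      `${name}=${value}; Max-Age=${ONE_YEAR_SECONDS}; Path=/; HttpOnly; Secure; SameSite=Lax`
    );
  }
  return setCookies;
}

// Constructed sample request header, not captured traffic.
const sampleHeader = "theme=dark; ajs_anonymous_id=7f3c1e2a-constructed; ajs_user_id=user_123";
console.log(reissueIdentityCookies(sampleHeader));
```

Once a cookie carries `HttpOnly`, scripts in the page can no longer read it through `document.cookie`, so anything in the browser that needs the identifier has to get it from the server side.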


For full details, read this blog!


As internet browser rules are created and modified, it’s clear that customer privacy will remain at the forefront. While Safari’s ITP is dedicated to protecting users’ online privacy, it presents challenges for teams who want to understand customer attribution and get a complete view of their customer. It also presents an opportunity for software developers to reconsider traditional data collection methods in a more privacy-friendly approach.
