ITP (Intelligent Tracking Protection)

Apple's privacy framework, built into Safari, that restricts how tracking cookies and storage can be used. The single biggest force behind tracking degradation in the consumer web.

Daniel Busch
Written by Daniel Busch · Chief of Staff

In short

  • Blocks third-party cookies entirely
  • Caps first-party cookies set via JavaScript to 7 days (24 hours in stricter modes)
  • Limits CNAME-cloaked third-party trackers
  • Together with ETP and ad blockers, removes 30-40% of conversion data from typical pixel-only tracking

What ITP does

ITP shipped in Safari 11 (2017) and has tightened with every major Safari version since. The current 2026 ruleset:

  • Third-party cookies are blocked by default for cross-site tracking
  • First-party cookies set via document.cookie (i.e. by JavaScript) expire after 7 days
  • First-party cookies set in stricter modes (Private Browsing) cap at 24 hours
  • CNAME cloaking (where a third-party tracker uses a CNAMEd subdomain of your site) gets the same 7-day cap
  • Storage Access API required for cross-site iframes to access cookies at all

The cumulative effect: tracking that relies on persistent cookies set client-side stops working reliably for Safari users.

What ITP breaks

Concretely:

  • Cross-session attribution. A user who comes back after 7+ days appears as a new user.
  • Cross-device journeys. Without a stable cookie, you can’t anchor probabilistic identity matching.
  • Long-window attribution. A 30-day click attribution window degrades to effectively 7 days on Safari.
  • Retargeting audiences. Audience lists built on cookie persistence shrink dramatically.

ITP doesn’t break tracking universally, it specifically targets cookie-based tracking, especially the third-party kind that ad networks built their business on.

How to survive ITP

Three patterns work:

  1. Server-side first-party tracking. Set cookies via HTTP headers from your own server (not via JavaScript). These get longer lifespans than JavaScript-set cookies.
  2. Server-side identity. Identity lives in your backend, not in a cookie. Re-issued to the browser as needed.
  3. CAPI / Conversions API integration. When the browser pipeline degrades, the server pipeline still works. Pair pixel + CAPI for resilience.

These don’t perfectly replace what ITP took away, but they recover most of it for users who interact with your business in identifiable ways (logged in, repeat visitor, hashed-email match).

Common mistakes

  • Setting first-party cookies via document.cookie. Capped to 7 days by ITP. Use HTTP Set-Cookie headers instead.
  • Treating Safari as a small slice. In premium / DTC verticals it’s often 40%+ of traffic.
  • Relying on the third-party pixel as the only conversion path. Guaranteed to under-report.

FAQ about ITP (Intelligent Tracking Protection)

What is ITP?

ITP (Intelligent Tracking Protection) is Apple’s privacy framework built into Safari. It blocks third-party cookies entirely and caps first-party cookies set via JavaScript to 7 days.

How do I work around ITP?

Use server-side first-party tracking, set cookies via HTTP headers, not via JavaScript, and run conversion events through CAPI or similar server-side APIs that do not depend on browser cookies.

Does ITP affect Chrome and Firefox?

ITP is Safari-only. Firefox has a comparable system called ETP (Enhanced Tracking Protection). Chrome has its own evolving restrictions including Privacy Sandbox and ongoing third-party cookie deprecation.

How ITP (Intelligent Tracking Protection) works with adtribute

Related terms

Mentioned on these pages

Blog

Glossary

Directory

Unlock Better Data Today

Join 100+ leading e-commerce brands using adtribute to track, attribute, and optimize their marketing.

Book a Demo View Pricing