Google Privacy, Apple ITP 2.3, and your PartnerStack program


It has never been safer to browse the internet.

Built-in privacy controls, powerful adBlockers, and initiatives from Mozilla, Apple, and web consortiums to restrict web-based tracking give today's consumers powerful control over their data.

Additionally, regulations such as Privacy Shield and the EU's GDPR (General Data Protection Regulation) work to institutionalize the protection of consumer data online.

While PartnerStack strongly supports data and privacy regulations, we also acknowledge how data protection efforts can introduce new challenges for your performance marketing efforts.

In this post, we'll highlight how PartnerStack keeps your partner program humming while staying compliant and respectful of your users' data.

Cookie Tracking & Performance Marketing

Most modern browsers provide consumers with strong controls over the types of cookies websites can store. Cookies are generally described as being either 1st-party or 3rd-party cookies. 

1st-party cookies

First-party cookies are cookies that are set by the current website you visit, and control things like:

  • login authentication
  • user preferences
  • web interfaces (presence of a pop-up)

Because these cookies can affect the usability of the website you're on, they are usually not the target of blockers or user controls.

3rd-party cookies 

Third-party cookies are cookies that are set by a website other than the one you are currently on. 

For example, might have a Facebook "Like" button on their site. That like button will set a cookie that can be read by Facebook. That would be considered a third-party cookie.

Many advertising networks lean on 3rd-party cookies to tag traffic and individuals who have taken a certain action on another website. These can be actions such as "Liking" a Facebook page, making a purchase on a website, or simply just visiting a particular page.

The tracking nature of these cookies has made them the target of adBlockers, web browsers, and industry leads who natively block them from tagging traffic.

What kind of cookies does PartnerStack use?

PartnerStack has not relied on 3rd party cookies since 2017. All PartnerStack tracking implementations rely on 1st-party cookies.

The method through which cookies are set can vary based on your PartnerStack implementation. Most companies are using server-side cookies set via HTTP, while some still use script-written cookies from the PartnerStackJS snippet.

We are currently working with our legacy companies individually to upgrade their integrations to this future-proof HTTP method. 

What is the impact of Google's privacy updates and Apple's ITP 2.3 on my program?

New PartnerStack programs can expect no impact.

Some legacy vendors who have not migrated to custom domains will see a small attribution drag across Safari traffic (not Chrome or other browsers).

Why is Safari different?

While PartnerStack does not use 3rd-party cookies or local storage to persist attribution data, some legacy PartnerStack vendors using PartnerStackJS to create 1st-party cookies will be caught by ITP’s new “Capped Lifetime For All Script-Writeable Website Data”. After a user clicks on a link, the cookie's lifetime will be capped at 7 days if the user does not return to your website.

While the impact is small, we continue to encourage PartnerStack programs to migrate to a custom domain integration that does not use JavaScript-generated cookies.
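The difference between the two cookie-setting methods can be modelled in a few lines. This is an added example, not PartnerStack code: the cookie name, value and domain are placeholders, and the model covers only the case described above, where the user does not return to the site after the click.

```javascript
// Added example: models the Safari behaviour described in this article.
const SCRIPT_COOKIE_CAP_DAYS = 7; // ITP cap on script-written cookies, per the article

// Server-side cookie: sent in an HTTP response header, never written by page script.
// Name, value and domain are placeholders, not PartnerStack's real ones.
function buildSetCookieHeader(name, value, maxAgeDays, domain) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeDays * 86400}`,
    `Domain=${domain}`,
    'Path=/',
    'Secure',       // only sent over HTTPS
    'HttpOnly',     // not readable from document.cookie
    'SameSite=Lax',
  ].join('; ');
}

// Read the requested lifetime (in days) from a cookie string's Max-Age attribute.
function requestedDays(cookieString) {
  const m = /(?:^|;)\s*max-age=(\d+)/i.exec(cookieString);
  return m ? Number(m[1]) / 86400 : 0; // no Max-Age means a session cookie
}

// setBy: 'http' (Set-Cookie header) or 'script' (document.cookie assignment).
function effectiveDays(cookieString, setBy, browser) {
  const requested = requestedDays(cookieString);
  if (browser === 'safari' && setBy === 'script') {
    return Math.min(requested, SCRIPT_COOKIE_CAP_DAYS);
  }
  return requested;
}

// Is the click still attributable when the user converts N days later
// without having returned to the site in between?
function isAttributed(cookieString, setBy, browser, daysUntilConversion) {
  return daysUntilConversion <= effectiveDays(cookieString, setBy, browser);
}

// Constructed sample: a 90-day attribution cookie, conversion on day 10.
const httpCookie = buildSetCookieHeader('attribution_id', 'abc123', 90, 'example.com');
const scriptCookie = 'attribution_id=abc123; max-age=7776000; path=/';
for (const [c, by] of [[httpCookie, 'http'], [scriptCookie, 'script']]) {
  console.log(by, 'safari:', isAttributed(c, by, 'safari', 10),
    'chrome:', isAttributed(c, by, 'chrome', 10));
}
```

Only the script-written cookie in Safari loses the day-10 conversion; the header-set cookie also carries `HttpOnly`, which a cookie written through `document.cookie` cannot.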

Google Chrome privacy update (2024)

Because Google is an advertising company, it is not a shock that it is the last to join the browser privacy party. You may have heard that Google has begun rolling out a feature called Tracking Protection to curtail user tracking via third-party cookies.

While Tracking Protection is deployed to only a small set of users today, all Chrome users will be enrolled by late 2024, when all 3rd-party cookies will be blocked.

Impact of Google Chrome's privacy update

To adapt to these changes, advertisers and programs on PartnerStack have been transitioning to PartnerStack’s custom domain server-to-server tracking since 2017.

Because of this proactive approach, this update has no impact on PartnerStack customers.

With browser developers moving towards rendering third-party cookies obsolete, server-to-server tracking emerges as a viable solution. This approach not only ensures compliance with browser policies but also enhances attribution accuracy and reduces reliance on user data sharing.

Apple Safari WebKit & ITP (2023)

Intelligent Tracking Prevention (ITP) was first introduced by Apple in 2017 as a way to better protect the privacy of Safari users by limiting the scope of tracking data available to 3rd-parties.

If you have the time and interest you can read the most recent blog post here:

What's the latest in ITP 2.3?

Every version of ITP has continuously built towards the goal of limiting device tracking through cookies and link decorations, with each iteration closing a new loophole or workaround created from the last version.

As ITP 2.2 limited 3rd-party cookie tracking, developers shifted focus to tracking using device local storage. ITP 2.3 primarily closes this loophole.

Apple WebKit ITP - Technical breakdown

Each new development of ITP builds upon the original premise to limit the most common methods of tracking. Here is how ITP approaches that problem:

Step 1: Classification of Domains

Domains are dynamically classified:

  • First Party Bounce Tracker Detection. Detects when a domain is used for redirect tracking only. This will be applied recursively for all domains in the redirect chain.
  • Sub Resource under number of unique domains. Related to the number of paths available under a domain. Tracking platforms currently have a very small number of these.
  • Sub Frames under number of unique domains. Related to the number of page frames available under the domains.
  • Number of unique domains redirected to. If you’re still reading, this one probably doesn’t need any explanation.

The system does not have a whitelist or blacklist. Rather each device will build its own tracking prevention list based on web usage. Apple suggests this can be reset by clearing cookies.

Step 2: Destroy all Cookies

If a domain is classified as a tracking domain via the machine learning-based classification engine described above, Safari will prevent the storing of cookies. To persist cookie data, Apple will require three things:

  1. The cookie must be from a first-party domain.
  2. That first-party domain must have user interaction. This definition isn’t totally clear, but it seems to suggest that the user must actually browse the site and click on something.
  3. That first-party domain must receive repeat user interaction. Cookies will persist for only 90 days. After 90 days, data will be blackholed until the next user session.

Step 3: Limit Referrer Data

For domains classified as possible trackers that have not received user interaction, the referrer will be truncated to just the fully qualified domain name, therefore dropping any additional path information. This will prevent trackers from gaining access to user information contained in the path that may have required cookie access to obtain.

This action will make it impossible for most tracking domains to store and recall cookies. It will also make it impossible to obtain user interest information from the referrer collection. It would seem the targets of many of these enhancements are the “like” and “+1” buttons that track user interactions across the internet, but it’s obvious there will be collateral damage in performance advertising as well.

Where does that leave us now?

This is an exciting time for partner channels and performance marketing platforms. Working alongside companies and partners in the PartnerStack Marketplace, we are formalizing new solutions to your unique channel attribution issues.

Chat with us at with any questions about how these changes in the privacy landscape may impact your program. 
