Privacy & Security Highlights: How Tracking & Cookies Changed in 2019 (and What it Means for Your Testing in 2020)
2018 went down as the year privacy changed forever.
The GDPR left its mark… in memes that made us laugh and sweeping data collection, processing and transparency requests that left us (a little) overwhelmed.
But no one was expecting 2019 to be a whopper. Yet, it was. Browsers pitched in to make users feel more secure and trust that their personal details and preferences were NOT being used to relentlessly pitch ads around the internet.
Here’s a breakdown of the anti-tracking and tracking prevention changes that happened in 2019, what they mean for marketers and testers, and how Convert dealt with them.
How did tracking prevention & A/B testing change in 2019?
Mozilla’s anti-tracking policy
Introduced by: Mozilla (Firefox)
When: January 2019
Summary: Mozilla Firefox published an Anti-Tracking policy in January 2019 that defined which tracking techniques Firefox will block by default in the future. Outlined in the policy are the following types:
- Cookie-based cross-site tracking — Cookies and other storage types may be used by third-parties to track users on the Internet.
- URL parameter-based cross-site tracking — Another cross-site tracking practice that relies on URLs instead of cookies to pass on user identifiers.
- Browser fingerprinting — Sites may use data provided by the browser during connections or by using certain web techniques to create user fingerprints.
- Supercookies — Also known as Evercookies. Refers to storage used for tracking that is not cleared automatically when a user clears the browsing history and data. See this list of caches that Firefox uses.
Impact on Convert: After reviewing the policy in detail, we found that Convert tracking is not impacted by it, as its tracking does not fall under the above categories.
Intelligent Tracking Prevention (ITP) 2.1
Introduced by: Apple (Safari)
When: February 2019
Summary: Apple announced ITP 2.1 in February 2019; this was the ITP update which mainly went after first-party cookies that are set using JavaScript.
Apple officially limited client-side (JavaScript-based) cookies to 7 days. The earliest versions of ITP (1.x) limited third-party cookie durations.
ITP 2.1 disrupted marketers’ core efforts to track, analyze, measure, target, and personalize for Safari users.
Let’s unpack this:
- Web analytics lost accuracy because a site visitor was forgotten after seven days, thus inflating the number of unique visitors that a marketer sees on the website. This inflation could impact how marketers develop content and promotions.
- A/B testing suffered as marketers had limited opportunity to obtain insights. A/B tests only have a seven-day window to test content and track results. Customers that visit sites less often than weekly are considered new visitors and could be pooled into a different testing group, resulting in inaccurate results data.
- Data management platforms (DMPs) have seen an inflated number of mobile devices because the episodic cookie purges create new identifiers for mobile devices that aren’t new. This exaggerates audience sizes and may impact how audiences are created. Marketers risk building audience segments based on outdated or incomplete data.
- Personalization also suffered. Non-authenticated sites that leverage personalization tools based on past behaviors and preferences to create consistent customer experiences do not have historical data to personalize content. Because of this, customers have inconsistent web experiences.
- Attribution is harder to execute. With a shortened lookback window, marketers can’t attribute conversions that occur more than seven days after the user’s last site visit. Marketers misattribute credit to campaigns and credit the last marketing touch too highly, risking overspending on ineffective channels.
Impact on Convert: You can understand how the above can skew your Convert experiments’ results, especially if you have a large audience share using the Safari browser. Hence, we considered quite a few ways to work around ITP 2.1 and finally settled on moving the cookie creation process away from the browser and into the server.
Since the new cookie duration restrictions apply only to browser-created cookies, we moved the cookie issuance part to your web server, which means your server will create the cookies and not the users’ browsers.
You can find the steps to facilitate such server-side cookie creation here. If you need any help with changing your web server infrastructure, please feel free to contact us.
Intelligent Tracking Prevention (ITP) 2.2
Introduced by: Apple (Safari)
When: April 2019
Summary: In April 2019, Apple continued to close loopholes in Safari’s anti-tracking feature, Intelligent Tracking Prevention. ITP 2.2’s biggest change from 2.1 and 2.0 limited the duration of some first-party JavaScript-set cookies to one day—down from the seven days that ITP 2.1 implemented.
For a cookie to be capped at one day by ITP 2.2, it must fulfill three conditions:
- The cookie is set via JavaScript (or in their words, “set through document.cookie”). This condition was also applied with ITP 2.1.
- The site that sent the user to the landing page has been classified by ITP as “having cross-site tracking capabilities” (major ad networks, Google and Facebook are certainly classified this way)
- The link uses link decoration (it uses query string parameters and/or a fragment identifier)
Impact on Convert: The above three factors combined mean that cookies set by Convert are affected by ITP 2.2, IF (i) your site where the Convert tracking code is installed receives traffic from domains that are classified as having cross-site tracking capabilities AND (ii) you use link decoration for attribution purposes.
Fortunately, of the above conditions, only the first had an impact on Convert cookies, since these are created via JavaScript’s document.cookie. We advised our customers to move the cookie creation process away from the browser and into the server, as we did with the ITP 2.1 workaround.
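The server-side cookie creation described for ITP 2.1 and ITP 2.2 above, as an added example (not Convert's own code): the server reads the experiment cookies from the request and sends them back in a Set-Cookie response header, validating each value first so it cannot carry extra attributes or headers. The cookie names, the 180-day lifetime and the handler wiring are assumptions.

```javascript
// Added example: re-issue experiment cookies from the server so they arrive in
// a Set-Cookie response header instead of being written through document.cookie.
const COOKIE_NAMES = ['exp_visitor', 'exp_session']; // hypothetical names
const MAX_AGE_SECONDS = 60 * 60 * 24 * 180;          // assumed 180-day lifetime
// Only characters valid in an unquoted cookie value (RFC 6265 cookie-octet).
// This excludes CR, LF, space, ';' and ',' so a value cannot inject attributes.
const SAFE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]{1,1024}$/;

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const pair of (header || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 1) continue; // no name or no '='
    jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
  return jar;
}

// Build Set-Cookie header values that refresh the allow-listed cookies only.
function reissueCookies(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  const out = [];
  for (const name of COOKIE_NAMES) {
    const value = jar.get(name);
    if (value === undefined || !SAFE_VALUE.test(value)) continue;
    // No HttpOnly: the testing script in the page still has to read the value.
    out.push(`${name}=${value}; Max-Age=${MAX_AGE_SECONDS}; Path=/; SameSite=Lax; Secure`);
  }
  return out;
}

// Request handler in the shape Node's http.createServer expects (assumed wiring).
function handler(req, res) {
  const cookies = reissueCookies(req.headers.cookie);
  if (cookies.length > 0) res.setHeader('Set-Cookie', cookies);
  res.end('ok');
}
```

The handler has to run on the same site as the pages under test, otherwise the cookies it sets are third-party cookies.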
SameSite Cookies
Introduced by: Google (Chrome version 76)
When: May 2019
Summary: Google leveraged the HTTP cookie “SameSite” feature to allow developers to communicate if they want to allow their cookies to be read in a third-party context.
Effectively, developers can say, “this cookie is private” and make the cookie more secure at cookie creation time. The update in Chrome 76 set a default SameSite value even when a web developer didn’t explicitly set one. That means most server-side cookies out there were automatically more secure by default.
The stable release of Chrome 80 in February 2020 is targeted to enable this behavior by default, as summarized below:
- Cookies without a SameSite attribute will be treated as SameSite=Lax.
- Cookies with SameSite=None must also specify Secure.
Impact on Convert: So far, the SameSite feature seems to only affect transmission of the cookie to the backend, which is not important as Convert does not do that.
It only has an impact if customers read Convert cookies on the backend for other purposes. So as not to rely on the default, we set our Convert cookies with the SameSite=Lax and Secure flags.
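To check your own cookies against the two Chrome 80 rules listed above, the following added example (not Convert's code) classifies Set-Cookie header values and reports those that rely on the default or would be rejected. The sample headers are constructed and the cookie names are hypothetical.

```javascript
// Added example: how a Set-Cookie value is treated under the two Chrome 80 rules.
function classifySameSite(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  let declared = null;
  let secure = false;
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') secure = true;
    if (k === 'samesite') declared = value.trim().toLowerCase();
  }
  // Unrecognised values are handled like a missing attribute (as in RFC 6265bis).
  if (!['strict', 'lax', 'none'].includes(declared)) declared = null;

  if (declared === 'none' && !secure) {
    return { name, effective: 'rejected', thirdPartyContext: false,
             note: 'SameSite=None must also specify Secure' };
  }
  if (declared === null) {
    return { name, effective: 'lax', thirdPartyContext: false,
             note: 'no SameSite attribute: treated as SameSite=Lax' };
  }
  // thirdPartyContext: whether the cookie is readable in a third-party context.
  return { name, effective: declared, thirdPartyContext: declared === 'none',
           note: 'explicit' };
}

// Constructed sample headers (cookie names are hypothetical).
const SAMPLE_HEADERS = [
  'exp_visitor=abc; Path=/; SameSite=Lax; Secure',
  'legacy_id=123; Path=/',
  'widget_sid=xyz; SameSite=None',
  'embed_sid=xyz; SameSite=None; Secure',
];

// Return the cookies that rely on the default or would be rejected.
function auditCookies(headers) {
  return headers.map(classifySameSite).filter((r) => r.note !== 'explicit');
}
```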
Tracking Prevention
Introduced by: Microsoft Windows (Edge)
When: June 2019
Summary: Microsoft introduced a new feature in June 2019 to block tracking scripts in its Chromium-based Edge browser. The company called this feature “Tracking Prevention”, and it was initially available only in Edge Insiders Preview Builds (starting with 77.0.203.0). The company said that the feature was under development and that they released the early version for feedback and accelerated development.
Basically, what Microsoft did was enable new tracking protection categories (Basic, Balanced, Strict) in Edge to block more trackers. To avoid compatibility issues, Microsoft devised a system that relaxed tracking prevention based on engagement scores in balanced mode.
This feature is similar to the Enhanced Tracking Protection in Mozilla Firefox and the Intelligent Tracking Prevention in Apple Safari, and blocks any tracking scripts loading from a domain that isn’t accessed directly by the user.
Impact on Convert: The Convert tracker might be listed in the Trust Protection List, and we say might because it is a hidden component that Edge has not revealed fully. In any case, the Microsoft Edge Tracking Prevention will block the Convert tracker ONLY when a visitor has set Tracking Prevention to the Strict mode (and not to the Balanced mode which is the default one). Hence, in normal browsing Convert’s experiences are NOT affected by the new settings that Edge will impose.
Enhanced Tracking Protection
Introduced by: Mozilla (Firefox)
When: June 2019
Summary: New users who installed Firefox for the first time after 5th June 2019 had Enhanced Tracking Protection (ETP) turned on by default. ETP is part of the ‘Standard’ setting in the browser and blocks (i) known “third-party tracking cookies” and (ii) known trackers in all Private/Incognito browser windows, according to the Disconnect list that Mozilla has partnered with.
Impact on Convert: The Convert tracker is listed in the Disconnect list. However, the Firefox Enhanced Tracking Protection will block the Convert tracker ONLY when a visitor is using a Private/Incognito window. In addition, in Convert, in our efforts to be GDPR compliant, third party cookies were disabled on February 21st, 2018. Hence, in normal browsing Convert’s experiences are NOT affected by the new settings that Firefox has imposed.
WebKit Tracking Prevention Policy
Introduced by: Apple (Safari)
When: August 2019
Summary: Apple’s WebKit team released its full “Tracking Prevention Policy” in August 2019.
This policy outlines WebKit’s tracking prevention efforts and details what types of tracking WebKit prevents, countermeasures, and more. It prevents several tracking techniques including cross-site tracking, stateful tracking, covert stateful tracking, navigational tracking, fingerprinting, covert tracking, and other unknown techniques that do not fall under these categories.
Impact on Convert: Convert tracking is not impacted by this Policy as its tracking does not fall under the above categories.
Intelligent Tracking Prevention (ITP) 2.3
Introduced by: Apple (Safari)
When: September 2019
Summary: Previously, ITP 2.2 cut the lifespan of persistent client-side cookies from seven days to 24 hours (if the three conditions listed below were met), and restricted cross-site tracking via link decoration:
- The cookie is set via JavaScript (or in their words, “set through document.cookie”). This condition was also applied with ITP 2.1.
- The site that sent the user to the landing page has been classified by ITP as “having cross-site tracking capabilities” (major ad networks, Google and Facebook are certainly classified this way)
- The link uses link decoration (it uses query string parameters and/or a fragment identifier)
But WebKit engineers noticed that some trackers had responded by moving their first-party cookies to other forms of first-party website data storage to track users. These trackers have also added the tracking ID to their own referrer URL so that it can be read on the destination page.
Under ITP 2.3, sites that do this will see all of their non-cookie website data deleted after seven days. Combined with the capped expiration of client-side cookies, this means trackers won’t be able to use link decoration combined with long-term first-party website data storage to track users.
ITP 2.3 therefore relates to link decoration.
Impact on Convert: As explained here, it is clear that Convert tracking and cookies are NOT affected by the two new steps under ITP 2.3 that the WebKit team has taken to combat the above trackers.
IsLoggedIn API
Introduced by: Apple (Safari)
When: September 2019
Summary: In the W3C Technical Plenary and Advisory Committee Meeting (TPAC) 2019, WebKit announced that it’s in the very early stages of testing an API that would give browser operators the ability to see whether or not users are logged in to a website.
This has remained just a topic of discussion in the TPAC agenda and no further implementation has been carried out.
Impact on Convert: It appears that only cookies that allow cross-site tracking are affected, such as cookies set after a redirect from a URL classified as a tracker based on certain query string parameters. Convert does not do such tracking and thus there is no impact from it.
Enhancements to ITP
Introduced by: Apple (Safari)
When: December 2019
Summary: This update to Safari arrived with iOS 13.3, iPadOS 13.3, and Safari 13.0.3 on macOS Catalina, Mojave, and High Sierra.
Features like tracking prevention and content blocking can themselves be abused for tracking purposes. But three new enhancements make it hard or impossible to detect which web content and website data ITP treats as capable of tracking.
- Origin-Only Referrer For All Third-Party Requests: As an example, a request to https://images.example that would previously contain the referrer header https://store.example/baby/strollers/deluxe-stroller-navy-blue.html will now be reduced to just https://store.example/.
- All third-party cookies blocked without prior user interaction
- The storage access API takes the underlying cookie policy into consideration
Impact on Convert: Convert is not impacted by these enhancements that level up tracking prevention in Safari WebKit.
SUMMARY
That’s a lot of technical details to take in. You don’t need to be an expert on all the ITP updates. But given the state of flux, we feel one thing is clear.
Browsers will continue to tweak things and until an alignment occurs, testing tool set-up and installation time will increase, given the complexity of the use cases you are addressing.
If we had one piece of advice to give it’d be to partner with privacy-oriented vendors like Convert and not collect any data your lawyer is unwilling to argue on your behalf in a court of law!