FAQ: BlueConic, Cookies, and ITP

What is Tracking Prevention?

Browser vendors, in particular the Apple Safari browser, are increasingly adding features to prevent third parties from tracking visitors when they visit a website. Although this tracking prevention is primarily focused on AdTech vendors, it potentially impacts any technology that collects data about customers or prospects on your website.

The major browsers have various names for tracking protection:

  • Apple Safari: Intelligent Tracking Prevention (ITP)
  • Mozilla Firefox: Content Blocking
  • Microsoft IE/Edge: Tracking Protection / Prevention
  • Google Chrome: TBD

This FAQ focuses mostly on ITP.

What is ITP (Intelligent Tracking Prevention)?

Apple announced a new version of Intelligent Tracking Prevention (ITP) in February 2019. In previous versions, third-party cookies were already disabled by default. ITP 2.1 impacts client-side cookies as well, by deleting them after 7 days. With the most recent ITP update, ITP 2.2, client-side first-party cookies set that come from known trackers with querystring (for example, the utm_ parameters used by Google or Facebook) now have an expiration cap of 24 hours.

To understand the impact of this, let's unpack this by exploring the various cookie types relevant here:

  • First-party server-side cookies are set and read server-side through the HTTP connection of the site a visitor is visiting.
  • Third-party server-side cookies are also set and read server-side through an HTTP connection, but they are set because the original page references a third party (for example, to read an image or JavaScript from a third-party site) which triggers that HTTP request.
  • Browser or client-side cookies are set through JavaScript in the browser and belong to the domain of the visited page.

Apple already blocked third party server-side cookies by default. This means that visitors cannot be tracked across different domains on the Internet. Now Apple has made an additional change so that client-side cookies only work for 7 days; this means that if a visitor doesn't come back within 7 days, those cookies are removed. 

What is link decoration?

Apple is introducing link decoration limits in ITP 2.2. Link decoration is the practice of adding parameters such as UTM codes to a URL. Apple limits this by checking if a user comes from a known tracker website (such as Facebook, Google, or ad networks) to another website and there are additional parameters (like UTM codes); in this case, the first-party cookie is capped even lower, to 1 day. This isn’t an issue for BlueConic users, since it is primarily targeted at visitors clicking on an ad, for example an ad on Facebook to your own website. BlueConic runs only on your own website.

How has BlueConic updated its platform to handle this?

Apple suggested moving toward using another browser technology: localStorage. This technology is an alternative to cookies, but only works for the visited website, not for other domains of that same website or even third-party domains. We changed the BlueConic storage mechanism to store the profile UUID in localStorage, to synchronize the UUID to client-side cookies, and, depending on what browser the visitor uses, to synchronize to first- or third-party cookies as well.

Does using localStorage as primary storage impact my data?

That depends on the browser the visitor uses:

  • Chrome users will be tracked across subdomains and domains, as before.
  • Firefox users will be tracked across subdomains (so if a visitor visits www.blueconic.com and support.blueconic.com, the visitor will have 1 profile).
  • Safari users will be tracked on the current visited site and across first-party subdomains, but only if they visit both sites within 7 days. (So if a visitor goes to www.blueconic.com and then after a week passes, they visit support.blueconic.com, that visitor will have 2 profiles instead of 1.)

This table describes if users can be tracked across domains and subdomains:



Across Domains

Across Subdomains

Example hostname













Only when both are visited within 7 days





With these changes, which types of traffic are impacted?

The majority of your visitors are tracked as usual. If you have the following types of traffic on your websites, you might see some impact:

  • If you have a lot of visitors using Safari, either from laptops or from iPhones and iPads, combined with infrequent visits that are longer than 7 days apart on average and have multiple subdomains.
  • If you have a lot of Firefox or Safari visitors and multiple domains.

How does this change what I see in BlueConic?

Some visitors might be represented in BlueConic by multiple profiles instead of just one. Depending on your setup and usage of BlueConic, this could lead to inflated ‘unique visitor’ counts for views, clicks, or conversions because ‘unique’ statistics are not based on the total number of views, clicks, or conversions, but are based on the number of unique profiles. 

Other parts of BlueConic are not impacted. Most BlueConic Connections do not work with anonymous profiles but with identifiable profiles (meaning there is at least one additional ID such as an email address or subscriber number, in addition to the BlueConic-generated ID). Insights and dialogues will continue working as before.

Do I need to be worried about where this is going?

The industry is moving more and more toward privacy protection technologies, especially related to third-party tracking. BlueConic and other CDPs are first-party data processors. We do not own the data, you do. We are a subcontractor for you, our customers. Most privacy protection technology is focused on preventing third-party tracking, which feels logical as consumers do not expect to be tracked by third-parties when visiting a website. CDPs, in general, are about giving all touchpoints with customers better data, and consequently providing better service, a great user experience, and offering customers what they want. Most CDPs also have consent management services built directly into the platform.

Technology will continue to evolve and change, but having a level playing field for everyone provides opportunities to earn trust, gain consent by providing clear value, and achieve better results.

BlueConic focuses on providing the tools you need to provide that value, by researching new privacy technology, implementing our own technology to accommodate privacy and consent, and providing you with expert guidance, so you can take advantage of these new technologies.

Why does first-party data matter now more than ever?

There are tactics you can deploy to continue to collect data in a world of tracking protection:

  • Because CDP is used in a first-party context directly on your touchpoints like websites, you should focus on getting identifiers and consent from your visitors, something that would be hard or impossible for AdTech, except parties that have first-party interactions (like Google and Facebook). Having identifiers and having consent makes it easier to merge profiles back into one single profile using profile merge rules in BlueConic. For example, instead of having a paywall, you might have an intermediate step that asks for an email address and verifies the email address. Or, you might set up logins for visitors to reach restricted pages.
  • Request your own hostname for BlueConic. By default, customers use a blueconic.net hostname for hosting BlueConic, but we offer a premium service where you can use your own hostname. Using your own hostname integrates BlueConic more into your own websites, and makes BlueConic a first-party subdomain instead of a completely different domain. Read Deciding on the BlueConic Hostname for more information and contact support@blueconic.com or your BlueConic CSM if you want to know more.

Where can I read more about browser tracking protection?