If you haven’t heard, Apple’s iOS 17 and macOS Sonoma are releasing in 2023 and bringing changes to how Apple treats URL tracking parameters.

Over here at SegMetrics, we’ve been following the news since the announcement of these privacy enhancements at WWDC2023. This article compiles the facts, information, and latest findings as these changes apply to digital marketers selling products online.

What’s the deal with iOS 17 and macOS Sonoma for marketers?

TL;DR: iOS 17 Privacy Changes are a pretty big deal 🚨 🚨 🚨

First, SegMetrics will still work for you to track and report on your online marketing, funnels, and advertising.

• These changes are a curve ball for online marketers but aren’t impossible to overcome.
•  Systems like Google and Facebook won’t be able to track clicks on ads as easily anymore, so you’ll need a system like SegMetrics to understand your customer LTV and ROAS.
• These iOS 17 changes impact SegMetrics less than ‘the other guys’ because we help you have more insights into your customers via our integration with your CRM.
• Because SegMetrics tracks back to your CRM, we provide you with a solid source of truth about your customers, marketing, and advertising. (Get started today with a free 14-day SegMetrics trial.)

Second, iOS 17 updates how Safari treats known tracking resources and UTM parameters in Private Browsing in Safari on iOS and MacOS and shared links in Messages and Mail.

Third, the footprint for these changes is small (for now). These Link Tracking Protection changes in iOS 17 are primarily encountered in Private Browsing Mode in Safari, meaning they currently affect just a tiny portion of Safari users.

Fourth, these iOS 17 changes aren’t a huge issue at the moment, but it’s clear that this is where Apple is headed in the future.

• iOS 17 is only implementing these Safari changes to Safari Private Browsing mode, but there is a toggle to turn these privacy improvements on for all browsing (in Settings → Safari → Advanced → Advanced Tracking and Fingerprinting Protection → All Browsing).
• What does the future hold with Link Tracking Protection and iOS 18, 19, or 20? While we can’t predict the future, here at SegMetrics, we think it’s likely that these privacy changes will expand in future iOS or macOS releases.

What specifically do iOS 17 and macOS Sonoma change that affects online marketers and ad tracking?

These new versions of iOS and macOS update how Apple treats two things:

1. Known tracking resources in Private Browsing in Safari on iOS and MacOS (e.g., browser fingerprinting technology)
2. Marketing URL parameters that you encounter in two cases:
   • On links you share from Messages and Mail (e.g., you use Apple’s ‘share’ functionality to share a link you received in Messages, and the link has a tracking parameter on it like ?clickId=d77_62jkls. Those parameters are removed on sharing.)
   •  On links encountered while browsing when browsing in Private Browsing in Safari on iOS or MacOS. (e.g., you’re browsing the web in Private Browsing mode and land on a page with a URL like https://www.example.com/product-page?clickId=d77_62jkls. Link Tracking Protection in Safari Private Browsing will strip that clickID parameter.)

Out of the gate, depending on how many of your customers use Private Browsing in Safari during their customer journey, this likely won’t significantly impact your marketing analytics, tracking, or reporting in 2023.

But down the road, this might significantly impact your online marketing and how marketers track and report on their advertising campaigns (hello, iOS 18/19/20).

Will these iOS 17 changes affect SegMetrics?

SegMetrics will still work for you to track and report on your online marketing and advertising. These iOS 17 changes primarily impact “the other guys” with web-only (or web-first) tracking solutions.

Here at SegMetrics, we’re not web-only. We’re not even web-first, so we’re not very worried about this iOS 17 update. SegMetrics is your people-first tracking solution.

Because SegMetrics features native integrations to your CRM (like Ontraport, Klaviyo, or Infusionsoft), you can still collect and report on your customer journey data, even if iOS 17 removes your URL parameters and blocks your trackers. (Get started today with a free 14-day SegMetrics trial.)

There are two upcoming iOS 17 changes we’re paying close attention to.

Change #1: Link Tracking Protection (in Mail, Messages, and Safari Private Browsing)

Link Tracking Protection is a new feature automatically activated in Mail, Messages, and Safari in Private Browsing mode. It detects user-identifiable tracking parameters in link URLs and automatically removes them when you encounter them (like gclid=...).

With iOS 17, Safari will automatically detect which parts of the URL are identifying and remove only those parts, leaving the rest of the URL intact so you can access the web page you intended to visit. This process happens transparently during browser navigation in Safari Private Browsing mode and links that the user clicks on from the Mail and Messages app.

This change is a pretty big deal! Here is a 38-second excerpt from the WWDC2023 announcement video talking about this new privacy feature (“What’s new in privacy – WWDC2023”)

And here is an excerpted quote from Craig Federighi from a Fast Company article published in June of 2023, where he mentions these changes. (Craig Federighi is the Senior Vice President of Software Engineering at Apple and oversees the development of iOS and macOS.)

One of my favorites is Link Tracking Protection, in Messages, Mail, and Safari Private Browsing. This feature cuts off the extra bits in a link’s URL that is added by marketers and sites to track a user around the web.

This is the bit of the URL that contains user-level tracking information, for example: www.examplewebsite.com/top10vacationdestinations?clickId=d77_62jkls. That “?clickId=d77_62jkls” bit is the tracking part.

By auto-stripping this unneeded user-level tracking information out in iOS 17, iPadOS 17, and macOS Sonoma, Apple is making it harder for marketers and others to stalk your movements.

Craig Federighi, Senior Vice President of Software Engineering at Apple

These changes are a big deal because they will affect how marketers track contacts, visitors, and customers using URL parameters with user-level tracking information.

But these iOS 17 changes aren’t an apocalyptic issue. (At least, not yet.)

If you’re using URL tracking in most CRMs (like Ontraport, Klaviyo, and Infusionsoft), they have the URL parameters AFTER the click, not before them.

For example, here at SegMetrics, we use Active Campaign for our CRM and email marketing. When we have a tracked link in our emails, it shows up like this big ol’ link:

https://segmetrics.lt.acemlna.com/Prod/link-tracker?redirectUrl=b3V0dS5iZSUyRnBXdlNGRjZQVW13JTNGdXRtX3NvdXJjZSUzRE5ld3NsZXR0ZXIlMjZ1dG1fbWVkaXVtJTNEZW1haWwlMjZ1dG1fY29udGVudCUzRFdhdGNoK3RoZStyZXBsYXkrb2YrQmV5b25kK3RoZStDbGljayUzQStVbmxlYXNoaW5nK3RoZStMb25nK1Rlcm0rSW1wYWN0K29mK0FkcytvbitDdXN0b21lcitKb3VybmV5cyUyNnV0bV9jYW1wYWlnbiUzRFdlYmluYXIrLStLZWl0aCtQcmVzZW50aW5nK3RvK0FkK091dHJlYWNoKy0rMjAyMyswNSsyNCstK1JlcGxheQ==&sig=CHqdgS5XVv4CidBUszrrc3hE6irv7aJJwhNWWTaVK4F&iat=1685977646&a=||476539507||&account=segmetrics.activehosted.com&email=I0IVc30LSXXolyKdcwH2SxMjIWQfMmdyJvqNteqFaKY%3D&s=86edf86b2f204909f505ebbc5af28b09&i=766A1209A1A5690

When clicked, if that were a real link, it would redirect to a specific URL that we set — so that the UTMs and tracking information are added after the click and redirect (which is good). However, this approach makes tracking reliant on ActiveCampaign (or another CRM) supporting the new privacy changes.

What parameters does Link Tracking Protection remove?

Jesse Hanley, the founder of the email marketing and automation software Bento, shared this about the iOS 17 changes:

“I’m testing Link Tracking Protection, and it does seem to remove UTMs. The iOS 17 update seems to be super focused on Facebook, TikTok, etc., tracking. So fbclid, gclid, etc., all get removed. If you use Google Analytics to track your marketing, that might be impacted by iOS 17.”

Jesse Hanley, Founder, Bento

UPDATED 06/28/23: Steve at Word to the Wise did a great experiment testing iOS click tracking with known parameters. You should go read Steve’s article, it’s a great resource for the community. (Thank you, Steve!) Here is a screenshot of the table of parameters Steve tested and the resulting action from Link Tracking Protection in iOS 17. (tl;dr: UTMs don’t seem to be stripped and parameters like fbclid and gclid are stripped from URLs.)

Steve has an additional finding about when/where the Link Tracking Protection URL stripping seems to take place. Go check out his article.

Change #2: Fingerprint blocking and other added protections (Safari Private Browsing)

Private browsing mode prevents known tracking and fingerprinting resources from being loaded.

Over to Webkit in their announcement post “News from WWDC2023.” In the “Browser Changes” section, they share this additional information:

Safari Private Browsing

 In Safari 17, Private Browsing gets even more private with added protection against some of the most advanced techniques used to track you. Technical changes include:

1.  Adding blocking for known trackers and fingerprinting.
2.  Adding support for mitigating trackers that map subdomains to third-party IP addresses.
3.  Adding blocking for known tracking query parameters in links.
4.  Adding noise to fingerprintable web APIs.
5.  Adding console log messages when blocking requests to known trackers.
6.  Adding support for blocking trackers that use third-party CNAME cloaking.
7.  Adding support for Private Click Measurement for direct response advertising, similar to how it works for in-app direct response advertising.

Changes #1-4 and #6 of that list impact digital marketers.

These changes are a big deal if your site loads known tracking and fingerprinting resources (scripts or subdomains), query parameters (covered in the above section on Link Tracking Protection), fingerprintable web APIs, or trackers that use third-party CNAME cloaking.

Here at SegMetrics, we’ve seen the writing on the wall about this change, so we moved to server-side fingerprinting in 2022 (in addition to our frontend-based fingerprinting). With these changes, front-end fingerprinting technology will likely be worthless going forward, so you’ll want to ensure your marketing analytics and reporting tooling offers server-side fingerprinting.

Now, Safari has had tracking and fingerprinting protection for years ([PDF Link] Safari Privacy Overview White Paper Nov 2019). That protection has been dialed up in this latest release.

The only genuinely new Safari privacy feature announced at WWDC2023 (as we understand it) is that Safari automatically removes tracking from URLs in Private Browsing mode. 

How should marketers react and adapt to these iOS 17 changes?

First, these Safari privacy changes are only for Safari Private Browsing mode. Link Tracking Protection is only for links shared from Mail, Messages, or Safari Private Browsing mode or encountered in Safari Private Browsing mode.

iOS and macOS Sonoma are bringing impactful changes, but they’re limited to a small slice of Safari’s users (for now). 

Knowing Apple and its focus on customer protection and privacy, it’s likely that these changes will expand outside of Safari’s Private Browsing or into other parts of the Apple ecosystem at some future date and iOS/macOS release.

Apple has recommended a way that the community should adapt to these changes (Private Click Measurement, more on that below), and the advertising/marketing community has also shared a few ideas on how to overcome these challenges. We’re capturing a sampling of these below.

Solution #1: “Use a people-first marketing reporting tool like SegMetrics.”

Unlike the web-first tracking solutions from “the other guys,” SegMetrics’s tracking is people-first. 

That means our marketing tracking technology centers around collecting your data using our deep + native integrations with your marketing tooling (like your CRMs and advertising, email marketing, and payment platforms).

That means that where web-only or web-first tracking solutions will struggle with these iOS 17 changes, SegMetrics will continue to excel by providing you with comprehensive insights into your customers and their journeys through your funnels.

Get started today with a free 14-day SegMetrics trial.

Solution #2: “Use more tagging in your CRM/Email Platform to track and understand your customers’ journies.”

With your emails, you can tag people based on when they’re opening and what they’re clicking on, and use that information to better understand how your customers are behaving.

We’ve put together our Ultimate Tagging Guide to help you understand how you can level up your tagging in your CRM/Email Platform: https://segmetrics.io/guides/ultimate-tagging-guide/.

Solution #3: “Use Apple’s Private Click Measurement Technology to understand campaign success without tracking user-level information.”

Apple has a method for advertisers to measure campaign success without tracking user-level information: Private Click Measurement ad attribution.

Private Click Measurement allows advertisers to track ad campaign conversion metrics but does not reveal individual user activity. Private Click Measurement is an in-progress standard. Here is how PCM approached web-to-web click measurement.

Solution #4: “You’ll just see the URL parameters renamed to evade Link Tracking Protection detection.”

At SegMetrics, we can imagine a world where popular advertising platforms that use tracking parameters allow you, the user, to rename them to something custom.

So, for example, if the tracking platform’s parameter is ?clickid=..., as a user on the platform, you might be able to rename that to ?adgihdgt=... (or something sneaky like ?fname=...) bypassing immediate detection.

Solution #5: “You’ll see the parameters incorporated into the URL path or included in some other way that’s difficult for browsers to remove.”

We might see online marketers move to more ‘opaque’ URLs that don’t communicate where you’ll end up once you click the link, but that preserve parameters.

Marketers might start to use a single encoded parameter (a marketing ‘blob’) in their URLs instead of URL parameters. Then the receiving server could decode that URL ‘blob’ and ingest all relevant details. Instead of http://example.com/page/?tracking=abv, it’ll become something like http://example.com/d89y3tounwbv.

In fact, Facebook already used this approach to circumvent Firefox’s “query Parameter Stripping” (privacy protection in the Firefox browser similar to Link Tracking Protection in Safari).

In 2022, this Reddit thread noted that instead of using the standard FB URL parameter that we all know (?fbclid=), Facebook started using pretty URLs with a tracking blob at the end, like so:

This ‘blob’ approach could be how many marketers adapt, stuffing the relevant tracking/non-tracking parameters into an encoded blob that Apple can’t decode.

It takes some server-side development time/effort/resources, but you can use this approach to route around the disappearance of URL parameters.

However, in some of the iOS 17-focused discussions, a commenter on HackerNews (AltairPrime) raised this point:

Historical patterns with Mail.app on iOS suggests that Apple will simply code something that fetches all such links in order to collect a preview, whether or not the preview is ever shown to the user, just as they do with Mail.app images today when iCloud Private Relay is enabled. At which point the tracking value becomes less than zero because it pollutes the core dataset attribution of “a human saw this.”

That does make sense as a counter-move from Apple.

If Apple starts to fetch + render ‘blobbed’ links, a lot of noise will get mixed into that tracking data, making this approach pretty worthless for marketers.

The Inevitable Solution #6: “This will turn into an arms race between Apple’s blacklists and advertisers working to escape the blacklists.”

As marketers adapt to these changes, Apple will, in turn, adapt, and what used to work to bypass/route around Link Tracking Protection will no longer work. The more people that know about Link Tracking Protection and work to circumvent it, the harder it will become to circumvent.

Frequently Asked Questions About Link Tracking Protection

Q: “Is Link Tracking Protection this the end of UTM tracking?”

Most likely not. 

These changes — at this time — are only in URLs encountered while in the Private Browsing mode of Safari and links shared from Messages and Mail.

It’s doubtful that Apple would want to break/remove UTM tracking altogether, as that would break a fundamental part of web technology that’s been there since 2000. 

Removing UTMs would also just be removing what has become a standard practice/feature of online marketing and likely would just be replaced by a bunch of different tags that do the same feature.

And from Steve’s testing on Word to the Wise, it seems that Apple is not stripping UTM parameters.

Q: “How will Link Tracking Protection differentiate between parameters that are necessary for an app/website vs tracking queries?”

Right now, we (the community) don’t know.

Apple likely has a safelist of known safe parameters that they won’t discard (e.g., /search?q=segmetrics, /watch?v=iI8K-OccmPY, /store?productid=1234, /checkout?coupon=save20percent).

Apple will likely have a known list of not-safe tracking parameters that they will discard (e.g., ?fbclid=…).

From initial testing of the iOS 17 beta (and public comments like what Craig F. said in that Fast Company article), it appears that this does only strip tracking parameters that are focused on tracking individual actions, though how Apple is deciding which are the ‘good’ parameters and which aren’t good is anyone’s guess.

We can see something like that with the testing that Steve did at Word to the Wise.

Q: “Do these changes affect all Safari users?!”

Nope.

Right now, these privacy changes only affect Safari Private Browsing users on the public betas of iOS 17 and macOS Sonoma. However, you can toggle these protections on for all browsing in Safari. Just go to Settings → Safari → Advanced → Advanced Tracking and Fingerprinting Protection → All Browsing in the iOS 17 public beta to toggle that on for all of your browsing.

Knowing Apple and the Webkit team’s focus on privacy, we suspect it is only a matter of time until some/all of these privacy-focused changes make their way to other parts of Safari in a future iOS or macOS release.

Q: “Are these changes rolling out right now?”

Slowly. 

These changes are currently in the betas for iOS 17 and macOS Sonoma. These are rolling out to the public across 2023.

• iOS 17 is currently in public beta and slated for release in mid-September 2023.
• macOS Sonoma is currently in a developer/public beta and is slated for release in late 2023.

People in the beta reported that Link Tracking Protection isn’t highly featured, likely making it similar to Apple’s Mail Privacy Protection: they announced it, but it wasn’t quite ready for the full rollout and appeared over time. Link Tracking Protection may roll out over 2023 in a similar fashion.

“Why are these changes happening now?”

Q: “Is this Apple going after Google’s GA4?”

Likely no, though the timing is interesting. As of publishing this article (in June of 2023), we are days away from the sunsetting of Universal Analytics and the ascendancy of Google Analytics 4.

Q:“Is this Apple trying to break all ecommerce?”

Likely no, though this will have knock-on effects for ecommerce stores and marketers.

There’s a persistent fear that these Link Tracking Protection changes will strip out parameters necessary on some ecommerce sites (like ?productid or ?coupon) and that loss of functionality will completely break ecommerce.

Here at SegMetrics, we doubt that’s the case. (‘All Ecommerce’ would be a weird fight for Apple to pick under the banner of increased privacy.) We think there’s likely a safelist that preserves ‘good’ parameters, like ?coupon or ?productID.

“What should I do now that I know the latest information about the iOS 17 privacy changes?”

First, don’t panic. This level of privacy protection is likely the direction Apple is moving, but the sky isn’t falling for now. 

Second, you’ll be able to continue to track and report on your customer journeys as long as your marketing analytics and reporting tooling support features like server-side fingerprinting or native CRM integrations. But you may have a challenging time if your reporting tool is web-only or web-first (those web-first tools seem to be the tools that these privacy changes impact the most).

Third, try SegMetrics and see if our people-first tracking helps you improve your marketing. With our server-side fingerprinting and native integrations, you can monitor your customer journeys, measure your marketing, and optimize your funnels, even with iOS 17. Get started with Segmetrics today with a 14-day free trial.

You’re in good company with SegMetrics. Marketing organizations, including Ontraport and CopyHackers, use SegMetrics to measure, monitor, and report on their marketing.