How Apple's will crumble your Facebook cookie in 2020

"Cookiepocalypse" is happening...while most Facebook advertisers are still sleeping.

This is your wake-up call.

2020 will be a big year in the development of the internet towards a cookieless future.

And that will have a huge impact on digital marketers and advertisers, because the internet as we know it is built on pixels (to deliver information to a server) and cookies (to store that information in a user's browser so the server can read it again later).

Cookies are very useful because they help us track users across sessions, attribute sales to ad clicks, retarget, build lookalike seed pools, exclude purchasers, etc.

But they've also transformed websites into ugly banner displays with such intrusive targeting that people feel eavesdropped.

That's why Apple started a war to protect privacy and improve user experience by crumbling these cookies  ⚔️🍪

While most Facebook advertisers and even self-proclaimed  gurus are still sleeping on "cookiepocalypse", big adtech companies are getting EXTREMELY nervous.

Take for example Criteo, one of the world's major adtech companies that offers personalised retargeting advertisements.

Criteo relies on cookies for identifying users across websites and sessions.

This is what happened to their stock price since Apple started the war...

So what is this ITP 2.0, 2.1, 2.2 and 2.3 thing scribbled in the graph?

Intelligent Tracking Prevention (ITP)

Intelligent Tracking Prevention (ITP) is a feature of WebKit.

That's the engine that powers Apple's built-in Safari browser. ITP aims to prevent users privacy by reducing the lifespan of tracking cookies to just 7 days.

Since ITP was first introduced other web browsers followed. Like Mozilla Firefox with their Enhanced Tracking Protection (ETP). Actually all browsers, including the market leader Chrome, are implementing features that protect privacy by limiting cookies.

Their intention is good.

It's in the best interest of internet users.

But we're not just internet users. We're also savvy marketers and advertisers.

And this has a HUGE impact on digital marketing and the tools we use. Because a lot of these tools rely 100% on cookies.

A 7-day cookie lifespan causes problems for Facebook advertisers.

🍪Conversions are not attributed to ad clicks when these happened +7 days prior.

🍪Your retargeting audiences will last for maximum 7 days, then they're gone.

🍪Exclusion audiences of past Purchasers will only last for 7 days, after that your ads will start showing again to people who just purchased from you.

🍪Your lookalike seed audiences are super small (filled with just 7 days of users), so the resulting lookalikes will be of low quality.

And these are just a few examples!

Why is everyone sleeping on this cookiepocalypse?

The consequences of ITP are very serious, I think we can all agree on that.

So how is it possible that the stock value of one of the worlds biggest adtech companies crashes while everyone else is shockingly unaware of what's happening

There are a couple of reasons I think.

First of all, the news around ITP is communicated mainly to developers. 

<script>"In their language;"</script>

When you read WebKit's blog you'll find they communicate very promptly about the latest changes and developments. It's not secret.

But how many marketers read dev blogs? 

And how many devs understand marketing?

Sure, you could've read about all of this on the big tech news outlets. AdExchanger posted "How Safari's ITP 2.3 Update Is Cracking Down On Link Decoration 'Abuses'" and TechCrunch published "Apple got even tougher on ad trackers at WWDC

But assessing the consequences of these articles, requires technical knowledge.

Did you for example know that "link decoration" in the first article is about the weird fbclid= string at the end of every URL when you click away from Facebook?

And did you know that "Safari cracking down on it" impacts your Facebook ad tracking?

Probably not.

No worries, this is your wake-up call.

To be clear, these developments impact everyone with a website and a buyers journey that takes longer than 7 days. 

That's why I decided to sit down and write a "warning" that explains in normal language what is happening and why you should care.

Secondly, right now it "just" impacts the latest versions of Safari and Firefox. 

The deletion of cookies after just 7 days is implemented in the most recent versions of Safari and Firefox. This means it's active on mobile devices with iOS 13 or iOS14 installed. And starting from Safari 13 on desktop (that's macOS Catalina, Mojave and High Sierra) and 14 (that's on Big Sur)

So it's spreading.

It's "just" a matter of time before people will upgrade or buy a new device.

I can almost hear you think..."but the market share of these 2 browsers is fairly small".


On my website around 20% of all visits are on Safari or Firefox. And when I look just at traffic from mobile devices, Safari takes a 40% share. That's not nothing!

You can check this for your own website in Google Analytics, in the Browser & OS report.

Let's address the elephant in the room...🐘

What if Google Chrome will follow?

The development version of Chrome (Google Chrome Canary) clearly shows that they are working on features that will protect users against being tracked by cookies.

Luckily at this point it's still speculation...

Will they also limit cookie lifetime to just 7 days? Yes, they are dependent on cookies themselves (Google Ads products). But they also have a lot of logged-in users that could serve as an alternative for ad click attribution.

I mean everyone is always logged-in to some Google product right? They don't REALLY need cookies for attribution.

The value of Facebook's ad platform relies mostly on cookies for attribution and proving their ROAS, so Google could even implement anti-cookie measures as an attack to steal the ad budget from Facebook advertisers to their Google ads platform.

Justin Schuh, Chrome's Director of Engineering, has announced recently that they want to build a more private web and that  their intention is to make 3rd-party cookies obsolete within the next 2 years (I'll explain 1st vs 3rd cookies later in this article).

After that announcement Criteo's stock crashed even further...

Personally I completely agree with Google's view on this matter. 

"Users are demanding greater privacy--including transparency, choice and control over how their data is used--and it's clear the web ecosystem needs to evolve to meet these increasing demands. Safari and Firefox have reacted to these concerns by blocking cookies, but we believe this has unintended consequences that can negatively impact both users and the web ecosystem."

Their goal is to make the web more private and secure for users, while also supporting advertisers. That's much better! 

Only time can tell...🔮

I'm sure even Mark is nervous.

Otherwise Facebook wouldn't have launched so many "protective" measures recently.

What has Facebook done to save their cookies?

OK, this is going to be a bit technical.

TL;DR = Facebook implemented a bunch of hacks in a whack-a-mole attempt to save their cookie. But these hacks only work short-term and the "loopholes" are closed with every new ITP release. 

They've broadened the scope of Advanced Matching.

Advanced Matching means Facebook grabs customer identifiers (like name and email) along with your pixel events. This way they can match more conversions to ad clicks, because they know who clicked on your ads.

Remember how ITP impacts Facebook advertisers?

🍪Conversions are not attributed to ad clicks when these happened +7 days prior.

🍪Your retargeting audiences will last for maximum 7 days, then they're gone.

🍪 Exclusion audiences of past Purchasers will only last for 7 days, after that your ads will start showing again to people who just purchased from you.

🍪Lookalike seed audiences are super small (filled with just 7 days of users), so the resulting lookalikes will be of low quality.

These are the benefits of Advanced Matching in their own words:

Before, they could only get this data from (checkout) form fields. But now they've broadened the scope to basically scrape your website for everything they can get.

Sure it helps, but it doesn't fix the problem.

They've added link decoration to every outgoing link click and "hacked" their cookie to look like a 1st-party cookie.

Let me explain.

There is a big difference between cookies. There are multiple types and browsers will treat them differently.

1st-party cookies 🍪 are set on your computer by the domain you're visiting, via the webserver or through Javascript code in the browser. Often they have a function like saving the contents of your basket or remembering you're logged-in.

3rd-party cookies 🍪🍪🍪 are set on your computer by another party than the owner of the domain you're visiting, via a 3rd-party webserver or a script embedded on the website. Facebook sets this cookie through the pixel, like buttons, social logins etc. This is how they track users across the internet.

See the difference?

OK, then let me explain the hack Facebook came up with. It also includes the fbclid= URL parameter I've mentioned a little earlier.

This is how it works worked:

🍪 When a user clicks an ad on Facebook, a unique fbclid= string is added to the URL.

🍪 The user is sent to the advertiser's site.

🍪 The URL is interpreted by the Facebook pixel on the advertiser's website and it stores the unique fbclid= string in the users browser as a 1st-party cookie by using Javascript in the browser to write the cookie.

🍪 The Facebook pixel communicates with Facebook and sends back the data stored by this 1st-party cookie.

This was a hack to circumvent the shortened 7-day lifespan of cookies. By saving the fbclid= parameter in the local storage of your web browser, it could identify who clicked and still correctly attribute ad clicks to purchases made at a later time. 

But this "link-decoration-and-1st-party-javascript-cookies"-loophole was closed when WebKit released ITP version 2.3.

Hacks will always only work short-term

It's a game of whack-a-mole

Various workarounds have popped up, like tools that cloaked 3rd-party cookies to make them look like 1st-party (so their lifetime wouldn't be capped to 7 days).

Earlier this year we promoted CookieSaver as a solution to this problem.  

But then that door was also closed again...

We even started to develop our own solution for extending the cookie lifetime.

But with every update, it gets harder. 

We feel it's time to come to the conclusion that there's no way around this issue. And that it's something that we as advertisers have to adjust our strategies to.

As said before, it's a good thing that big tech platforms are held accountable and that the privacy of internet users is a increasingly important topic.

But it also heavily affects our abilities as Facebook marketers to target, track and attribute sales and create retargeting audiences.

Especially now iOS14 has been launched and includes even more stringent measures to protect users against tracking. Now users have to give their explicit permission to be tracked, otherwise the Safari browser will prevent trackers from profiling.

Not just in the browser, but also inside apps.

That will only further limit the number of people that can be tracked.

If you're interested to learn more about the impact of iOS 14 on your Facebook ads, read this article by Facebook and this information from Apple's side.

The TL;DR version is:

🍪 The number of available conversion events will be limited.

🍪 If you're running ads for app installs, you're basically screwed.

🍪 Conversion windows will be limited to just 7-day click

🍪 The size of your website custom audiences will decrease.

Facebook is now playing the blame game

As all the loopholes that existed seem to be getting closed, Facebook is now shifting from trying to keep this a secret to advertisers - to publicly asking for support.

They launched a special webpage where they feature the stories of small business owners whom's existence is threatened by Apple's privacy concerns.

And they even published a series of newspaper ads in the New York Times, Wall Street Journal, and Washington Post where they claim to be "standing up to Apple".

This public blame game definitely not something I expected when I initially called for "Cookiepocalypse" to happen in 2020. But it's escalating rapidly now.

It would not surprise me anymore to see Facebook now also start law suits against Apple for anti-competitive behavior and loss of revenue as a result of that.

Are there still things left you can do?

Well... I'm not going to promote workaround solutions anymore.

Because I fear these will always be shortlived. It seems we just need to start adjusting our strategies to a cookieless future.

What I recommend you to do:

💡 Start collecting email addresses from your visitors as a major part of your strategy. Even consider putting part of your content behind an email login. While new tracking methodologies will emerge to replace cookies, email addresses have always been the best way to recognize people. I'm betting on their growing importance.

💡 Sharpen your customer persona / avatar. As targeting based on pixel data will gradually be limited, it becomes even more important to KNOW which characteristics define your perfect audience. Things like their demographic profile, their interests, etc. These are native elements on the Facebook platform that will remain available. If you haven't read my Definitive Guide on Facebook Interest Targeting yet....

💡 Verify your domain with Facebook and reconsider the number of conversion events you're currently using in your account. Here's a link to the Facebook help article on the Facebook pixel vs iOS14 changes.

I know... it's a lot to swallow 🍪🍪🍪

I'll keep you posted if further developments dictate that.