How Apple's will crumble your Facebook cookie in 2020

"Cookiepocalypse" is happening...while most Facebook advertisers are still sleeping.

This is your wake-up call.

2020 will be a big year in the development of the internet towards a cookieless future.

And that will have a huge impact on digital marketers and advertisers, because the internet as we know it is built on pixels (to deliver information to a server) and cookies (to store that information in a user's browser so the server can read it again later).

Cookies are very useful because they help us track users across sessions, attribute sales to ad clicks, retarget, build lookalike seed pools, exclude purchasers, etc.

But they've also transformed websites into ugly banner displays with such intrusive targeting that people feel eavesdropped.

That's why Apple started a war to protect privacy and improve user experience by crumbling these cookies  ⚔️🍪

While most Facebook advertisers and even self-proclaimed  gurus are still sleeping on "cookiepocalypse", big adtech companies are getting EXTREMELY nervous.

Take for example Criteo, one of the world's major adtech companies that offers personalised retargeting advertisements.

Criteo relies on cookies for identifying users across websites and sessions.

This is what happened to their stock price since Apple started the war...

So what is this ITP 2.0, 2.1, 2.2 and 2.3 thing scribbled in the graph?

Intelligent Tracking Prevention (ITP)

Intelligent Tracking Prevention (ITP) is a feature of WebKit.

That's the engine that powers Apple's built-in Safari browser. ITP aims to prevent users privacy by reducing the lifespan of tracking cookies to just 7 days.

Since ITP was first introduced other web browsers followed. Like Mozilla Firefox with their Enhanced Tracking Protection (ETP). Actually all browsers, including the market leader Chrome, are implementing features that protect privacy by limiting cookies.

Their intention is good.

It's in the best interest of internet users.

But we're not just internet users. We're also savvy marketers and advertisers.

And this has a HUGE impact on digital marketing and the tools we use. Because a lot of these tools rely 100% on cookies.

A 7-day cookie lifespan causes problems for Facebook advertisers.

🍪Conversions are not attributed to ad clicks when these happened +7 days prior.

🍪Your retargeting audiences will last for maximum 7 days, then they're gone.

🍪Exclusion audiences of past Purchasers will only last for 7 days, after that your ads will start showing again to people who just purchased from you.

🍪Your lookalike seed audiences are super small (filled with just 7 days of users), so the resulting lookalikes will be of low quality.

And these are just a few examples!

Why is everyone sleeping on this cookiepocalypse?

The consequences of ITP are very serious, I think we can all agree on that.

So how is it possible that the stock value of one of the worlds biggest adtech companies crashes while everyone else is shockingly unaware of what's happening?

There are a couple of reasons I think.

First of all, the news around ITP is communicated mainly to developers. 

<script>"In their language;"</script>

When you read WebKit's blog you'll find they communicate very promptly about the latest changes and developments. It's not secret.

But how many marketers read dev blogs? 

And how many devs understand marketing?

Sure, you could've read about all of this on the big tech news outlets. AdExchanger posted "How Safari's ITP 2.3 Update Is Cracking Down On Link Decoration 'Abuses'" and TechCrunch published "Apple got even tougher on ad trackers at WWDC

But assessing the consequences of these articles, requires technical knowledge.

Did you for example know that "link decoration" in the first article is about the weird fbclid= string at the end of every URL when you click away from Facebook?

And did you know that "Safari cracking down on it" impacts your Facebook ad tracking?

Probably not.

No worries, this is your wake-up call.

To be clear, these developments impact everyone with a website and a buyers journey that takes longer than 7 days. 

That's why I decided to sit down and write a "warning" that explains in normal language what is happening, why you should care and what you should do to save your 🍪

Secondly, right now it "just" impacts the latest versions of Safari and Firefox. 

The deletion of cookies after just 7 days is implemented in the most recent versions of Safari and Firefox. This means it's active on mobile devices with iOS 13 installed. And in Safari 13 on desktop (that's macOS Catalina, Mojave and High Sierra).

So it's spreading slowly.

But it's "just" a matter of time before people will upgrade or buy a new device.

I can almost hear you think..."but the market share of these 2 browsers is fairly small".


On my website around 20% of all visits are on Safari or Firefox. And when I look just at traffic from mobile devices, Safari takes a 40% share. That's not nothing!

You can check this for your own website in Google Analytics, in the Browser & OS report.

Let's address the elephant in the room...🐘

What if Google Chrome will follow?

The development version of Chrome (Google Chrome Canary) clearly shows that they are working on features that will protect users against being tracked by cookies.

Luckily at this point it's still speculation...

Will they also limit cookie lifetime to just 7 days? Yes, they are dependent on cookies themselves (Google Ads products). But they also have a lot of logged-in users that could serve as an alternative for ad click attribution.

I mean everyone is always logged-in to some Google product right? They don't REALLY need cookies for attribution.

The value of Facebook's ad platform relies mostly on cookies for attribution and proving their ROAS, so Google could even implement anti-cookie measures as an attack to steal the ad budget from Facebook advertisers to their Google ads platform.

Justin Schuh, Chrome's Director of Engineering, has announced recently that they want to build a more private web and that  their intention is to make 3rd-party cookies obsolete within the next 2 years (I'll explain 1st vs 3rd cookies later in this article).

After that announcement Criteo's stock crashed even further...

Personally I completely agree with Google's view on this matter. 

"Users are demanding greater privacy--including transparency, choice and control over how their data is used--and it's clear the web ecosystem needs to evolve to meet these increasing demands. Safari and Firefox have reacted to these concerns by blocking cookies, but we believe this has unintended consequences that can negatively impact both users and the web ecosystem."

Their goal is to make the web more private and secure for users, while also supporting advertisers. That's much better! 

Only time can tell...🔮

I'm sure even Mark is nervous.

Otherwise Facebook wouldn't have launched so many "protective" measures recently.

What has Facebook done to save their cookies?

OK, this is going to be a bit technical.

TL;DR = Facebook implemented a bunch of hacks in a whack-a-mole attempt to save their cookie. But these hacks only work short-term and the "loopholes" are closed with every new ITP release. The only durable solution is to load Facebook's cookie as a (server-side) 1st-party cookie. Facebook can't do this for you. You can only fix it yourself. In the final section I'll explain how to do that.

They've broadened the scope of Advanced Matching.

Advanced Matching means Facebook grabs customer identifiers (like name and email) along with your pixel events. This way they can match more conversions to ad clicks, because they know who clicked on your ads.

Remember how ITP impacts Facebook advertisers?

🍪Conversions are not attributed to ad clicks when these happened +7 days prior.

🍪Your retargeting audiences will last for maximum 7 days, then they're gone.

🍪 Exclusion audiences of past Purchasers will only last for 7 days, after that your ads will start showing again to people who just purchased from you.

🍪Lookalike seed audiences are super small (filled with just 7 days of users), so the resulting lookalikes will be of low quality.

These are the benefits of Advanced Matching in their own words:

Before, they could only get this data from (checkout) form fields. But now they've broadened the scope to basically scrape your website for everything they can get.

Sure it helps, but it doesn't fix the problem.

They've added link decoration to every outgoing link click and "hacked" their cookie to look like a 1st-party cookie.

Let me explain.

There is a big difference between cookies. There are multiple types and browsers will treat them differently.

1st-party cookies 🍪 are set on your computer by the domain you're visiting, via the webserver or through Javascript code in the browser. Often they have a function like saving the contents of your basket or remembering you're logged-in.

3rd-party cookies 🍪🍪🍪 are set on your computer by another party than the owner of the domain you're visiting, via a 3rd-party webserver or a script embedded on the website. Facebook sets this cookie through the pixel, like buttons, social logins etc. This is how they track users across the internet.

See the difference?

OK, then let me explain the hack Facebook came up with. It also includes the fbclid= URL parameter I've mentioned a little earlier.

This is how it works worked:

🍪When a user clicks an ad on Facebook, a unique fbclid= string is added to the URL.

🍪The user is sent to the advertiser's site.

🍪The URL is interpreted by the Facebook pixel on the advertiser's website and it stores the unique fbclid= string in the users browser as a 1st-party cookie by using Javascript in the browser to write the cookie.

🍪The Facebook pixel communicates with Facebook and sends back the data stored by this 1st-party cookie.

This was a hack to circumvent the shortened 7-day lifespan of cookies. By saving the fbclid= parameter in the local storage of your web browser, it could identify who clicked and still correctly attribute ad clicks to purchases made at a later time. 

But this "link-decoration-and-1st-party-javascript-cookies"-loophole was closed when WebKit released ITP version 2.3.

Hacks will always only work short-term. The only durable solution to protect cookies against ITP is to set them as 1st-party cookies, without using Javascript.

So straight from your webserver.

Facebook doesn't have access to it, so they simply can't fix it for you.

Needless to say, this also applies to any other marketing cookie you would like to save.

What can you do to save your cookies?

Heads up: this post contains affiliate links. If you purchase something through one of these links, you won't pay more, but we'll get a small commission.

I woke you up.

It would be harsh to warn you about what's coming, without also guiding you to a solid solution to protect your cookies in Safari / Firefox and save you from a disaster when Google Chrome follows their example.

Luckily you don't need to have development skills to save your cookies 🍪

You should implement CookieSaver to transform your cookies into server side 1st-party cookies, so they keep their maximum lifespan instead of just 7 days.

This is one of my websites, on which I don't have CookieSaver installed yet 👇

Let me zoom in a bit so you can see the expiration dates.

I'm writing this on January 7th, they will be killed on January 14th. As you can see, both the _fbp (Facebook) and _ga (Google Analytics) cookie will expire in 7 days.

This completely messes up everything!

🍪If someone clicked on my Facebook ad and purchases more than 7 days after that click, the cookie has been deleted and the sale will not be attributed to the click.

🍪If a user visited my website, I can only retarget for 7 days because after 7 days the cookie will be deleted and I can't reach them.

🍪If I want to build lookalikes of a custom audience of people who triggered a Purchase event, it will be a small audience that only includes last 7 day purchases.

🍪If I want to exclude an audience of people who just purchased from me from seeing my ads, I can only do that for 7 days. After that they'll see them again.

CookieSaver is running on InterestExplorer to save my cookies from premature deletion.

As you can see both my Facebook cookie and Google Analytics cookie are set to expire months or even years from now.

CookieSaver saved them 🙏

I can still attribute sales, retarget, build quality lookalikes and exclude purchasers.

My other marketing cookies (like Google Analytics, Google Ads, etc) are also safe.

Learn more about CookieSaver

CookieSaver is created by Accutics, a Danish marketing-data company that works with companies like Dyson, Coop and Nordea.

They've built an effective and durable solution against ITP's impact on marketing, because they needed it themselves to protect their client's cookies. 

"I feel safe knowing it now also saves my cookies and makes sure I can keep making informed decisions about my ad spend by staying on top of my Safari and Firefox users (currently 20% of my overall traffic, up to 40% on mobile)."

Paco Vermeulen

Founder and

Do you also want to improve your marketing attribution and safeguard your cookies when winter is coming? It's simple, just install CookieSaver on your websites.

It's a set-and-forget solution that you'll implement once to keep you safe.

If you create an account through any of the links in this article, you'll get a free 30-day trial (normally it's just 14 days, so it's a bit extended). Plans start from just €9/mo.

Now you know cookiepocalypse is coming... 

You can't go back to sleep 💤

I know... it's a lot to swallow 🍪🍪🍪

If you have any questions or concerns, just message me at