iPhone & iOS Tracking: What's Lost, What Still Works

· Last updated · 12 min read

Apple's ATT (iOS 14.5+) requires explicit user consent for cross-app tracking—only 20-25% opt in. Safari's ITP limits cookies to 7 days (24 hours for link-decorated traffic). You've lost: IDFA for 75%+ of users, view-through attribution, cross-app journey tracking, and long attribution windows on Safari. What still works: first-party data, server-side tracking, SKAdNetwork (limited), and direct/organic measurement. Adapt by shifting to first-party data collection, server-side tracking, and probabilistic modeling.

The Privacy Timeline: What Apple Changed

Apple's privacy changes didn't happen overnight. Understanding the timeline helps you see where we are and where we're heading:

APPLE PRIVACY TIMELINE

  1. 2017
    Safari ITP 1.0
    Third-party cookies blocked after 24 hours.
  2. 2019
    Safari ITP 2.2
    First-party cookies from "tracking domains" limited to 24 hours. Link decoration triggers the limit.
  3. 2020
    Safari ITP 2.3
    All JavaScript-set cookies limited to 7 days. localStorage limited to 7 days for classified domains.
  4. 2021
    iOS 14.5 — ATT launches
    Apps must ask permission to track across apps and sites. IDFA access requires explicit opt-in.
  5. 2022
    iOS 15 — Mail Privacy Protection
    Email open tracking blocked (pixel loading randomised). IP address hidden from email senders.
  6. 2023
    iOS 17 — Link Tracking Protection
    Tracking parameters auto-removed in Messages, Mail, Safari Private. Affects gclid, fbclid, some UTM params.
  7. 2024
    Safari 17.4 — Stricter protections
    Enhanced fingerprinting prevention. Further third-party storage restrictions.

Each change removed another piece of the tracking puzzle. The trend is clear: Apple is systematically eliminating cross-site and cross-app tracking.

What You've Lost: The Detailed Breakdown

1. IDFA (Identifier for Advertisers)

Before ATT: Every iOS device had a unique IDFA that advertisers could use to track users across apps. Install an app from a Facebook ad? Facebook knew. Make a purchase in that app? Facebook knew.

After ATT: IDFA is only available if users explicitly opt in. With 75%+ opting out, IDFA is effectively dead for most users.

WHAT IDFA ENABLED (PRE-ATT)
  • Cross-app attribution
  • Retargeting audiences
  • Lookalike audiences
  • Frequency capping
  • User-level conversion data
WHAT YOU'VE LOST
  • View-through attribution
  • Precise app-install attribution
  • Cross-app user journeys
  • Accurate ROAS by campaign
  • Deterministic mobile matching
WHAT REMAINS FOR OPTED-OUT USERS
  • SKAdNetwork — aggregated, delayed
  • Probabilistic modelling — limited accuracy
  • First-party data — if the user logs in

2. View-Through Attribution

Before: User sees your Instagram ad, doesn't click, later opens your app and purchases. Meta credits the ad.

After: Without IDFA, there's no way to connect "saw ad" to "made purchase" for users who didn't click.

Attribution Type Before ATT After ATT (Opted Out)
Click-through ✓ Works ⚠️ Limited (24hr)
View-through ✓ Works ✗ Gone
Cross-app ✓ Works ✗ Gone
Deep linking ✓ Works ⚠️ Limited

Safari's Intelligent Tracking Prevention (ITP) progressively shortened cookie lifespans:

Cookie type Lifespan on Safari
Third-party Blocked entirely
First-party, server-set Up to 400 days
First-party, JavaScript-set 7 days maximum
First-party, after link decoration 24 hours
localStorage (classified domains) 7 days

"Link decoration" means URLs carrying tracking parameters like ?gclid=… (Google Ads), ?fbclid=… (Facebook), ?ttclid=… (TikTok), and sometimes ?utm_source=…. If Safari sees these, the cookie window collapses to 24 hours.

What this means: A user clicks your Google Ad on Safari. Google sets a cookie. If they don't convert within 24 hours, the cookie is gone. Your 30-day attribution window? It's actually 24 hours on Safari.

Starting with iOS 17, Apple automatically strips tracking parameters from links in certain contexts:

Context What's Stripped
Messages app gclid, fbclid, tracking params
Mail app gclid, fbclid, tracking params
Safari Private Browsing gclid, fbclid, tracking params
Regular Safari Not currently stripped

Impact: If a friend shares your link via iMessage, tracking parameters may be removed before the recipient clicks.

The compounding problem: These limitations stack. An iOS user who opts out of ATT, uses Safari, and receives links via Messages has almost no trackable touchpoints. For many B2C brands, this describes 20-30% of their audience.

What Still Works

1. First-Party Data

Apple's restrictions target cross-site/cross-app tracking. Your own first-party data is unaffected:

FIRST-PARTY DATA — STILL WORKS

  • Logged-in user behaviour on your site or app
  • Purchase history
  • Email engagement (with limitations)
  • Your own cookies (within ITP limits)
  • Server-side session tracking
  • CRM data
  • Direct customer surveys

The shift: Instead of relying on ad platforms to track users, you need to build your own customer identity system.

2. Server-Side Tracking

Server-side tracking bypasses some browser restrictions because cookies are set by your server, not JavaScript:

Tracking Method ITP Cookie Limit Implementation
JavaScript cookies 7 days (24hr with link decoration) Client-side
Server-set cookies Up to 400 days Server-side
Conversions API (Meta) Uses server events Server-side
Google Ads Enhanced Conversions Uses server events Server-side

Important: Server-side tracking extends cookie life but doesn't restore cross-site tracking. You still can't track users across domains you don't own.

3. SKAdNetwork (For Apps)

Apple's privacy-preserving alternative to IDFA-based attribution:

SKAdNetwork constraint What it means
Timing 24–48 hour delay before data available
Granularity Aggregated — no user-level data
Values Limited to 64 conversion values
Campaigns Limited campaign ID slots
Re-engagement Very limited support
View-through Reduced fidelity

What you actually get back: app install attributed to an ad network, a single conversion value (0–63), limited campaign differentiation, aggregated rather than user-level.

SKAdNetwork tells you "this campaign drove approximately X installs" but not "User ABC installed from Campaign XYZ and made a $50 purchase."

4. Probabilistic/Modeled Attribution

Without deterministic identifiers, platforms increasingly use probabilistic matching:

Accuracy warning: Probabilistic matching accuracy varies wildly—from 50% to 90% depending on the methodology and data available. Always treat modeled data as directional, not precise.

Platform-Specific Impacts

Meta (Facebook/Instagram)

Meta was hit hardest by ATT because their attribution relied heavily on cross-app tracking:

Metric Pre-ATT Post-ATT Impact
Reported conversions Baseline -30% to -50% underreporting
Audience targeting accuracy High Significantly reduced
Lookalike quality High Degraded
View-through attribution Available Mostly unavailable
Attribution window 28-day Now 7-day click, 1-day view

Meta's adaptations:
- Aggregated Event Measurement (AEM) — limited to 8 events per domain
- Conversions API (CAPI) — server-side event tracking
- Modeled conversions — ML-estimated missing data

Google was less impacted because they own Chrome (no ITP) and have first-party data from Search:

Channel Impact
Search Ads Minimal (users clicking = first-party)
YouTube (app) Significant (ATT affects app tracking)
Display Network Moderate (Safari ITP affects web)
App Campaigns Significant (ATT + SKAdNetwork limits)

Google's adaptations:
- Enhanced Conversions — first-party data matching
- Consent Mode — modeling for users who decline tracking
- Privacy Sandbox — Chrome's eventual third-party cookie replacement

TikTok, Snap, Pinterest

All affected similarly to Meta:
- Heavy reliance on view-through attribution (now broken)
- Mobile-first audiences (higher iOS exposure)
- Adapting with Conversions APIs and modeled data

iOS attribution loss by platform, post-ATT

How much of pre-ATT attributed iOS conversions each platform now reports.

Pre-ATT (baseline) Post-ATT (reported) Reported loss

Meta

−35%
PRE
100%
POST
65%
highest impact — Meta relies heavily on cross-app tracking

TikTok

−25%
PRE
100%
POST
75%

Google

−12%
PRE
100%
POST
88%
lower impact — Google has signed-in users across Search, YouTube, Chrome

Snap

−30%
PRE
100%
POST
70%

Platforms didn't lose the conversions — they lost the ability to attribute them. The conversions still happen on iOS. The platform just can't tie them back to the click that drove them. Server-side tracking and modeled conversions are how platforms paper over the gap; the gap is still real underneath.

Industry estimates · Sources: AppsFlyer iOS measurement reports, Meta Q1 2022 earnings disclosure ($10B revenue impact attributed to ATT), public ad-tech vendor benchmarks

How to Adapt Your Attribution Strategy

1. Invest in First-Party Data Collection

Build direct relationships that don't depend on third-party tracking:

CAPTURE
  • Email (with consent)
  • Phone (with consent)
  • Account creation
  • Loyalty programmes
  • Post-purchase surveys
USE FOR
  • Customer matching
  • Offline conversions
  • Cross-device identity
  • Purchase attribution
  • Channel discovery ("how did you hear about us?")

2. Implement Server-Side Tracking

Move tracking from client (browser/app) to server:

Platform Server-Side Solution
Meta Conversions API (CAPI)
Google Enhanced Conversions
TikTok Events API
Pinterest Conversions API
Your attribution Server-side event collection

3. Use Triangulation

Don't rely on any single measurement method. Combine approaches:

Method Strength Use For
MTA Tactical, granular Day-to-day optimization
MMM Strategic, privacy-safe Budget allocation
Incrementality Causal Validating both
Surveys Self-reported Dark funnel insight

(See MTA, MMM & Lift Studies: The Triangulation Approach for detailed methodology.)

4. Adjust Attribution Windows

With Safari's 24-hour cookie limit for ad traffic, long attribution windows are fiction for a significant portion of users:

Platform setting What you actually get on Safari
30-day window 24 hours for link-decorated traffic
7-day window 24 hours for link-decorated traffic
1-day window 24 hours — matches reality

Recommendation: use 7-day windows in platforms (captures Chrome/Android), understand ~30% of users have a 24-hour effective window, supplement with server-side tracking where possible, and use MMM to capture longer-term effects that fall outside any window.

5. Accept Measurement Uncertainty

The era of precise, user-level, cross-platform attribution is over. Adapt your mindset:

Old approach: "Campaign X drove exactly 847 conversions at $12.34 CPA"

New approach: "Campaign X drove approximately 700-900 conversions at $11-14 CPA, validated by incrementality testing"

What's Coming Next

Apple continues tightening privacy controls:

Expected Change Impact
Broader link tracking protection More parameter stripping
Enhanced fingerprinting prevention Probabilistic matching harder
IP address masking (iCloud Private Relay) Location/IP matching degraded
Further ITP restrictions Even shorter cookie windows

The direction is clear: Build for a world with less tracking, not more.

THE iOS GAP IN NUMBERS

  • Share of traffic. In US/AU/UK markets, iOS represents roughly 50–60% of mobile web traffic and a higher share of higher-LTV customer cohorts. In APAC and emerging markets, the share is closer to 15–25%.
  • ATT opt-in rate. Industry-wide, ~25% of users grant tracking permission when prompted. The rest are invisible to cross-app attribution.
  • Conversion-rate paradox. iOS users typically have higher AOV and conversion rates, but worse attribution. Last-click reports systematically understate iOS-driven revenue.
  • What recovers it. Server-side tracking captures iOS conversions that client-side tags miss — cookies expire fast on Safari (7 days for first-party, even faster for fingerprintable surfaces), but server-to-server events tied to a logged-in identity persist. See server-side vs client-side tracking for the architecture.

Summary

Apple's privacy changes have fundamentally altered mobile and web attribution:

What's Lost What Still Works
IDFA (75%+ of iOS users) First-party data
Cross-app tracking Server-side tracking
View-through attribution SKAdNetwork (limited)
Long cookie windows (Safari) Probabilistic modeling
Link tracking params (some contexts) MMM and incrementality

The path forward:

  1. Build first-party data — email, accounts, surveys
  2. Implement server-side tracking — Conversions APIs, enhanced conversions
  3. Use triangulation — MTA + MMM + incrementality
  4. Accept uncertainty — ranges and confidence intervals, not false precision
  5. Test incrementally — holdout tests reveal true impact

The companies adapting fastest are those treating this as a strategic shift, not a technical problem to hack around.

Further Reading

On Privacy-Safe Measurement:
- Server-Side vs Client-Side Tracking — Implementation approaches
- The Dark Funnel — Measuring the unmeasurable

On Measurement Triangulation:
- MTA, MMM & Lift Studies: The Triangulation Approach — Combining methods
- Why Platform Reports Don't Match — Cross-platform reconciliation

Key Takeaways

  • ATT opt-in rates are only 20-25%—you've lost IDFA for 75%+ of iOS users
  • Safari ITP limits cookies to 7 days (1 day for ad click traffic)
  • View-through attribution is essentially dead on iOS
  • First-party data and server-side tracking are your path forward
  • SKAdNetwork provides limited, delayed, aggregated conversion data
What is ATT and when did it start?
App Tracking Transparency (ATT) launched with iOS 14.5 in April 2021. It requires apps to ask explicit permission before tracking users across apps and websites. The prompt asks 'Allow [App] to track your activity across other companies' apps and websites?' Most users tap 'Ask App Not to Track.'
What's the ATT opt-in rate?
Global ATT opt-in rates are around 20-25%. This varies by app category—gaming apps see lower rates (15-20%), while utility apps see slightly higher (25-30%). Effectively, you've lost cross-app tracking for 75%+ of iOS users.
Does Safari ITP affect desktop or just mobile?
ITP affects all Safari browsers—iOS, iPadOS, and macOS. Since Safari is the default browser on all Apple devices and holds ~20% global browser share (higher in the US at ~30%), ITP impacts a significant portion of your web traffic.
Can I still track iOS users at all?
Yes, but differently. First-party data (your own cookies, logged-in users) still works. Server-side tracking bypasses some browser restrictions. SKAdNetwork provides limited conversion data for app installs. You just can't track users across apps/sites without consent.
What about fingerprinting as a workaround?
Apple explicitly prohibits fingerprinting in their App Store guidelines. Apps caught using device fingerprinting face rejection or removal. While some vendors claim 'probabilistic matching,' Apple is actively closing these loopholes. Don't build your strategy on techniques Apple is trying to eliminate.
Holly Henderson
Holly Henderson

Co-Founder, mbuzz

Holly Henderson is Co-Founder of mbuzz. With 10+ years in marketing including roles at Westpac, Avon, and Forebrite, she's obsessed with making measurement actually useful.

Harvard Extension School Forebrite Westpac Avon

How mature is your marketing measurement?

The free Measurement Maturity Assessment shows where you stand, where you're exposed, and what to fix first. 10 questions, 3 minutes.

Take the Assessment

Ready to try server-side attribution?

Set up in 10 minutes. Free up to 30K records/month.

Get Started Free Try Demo