If you run paid social ads (Meta, TikTok, Pinterest) for a Shopify store, you are likely optimizing campaigns using a 7-day or 28-day attribution window. However, under the hood of modern web browsers, a silent executioner is actively deleting your tracking cookies, turning your 7-day window into a 1-day window for a massive chunk of your traffic.
That executioner is Apple's ITP (Intelligent Tracking Prevention). In this article, we'll explain how Safari treats cookies set by JavaScript, why your analytics are underreporting returning customers, and how server-side tracking restores attribution accuracy.
The Core Conflict: Third-Party vs. First-Party Cookies
To understand ITP, we must separate cookies into two categories:
- Third-Party Cookies: Cookies set by a domain other than the one the user is currently visiting (e.g., Meta setting a cookie from
facebook.comwhile a user is onyourstore.com). In 2026, third-party cookies are completely blocked by Safari, Brave, Firefox, and Chrome. - First-Party Cookies: Cookies set by the domain the user is visiting (e.g.,
yourstore.comsetting a cookie to remember a shopping cart). These are allowed, as they are necessary for standard web functionality.
When third-party cookies were blocked, ad networks shifted to using client-side JavaScript to set first-party cookies. For example, when a user clicks a Meta ad, they land on your site with a URL parameter called fbclid. Meta's client-side JavaScript pixel reads this parameter and writes it into a first-party cookie on your domain (e.g., _fbc).
Enter Apple ITP: Capping JS-Set Cookies
Apple realized ad platforms were using JavaScript to bypass third-party cookie blocks. To close this loop, Apple updated ITP to restrict the lifespan of any first-party cookies set via JavaScript (using document.cookie):
- The 7-Day Cap: By default, any first-party cookie written by client-side JavaScript is deleted after 7 days.
- The 24-Hour Cap (The 1-Day Limit): If a visitor lands on your store from a domain classified as a "tracker" (like
facebook.com,instagram.com, orgoogle.com) and the landing URL contains query parameters (likefbclid,gclid, or UTM parameters), ITP restricts the cookie's lifespan to exactly 24 hours.
⚠️ Why this matters: If a customer clicks your Meta ad on Monday, browses your store, and returns on Wednesday to make a purchase, their ad click cookie (_fbc) was deleted on Tuesday. To your pixels and Google Analytics, this user is a "new direct visitor", and the ad campaign gets zero credit for the sale.
How Cookies Differ: Client-Side JS vs. Server-Side HTTPOnly
ITP only targets cookies created by the browser's client-side JavaScript engine. It does not restrict cookies set directly by a server response using the Set-Cookie header with the HTTPOnly and Secure flags.
| Cookie Creation Method | Created By | ITP Lifespan (Safari) | Attribution Security |
|---|---|---|---|
| Client-Side JS (Standard Pixels) | Browser Script (document.cookie) |
1 to 7 Days Max | Attribution lost if purchase takes >24h |
| Server-Side CAPI (Basic) | Cloud Endpoint / API (JS rewrite) | 7 Days Max | Attribution lost if purchase takes >7 days |
| First-Party Proxy (GotTracked) | Server Header (HTTPOnly) |
30+ Days | Full 30-day attribution window preserved |
How GotTracked Bypasses Safari ITP
GotTracked bypasses ITP restrictions by shifting the cookie generation from the browser's JavaScript engine to the server layer using **First-Party App Proxy Tunneling**:
- When a visitor arrives at your store, GotTracked intercepts the request via a first-party subdomain/app proxy (e.g.,
yourstore.com/apps/adtracker). - Since the request goes through your primary domain, our server issues an HTTP response containing a
Set-Cookieheader. - The cookie containing the click ID (
fbclid/gclid) is written as a **server-set HTTPOnly cookie**. - Because client-side scripts cannot access or modify HTTPOnly cookies, and because they are set at the server level, Apple's ITP treats them as structural site cookies and allows them to persist for the **full 30-day lifespan**.
The Bottom Line
If you rely purely on browser pixels, you are losing up to 35% of your attribution data simply because Safari users are completing purchases 2 to 14 days after their initial click. Shifting your attribution setup to a server-side proxy is no longer an optional growth hack — it is a structural necessity to keep ad platforms targeting the right buyers.
Frequently Asked Questions
What is Safari ITP and how does it affect ad tracking?
Safari's Intelligent Tracking Prevention (ITP) is Apple's anti-tracking technology built into Safari. It limits third-party cookie lifetimes to 24 hours, caps JavaScript-set first-party cookies at 7 days, and blocks cross-site tracking requests — all of which reduce the accuracy of ad attribution for Shopify stores.
How long do first-party cookies last in Safari after ITP?
Cookies set by JavaScript (like the Meta Pixel's _fbp cookie) are limited to 7 days in Safari under ITP 2.3+. Cookies set server-side via HTTP response headers on your own domain are not subject to this cap.
Does Safari ITP affect Shopify checkout tracking?
Yes. Shopify's checkout runs on mystore.myshopify.com — a different subdomain from your storefront. Safari ITP treats these as cross-site and applies stricter restrictions, which can break click ID (fbclid, gclid) persistence between browsing and checkout.
What percentage of e-commerce traffic uses Safari?
Safari accounts for roughly 25–35% of global e-commerce traffic, with higher shares on mobile (iPhone Safari is the default iOS browser). This makes ITP one of the most impactful browser restrictions for online retailers.
Can first-party cookies fully bypass Safari ITP?
Partially. Server-set first-party cookies avoid the 7-day JavaScript cookie cap, but Safari still enforces cross-site tracking restrictions. The most reliable solution combines server-set cookies with server-side CAPI event delivery, so conversion data never depends on cookie persistence.
Start Recovering Your
Lost Attribution Today
GotTracked sets up in under 15 minutes and is free for the first 2,000 pioneer merchants.
Join 450+ marketers already scaling.
100% Data Privacy Standards