Author: David Son

Privacy and security on the web is a big deal to many consumers. They want to know that when they visit a brand’s website or mobile site that their data is used responsibly and protected. While that’s most often the case, there are other ways to protect consumers that don’t rely on faith in the good stewardship of visitor data. In fact, even well-meaning companies make mistakes, so it’s always a good idea to layer on security.

One way that can happen is by placing limitations related to first- and third-party cookies through browsers like Google Chrome and Apple Safari. I give an explanation of what cookies are in a related article that I recently published on Medium. In that article, I discuss how Adobe Target supports Chrome’s SameSite cookie policies, which are designed to protect the consumer’s data privacy. In this article, I want to explain how Apple is similarly providing protections through its ITP 2.1 and ITP 2.2 cookie policies.

What is ITP?

ITP, which stands for Intelligent Tracking Prevention, is Apple’s initiative to protect the privacy of Safari users. The first release of ITP in 2017 targeted the use of third-party cookies. In fact, Apple blocked third-party cookies in their entirety, causing a severe headache for ad tech and mar-tech companies because they often use third-party cookies to track users and collect user data.

Apple is now on the move to place limitations and restrictions on how first-party cookies are used within Safari. They released ITP 2.1 on February 21, 2019, and capped client-side cookies placed on the browser using the document.cookie API to expire in seven days. On April 24, 2019, they released ITP 2.2, which drastically reduced the seven-day expiry cap to an eye-popping one day.

We want you to understand how that affects you as an Adobe Target customer, and how we’re helping you mitigate that impact.

The impacts of ITP 2.1 and 2.2 releases on Adobe Target customers

Adobe Target provides a JavaScript library that you deploy on your pages on which you want to deliver real-time personalization to your visitors with Adobe Target. Target has three JavaScript libraries, Mbox.js, At.js 1.x, and At.js 2.x. These libraries place client-side Target cookies on your visitor’s browser via the document.cookie API. As you might have guessed, that means that Apple’s ITP 2.1 and 2.2 releases impact Target cookies, causing them to expire after 7 days in the case of ITP 2.1, and in 1 day in the case of ITP 2.2.

Here’s how you may potentially experience that impact:

An increase of unique visitor counts. With the shortened cookie expiration window, you may see an increase of unique visitors coming from Safari browsers. If visitors revisit your domain after seven days in the case of ITP 2.1, or one day in the case of ITP 2.2, Adobe Target would be forced to place a new Target cookie on your domain in place of the expired one. The new Target cookie translates to a new unique visitor even though the visitor is the same.

Decreased lookback periods for Adobe Target tests. Visitor profiles for Adobe Target tests may have a decreased lookback period for decisioning. Target cookies are leveraged to identity a visitor and store user profile attributes for personalization. Given that Target cookies may expire in seven days or one, depending on whether ITP 2.1 or 2.2 is in use, the visitor profile data that was tied to the purged Target cookie can’t be used by Adobe Target for decisioning.

Determining if your current implementation of Adobe Target is impacted

But how do you definitively know if your Adobe Target implementation has been impacted by either release of this initiative? It’s actually not too difficult. In a Safari browser, navigate to the website on which you’ve deployed a Target JavaScript library. If you see a Target cookie set in the context of a CNAME like “analytics.company.com,” then you are not impacted by ITP 2.1 and 2.2.

If you are using the Experience Cloud Visitor ID library in addition to the Target JavaScript library, your implementation will be impacted in the ways listed in this article on the Medium website.

Mitigating the impact on Adobe Target of ITP 2.1, 2.2, and future ITP releases

There’s no reason to have current and future ITP releases impact your Adobe Target implementation. Mitigate their impact by following these steps:

Step 1. Deploy the Experience Cloud ID (ECID) library to your pages
The Experience Cloud ID (ECID) library enables the people identification framework for Experience Cloud Core solutions and allows you to identify same site visitors and their data in different Experience Cloud solutions by assigning persistent and unique identifiers. Adobe will update the ECID library continuously to help you mitigate the impact of any ITP-related changes on your implementation. For ITP 2.1 and 2.2, you must use ECID library 4.3.0+ to mitigate any impacts.

Step 2. Leverage CNAME for either Adobe Analytics or Adobe Target. You don’t need to use CNAME for both Adobe Analytics and Adobe Target, but having both is recommended.

2.a Setting up a CNAME for Adobe Analytics
You can leverage the CNAME for Adobe Analytics and its managed certificate program. The certificate program lets you implement a first-party certificate for first-party cookies at no charge. If you are not leveraging the CNAME, talk with your account representative and enroll in the Adobe Managed Certificate Program to start the process.

Once completed, the tracking server name should be supplied to the ECID library when initializing the library using trackingServer or trackingServerSecure. This should match the trackingServer configuration in the Analytics configuration.

2.b Setting up a CNAME for Adobe Target

Follow these instructions to set up a CNAME for Adobe Target. Most importantly, be sure to update the Adobe Target’s JavaScript library’s serverDomain with the CNAME.

Once you set up CNAME for Adobe Target and Adobe Analytics and deploy Adobe Target’s JavaScript library in conjunction with the ECID library v4.3.0+, you will have a robust and long-term mitigation plan for any future ITP-related changes.

Adobe Target supports you and your customers in a more secure web

As strides are made to create a more secure web for consumers, Adobe Target is resolute in its commitment to delivering personalized experiences while meeting and exceeding the privacy expectations of your visitors and customers. Adobe Target has already announced support for Google’s SameSite Chrome Policies in addition to support for Apple’s ITP 2.1 and 2.2. As these policies and others continue to evolve to protect our consumers, Adobe Target will likewise continue to support these initiatives while helping our customers provide best-in-class personalized experiences to their customers.

Originally published: July 22, 2019