Every iOS update since 14.5 has chipped away at ad tracking. iOS 17 added Link Tracking Protection (LTP), which strips tracking parameters from URLs when users share links or click them in Mail, Messages, and Safari Private Browsing.
The headlines were alarming. The reality is more nuanced. Here’s what actually changed, what it means for your campaigns, and what to do about it.
What iOS 17 Actually Does
Link Tracking Protection (LTP)
When a user in Safari Private Browsing, Mail, or Messages clicks a URL containing known tracking parameters, iOS strips them:
Removed parameters:
fbclid(Meta click ID)gclid(Google click ID)twclid(Twitter/X click ID)msclkid(Microsoft click ID)- Various other ad platform click IDs
NOT removed:
utm_source,utm_medium,utm_campaign(UTM parameters survive)- Custom query parameters
- Product IDs, session tokens, non-tracking parameters
Important distinction: LTP only activates in Private Browsing, Mail, and Messages. Regular Safari browsing does NOT strip these parameters. This matters because only ~15% of Safari sessions are private browsing.
Stricter ITP (Intelligent Tracking Prevention)
ITP continues to tighten:
- First-party cookies from JavaScript (
document.cookie) now expire in 7 days (some contexts 24 hours) - Third-party cookies remain fully blocked
- CNAME cloaking detection improved (server-side cookie workarounds are detected)
What This Means for Ad Platforms
| Platform | Impact | Severity |
|---|---|---|
| Meta | fbclid stripped in Private Browsing → pixel can’t match click to conversion | Medium |
| Google Ads | gclid stripped in Private Browsing → enhanced conversions needed | Medium |
| TikTok | ttclid stripped → Events API needed for matching | Medium |
| GA4 | UTMs survive → attribution mostly unaffected | Low |
| Email campaigns | Links in Apple Mail stripped → email attribution affected | High |
The Real Impact (By the Numbers)
- Safari market share: ~20% of web traffic (higher on mobile)
- Private Browsing usage: ~15% of Safari sessions
- LTP-affected traffic: ~3% of total web traffic (20% × 15%)
- Click ID loss: Only for that 3%, and only for parameters Apple recognizes
Bottom line: LTP affects about 3% of your traffic. It’s not the apocalypse the headlines suggested. The bigger problem remains ITP’s 7-day cookie expiry, which affects 100% of Safari users.
What To Do
Fix 1: Server-Side Tracking (Highest Impact)
Server-side tracking bypasses all client-side restrictions:
Customer clicks ad → lands on your site → your server captures:
- IP address (from the HTTP request)
- User agent (from the HTTP request)
- Email (if they log in or checkout)
- Phone (if provided at checkout)
Your server sends this data directly to:
- Meta CAPI
- Google Ads Enhanced Conversions API
- TikTok Events APIThe click ID (gclid, fbclid) isn’t needed when you’re matching by hashed email and phone. Server-side matching is actually more reliable than click-based matching because it doesn’t depend on cookies or URL parameters at all.
Fix 2: Enhanced Conversions (Google Ads)
Enhanced conversions hash customer data (email, phone, address) and send it to Google alongside the conversion. Google matches the hashed data to signed-in Google users:
- Works without
gclid - Works without cookies
- Works across devices (customer clicked on phone, bought on desktop)
This is the single most effective fix for Google Ads tracking on iOS. Enable it in Google Ads → Tools → Conversions → Enhanced conversions.
Fix 3: Meta Advanced Matching
Similar to Google’s enhanced conversions. Meta matches conversions using hashed customer data instead of cookie-based fbclid:
- Enable in Meta Events Manager → Settings → Advanced Matching
- Or implement via CAPI (more reliable)
- Supports: email, phone, first/last name, city, state, zip, country
Fix 4: First-Party Data Strategy
Instead of relying on ad platform cookies (which iOS keeps degrading), build your own first-party data:
- Email capture: Get emails before the purchase (exit intent, newsletter, account creation)
- Login prompts: Logged-in users can be matched across sessions without cookies
- Customer accounts: Shopify customer accounts, WooCommerce accounts persist identity
First-party data survives every iOS update because it’s your data, stored on your server, not dependent on browser behavior.
Fix 5: UTM Hygiene
Since UTMs survive LTP, make sure every ad has proper UTM parameters. Use our UTM builder tool and be careful that redirects don’t strip your UTMs:
?utm_source=meta&utm_medium=cpc&utm_campaign=spring-sale&utm_content=video-adEven when fbclid is stripped, GA4 still sees the UTM parameters and attributes the traffic correctly. This doesn’t help Meta’s algorithm (which needs fbclid or CAPI data), but it keeps your GA4 reports accurate.
What NOT To Do
- Don’t disable Safari tracking entirely. 20% of your traffic still converts, just harder to measure.
- Don’t rely solely on modeled conversions. Platform modeling is getting better but isn’t ground truth.
- Don’t panic about every iOS update. The trend is clear — build server-side infrastructure once and you’re future-proof.
- Don’t try to circumvent Apple’s privacy features. CNAME cloaking, fingerprinting, and other workarounds get detected and blocked. Build with the grain, not against it.
Future-Proofing Your Tracking
The iOS trajectory is clear: every update will restrict client-side tracking further. The playbook is simple:
- Server-side tracking for conversion data (Meta CAPI, Measurement Protocol, Events API)
- Enhanced conversions for identity matching (hashed PII)
- First-party data for customer identification (email, accounts)
- UTM parameters for channel attribution in GA4
- Consent management for compliance (GDPR, CCPA, ePrivacy)
If you build these five things, you’re immune to whatever iOS 18, 19, or 20 does to the browser.
Not sure what you’re missing? Scan your site for free — we check your server-side tracking, enhanced conversions, and consent setup against current iOS requirements.