Safari’s ITP has gone through 6+ major versions since 2017. Each version added stricter restrictions. iOS 17’s Advanced Tracking Protection can now completely block Google Tag Manager and Google Analytics. If you’re waiting for browser privacy restrictions to be rolled back, you’re building your marketing strategy on sand.
Apple has explicitly stated in its Safari Privacy White Paper that “the role of the web browser is to act as an agent on behalf of the user” and that Safari “will continue to evolve to prevent tracking.” This isn’t corporate hedging—it’s a public commitment. The restrictions will only get tighter.
The Privacy Timeline That Only Goes One Direction
Safari’s Intelligent Tracking Prevention launched in 2017. Since then, Apple has released version after version, each closing loopholes marketers discovered in the previous one.
ITP 1.0 (2017): Introduced machine learning to identify cross-site trackers. ITP 2.0 (2018): Blocked third-party cookies immediately. ITP 2.1-2.3 (2019): Added the 7-day limit on JavaScript-set first-party cookies. ITP 3.0+ (2020-2024): Progressively tighter restrictions on fingerprinting and link decoration tracking.
Safari now reaches over 1 billion users worldwide and accounts for nearly 18% of global browser market share (Z2A Digital, 2025). That’s not a niche concern—that’s a significant portion of your traffic operating under strict tracking limitations.
And it gets worse. On iOS devices, all browsers—Chrome, Firefox, Brave, Edge—must use Apple’s WebKit engine. This means ITP restrictions apply to every browser on iPhone and iPad, not just Safari. Your iOS visitors face these restrictions regardless of which browser icon they tap.
You may be interested in: Brave Browser Is Killing Your GA4 Data
The iOS 17 Escalation
If you thought ITP was the ceiling, iOS 17’s Advanced Tracking Protection raised it higher. According to McGaw’s 2025 analysis, “The big impact of this change is huge: Google Tag Manager and Google Analytics are completely blocked when Advanced Tracking Protection is enabled.”
Currently, Advanced Tracking Protection is opt-in. But here’s the pattern worth noting: Apple’s App Tracking Transparency (ATT) started as opt-in too. Then it became the default. Roughly 95% of US users now opt out of tracking since ATT launched in 2021 (Z2A Digital, 2025).
McGaw’s analysis puts it directly: “While this feature is now opt-in, it could very well become opt-out in the future, much like Apple’s changes to mobile ad attribution.”
The implication is clear. Features that block tracking start optional and become mandatory. The trajectory only goes one way.
Why These Changes Won’t Reverse
Three factors make browser privacy restrictions permanent:
1. User demand. Privacy has become a competitive differentiator. Apple markets it heavily. Users choose browsers partly on privacy features. No company will reverse course and announce “we’re making tracking easier again.”
2. Regulatory pressure. GDPR, CCPA, and similar legislation worldwide require consent for tracking. Browsers that enable easy tracking without consent face legal risk. Privacy-by-default reduces compliance burden.
3. Technical architecture. These aren’t policy decisions that can be toggled—they’re built into browser engines. WebKit’s tracking prevention is core functionality, not a feature flag. Reverting would require significant engineering effort with no business justification.
Apple isn’t alone. Firefox’s Enhanced Tracking Protection has been default since 2019. Brave blocks trackers by default. Even Chrome is implementing Privacy Sandbox alternatives to third-party cookies. The entire industry is moving toward more restrictions, not fewer.
What Browser Privacy Restrictions Actually Target
Here’s the reality check that should change your strategy: ITP and similar restrictions primarily target cross-site tracking—following users across the internet. Your first-party analytics tracking your own site visitors is different.
ITP’s 7-day cookie limit specifically targets cookies set via JavaScript by scripts that exhibit tracking behavior. It’s designed to break the surveillance advertising model where users get followed across thousands of sites.
Your WooCommerce cart cookie? Not the target. Your login session? Not the target. Server-set cookies for your own domain? Not the target.
The distinction matters. First-party data collection on your own site—when done correctly—survives these restrictions. The key is “done correctly.”
You may be interested in: First-Party Data Strategy: The Marketing Manager Guide
The Architecture That Survives Privacy Restrictions
Two types of tracking survive browser privacy restrictions:
1. Server-set cookies. Cookies set by your server via HTTP headers (like login cookies) aren’t affected by ITP’s 7-day JavaScript cookie limit. They function normally.
2. Server-side event collection. When data is captured on your server rather than in the browser, ad blockers and browser restrictions don’t apply. The event fires from your infrastructure, not from a blocked script.
This is why server-side tracking has become essential—not as a workaround, but as the architecture designed for this permanent reality.
Transmute Engine™ uses exactly this approach. It’s a first-party Node.js server that runs on your subdomain (e.g., data.yourstore.com). The inPIPE WordPress plugin captures events and sends them via API to your Transmute Engine server, which then routes to GA4, Facebook CAPI, and other destinations simultaneously—all from your own domain.
Because it runs first-party on your subdomain, requests bypass ad blockers (they’re going to your domain, not a blocked third-party). Because cookies are set server-side, they’re not subject to JavaScript cookie limitations. The architecture is built for the privacy-first reality, not fighting against it.
Key Takeaways
- Privacy restrictions are permanent. Apple has released 6+ ITP versions, each stricter. The pattern only moves one direction.
- iOS 17 can block GTM entirely. Advanced Tracking Protection currently is opt-in but follows the ATT pattern toward becoming default.
- All iOS browsers use WebKit. ITP applies to Chrome, Firefox, and every browser on iPhone—not just Safari.
- 95% of US users opt out of app tracking. User preference for privacy is clear and won’t reverse.
- Server-side tracking is the permanent solution. First-party servers bypass browser restrictions by design.
No. Apple has explicitly stated in its Safari Privacy White Paper that “the role of the web browser is to act as an agent on behalf of the user” and that Safari “will continue to evolve to prevent tracking.” Each ITP version since 2017 has added stricter restrictions, not removed them. The pattern only moves in one direction.
Safari’s Intelligent Tracking Prevention (ITP) limits first-party cookies set via JavaScript to a maximum 7-day lifespan. This specifically targets tracking scripts like GA4 that set cookies through JavaScript. Server-set cookies via HTTP headers aren’t subject to this limit.
Yes. Apple requires all iOS browsers to use Safari’s WebKit engine. This means ITP restrictions apply to Chrome, Firefox, Brave, and every other browser on iPhone and iPad—not just Safari. If your customer uses any browser on iOS, ITP applies.
Google has already started. Chrome’s Privacy Sandbox is implementing alternatives to third-party cookies. While Chrome’s approach differs from Safari’s, the industry trend is clear: every major browser is adding privacy restrictions, not removing them.
Browser privacy isn’t a temporary inconvenience—it’s the permanent architecture of the modern web. Build your tracking for this reality.
