← Back to Blog

Safari 26 Enabled Fingerprinting Protection for Everyone: What Actually Changed

Safari 26 turned Advanced Fingerprinting Protection (AFP) on by default for all browsing, not just Private mode. But the common panic is misplaced: AFP targets known fingerprinting scripts, not properly implemented analytics, and in testing legitimate setups still work. The real attribution erosion is cumulative. Safari’s 7-day cap on script-writable storage wipes returning-visitor identifiers, and link-tracking protection already strips click IDs in private and messaged links, with Apple trending toward all browsing. On a browser that’s roughly a quarter of mobile worldwide, that adds up, and the durable fix is genuine first-party, server-side data.

What actually changed in Safari 26

Apple promoted one privacy layer to default-on for everyone, but it’s narrower than the headlines implied.

With Safari 26 and iOS 26, Apple made a privacy feature that used to be limited to Private Browsing the new default for everyone. Safari 26 activates Advanced Fingerprinting Protection (AFP) by default for all browsing sessions (PPC Land).

Here’s the thing: AFP is more surgical than the early reaction suggested. It blocks known fingerprinting scripts from reading high-entropy device characteristics, setting long-lived script-written storage, and reading URL query parameters or the referrer. Crucially, it targets known fingerprinting scripts rather than legitimate analytics implementations (Billy Grace).

AFP is on by default for all browsing in Safari 26, but it targets known fingerprinting scripts, so a properly implemented analytics setup is largely unaffected by AFP itself.

AFP is not the feature you were warned about

Most of the alarm pointed at the wrong setting, and the distinction decides whether your tags break.

The confusion came from two similar names. AFP, the new default, is not the same as ATFP, the heavier setting people feared was being switched on for everyone.

FeatureDefault in Safari 26What it doesAffects normal analytics?
AFP (Advanced Fingerprinting Protection)On for all browsingBlocks known fingerprinting scripts from device APIs, long-lived storage, and URL parametersLargely no
ATFP (Advanced Tracking and Fingerprinting Protection)On in Private Browsing onlyAdds Link Tracking Protection and blocks known-tracker network loadsYes, if you enable it for all browsing
7-day storage cap (ITP)Always onDeletes script-writable storage after 7 days without interactionYes, erodes returning-visitor attribution

ATFP, which bundles Link Tracking Protection, remains default only in Private Browsing, and users can opt to extend it to all browsing. That’s the setting that would actually block tag managers and strip campaign parameters broadly, and it is not on by default for everyone.

You may be interested in: Self-hosted vs managed: which WooCommerce event pipeline fits your store in 2026

The erosion that’s real, and cumulative

The genuine damage isn’t one dramatic switch, it’s several long-running limits stacking up.

So if AFP isn’t quietly deleting your analytics, what is? The honest answer is a stack of limits that have been tightening for years, with Safari 26 nudging them further.

The biggest is storage lifetime. Safari deletes script-writable storage, including JavaScript cookies, localStorage, and IndexedDB, after 7 days without first-party user interaction (WebKit). For a store with a normal consideration window, that means a visitor who returns on day eight often looks brand new, and the original campaign that earned them is gone.

Then there’s link tracking. Link Tracking Protection strips campaign click IDs such as gclid, fbclid, and msclkid in Private Browsing, Mail, and Messages (WITHIN). On the Safari 26 final release those parameters still pass through in normal browsing, but Apple’s release notes and test builds point toward expanding that stripping to regular browsing.

Safari’s 7-day deletion of script-writable storage erases returning-visitor identifiers, so a shopper who comes back after a week can be miscounted as a brand-new user.

Why it matters on Safari specifically

These limits would be a footnote on a small browser, but Safari isn’t small where it counts.

The reason this is worth your attention isn’t the severity of any single limit. It’s the size of the surface they apply to.

Safari accounts for roughly a quarter of mobile browsing worldwide and over half of US mobile sessions (Statcounter via Backlinko). For a US-focused WooCommerce store, that means the majority of mobile shoppers are on the exact browser where returning-visitor attribution decays fastest. The question isn’t whether Safari’s limits affect you. The question is how much of your mobile attribution is already quietly degraded.

The durable fix

The reliable answer is to stop depending on browser storage that Safari is designed to expire.

If the problem is that browser-side identifiers don’t survive, the fix is to not depend on them. That means moving attribution to genuine first-party, server-side data.

One trap to avoid: a CNAME or third-party-CDN “server-side” setup can still be treated as suspicious by Safari and capped at the same 7 days, so it doesn’t actually solve the problem. The durable approach is same-origin first-party collection that doesn’t rely on long-lived browser storage at all.

That’s the model Seresa’s Transmute Engine™ uses: it captures events server-side as same-origin first-party data, so attribution doesn’t hinge on identifiers Safari is built to delete. On a browser this dominant in mobile, that’s the difference between measuring your mobile shoppers and guessing at them.

You may be interested in: The 70% problem: your AI traffic is hiding in GA4 direct

What to do this week

Two checks tell you whether Safari is already eating your attribution.

First, segment your analytics by browser and compare returning-user and conversion rates on Safari against Chrome. If Safari’s returning-visitor numbers look suspiciously low, the 7-day storage cap is the likely culprit, not AFP.

Second, check how your “server-side” tracking is actually implemented. If it runs through a CNAME or third-party CDN, confirm whether Safari is capping it at 7 days anyway, because a setup you believe is durable may not be.

Key takeaways

  • AFP is default-on but narrow: Safari 26 enabled Advanced Fingerprinting Protection for all browsing, but it targets known fingerprinting scripts, not legitimate analytics.
  • Know AFP from ATFP: The heavier setting that adds link-tracking protection is still default only in Private Browsing, not on for everyone.
  • The real erosion is cumulative: Safari’s 7-day storage cap and expanding link-tracking protection quietly degrade returning-visitor attribution.
  • Server-side, done right, is the fix: Same-origin first-party data survives where browser storage doesn’t, but CNAME or CDN setups can still be capped at 7 days.
Did Safari 26 break my analytics by default?

Probably not, if your analytics are implemented properly. Safari 26 turned on Advanced Fingerprinting Protection for all browsing, but it targets known fingerprinting scripts and, in independent testing, legitimate analytics setups still functioned. The bigger risk is cumulative attribution erosion from Safari’s long-standing 7-day storage cap and its expanding link-tracking protection, not AFP itself.

What’s the difference between AFP and ATFP in Safari?

AFP (Advanced Fingerprinting Protection) is the new layer that’s on by default for all browsing in Safari 26; it blocks known fingerprinting scripts from reading device characteristics and URL parameters. ATFP (Advanced Tracking and Fingerprinting Protection) is the existing setting, default only in Private Browsing, that also adds Link Tracking Protection and blocks known-tracker network requests. They’re different, and much of the early panic confused the two.

Does Safari 26 strip gclid and fbclid from my campaign URLs?

In Private Browsing, Mail, and Messages, yes, link-tracking protection strips click IDs like gclid, fbclid, and msclkid. On the Safari 26 final release, those parameters still pass through in normal browsing, but Apple’s release notes and test builds point toward expanding the stripping to regular browsing, so it’s wise to prepare now.

How do I keep attribution working on Safari?

Move attribution off browser storage and onto your own server with genuine first-party, server-side data. Note that CNAME or third-party-CDN setups can still be treated as suspicious and capped at 7 days, so the durable approach is same-origin first-party collection that doesn’t depend on long-lived browser identifiers.

References

  • PPC Land — Safari 26 tracking changes to impact marketing measurement (2026). https://ppc.land/safari-26-tracking-changes-to-impact-marketing-measurement/
  • Billy Grace (Vasco Meerman) — Safari on macOS and iOS 26 tracking changes: what’s really changing (2025). https://medium.com/billy-grace/safari-on-macos-ios-26-tracking-changes-whats-really-changing-31e2d26cb727
  • WebKit — Private Browsing 2.0 and tracking prevention (2025). https://webkit.org/blog/15697/private-browsing-2-0/
  • WITHIN — iOS 26 Link Tracking Protection explained (2026). https://www.within.co/blog/ios-26/
  • Statcounter via Backlinko — Browser market share (2026). https://backlinko.com/browser-market-share

If your Safari numbers look thinner than your Chrome numbers, that gap is attribution decaying on Apple’s terms, a true first-party server-side pipeline is how you stop it.