Full Answer
The distinction Apple draws is between individual tracking and campaign tracking. Click identifiers like gclid connect a specific ad click to a specific user profile inside the ad platform — Google can match that click to your browsing history, your Google account, and your subsequent purchases. Apple considers this cross-site user tracking and strips it.
UTM parameters carry no individual identity. utm_source=facebook tells your analytics that the visitor came from Facebook. It does not tell Facebook which specific user clicked. Apple has confirmed in WebKit documentation that campaign-level parameters are excluded from Link Tracking Protection because they operate at the aggregate measurement level.
The practical nuance is timing and scope. In Safari 17 and 18, click identifier stripping was limited to Private Browsing mode and links clicked inside Mail and Messages. Safari 26 expands this to all standard browsing sessions — every Safari user will have gclid, fbclid, and msclkid stripped automatically during page navigation. UTM parameters remain unaffected by this expansion.
However, other privacy tools do strip UTMs. DuckDuckGo's browser and extension purposefully remove UTM parameters. Firefox in Strict mode with uBlock Origin can strip them. The Chrome UTM Stripper extension targets all utm_ prefixed parameters. Safari does not strip UTMs, but 30–40% of UTM data is still lost to other privacy tools and ad blockers before reaching your analytics. Coded UTM parameters — which use randomised parameter names instead of the recognisable utm_ prefix — bypass all pattern-matching filters including those that Safari does not apply.
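The two filtering behaviours described above, modelled side by side so you can see which parameters reach your landing page. This is an added example, not code from Apple, WebKit or any of the tools named; the policy names, the function `applyPolicies` and the sample URL are assumptions made for illustration, and the click-identifier list contains only the three names this answer mentions.

```javascript
// Added example. The click-identifier list holds only the three names the
// answer mentions; it is not the list any browser actually ships.
const CLICK_IDS = new Set(["gclid", "fbclid", "msclkid"]);

// Each policy answers: should this query parameter name be removed?
// Case-insensitive matching is an assumption of this sketch.
const POLICIES = {
  clickIdsOnly: (name) => CLICK_IDS.has(name.toLowerCase()),
  utmPrefix: (name) => name.toLowerCase().startsWith("utm_"),
};

// Apply one or more policies in order; report what was removed and what is left.
function applyPolicies(rawUrl, policyNames) {
  const url = new URL(rawUrl);
  const removed = [];
  for (const policyName of policyNames) {
    const shouldStrip = POLICIES[policyName];
    if (!shouldStrip) throw new Error(`unknown policy: ${policyName}`);
    // Snapshot the names first: deleting while iterating the live
    // URLSearchParams object can skip entries.
    for (const name of new Set(url.searchParams.keys())) {
      if (shouldStrip(name)) {
        removed.push(name);
        url.searchParams.delete(name); // drops every occurrence of the name
      }
    }
  }
  const surviving = [...new Set(url.searchParams.keys())];
  return { url: url.toString(), removed, surviving };
}

// Constructed landing URL (hypothetical host and values).
const SAMPLE =
  "https://shop.example/landing?utm_source=facebook&utm_campaign=spring" +
  "&fbclid=CONSTRUCTED123&sku=42#top";

for (const chain of [["clickIdsOnly"], ["utmPrefix"], ["clickIdsOnly", "utmPrefix"]]) {
  const r = applyPolicies(SAMPLE, chain);
  console.log(chain.join("+"), "->", r.url, "| removed:", r.removed.join(","));
}
```

Run it with Node.js against your own campaign URLs to check that attribution still works when only the `surviving` parameters arrive.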