Full Answer
Safari maintains a classification list of known tracking domains. When a visitor navigates from one of these domains — Facebook, Google, TikTok — with a click identifier appended to the URL, ITP triggers its strictest cookie restriction. The standard 7-day cap on JavaScript-set first-party cookies drops to 24 hours. Every cookie on the page is affected, not just the tracking cookie — login sessions, cart memory, and analytics identifiers all expire the next day.
The mechanism compounds with other Safari restrictions. ITP 2.2 introduced the 24-hour cap in 2019. Safari 16.4 in 2023 added an IP-matching rule that re-caps even server-set cookies to 7 days unless your tracking server shares an IP range with your main website. Safari 26 expanded gclid stripping from Private Browsing to all standard sessions. Each version closes another workaround without opening a new one.
For WooCommerce stores running paid ads, the impact is direct. Google Ads claims a 30-day attribution window, but Safari deletes the gclid cookie after 24 hours. Meta's attribution relies on the fbclid cookie, which faces the same restriction. The ad platforms still report conversions by modelling the gap — estimating rather than measuring. Your ROAS numbers include phantom conversions that Safari prevented from being tracked.
Server-side tracking bypasses the cookie dependency entirely. Events fire from your server via API after a confirmed purchase, using hashed customer data for identity matching instead of browser cookies. The conversion reaches the ad platform regardless of what Safari deleted.
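The server-side step described above, sketched as an added example that is not taken from any ad platform's SDK or from WooCommerce: it builds a purchase event from a confirmed order and replaces the customer's email and phone with SHA-256 digests of their normalized forms. The payload field names and the order dictionary layout are assumptions for illustration; each platform's API defines its own schema.

```python
import hashlib
import json
import re

def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def normalize_email(email: str) -> str:
    # Trim and lowercase so one address always produces one digest.
    return email.strip().lower()

def normalize_phone(phone: str) -> str:
    # Digits only; assumes the number already carries its country code.
    return re.sub(r"\D", "", phone)

def build_purchase_event(order: dict) -> dict:
    """Build a server-side conversion event (hypothetical schema)."""
    # Fire only after the purchase is confirmed, never on page view.
    if order.get("status") != "completed":
        raise ValueError("only confirmed purchases are reported")
    # The digest is a stable pseudonymous identifier, not anonymized data,
    # so the payload still needs the same handling as other personal data.
    user = {"email_sha256": sha256_hex(normalize_email(order["email"]))}
    if order.get("phone"):
        user["phone_sha256"] = sha256_hex(normalize_phone(order["phone"]))
    return {
        "event": "purchase",
        "order_id": order["id"],
        "timestamp": order["paid_at"],
        "value": order["total"],
        "currency": order["currency"],
        "user": user,
    }

# Constructed sample order; not real customer data.
SAMPLE_ORDER = {
    "id": "1001",
    "status": "completed",
    "paid_at": 1700000000,
    "total": 59.90,
    "currency": "EUR",
    "email": "  Jane.Doe@Example.com ",
    "phone": "+49 (151) 555-0100",
}

if __name__ == "__main__":
    print(json.dumps(build_purchase_event(SAMPLE_ORDER), indent=2))
```

Normalizing before hashing matters because the platform can only match a digest that was computed over the same canonical string it uses on its side.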