Full Answer

The fix has three layers, each recovering a different part of the attribution chain. The first is server-side event delivery. When a WooCommerce purchase completes, the server sends the conversion to Google Ads via Enhanced Conversions, to Meta via CAPI, and to other platforms via their respective server APIs. The event includes SHA256-hashed email and phone for identity matching. No browser cookie is involved in the delivery — the conversion reaches the platform even if Safari deleted every cookie on the page.

The second layer is first-party cookie infrastructure. JavaScript-set cookies face ITP's strictest restrictions, but cookies set via HTTP response headers from a server that shares your site's IP range receive longer lifetimes. This matters for session identification and return-visitor recognition between the ad click and the eventual purchase. The technical requirement is specific: your tracking server must resolve to the same IP range as your main domain, or Safari 16.4's IP-matching rule re-caps the cookie to 7 days regardless of the Set-Cookie header.

The third layer is early email capture. Cookies expire; customer email addresses do not. Capturing an email address early in the browsing journey — via newsletter signup, account creation, or checkout entry — gives you a durable identifier that works across all browsers and sessions. Ad platforms accept hashed email as a matching signal, making attribution independent of cookie survival.

Combined, these three layers recover most of the attribution that Safari's ITP restrictions strip from browser-only tracking setups.