Full Answer

Safari 18 does not introduce a single dramatic change. It tightens the cumulative system. Link Tracking Protection, which strips tracking parameters like gclid and fbclid from URLs, expanded from Private Browsing into links clicked inside Apple Mail and Messages. Since iPhones account for over 50% of the US smartphone market, email campaigns relying on click identifiers for attribution now lose those identifiers before the recipient reaches your site.

The existing ITP restrictions from Safari 14 through 17 remain fully active in Safari 18: JavaScript-set cookies capped at 7 days, 24-hour cap when tracking parameters are detected, full third-party cookie blocking, and CNAME-cloaking detection that prevents the common workaround of disguising third-party tracking as first-party. No previous restriction was loosened. Safari 18 also improved ATFP in Private Browsing mode, making it harder for scripts to fingerprint users through canvas, audio, or WebGL APIs as a cookie alternative.

The pattern matters more than any single version. Apple has tightened Safari's tracking restrictions every major release since ITP 1.0 in 2017 — eight years of unbroken escalation. Safari 26, due September 2025, continues the trajectory with Advanced Fingerprinting Protection enabled by default and expanded parameter stripping across all standard browsing. Each update closes another workaround without opening a new one.

For WooCommerce stores, the implication is structural. Any tracking approach that depends on Safari's cooperation — JavaScript cookies, URL parameters, fingerprinting — has an expiry date. Server-side event capture from WooCommerce hooks, delivered via API to ad platforms, operates outside Safari's jurisdiction entirely.