Whenever the butterflies at Apple WebKit flap their wings, “Ad Tech Island” feels the aftershocks.
Last week, a small change to Apple’s on-device tech to patrol third-party data collectors sent some mobile and online advertising practitioners into a tizzy over the loss of another sliver of data transparency.
They also fret because Apple continues to stake its claim over more of the territory that tech companies thought would be safely under the control of app and website publishers.
So, what happened?
Long story short, the Apple WebKit team, which operates the codebase for the Safari browser, adopted a change (first suggested late last year) to treat A/AAA records as a potential third-party data collection vehicle, in addition to CNAME records.
Oh, that didn’t explain anything?
To clarify, a CNAME record is used when one business routes different servers and domains it controls to a host name. The A record maps a domain to the host IP address.
Say ExampleBrand.com has an IP address 123.456.7.8. The A record maps to the IP number, while the CNAME maps to “ExampleBrand,” (aka, the host name) which implies first-party control but also authorization.
ExampleBrand’s signup process may route someone to ExampleBrand.com/emailauth to confirm an account. For that purpose ExampleBrand could work with an email data vendor that operates behind a CNAME record. Lots of enterprise IT tech and financial tech sits behind a CNAME.
WebKit’s privacy tech scrutinizes CNAME records to determine if the true host IP address is used and, if not, Safari caps the first-party cookie to a seven-day window. This delineates the true host brand from its vendor businesses.
Now, WebKit will do the same with A/AAA records, which otherwise might be used “to cloak third-party requests as first party and subsequently store cookies in the first-party context,” according to the WebKit update doc on GitHub submitted last October by Apple engineer Wenson Hsieh.
The fallout
This latest Webkit tweak will primarily affect server-side data and analytics businesses, which act as proxies.
In other words, companies like Adobe, Segment and Amplitude are being downgraded to third parties, according to Jonathan Mendez, an ad tech and martech veteran who spotted the update.
This type of vendor will have a mere seven-day window, not just for advertising attribution but for basic functions, such as accurately tracking monthly visitors and recognizing logged-in users.
Big advertising and analytics platforms are expanding their offerings to offer full-funnel solutions, to avoid including other vendors. With WebKit’s new update, those platforms must own the web-hosting service, too, or data will be restricted for Safari users.
“Each thinks they are the real first party and are most likely building their own ID architectures that will compete and dominate advertising over the next five years,” Mendez told AdExchanger in an email.
But it’s not difficult for Apple to justify its change.
After all, Adobe, Segment, Google, et al. are third parties, so being treated as third-party data collectors is hardly draconian.
The recent change is a good one as an Apple shareholder, said Mark Donatelli, co-founder of the marketing and analytics consultancy Cimply. Although, it makes life more difficult as a marketing and measurement consultant.
Apple’s privacy policies were a knockdown blow to Facebook in 2021 and 2022. Apple then started to invest more in its advertising and mobile attribution.
This WebKit update goes to straight to the heart of Google Tag Manager and Google Analytics (GA), Donatelli said.
And so, if the pattern holds, we should expect the launch of “Apple Analytics” in the next year or two.
Need more proof? Apple bought Beats, then an outlier Bluetooth-only headphone maker, in 2014. Eighteen months later, Apple began removing the headphone jack from new devices.
The reality, Donatelli said, is that the number of “surface areas” for outside tech to understand audiences or even their own clients’ customers are shrinking as Apple and Google bake privacy tech into their devices.
“We’re moving to a world where there are proprietary boxes you hold in your hand that are tied to a cloud account identity,” Donatelli said. “You’re either team Apple or you’re team Google in terms of who manages your digital self.”
Privacy means no transparency
Still, why all the fuss, considering that the A/AAA change is a relatively minor update to a rule Apple has had for years? Which is that no third parties can be cloaked behind a first-party IP host account.
Because, although the change “isn’t that huge,” CafeMedia Chief Strategy Officer Paul Bannister told AdExchanger in a written exchange, the overall policy is a setback for user experience development on the web. “It really restricts the capabilities of any sort of client-side analytics like GA, which severely limits sites’ ability to actually improve their services.”
The frustration by vendor practitioners is that Apple is wading into first-party data territory and making important changes to the ecosystem with no concern, foresight or seeming awareness that its policies are picking winners and loser.
Cloudflare, for instance, is a beneficiary here, Mendez said. If Cloudflare launches ad analytics, it would be cloaked as a first-party web hosting service.
Shopify, too, is a beneficiary, since it operates the servers, the site hosting and other services, which will be effectively cloaked. A merchant that doesn’t go all-in in Shopify, but uses Adobe Commerce (formerly Magento), for example, would have a seven-day window to recognize customers on Safari.
Apple’s silence also rankles.
When Google’s Chromium team changes the Chrome source code, it happens under intense scrutiny and amid debate. Why? If a sudden change to Chrome’s data collection policies will have far-reaching effects for martech or ad tech companies, it could set off antitrust alarm bells based on nothing more than the fact that Google caught vendors by surprise.
But with Apple, it’s a very different dynamic. There was no heads up or feedback requested during the testing process. There is no blog post about the WebKit update or mechanism to propose valid first-party data and customer experience use cases.
Makes you wonder what other changes are quietly percolating.
“It was interesting that a change of this magnitude happened so under the radar,” Mendez said. “There are probably changes we’re not even aware of.”
