Data Strategy — Safari 13.1
Safari 13.1 blocked all third-party cookies by default in March 2020. Apple's ITP got strict. If you are relying on cross-site cookies for analytics or ads, Safari users are now invisible.
Verified for technical accuracy — Kodi C.
On , Apple announced that WebKit's Intelligent Tracking Prevention (ITP) now blocks all third-party cookies by default in Safari 13.1 on macOS and iOS. The change lands alongside tightened storage limits for script-writable storage and requires updates to cross-site authentication, analytics, and advertising setups.
Why it matters: Third-party cookie blocking can disrupt single sign-on flows that rely on embedded identity providers, legacy marketing pixels, and cross-domain session hand-offs. Data teams must ensure consent and tracking mechanisms respect the new restrictions while maintaining measurement fidelity.
- Audit dependencies: Inventory third-party cookies used for analytics, advertising, and SSO; replace brittle dependencies with first-party storage or server-side integrations.
- Update auth flows: Validate OpenID Connect and SAML flows when initiated from iframes or embedded browsers and enable same-site compatible redirects.
- Measure impact: Adjust web analytics attribution models and configure CNAME-based first-party data collection where compliant with local privacy laws.
- Communicate changes: Inform marketing and product teams about ITP behavior and update consent banners to reflect cookie storage limitations.
Technical Implementation Details
Safari 13.1's ITP blocks all third-party cookies without exception, completing the transition from heuristic-based blocking to complete prohibition. Previously, ITP used machine learning to identify tracking cookies while allowing some cross-site cookies for legitimate purposes. The new approach eliminates this distinction.
Storage Access API provides an escape hatch for legitimate cross-site scenarios. Embedded content can request storage access through user interaction, prompting Safari to display a permission request. Approved sites gain temporary access to their cookies within the embedding context.
Script-writable storage limits accompany cookie blocking. LocalStorage and IndexedDB for third-party contexts face 7-day expiration unless the user interacts with the site in a first-party context. This prevents workarounds that store tracking identifiers in alternative storage mechanisms.
Affected Use Cases
Single sign-on setups using embedded identity providers face significant challenges. Traditional SSO flows that rely on third-party cookies to maintain session state across domains require redesign. Solutions include redirect-based authentication flows and the Storage Access API for explicit user consent.
Analytics and attribution lose cross-site tracking capability. Third-party analytics pixels cannot correlate user journeys across different websites. First-party analytics setups and server-side tracking become necessary for accurate measurement.
Advertising platforms lose retargeting and conversion tracking through traditional cookie-based methods. Privacy-preserving attribution APIs and contextual advertising models replace behavioral targeting for Safari users.
Embedded content including social widgets, video players, and payment forms may lose persistent state. Implement the Storage Access API for content requiring cross-site storage, with appropriate user experience for permission prompts.
Migration Strategies
First-party data collection becomes essential for accurate analytics. Implement server-side tracking that associates events with first-party identifiers. Use CNAME-based subdomain delegation to collect data in a first-party context while respecting privacy regulations.
Authentication flow redesign should favor redirect-based approaches over iframe-embedded login forms. OpenID Connect authorization code flow with PKCE provides secure authentication without third-party cookie dependencies.
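The redirect-based flow described above, sketched as an added server-side Node.js example (not code from the original page or from any identity provider). The endpoint, client ID, and redirect URI are constructed placeholders, and the session object stands in for whatever first-party session store the application already uses.

```javascript
const nodeCrypto = require('crypto');

// Unpadded base64url, the encoding RFC 7636 uses for the challenge.
const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
function pkceChallenge(verifier) {
  return b64url(nodeCrypto.createHash('sha256').update(verifier, 'ascii').digest());
}

// Step 1: top-level redirect URL plus the values kept in the first-party session.
function beginLogin(cfg) {
  const verifier = b64url(nodeCrypto.randomBytes(32)); // 43 chars (43..128 allowed)
  const state = b64url(nodeCrypto.randomBytes(16));
  const url = new URL(cfg.authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: 'openid',
    state,
    code_challenge: pkceChallenge(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return { redirectTo: url.toString(), session: { verifier, state } };
}

// Step 2: on the callback, reject a mismatched state, then build the token request.
function tokenRequestBody(cfg, session, callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(session.state);
  if (got.length !== want.length || !nodeCrypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch');
  }
  const code = params.get('code');
  if (!code) throw new Error('missing authorization code');
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: cfg.redirectUri,
    client_id: cfg.clientId,
    code_verifier: session.verifier,
  }).toString();
}

// Constructed placeholders, not real endpoints.
const exampleConfig = { authorizationEndpoint: 'https://idp.example/authorize',
  clientId: 'example-client', redirectUri: 'https://app.example/callback' };
```

Because every hop is a top-level navigation and the verifier and state live in the application's own session, nothing in this exchange depends on a cookie being sent in a third-party context.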
Consent-based storage access through the Storage Access API enables legitimate cross-site scenarios. Design user experiences that explain why storage access is needed and make permission prompts contextually appropriate.
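How an embedded widget can use the Storage Access API described in this article, as an added example that is not code from the original page or from WebKit. The functions take the document as a parameter (pass `document` inside the iframe); `loadSession` and `openFirstParty` are hypothetical callbacks the embedding code would supply.

```javascript
// Safe to call on load: hasStorageAccess() needs no user gesture.
async function storageAccessState(doc) {
  if (typeof doc.hasStorageAccess !== 'function') return 'unsupported';
  return (await doc.hasStorageAccess()) ? 'granted' : 'prompt-needed';
}

// Call directly from a click or tap handler. The promise rejects when there is
// no user gesture, when the user declines, or when the browser refuses without
// showing a prompt, so every rejection is treated as 'denied'.
async function requestOnGesture(doc) {
  if (typeof doc.requestStorageAccess !== 'function') return 'unsupported';
  try {
    await doc.requestStorageAccess();
    return 'granted';
  } catch (_) {
    return 'denied';
  }
}

// Wire the widget's own button so the request happens inside the gesture.
// loadSession: hypothetical callback that reloads cookie-backed state.
// openFirstParty: hypothetical fallback, e.g. a redirect-based login in a
// top-level window, which works without third-party cookies.
function wireEmbed(doc, button, loadSession, openFirstParty) {
  button.addEventListener('click', async () => {
    const result = await requestOnGesture(doc);
    if (result === 'granted') loadSession();
    else openFirstParty(result);
  });
}
```

Showing the button only when `storageAccessState` returns `'prompt-needed'` keeps the permission request tied to a moment where the user can see why it is being asked.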
Browser Environment Context
Safari's full third-party cookie blocking anticipated broader industry trends. Chrome then announced plans for third-party cookie deprecation (though with delayed timelines), and Firefox implemented Enhanced Tracking Protection with similar blocking capabilities.
If you are affected, plan for a cookieless future across all browsers rather than treating Safari as an outlier. Solutions developed for Safari compatibility will apply to other browsers as they implement similar restrictions.
Privacy-focused browsers and extensions already block third-party cookies for privacy-conscious users. The Safari change extends similar protections to mainstream users, but the affected user population has been growing steadily through privacy tool adoption.
Compliance and Privacy Implications
Third-party cookie blocking aligns with privacy regulation objectives. GDPR and CCPA consent requirements become simpler when tracking cookies are technically blocked rather than depending on user consent prompts and mechanisms that honor those choices.
If you are affected, view browser privacy changes as complementary to legal compliance rather than obstacles. Technical enforcement of privacy reduces compliance burden and user friction associated with consent management.
Document changes to tracking practices for privacy policy updates. Users should understand what data is collected and how measurement works post-ITP, even when collection methods become more privacy-preserving.