What Marketers Need To Know About iOS 17, LTP, and Privacy Trends

Peter Jakus
Peter Jakus

iOS 17 is now in beta, and the new privacy updates in Apple’s operating system have caused quite a stir in the digital marketing world.

Bloomreach conducted the following research on iOS 17 to better understand the implications this update will have on marketers. In this blog, we’ll cover the technical details of our findings, explain how they impact Bloomreach customers, and point out the high-level privacy trends we’re seeing to help you navigate them with your marketing strategy.

Key Takeaways From iOS 17

  1. iOS 17 introduces Link Tracking Protection (LTP), which works by stripping various URL parameters in Safari (automatically in private mode and as opt-in in default browsing mode) and when opening links from Apple Mail and messages. 
  2. A lot can still change before the release — that’s what developer betas are for. Apple can also continuously improve the LTP settings even after the release. 
  3. We can already confirm that there will be some impact on email click tracking and the ability to tie an anonymous website visit (coming from an email newsletter) to a customer profile. 
  4. The impact is highly dependent on the platform you use (e.g. Bloomreach Engagement won’t be impacted in any way as of now, but point two still applies). 
  5. In most cases, neither UTM parameters or custom user ID parameters get stripped. 
  6. What does get stripped are selected user-level parameters (user-level meaning parameters that can be tied to an individual) from platforms like Google (gclid), Facebook (fbclid), HubSpot (__hssc _hsenc __hstc), MailChimp (mc_eid), and others. The full list as of now is known thanks to the research of Cory Underwood and Jeff Johnson
  7. iOS 17 is likely to be released in late September or early October and adoption will grow over time (it’s expected that 90% of Apple users will adopt iOS 17 by the end of Q1 2024). 
  8. iMessage accounts for about 17% of the market in the United States, Safari is the second most popular browser worldwide, and Apple has the largest market share amongst email clients. 

How iOS 17 Impacts Bloomreach Customers 

Since Apple announced iOS 17 with its enhanced privacy features, marketers have questioned how the update could influence their work, if they should be worried, and what they should do to adapt. 

If you are a Bloomreach customer, you’re in good hands for two reasons: 

  1. We keep our finger on the pulse of developmenting digital technologies including privacy features in iOS, Safari, and Apple Mail. Our team follows all the official announcements along with the backstage discussions in various expert communities, and we run our own tests. We make sure to have a comprehensive understanding of any changes coming your way so you never get caught unprepared. 
  2. Bloomreach Engagement is built on the same general principles that Apple follows: That customers must have control of their privacy and that data should be used to benefit customers. We might disagree with certain technical decisions (mainly because we care about the implications for marketers much more than Apple needs to), but as long as we follow the same principles, there will always be win-win solutions.

While this does not make you immune to changes, Bloomreach customers can rest assured that you have a partner that will help you weather a (potential) storm like this one. 

Why Are Digital Marketers Following Apple’s New Announcements So Closely? 

In recent years, Apple has taken on the role of a brand that fights to protect customer privacy. We can see this present in their communications, new software releases, and the reactions their changes cause

We can debate their motives — are they just taking a stab at Meta and Google so that they can grab a bigger piece of media-selling pie? After all, they are neither the first or the most diligent company when it comes to actually protecting privacy (niche browsers like Brave beats Safari in privacy tests). 

But we have to give it to Apple, it is the privacy leader amongst the major browsers and there has certainly been a lot of buzz around privacy created through their actions (and that’s good!). 

Unfortunately, the bad actors that abuse the tracking powers of digital marketing for unethical objectives (think of Cambridge Analytica) often rely on the same underlying technologies (e.g. cookies, URL parameters) as honest marketers that are just doing their job (using their brand’s budget to reach potential customers in an efficient way). 

This means that when Apple implements new measures to protect user privacy, it often makes marketers’ lives harder. But in the grand scheme of things, that’s a price worth paying. 

Findings From iOS 17 (Developer Beta) Tests 

What Happens With URL Parameters? 

We looked at 4 types of parameters: 

  1.  mc_eid, fbclid, _hsenc, and other parameters from this list. Most of them are ubiquitous parameters known to be used for user-level tracking in popular platforms.
  2. Other parameters that are not from the list, but that can also be used for user-level tracking. Among others, we tried wbraid=ohgcu5489ehijt2chdw0w3zhtrn52w, ScCid=7b3a7917-a82a-47e8–9728-e1b3b045abb2, and one that was literally called “user-id”. 
  3. UTM parameters.
  4. Any of the above, but the array of parameters started with “#” instead of “?” 

All Our Tests Used a Redirector 

When executing campaigns, most marketing automation platforms don’t paste the link to the actual landing page being promoted into the body of the email. Instead, they first send users to a redirector (which is typically hosted on a CDN managed by the platform) and that sends the user to the final website. This usually happens so fast that users won’t notice it unless they specifically pay attention. 

The reason why email platforms do this is so they can count the redirects (often tying each to an individual) and use them to report email clicks quite reliably. 

When you use a redirector, an email client like Apple Mail doesn’t even see the URL parameters of the landing page because they are added only after the redirect, which happens in Safari (unless the email client follows the links, which Apple Mail in iOS 17 beta doesn’t do — more on that below).

If your marketing platform doesn’t use a redirector, the following findings won’t apply to you. 

Click on a Link in Apple Mail → Open It in Safari With Private Browsing Mode Turned On

The first type of parameters is stripped, but all the other types remain intact with private browsing turned on. 

Click on a Link in Apple Mail → Open It in Safari Without Private Mode

With private browsing turned off, nothing spectacular happens. All URL parameters survive. 

Click on a SMS Link in Messages → Open It in Safari With Private Browsing Mode Turned On

The same holds true for SMS campaigns. With privacy mode turned on, the first type of parameters is stripped.

Click on a SMS Link in Messages → Open It in Safari Without Private Browsing Mode

Without private browsing, all parameters are accounted for. 

What Happens With Redirect Links 

In the section above, we explained what a redirector is and that they are often used to track email clicks.

Knowing this, the next big question on any marketer’s mind is finding out how Apple Mail treats redirect links. It is just as important as knowing what happens with parameters.

So, what did we find out from testing? 

  • Apple Mail does not “click” on the links in the background (a click event is tracked when the user clicks on the link). 
  • Apple Mail renders the links exactly as the email platform sends them — but only if the user does not use Apple iCloud Private Relay. 
  • Apple iCloud Private Relay is not a well-known feature (compared to Private Browsing Mode in Safari). It’s not even available for free, but it’s part of an iCloud+ subscription, so the barrier to adoption is not high, either. 
  • If Private Relay is on, Apple adds one more step to the process. From the email, a user is sent to https:/ www.google.com/url?q=https:/ cloud-cdn…, quickly redirected to https:/ cloud-cdn…, and redirected again to the final website. There is no impact on URL parameters other than what’s described in the previous section (private Safari stripping fbclid, etc). 

What These Changes Mean and What You Should Do About It

Technical Reactions on the Tactical Level

To navigate these new changes, many brands and vendors will focus on workarounds (e.g. finding ways to avoid LTP and continue doing — albeit in a more sneaky way — the exact thing that Apple is trying to stop). 

There are situations where this can be a working, legal, compliant, and even an ethical reaction. But it will be a shortsighted fix because any new update from Apple might break it. 

A more long-term solution is to solve attribution, reporting, and personalization goals without relying on URL parameters to pass on user identities in the background. 

Apple proposed a solution in the form of Private Click Measurement, which seems like a good approach for evaluating campaign performance (attribution and reporting). But Mozilla has already pointed out why it’s a poor trade-off between user privacy and advertising utility

We will eagerly follow the discourse, and in the meantime we’re focusing on solutions that solve for both personalization and analytics. 

Business Reactions on the Strategic Level 

What does internet banking, Amazon, and Booking.com have in common? 

They don’t care if a user uses an email client or web browser that strips URL parameters that identify them. Because whenever a user visits their site, they always want to be identified. 

With internet banking, it’s the only way to do something, so users always log in. But Amazon and Booking.com achieve the same need for identity validation, purely thanks to the convenience and value that they provide in return for the few clicks that it requires to log in. Individual users want to see their wish lists, browsing history, purchase history, personalized recommendations, and loyalty club discounts. And they know they will get it when they log in. 

This is the approach we’ve been evangelizing when talking about zero-party data, which in a nutshell requires three key parts: 

  • Give customers the option to share their data with a brand when they want to. For instance, don’t offer site visitors a sign-up when they’re just looking around, but once they add a product to their wish-list that they want to retain for future visits.
  • Give them a reason to want to share their data. Customers want personalization that offers real convenience, and proving the value of sharing will facilitate deeper relationships.
  • Making it as effortless as possible. Fewer barriers between your audience and personalization is paramount.

Bloomreach Engagement helps with all of these crucial points and offers various features and Plug & Play solutions to make them a reality. 

Changes Can’t Be Ignored

Years ago, website tracking codes were implemented without much scrutiny or discretion. Pre-GDPR, everyone that was involved (developers, clients, and even the tracking code provider) primarily cared if the script tracks the data it’s designed to track. 

Questions like “Does the third-party vendor really require all the data for the purpose we will use it for? Should we ask for our customers’ consent first?” were not asked back then. 

Data-hungry scripts, along with careless implementers and the blissful ignorance of business stakeholders, followed the moving fast and breaking things mindset that eventually led to privacy scandals like Cambridge Analytica. 

But that attitude has changed. Now, German courts give a wrist slap to websites that are just downloading fonts from servers located in the US, Data Protection Officers have a seat with the C-suite, and Privacy Engineers play an important role. 

Where Link Tracking Protection fits into the puzzle 

While LTP currently prevents only a limited part of user-level tracking in email and SMS marketing (which isn’t so dangerous in the first place), it’s certainly a step in the right direction to prevent random scripts from following you from site to site (which is the more risky mechanism). 

What’s Next for Bloomreach Engagement Users? 

Do all these regulatory, technical, and organizational changes actually impact the way brands should approach data collection?

The answer is yes, and all signs point to the same thing: the importance of zero-party data. 

When we first started talking about zero-party data use cases, clients were usually somewhere on the spectrum between curious and uninterested. Now prominent brands are actively working with Bloomreach to develop and implement new data collection features that give even more control to their users. 

For example, they recognize that when someone signs up for a newsletter that doesn’t necessarily mean that they gave consent to track when they open emails and what they click on. 

“In order to provide truly personalized customer experiences, there is always going to be a need to collect customer data. This creates a continuous tension between a firm’s need for customer information to personalize experiences and a customer’s need for privacy. In order for personalization to work, the way businesses collect data needs to be regularly addressed and improved in the best interest of their customers,” said Michal Novovesky, General Manager and Head of Product, Bloomreach Engagement.

“The best way to do so is to provide extra value to customers who identify themselves, such as tailored recommendations, wish lists, improved user experience, etc. This gives visitors the option to willingly choose to provide their data for a specific purpose, without worrying about what is being tracked in the background.

“Clear communication and providing extra value in return proves a long-term strategy that helps everyone worry less about the next software update in any operating system or web browser, because they are not dependent on that anymore. Instead, they are building meaningful relationships with their customers, which provides a foundation for long-term success.”

Be a Part of the Change — Innovative Brands Already Are

We work with companies to help them track less data, send smarter emails, and do better for their customers. 

Wondering how you can adopt smarter marketing tactics? Check out our full use case library for inspiration.

Author’s Note: Thanks to Panaxeo and Juraj Frank for supporting me during a thorough testing period and to Cory Underwood, whose findings helped me a lot during the research.


Peter Jakus

Senior Director of Market Insights

Peter is the Senior Director of Market Insights at Bloomreach. He is passionate about the ways businesses can leverage data to create customer love and positive business impact. He is a recognized speaker in the fields of web analytics and ecommerce, an ex-Google Trainer (holding this prestigious title for 3 years in a row), founder of ecommerce accelerator MastersGate, and a co-founder of analytics un-conference MeasureCamp Bratislava.

Table of Contents

Share with Your Community

Recent Posts

Maintain an Edge With These New Posts


Subscribe to get our hot takes on ecommerce topics, trends and innovations delivered to straight your inbox.

Life With Bloomreach

Watch this video to learn what your life could look like when you use Bloomreach.