CNAME, ITP, third-party cookie blockers — there’s a lot of chatter about workarounds to solve for third-party cookie restrictions.
As data laws change to favor consumer privacy, the death of third-party cookies has organizations scrambling to find new ways to track and monitor consumer data while complying with restrictions. But instead of leveraging compliant data capture solutions, many companies are using (or turning to!) workaround “solutions” to mitigate third-party restrictions.
Workarounds are short-term solutions or temporary fixes to unexpected problems. And in this case, they’re attempts made by vendors to cheat regulations and trick third-party cookie blockers. Workarounds aren’t long-term solutions, and they’re not the answer to solving for data privacy compliance. In fact, they’re risky, ineffective, and pose significant privacy risks for users and websites.
Here are facts every CIO, marketer, and data scientist should know about CNAME, ITP, and third-party restrictions — including the solution to take workarounds out of the equation.
CNAME stands for Canonical Name. It’s a type of Domain Name System (DNS) record used to create an alias or nickname for a domain or subdomain. Also known as Canonical Name cloaking (CNAME cloaking for short), it’s a way of masking the identity of a domain by configuring a DNS to resolve and re-route to an alternative domain.
Long story short: CNAME cloaking can be used as a workaround that disguises a third-party domain as a first-party domain. It can trick site crawlers into thinking they’re accessing one domain when they’re actually being directed to another.
Through DNS configuration, the domain is resolved and rerouted to an alternate domain which it represents. CNAME itself isn’t a bad thing, it’s used for many legitimate purposes. The problem is when it’s used as a workaround to mask third-party cookies as first-party, aka fake first-party cookies.
It's common for Customer Data Platforms (CDPs) and Marketing Cloud vendors to set third-party cookies using CNAME to get around (workaround!) cookie-blocking technology. For example, a typical CNAME workaround for a CDP involves them placing code on the client’s page using JavaScript to set a CNAME that masks the JavaScript tag to look like it’s from the client’s domain.
As noted, CNAME itself isn’t the problem. When used under normal circumstances it provides flexibility in managing domains, streamlining a website’s setup, and allowing for easy changes to underlying infrastructure. However, CNAME becomes a problem when it’s abused as a workaround for third-party cookie deprecation.
Intelligent Tracking Prevention. It’s a web privacy feature of Safari’s web browser and a series of Apple initiatives designed to prevent advertisers from tracking consumers who click on their ads or content without their knowledge and consent. Its main purpose is to limit cross-site tracking by blocking third-party cookies.
ITP uses a machine learning (ML) model called Machine Learning Classifier to identify and block cross-site tracking. When the model recognizes a domain with cross-site tracking capabilities, it puts limits on cookies created by those domains. ITP restricts first-party cookies from being set client-side (via JavaScript), capping their life to seven days. This type of cookie is viewed as third party because it communicates with an external server.
ITP enhances privacy protection by blocking third-party cookies and cross-site tracking attempts by advertisers and websites. It also restricts the lifespan of other types of web browser storage used to identify individuals, like first-party cookies and local storage.
ITP targets the advertising industry but also impacts third-party data capture systems including many leading names in the MarTech space who set cookies via JavaScript such as vendors of CDP, marketing analytics, and data capture technology.
When third-party cookies are placed using CNAME workarounds, ITP prevents personalized interactions for anonymous visitors who return to site on Safari browser after seven days. Because of this limitation, all previous browsing data is lost, and vendors are unable to stitch past browsing sessions into a comprehensive profile unless the visitor is logged in to every session. This creates disjointed experiences and skewed analytics.
Its reach is vast! While ITP is an Apple initiative and only affects Safari, many other browsers have followed suit, including Firefox. Brave and DuckDuckGo take ITP a step furth by blocking CNAME requests entirely.
According to recent statistics, Safari is the second most popular browser worldwide with over 19.91% market share across all platforms (desktop, tablet, mobile. It has more than five times the share of Firefox (3.03%) and, being the default browser on iPhone and iPad, Safari also has a large market share on mobile (25.78%) and tablet (34.92%) devices.
CNAME has become a standard practice workaround to solve cookie-inhibiting ITP tech. And many CDPs and Marketing Cloud vendors have advocated this approach to their clients. However, it’s no longer effective because Apple closed the CNAME workaround loophole in 2020 by introducing technology to Safari that detects CNAME requests and applies a seven-day cap on cookies.
CNAME also leaves consumers open to fraud since the subdomains created as part of the CNAME process are vulnerable to attack if not managed properly. Additional risks include full website takeovers and custom cookie hijacking if the CNAME records are neglected.
The crystal ball predicts more rules, regulations, and powerful ITP security features.
According to an IAPP Privacy and Consumer Trust report, nearly 68% of consumers worldwide are concerned about their online privacy — and lawmakers are listening. Over the past decade, digital personal information has become protected through various legislation (GDPR, CPRA), and many more laws are set to take effect in the coming years.
Data privacy regulations are just getting started, and Apple is aware. The company is determined to make ITP watertight, and its goal is to restrict technologies that aren’t first-party.
For complete visibility of customer behavior, companies must transition from third-party tracking to a first-party data capture solution. True first-party is unaffected by ITP or other cookie restrictions because it’s installed within the organization’s controlled environment, never leaving its four walls. It’s the only way to ensure accurate, complete, and compliant data capture.