Privacy protections in browsers continue to evolve, and the Safari 27 update beta seems to introduce another round of changes that can affect conversion tracking and attribution. While Apple's official release notes mainly focus on UX and browser improvements, our experts’ research of WebKit's source code reveals significant changes to Safari's tracking protection mechanisms.
As a result, browser-based tracking is becoming even less reliable, especially since Apple can expand many of these protections without waiting for a new Safari release. So it is crucial to understand both the immediate effect of these changes and the potential impact they may have if extended to other systems.
In this article, we'll explain what's new in the Safari 27 update, how it affects Google Tag Manager, analytics, and advertising platforms, and why server-side tracking with Stape remains one of the most reliable ways to protect your measurement data. Please keep in mind that all of this information should be tested once a stable release is out.
Since Safari 17, LTP has been removing known click identifiers from URLs opened in Private Browsing, Mail, and Messages. For instance, Google's gclid, Meta's fbclid, and Microsoft's msclkid were already filtered.
It looks like the Safari 27 update will expand this list to strip click IDs of other services. Our internal testing confirmed that Twitter’s twclid is getting blocked by Link Tracking Protection in Private mode. It is suggested that this update may also include:
xmtsitwclid, cn, and cxtFor advertisers running campaigns on Threads, YouTube, or X, this means Safari can remove the identifiers used for attribution before your website even loads. Conversions from Safari users become harder to attribute correctly.
At the moment, parameters are removed primarily in Private Browsing. However, Apple has gradually expanded Link Tracking Protection over previous releases, making it likely that these restrictions will continue spreading to standard browsing sessions.
As a reminder of how AFP works: rather than simply blocking tracking scripts, it can selectively remove access to information that conversion tracking depends on. This includes:
The Safari 27 update beta analysis suggests that the Advanced Fingerprinting Protection list has been expanded. One notable addition is the LinkedIn Insight Tag, now classified as a fingerprinting tool. Depending on the restrictions Safari applies, the tag may lose access to the aforementioned information required for accurate attribution, including click identifiers and referrer information.
The updated AFP list also seems to include:
collect.tealiumiq.com in Private mode).This creates an even larger challenge for organizations using Customer Data Platforms (CDPs). If, similar to Tealium or Segment, a CDP is classified as a fingerprinting tool, every tracking tag deployed through that platform inherits the same browser restrictions. So even if the individual advertising or analytics tag isn't directly classified, it may still lose access to critical attribution data because the CDP itself is restricted.
Perhaps the biggest architectural challenge that may emerge from the Safari 27 update is tracking protection moving to the network level, beyond scripts and domains. Previous Safari protections primarily operated at the application level by restricting script execution, cookies, or specific domains.
It looks like Safari 27 introduces another layer by checking the destination IP address of outgoing requests. Instead of asking where this script comes from, Safari can ask where the request is actually going (before the connection even completes). If the destination IP belongs to a known advertising platform, Safari can block the network connection before any tracking data is transmitted.
This would make traditional browser-side workarounds much less effective. Loading scripts from a first-party subdomain, renaming tracking files, or using custom request paths may no longer be enough. As long as the browser ultimately connects directly to an advertising platform's infrastructure, Safari can now throttle it.
Due to how Apple's privacy infrastructure works, it can make any changes to it without shipping an entirely new Safari version (and listing the changes in release notes). Many of Safari's tracking rules are not built directly into the browser itself. Instead, Apple maintains separate tracking rule libraries that can be updated independently.
This means at any moment and without notice, Apple can:
The Safari 27 update seems to continue the industry trend of reducing what browsers allow tracking scripts to do. This further accentuates the importance of Stape’s server-side hosting in keeping your tracking precise and effective. Instead of sending conversion data directly from the browser to advertising platforms, the browser sends it to your own tagging server running on your domain.
On the server, you can use Stape’s features and power-ups to significantly improve the reliability of your tracking despite ongoing browser privacy changes. For instance, Custom Loader to reduce the impact of ad blockers on GTM and GA4 scripts, Own CDN / same-origin custom domain to bypass Safari ITP, Cookie Keeper to extend cookie lifetime, etc.
After that, your server forwards the enhanced, enriched, and customized data to your analytics or marketing platforms (Google Ads, Meta, LinkedIn, Microsoft Ads, etc.) using server-to-server communication.
The Safari 27 update is expected to introduce another major step in Apple's privacy strategy. Expanding LTP to additional platforms, classifying more tracking technologies under AFP, introducing network-level request blocking – any and all of that can happen overnight.
As browser-based tracking continues to lose visibility, server-side tracking provides a much more resilient measurement architecture. With server-side Google Tag Manager hosting, custom domain setup, and power-ups from Stape, you can reduce the impact of Safari's current and future tracking restrictions. Continue collecting reliable conversion data, even as the Safari 27 update and future privacy rule changes reshape browser tracking.
Comments