A Practical Guide to what is cross site tracking

This guide explains what is cross site tracking in practical terms, with a focus on privacy-first analytics decisions.

Cross-site tracking is the practice of linking a person's activity across different websites or apps. It is what lets an ad platform know that the same browser clicked an ad, read an article, visited a pricing page, abandoned a cart, and later bought something elsewhere.

Some cross-site tracking uses cookies. Some uses pixels. Some uses browser or device fingerprints. Some uses link decoration: extra parameters added to URLs so a platform can recognize the click later.

Apple's iOS 17 Link Tracking Protection targeted that last category.

This is not a niche Apple feature. It reflects a broader privacy direction: browsers and operating systems are trying to reduce passive tracking that happens without a clear user choice.

What Apple's Link Tracking Protection Does

Apple announced that iOS 17, iPadOS 17, and macOS Sonoma would remove some tracking parameters from links shared in Messages and Mail, and from links opened in Safari Private Browsing. Apple's iOS 17 preview described the feature as removing extra URL information used to track users across websites while keeping links functional.

In plain English: the page still opens, but known tracking parameters may be stripped.

Link Tracking vs UTM Tracking

Not every URL parameter is the same.

Cross-site tracking parameters often identify a click or user for an advertising platform:

• fbclid for Meta
• gclid for Google Ads
• msclkid for Microsoft Ads
• other platform-specific click IDs

UTM parameters describe the campaign:

• utm_source=linkedin
• utm_medium=social
• utm_campaign=launch
• utm_content=video_ad

Apple's feature focuses on parameters associated with cross-site tracking. Standard UTMs are generally designed for aggregate campaign reporting and are less invasive when used properly.

Why Apple Targets Link Decoration

Browsers have restricted third-party cookies for years. Link decoration became one workaround: attach an identifier to the URL, pass it to the destination site, then store or sync it.

This can be useful for ad attribution, but it can also allow tracking across contexts where the user did not expect it. If a friend shares a link in Messages, the recipient does not need the sender's ad click ID.

What Marketers Should Expect

You may see:

• fewer ad click IDs arriving on Apple private contexts
• differences between ad platform and site analytics reports
• more modeled conversions inside ad platforms
• cleaner shared URLs
• continued UTM attribution where UTMs remain intact

Do not panic if platform dashboards and privacy-first analytics disagree. They measure different things with different access to identifiers.

The healthiest response is to separate ad platform optimization from business reporting. Let ad platforms optimize within the consent and browser limits they have, but use your own analytics for source-level trends and onsite conversions.

How to Adapt

Use UTMs consistently. They are the most durable campaign attribution method because they describe the campaign rather than the individual click.

Keep ad click IDs out of your core reporting assumptions. If gclid or fbclid disappears in some contexts, your own analytics should still know that the visit came from utm_source=google and utm_medium=cpc.

Measure onsite outcomes yourself:

• landing page visits
• signup starts
• signup completions
• demo requests
• purchases
• activation events

Then compare aggregate performance by campaign.

Privacy-Friendly UTM Rules

UTMs should never contain personal data. Do not put emails, names, customer IDs, wallet addresses, invoice numbers, or private terms in campaign parameters. URLs are copied, logged, and shared.

Good:

utm_source=newsletter&utm_medium=email&utm_campaign=privacy_guide

Bad:

utm_source=newsletter&utm_campaign=jane.doe@example.com

Broader Browser Trend

Link Tracking Protection is part of a wider shift. Browsers and operating systems are limiting cross-site tracking through cookie restrictions, referrer-policy defaults, storage partitioning, private browsing protections, and tracker blocking.

The EDPB's Article 5(3) guidance also reinforces that tracking technology is broader than cookies. Marketers should plan for a web where individual-level cross-site attribution keeps getting weaker.

On Apple platforms, remember the browser-engine caveat. Most iOS browsers have historically shared WebKit behavior, but Apple now allows eligible alternative browser engines in the EU under specific conditions (Apple alternative browser engines). Test the browsers your audience actually uses instead of assuming every iOS browser will behave exactly like Safari forever.

Cross-Site Tracking Audit

Review the signals you send and receive:

• Keep UTMs that describe campaigns.
• Drop click IDs from internal reports once campaign context is captured.
• Strip personal data, subscriber IDs, and lead IDs from URLs.
• Test Safari, Messages, Mail, Private Browsing, Chrome, Firefox, and major ad redirects.
• Reconcile aggregate onsite conversions with backend outcomes.

If a parameter identifies a person, device, household, or ad-platform profile, it is not just "campaign tracking." Treat it as cross-site tracking risk.

The Bottom Line

Cross-site tracking tries to follow people across contexts. UTM tagging labels campaigns. That difference matters.

Build reporting around privacy-friendly campaign labels and aggregate conversions, not fragile identifiers that browsers are increasingly designed to remove.

Audit Your Links

Review marketing links before browser protections remove or rewrite the signals you rely on. Keep campaign parameters that describe the campaign itself, such as utm_source, utm_medium, utm_campaign, and utm_content. Avoid parameters that identify a person, household, device, subscriber, lead, or ad-platform profile. Apple's Link Tracking Protection notes are a reminder that browsers increasingly distinguish useful attribution labels from tracking parameters designed to follow people.

The same audit should cover redirects. Some email, ad, affiliate, and social tools wrap outbound links through tracking domains, adding click IDs along the way. Those IDs can leak through referrers, server logs, support screenshots, and analytics tools. If you need campaign reporting, preserve the campaign label on the landing page and drop the user-level identifier as early as possible. Then measure aggregate conversions by source and content. This gives marketing enough signal to compare campaigns without building a cross-site identity trail that browsers, users, and regulators are actively pushing back against.