What Is Cross Site Tracking? iOS 17 Link Tracking Protection Explained

What is cross site tracking in practice? iOS 17 helps answer that question by stripping common tracking parameters from links shared in Apple's apps.

LTP removes "tracking parameters" from URLs shared through these apps. Apple implemented this because certain tracking parameters compromise digital privacy by enabling cross-site user identification.

What Is Cross Site Tracking in Apple's Link Protection?

LTP strips specific tracking information appended to the end of URLs. According to Apple's press release:

"Some websites add extra information to their URLs in order to track users across other websites. Now this information will be removed from the links users share in Messages and Mail, and the links will still work as expected. This information will also be removed from links in Safari Private Browsing."

The feature targets URL parameters specifically designed to track individual users across websites, not all URL parameters.

Which Parameters Are Affected?

LTP primarily targets parameters associated with known cross-site tracking systems. The most commonly affected include:

• Facebook Click ID (fbclid) -- used by Meta to track users who click Facebook ads
• Google Click ID (gclid) -- used by Google to connect ad clicks to conversions
• Microsoft Click ID (msclkid) -- used by Microsoft Ads
• Some custom tracking parameters from known data brokers

Which Parameters Are NOT Affected?

Standard UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) are generally not stripped by LTP. These parameters identify traffic sources without uniquely identifying individual users, which aligns with Apple's distinction between anonymous campaign tracking and individual user tracking.

Privacy-focused analytics tools that rely on UTM parameters for campaign attribution continue to work normally with LTP enabled.

Impact on Marketers

The practical impact depends on your marketing stack:

1. Facebook ad attribution will be affected. The fbclid parameter that connects ad clicks to user accounts gets stripped in Messages, Mail, and Safari private browsing.
2. Google Ads attribution faces similar issues with gclid removal in the same contexts.
3. Email campaign tracking using individual user IDs in URLs will lose tracking capability when emails are opened in Apple Mail.
4. UTM-based attribution remains largely unaffected, as these parameters track campaign performance rather than individual users.

How to Adapt

Marketers should:

1. Shift to UTM parameters for campaign attribution wherever possible. These provide campaign-level insights without individual tracking and are not targeted by LTP.
2. Use server-side conversion APIs offered by advertising platforms (like Facebook's Conversions API) rather than relying exclusively on URL parameters.
3. Accept reduced individual attribution precision as a long-term trend. Apple, Firefox, and other privacy-focused platforms will continue restricting individual-level tracking.
4. Adopt privacy-focused analytics that work with aggregate data and UTM parameters rather than individual user tracking, ensuring your analytics remain functional as privacy protections expand.

The Bigger Picture

LTP is part of a broader trend toward privacy protection at the operating system level. Safari's Intelligent Tracking Prevention, Firefox's Enhanced Tracking Protection, and now iOS 17's LTP all signal that individual user tracking via URL parameters has a limited future.

Marketers who adapt early -- shifting to privacy-respecting attribution methods and aggregate analytics -- will be better positioned as these protections continue to expand across platforms and devices.