iOS 26 Isn’t Breaking Ad Attribution: What Brands Need to Know
The Bottom Line
In iOS 26 and Safari 26, Apple is making its strongest privacy protections the new default for all users. Tracking codes like gclid and fbclid will be stripped from all browsing sessions, and Advanced Fingerprinting Protection will run automatically, making user-level attribution less precise. In response to these changes, we recommend the following action items:
- Ensure server-side tracking (Conversion API, Google Enhanced Conversions) is set up across all platforms to continue to optimize campaigns
- Continue to use UTM tracking as normal, as this will not be impacted
What’s Going On
At Apple’s 2025 Worldwide Developers Conference, the company announced two major privacy updates coming with iOS 26 and Safari 26: expanded Link Tracking Protection and Advanced Fingerprinting Protection. These updates will start rolling out publicly on September 15, 2025. Some users may not see the changes right away though, as they might wait to update their devices.
Link Tracking Protection automatically removes tracking parameters that advertisers add to links to track user behavior across websites and apps. Until now, this protection only applied in Safari’s Private Browsing mode and when opening links from Mail or Messages. With iOS 26, it will extend to all Safari browsing sessions by default. This means that when a user clicks a link, tracking codes that tie activity back to an ad campaign, such as Google’s gclid, Meta’s fbclid, and Microsoft’s msclkid, will be stripped before the page loads. It’s important to note that this update does not affect standard UTM parameters, such as source, campaign, and medium, because they are not seen as privacy-invasive.
Apple is also making Advanced Fingerprinting Protection a default setting in Safari. Fingerprinting is a tracking method that combines small details about a device (like screen size, installed fonts, or time zone) to create a unique “fingerprint.” With iOS 26, Safari will block or replace these details with standard values, making it much harder for websites and advertisers to identify users based on their devices. Before iOS 26, this protection was only active in Safari’s Private Browsing mode.
Tracking in Safari: Before vs. After iOS 26
| Before iOS 26 | After iOS 26 |
| Link Tracking Protection only applied in Private Browsing, Mail, and Messages. | Link Tracking Protection applies in all Safari browsing sessions by default. |
| Tracking codes like gclid, fbclid, and msclkid were only stripped in limited cases. | These identifiers are stripped before pages load, reducing campaign-level attribution. |
| Standard UTMs (source, medium, campaign) remained intact. | Standard UTMs (source, medium, campaign) remain intact, and still do. |
| Advanced Fingerprinting Protection was limited to Private Browsing. | Advanced Fingerprinting Protection is on by default in all Safari sessions, blocking or standardizing many device signals. |
Considerations For Brands
Below are answers to some of the most common questions we’ve heard from partners since the iOS / Safari announcement.
What should we be doing right now to prepare?
- Ensure that server-side tracking is set up. Tools like Conversions API (CAPI) and Enhanced Conversions allow platforms to pass conversion data reliably, helping campaigns optimize performance.
- Continue using UTMs across your media as normal. These will not get impacted by the iOS 26 release.
Will this update hurt our campaign performance? If so, how?
Click IDs are tags that platforms like Meta and Google attach to ad links. They show exactly which campaign, ad set, ad, or keyword drove a conversion. This level of detail helps platforms optimize performance by training their bidding algorithms on what’s working.
When combined with server-side tracking (like Conversions API or Enhanced Conversions), platforms get the most accurate data possible to improve bidding.
Even if click IDs are missing, server-side tracking still allows platforms to track conversions and tie them back to the person who clicked an ad. The trade-off is less granularity, for example, you may not see which specific keyword led to the conversion.
With iOS 26, Apple’s Link Tracking Protection strips click IDs when links open in a platform’s in-app browser (such as Safari within Instagram). When links are opened in the standard Safari browser (for example, from search or messages), click IDs generally remain intact. The most reliable approach is to pair server-side tracking with UTMs to maintain conversion visibility and campaign optimization.
What will happen to our conversion data? Will we still be able to see which ads led to a sale?
Conversion data remains trackable with server-side tracking and UTM parameters, so advertisers can still see which campaigns, ad sets, and ads drive results. Click IDs will also stay intact for many clicks and will not be removed in all cases.