Guest blog by Joe Purnell, web designer & WordPress consultant
This has been big news recently – I’m not talking “news at ten” or anything like that, but if you work in the social media or paid ads world, it’s likely you have heard about increased privacy options as a result of iOS 14. On the surface, this seems like a good move for consumers; after all, you should be able to control how your data is used and transparency is a step in the right direction. But, this will have an impact on small businesses running ads, and there are some things you need to do.
This increased control over how websites and apps track your activity, introduced by iOS 14, will affect the performance of Facebook Ads, because tracking online conversions relies on the Pixel, and the Pixel relies on your device to send data to Facebook. We’re being given greater control over how our devices share data so we’re being given greater control over just what actions we take that ad networks can track.
These upcoming changes to Apple's operating system have highlighted the limitations of a cookie and script based conversion attribution approach. Keep reading to find out what’s happening as far as iOS 14 is concerned, and how else Facebook is making conversion tracking possible.
Disclaimer: the information provided is based on my own conclusions from sources currently available to us. I cannot guarantee 100% accuracy due to regularly changing information and accept no liability for any damages incurred as a result of acting solely using this advice.
What exactly is happening with iOS 14 and what do we know so far?
At this moment in time, we don’t have all the answers. We know that iOS 14 will cause users to start being explicitly asked for their consent as far as cross-site tracking is concerned and that there have been reports of these prompts already starting to appear.
Users will start to be asked whether or not they are happy for specific allow apps to track their activity across third-party apps and websites. This isn’t just tapping “Okay” with a vague notion that you can change your settings in-app, this is a standardised framework that app developers must adopt and comply with. And this includes Facebook.
This is a big change for ad providers because cross-site and cross-app tracking is how events can not only be recorded but assigned to a user and made available for retargeting too.
A sample prompt reported by 9to5mac.com
When is this all happening?
A screenshot posted on the MacRumours forum in December 2020 shows a prompt appearing in the beta of iOS 14.4, due for release in the first quarter of 2021. This prompt is part of Apple’s new AppTrackingTransparency framework.
However, while this leads to speculation that the release of this update may be the “deadline” for app developers to ensure they are compliant with the new explicit “opt-in” system, apps have been able to offer this greater control of privacy since the release of iOS 14 in September. It just hasn’t been a requirement yet.
Facebook will have to become compliant with these “opt-in” prompts, meaning that it is highly likely the Facebook Pixel will not be able to execute on devices running iOS 14 if users do not consent.
To understand the limitations of the Pixel, let’s take a look at how it works
The Facebook Pixel is a browser-side tracking tag that allows your device to send data to Facebook.
When the Pixel executes on a web page, Facebook is able to create and access cookies stored on your device. These cookies are used as an identifier so that Facebook knows it is *you* that is triggering events on a website. When it was first introduced, the Pixel worked using just third-party cookies but now uses a combination of both third-party and first-party cookies to attribute conversion events a Facebook user.
Safari on iOS has actually been blocking third-party cookies (a traditional way of tracking users across the internet) for a couple of years now. Facebook was forced to adapt to more and more browsers blocking this method of tracking, and they rolled out an update to the Pixel adding first-party cookies too. Instead of third-party cookies which are set by a site different to the one you are browsing, first-party cookies in this case are set by the website you are on – as long as the Pixel is installed, and if the Pixel is allowed to run.
How do these first-party cookies work?
When you first visit a website that uses the Pixel, the website sets a first-party cookie on your device containing a unique identifier used to identify you as a user. This is the “fbp” cookie.
When you click on a Facebook Ad and the website you are sent to uses the Pixel, the website also sets another first-party cookie on your device containing a click ID. This cookie, the “fbc” cookie, is used to attribute conversion events to a specific ad.
Are there any limitations with using this approach, even if the cookies used are set by the website you are browsing?
Even though most browsers do not block first-party cookies by default (because they can power essential elements of a website), the setting of these cookies depends entirely on your browser allowing the Pixel code to run – and this can be an issue.
It is estimated that, in the US, currently 27% of internet users have an AdBlocker installed in their browser. Many popular ad blockers will stop the Pixel code from executing, meaning that events and conversion data cannot be sent back to Facebook.
Looking at how exactly iOS 14, in particular, will make an impact, it isn’t completely clear how the use of the explicit “opt-in” prompt, and AppTrackingTransparency, will prevent browser-side tracking. It may be that Facebook simply prevents the Pixel from executing for those that opt-out or Apple may implement a block at device level if consent is not given.
Without the Pixel being able to execute, it cannot create cookies or send event data back to Facebook. This means that users that opt-out will not be available for use in a Custom Audience (because the events they trigger can not be shared), but also that events triggered by these users cannot be attributed as they are never recorded by Facebook.
Is there a workaround to the Pixel being blocked? Introducing the Conversions API…
Yes, there is another way to send events. But there is a potential limitation too that you need to be aware of.
In 2020, Facebook relaunched their Server-To-Server API as the new Conversions API. Put simply, the Conversions API allows your web server to send data from your website about conversions directly to Facebook, without involving the user’s browser.
Conversions API (CAPI for short) is described by Facebook as allowing you to:
- Measure customer actions in more ways. For example, you can share delayed values, user scores or lead scores and use them for optimisation in our other business tools. This gives you visibility into your customer's full journey.
- Improve accuracy of events sent for measurement and optimisation when used along with the pixel. When you use Conversions API, you don't have to worry about events getting lost because of problems such as a browser crash or an ad blocker.
- Control the data you share. Conversions API gives you control over what to share and when to share it.
One of the key messages from that is “you don't have to worry about events getting lost because of problems such as a browser crash or an ad blocker”. Because CAPI sends events server-side, and not from a user’s web browser, conversion data sent to Facebook is not affected by ad blockers and cookie blockers.
CAPI allows for the full suite of conversion events to be sent, and Facebook is able to detect duplicate events (those sent via both the traditional Pixel and the Conversions API) and “de-duplicate” them to stop overreporting.
CAPI can be integrated easily with e-commerce platforms such as WooCommerce and Shopify to act as a fallback for when browser events do not fire. Additional parameters (such a purchase values and items purchased) can also be sent via CAPI.
There is definitely potential with the Conversions API, but the main issue lies with attribution because it is harder to match an event to a Facebook user without cookies having a part to play. And Apple do have the power to request Facebook disable support for the Conversions API for those that have opted out via AppTrackingTransparency, but it is not clear yet whether or not this is something that Facebook will be forced to do. Either way, setting up CAPI can be beneficial to your business because it allows you to capture some of the missing event data that is lost by browser-based cookie and ad blockers, which can be used for better ad targeting – and it’s not just iOS14 that has an effect on the Pixel as I’ve said, it’s up to 27% of people whose browsers block cookies and tracking tags.
So how else can CAPI attribute events if cookies can’t be used?
The Facebook Conversions API can match events to users by sending the below User Data Keys. These Keys are likely to be stored against a user’s profile by Facebook to allow them to be matched.
- Email – hashed,
- Phone – hashed,
- Last Name – hashed,
- First Name – hashed,
- Town/City – hashed,
- County/Region – hashed,
- Postcode – hashed,
- Country – hashed,
- Browser ID – this is the “fbp” cookie mentioned above – harder for CAPI to send this data as it would likely have needed to have been created by a Pixel in the first place,
- Click ID – this is the “fbc” cookie mentioned above – harder for CAPI to send this data as it would likely have needed to have been created by a Pixel in the first place,
- IP Address,
- User Agent – a piece of data about the browser you are using, the technologies used to power it and the version number of these included software libraries
What does “hashing” mean?
A hashed User Data Key means that this piece of data has been encrypted (using SHA-256) before being sent. This effectively scrambles the data into something that cannot be decoded, instead it can only be used to match against an identical value already held by Facebook, if one exists.
Once sent via CAPI, this hashed value is then received by Facebook, and they attempt to match it with an existing hashed value in their database which would be linked to a user.
This way, Facebook can identify users that triggered certain events and can attribute these to them without “seeing” raw pieces of personal information. Facebook says: “After matching, we promptly discard the hashed information.”
Is this data always available for CAPI to use?
Not all conversion events will be able to send Facebook these User Data keys for matching because the website simply doesn’t have the data available. Some of these Keys are also more powerful than others because they are more likely to return a unique user match.
For example, while your IP address could be used to match your events on a website and your use of Facebook, you may have many different people in your household using the internet who would all report the same IP address.
CAPI is definitely part of the future of conversion tracking, but it is only as good as the data you have available.
If you have CAPI enabled, you can see the “Event Match Quality” in Events Manager. This gives you a score out of 10 highlighting how effectively events sent by CAPI can be matchd to Facebook users, based on the User Event Keys your website is sending.
Some Pixel events will be limited in terms of the data that is available to be sent, due to the nature of that specific action (e.g. PageView for a first-time visitor), and some will have a large amount of data available for matching for the same reason (e.g. Purchase as the user has just submitted a checkout form).
Here’s a breakdown of how the Facebook standard events can potentially be matched via CAPI, and how effective this can be:
It’s important to note that, while the example User Event Keys below will likely be received by the website at the point of triggering an event, it may not always be possible for your website to send this data via CAPI, due to how the data is captured and stored. Every website is configured differently, so I would recommend speaking to your developer to see what could be available for your specific scenario.
Scroll side-to-side to see the full table!
So where does that leave us?
Well, as you can see, CAPI and Facebook’s “advanced matching” technology can certainly be powerful *if* the right data is available. Attributing Purchase, Lead, CompleteRegistration, Contact and other similar events will be much easier as data that is more likely to be unique is collected at the point of the event being triggered (providing your website can be configured to send this data via CAPI).
However, the events that will not perform as well as far as matching and attribution is concerned are: PageView, ViewContent, AddToCart, AddToWishlist and InitiateCheckout – unless the user is logged in to an account at the point of triggering these events.
Retargeting things such as abandoned baskets are going to be harder if users opt-out of tracking and only the Conversions API is available to send data. However, looking at the example of iOS 14, it is not clear yet how the Pixel will be affected when events are triggered on a page this has been loaded in Facebook’s “in-app” browser – these events could potentially be affected less (as Facebook is not tracking them “outside of the app”), but it has not be confirmed that this will be the case either.
Apart from the issues surrounding the Pixel, what else do I need to know about the iOS14 changes?
Facebook are altering things such as the ad attribution window (decreasing to 7 days), the number of events you can track (to be limited to 8) and when events are actually being attributed (the day the event is triggered, not the day you click on an ad).
What should I do then as far as iOS 14 is concerned?
- Verify your domain with Facebook – as far as we are aware, verifying your domain will be crucial when it comes to allowing you to perform certain operations in the future such as choosing the 8 priority events you want to track.
- …sit back and wait! It’s not ideal but, while there are certain actions you can take that are likely to help reduce the effect of the iOS 14 changes, it is a matter of waiting to see just how much (or little) of an effect this has on Facebook.
If you’ve got this far, congratulations! There is a lot to understand about how the Conversions API works, but it is important to recognise its advantages while also being aware of its limitations.
Looking for help with your Facebook Pixel, Catalogue or setting up the Conversions API?
Hi, I’m Joe – a WordPress consultant and web designer. If you are looking for someone to handle the finer techy details, click below to drop me a line and see how we can work together.