Apple’s WWDC25 delivered the usual fanfare — Liquid Glass, subtle AI enhancements, new OS naming semantics, and all the polish you’d expect. But underneath the surface-level sparkle, two important updates caught our attention in the attribution space: one that was expected and thoughtfully detailed (AdAttributionKit), and another that was buried in privacy language but potentially seismic (Safari fingerprinting protections).
Let’s dig in.
The known: AdAttributionKit grows up
AdAttributionKit (AAK), Apple’s SKAdNetwork successor, got a long-awaited set of upgrades that push it closer to being a partial multi-touch attribution (MTA) framework. No, it’s not a full MTA — but it’s starting to look like one in spirit.
Here’s what’s new and why it matters:
- Conversion Tags
Apple now lets advertisers append aconversion-tagto deep links. You pull this into your app and tie it toupdateConversionValue, giving you more control over who gets credit. It’s a clever way of letting the ecosystem influence credit without breaking SKAN’s rules. - Custom Attribution Rules
Finally — configurable attribution windows! Developers can now set these windows per network or globally, directly in the app’sInfo.plist.The default 30d click / 1d view model is no longer forced. You can even exclude view-through altogether. - Attribution Cooldown (Reattribution, Reimagined)
This one’s nuanced. Instead of a reattribution window, Apple now lets devs block overlapping post-install attributions for a set number of hours after a conversion. It’s like saying: “Hold off on awarding new credit just yet.” This is useful for preventing hijacked credit on rapid-fire conversions from reengagement strategies. - Geo in Postbacks
Postbacks now include country code — sourced from device settings. But only for countries with alternative app stores (think EU DMA regions), so don’t expect this to unlock geo-targeting at scale (yet). Still, it’s a notable expansion of the data allowed.
While Apple isn’t offering true MTA, features like Conversion Tags and Attribution Cooldown signal a meaningful shift in that direction. Conversion Tags allow advertisers to decide who gets credit by passing internal context into the updateConversionValue() call — essentially letting brands override last-touch based on known prior engagement. Attribution Cooldown, meanwhile, protects earlier touchpoints by blocking late signals from stealing credit for a defined time window. These tools don’t expose multiple touchpoints or enable fractional credit, but they empower advertisers to apply MTA-like logic within Apple’s sandbox.
The understated: fingerprinting protections get serious
Apple quietly teased a major privacy enhancement in iOS 26:
“Browsing in Safari gets even more private with advanced fingerprinting protection extending to all browsing by default.”
At first glance, this sounds like more of Apple’s usual privacy rhetoric. But under the hood, it’s a continuation — and escalation — of a broader strategy already in motion. Safari 26 builds directly on Advanced Tracking and Fingerprinting Protection (ATFP) and Link Tracking Protection (LTP), pushing both deeper into the browser stack.
According to the latest WebKit update, Safari will now:
- Block known fingerprinting scripts from accessing sensitive APIs (e.g., screen dimensions, canvas, Apple Pay status, web audio)
- Prevent these scripts from using long-lived client-side storage like cookies and localStorage
- Strip access to navigational state like document.referrer and query parameters — the foundation of many click-based measurement flows
Apple isn’t using a catch-all approach — they’re targeting “known” trackers via curated lists. But which list? Apple already maintains a Privacy Impacting SDKs list, as well as one for known tracking query parameters used in LTP. It’s unclear if this is a new list, a consolidation, or an expansion — but it’s clear that Safari is now enforcing privacy on-device with more precision and fewer workarounds.
So what exactly is affected?
Apple appears to be using curated blocklists of “known trackers,” drawing from sources like PrivacyTests.org — which includes identifiers like gclid, fbclid, and others common in paid media. This is an extension of Link Tracking Protection (LTP) and Advanced Tracking & Fingerprinting Protection (ATFP), targeting invasive third-party click-based tracking.
What this could mean
As usual Apple isn’t 100% clear on how these policies will take shape, but given the information available, this is how we think things will shake out:
- Deep linking and owned attribution are safe
Branch deep linking and deferred deep linking are not impacted. Our query parameters are not on Apple’s known-blocked list. That means owned, organic, and non-paid traffic measurement remains fully intact. - Paid media click IDs are vulnerable
If your attribution model depends on click identifiers likegclid, fbclid,or other query-level tracking parameters, those may be scrubbed by ATFP in Safari — especially for paid campaigns. This will likely affect deterministic link-based attribution for browser-based flows. - Modeled attribution is more relevant than ever
While this update sounds dramatic, its real-world impact is softened by the industry’s shift toward probabilistic and modeled attribution. At Branch, we’ve already been investing here. As click IDs become less reliable, modeled attribution will increasingly carry the weight.
Apple’s privacy agenda is marching forward — but not everything is breaking. What we’re seeing is a shift in where deterministic measurement applies, and an acceleration toward smarter, privacy-preserving alternatives.
TL;DR
Apple continues its long game of reshaping attribution — tightening browser-level privacy while offering more flexibility inside its own ecosystem. AdAttributionKit gets more powerful, letting developers define attribution windows, control re-engagement logic, and even influence credit assignment via Conversion Tags.
Meanwhile, Safari’s fingerprinting protections expand — but enforcement remains in early stages.
For Branch and our customers, this reaffirms a few key bets:
- Modeled attribution (like Predictive Aggregate Measurement) — probabilistic, and privacy-safe — is not a fallback, it’s the future.
- Deterministic identity in the browser is getting harder, fast.
- The browser is no longer neutral infrastructure — it’s an opinionated gatekeeper.
Let’s connect if you want to unpack how these shifts might impact your measurement stack, your partners, or your roadmap.
