What iOS 26 changed for your ad campaigns
Apple's iOS 26 expanded Safari Link Tracking Protection — the system that strips tracking parameters from URLs before your landing page loads.
gclid is Google's click ID. fbclid is Meta's. dclid belongs to Display & Video 360. When a user clicks your Google or Meta ad, the platform appends one of these identifiers to the destination URL. Your site reads the ID and passes it back to the platform when a conversion happens. That's how Smart Bidding learns, how ROAS gets calculated, and how attribution gets assigned.
iOS 26 strips these IDs in three scenarios: Private Browsing sessions in Safari, links opened from Apple Mail, and links shared through Messages. These aren't edge cases. A meaningful share of your paid clicks travels through at least one of these channels — anyone checking email on their iPhone and clicking a shopping link is in scope today.
The bigger signal coming from Safari Technology Preview
Apple's development build for Safari — the version that previews what ships to mainstream iOS — is currently stripping gclid and fbclid in standard non-private browsing sessions too.
Safari Technology Preview changes typically land in the stable release within 6 to 12 months. Private Browsing coverage today is the floor, not the ceiling. The pattern matches what happened with Mail Privacy Protection in 2021: tested in preview, shipped in stable, and affected every email marketer who wasn't ready.
Addressing server-side click ID capture now, while impact is partial, costs far less than rebuilding attribution infrastructure after a full rollout.
What your data looks like when IDs disappear
Safari holds roughly 24% of global browser share. On US mobile, that climbs to around 55%. iPhone 15 and 16 are the two most common handsets in most US consumer audiences — both shipped with iOS 26 or have received the update.
When Safari strips the click ID, the ad click arrives at your site with no traceable origin. Google Ads can't match it to a conversion. Meta's pixel fires without an associated fbclid. GA4 can't assign a source or medium, so it falls back to direct / (none).
The visible symptoms: unexplained jumps in direct traffic, conversion gaps you can't explain from campaign data, CPAs that look inflated against what you're actually generating, and Meta's click-based attribution reporting fewer purchases than your Shopify order dashboard. These are the same problem — the ID that would have closed the loop never made it to your server.
UTM parameters are different — and that matters
Apple's Link Tracking Protection targets click IDs specifically. UTM parameters — utm_source, utm_medium, utm_campaign, utm_content — are not classified as privacy-invasive and survive Link Tracking Protection intact.
This means you still get channel-level attribution in GA4 even when the click ID is gone. You lose granular campaign and keyword-level data for Smart Bidding optimization. You keep the ability to identify which channel drove the session.
Running UTMs alongside gclid and fbclid is not optional for campaigns sending paid traffic to your site. If your campaigns are running without UTMs because "the click IDs handle it," fix that today.
The actual fix
Server-side click ID capture. This is the standard solution and it works.
Normally, client-side JavaScript reads the gclid or fbclid from the URL and stores it in a first-party cookie. Safari's Link Tracking Protection strips the parameter before the browser renders the page, so the JavaScript never sees it.
Server-side capture happens at the origin or edge, before the browser is involved. A server-side function reads the raw incoming URL, extracts the click ID, stores it as a first-party cookie or passes it directly to your data layer, and then serves the page. Apple's Link Tracking Protection can't intercept a request that completes before Safari processes it.
The implementation options are: server-side Google Tag Manager, a Cloudflare Worker, Vercel middleware, or a dedicated tracking tool with server-side proxy support. For Shopify merchants, this typically means a Cloudflare Worker on your custom domain or a server-side GTM container on a tracking subdomain.
Pair this with Google Enhanced Conversions and Meta's Conversions API. Both allow you to send hashed first-party data (email, phone) to the platforms for conversion matching. They partially compensate for missing click IDs but work better when the click ID was captured upstream — the two approaches compound rather than substitute.
What to check before anything else
Pull your GA4 Traffic Acquisition report and look at Direct channel share over the last 90 days. Break it by device type. If Direct surged on mobile after June 2026 — when iOS 26 shipped — you're looking at attribution loss in action.
Then verify whether your current setup captures gclid before any client-side scripts run. In most setups without server-side tracking, a Safari Private Browsing session never stores the ID because it never reaches client-side JavaScript. Run a test with a Safari private window and confirm whether a click ID cookie gets set after you land on your paid search destination URL.
The free Gromerce audit maps your current attribution coverage across channels. If your reported ROAS and your backend revenue numbers are diverging, that gap is worth quantifying before you touch any bids.
Apple is not reversing direction here. Each iOS release adds more noise to device signals and removes more third-party tracking infrastructure. The brands building on first-party data collection and server-side measurement are structurally more resilient — not because they're more sophisticated, but because they're not depending on infrastructure Apple has decided to dismantle.
Sources: WebKit Blog, iOS 26 release notes, measuremindsgroup.com, northbeam.io, taggrs.io, within.co, July 2026
