Tracking iOS users after ATT: what actually works in 2026
If someone promises you 100% iOS tracking, they're either lying or fingerprinting. Here's what realistically works and what doesn't.
At least once a month, someone asks me if there’s a way to get full user-level tracking back on iOS. The answer is no. It’s been no since April 2021 when Apple rolled out App Tracking Transparency, and it’s going to keep being no. If a vendor is telling you otherwise, they’re selling you either fingerprinting (which is illegal under most privacy frameworks) or wishful thinking.
But “no” isn’t a strategy. So let’s talk about what actually works, what doesn’t, and what realistic measurement looks like in 2026 when roughly 30% of your website visitors are on Safari with ITP and about 75-80% of iOS app users have opted out of tracking.
What ATT actually broke
There’s a lot of confusion about this, so let me be specific.
ATT requires apps to ask permission before accessing the IDFA (Identifier for Advertisers). That’s the device-level ID that let platforms like Meta, Google, and TikTok follow a user from an ad click to an in-app purchase, or from one app to another. Most users said no. Apple’s own data from 2023 showed opt-in rates around 25% globally, and that number has drifted lower since.
On the web side, the situation is related but different. Safari’s Intelligent Tracking Prevention (ITP) has been restricting third-party cookies since 2017 and first-party cookies set by JavaScript since 2019. ATT made it worse by removing the IDFA as a fallback identifier for web-to-app attribution, but ITP was already causing problems long before ATT launched.
Here’s what many people get wrong: ATT didn’t break your Google Analytics data. GA4 uses first-party cookies for session and user identification on the web. ITP caps those cookies at 7 days (or 24 hours if the user arrived via a decorated cross-site link), which means returning user identification degrades, but basic session tracking still works. Your pageview counts are fine. Your session counts are mostly fine. Your user counts are inflated because Safari users look like “new” users more often than they actually are.
What ATT broke specifically is cross-platform attribution. The ability to say “this person saw an ad in Instagram, clicked through to the website, and purchased.” That chain of identity is gone for most iOS users. And that’s the chain that performance marketers cared about most.
What actually works
SKAN 4.0 (for app install campaigns)
If you’re running app install campaigns, SKAdNetwork is Apple’s privacy-preserving attribution framework. Version 4.0, which has been stable since late 2023, added hierarchical conversion values, multiple postbacks (up to three at different time windows), and source identifiers with up to four digits of granularity depending on crowd anonymity.
SKAN is genuinely useful but you need to calibrate your expectations. You get campaign-level attribution, not user-level. The data arrives with random delays (24-48 hours for the first postback, days or weeks for subsequent ones). You can’t get real-time reporting. And the conversion value space is limited, so you need to design your conversion value schema carefully to encode the information that matters most.
For most of my clients running app campaigns, I set up the coarse conversion values to capture three tiers: install-only, low-value engagement (like completing registration), and high-value engagement (like first purchase). That’s not the same granularity you had in 2020, but it’s enough to tell which campaigns are driving quality installs and which are driving garbage.
The practical problem with SKAN isn’t the framework itself. It’s that many advertisers haven’t invested in implementing it properly. Their MMP handles the basics, but the conversion value mapping is either default or poorly thought out. If you haven’t reviewed your SKAN conversion value schema in the past year, it’s probably leaving data on the table.
Server-side event tracking (Conversions API)
This is the biggest practical win for most businesses doing web advertising. Instead of relying on a browser pixel to fire when someone converts, you send conversion events from your server directly to the ad platform’s API. This is one of the strongest arguments for server-side tagging.
Meta’s Conversions API (CAPI), Google’s enhanced conversions, TikTok’s Events API, and LinkedIn’s Conversions API all work on the same principle. Your server knows that a purchase happened because it processed the order. It sends that event, along with whatever identifiable information the user provided (email, phone number, etc.), directly to the platform. The platform matches that data against its user base using hashed identifiers.
This sidesteps browser restrictions entirely. No cookies involved. No JavaScript to block. No ITP to contend with. I go deeper on the full setup in my Meta CAPI guide.
The match rate varies. For Meta CAPI, I typically see event match quality scores between 6 and 8 out of 10, depending on how much customer data you’re passing. Email is the strongest match key. Phone number helps. First name and last name add marginal improvement. City and state are nearly useless on their own but help disambiguate common names.
Here’s the thing about CAPI that people miss: it works best in combination with the browser pixel, not as a replacement. You want both. The browser pixel catches the events that happen in the browser session (page views, add to cart, initiate checkout), while CAPI catches the definitive conversion events (purchase, lead submission). Meta deduplicates using event IDs, so you don’t get double counting as long as you set up deduplication properly. And that “properly” is where most implementations fall apart.
I’ll cover the setup in detail below.
Probabilistic modeling and data-driven attribution
Google, Meta, and other platforms have invested heavily in modeled conversions. When they can’t observe a conversion directly, they use statistical models to estimate how many conversions likely occurred based on the patterns they can observe.
GA4’s behavioral modeling fills in gaps for users who declined cookies. Google Ads reports “modeled conversions” for clicks that likely led to purchases but couldn’t be directly measured. Meta’s algorithm has been optimizing toward modeled outcomes for years now.
Is this as good as deterministic tracking? No. Is it better than nothing? Significantly. The models have gotten reasonably accurate for large advertisers with sufficient data volume. If you’re spending $50K+ per month on Meta and have CAPI set up with decent match quality, the modeled results tend to track within 10-15% of what we can verify through back-end revenue data.
For smaller advertisers, the models are less reliable because there’s less data to learn from. If you’re spending $5K a month, the confidence intervals on modeled conversions are wide enough to make optimization decisions risky.
Consent-based first-party data
This is the long game, and it’s the right one. Build a relationship with your customers where they willingly give you their information. Email signups, loyalty programs, logged-in experiences, preference centers. When someone logs into your site and makes a purchase, you have deterministic identity. No cookies needed, no tracking frameworks, no probabilistic guessing.
I worked with a DTC brand that increased their logged-in purchase rate from 40% to 73% over six months by making account creation dead simple (Google/Apple single sign-on, no mandatory password) and offering a genuine benefit (order history, faster checkout, early access to sales). Their attribution accuracy improved dramatically because they could match 73% of purchases to known users.
This isn’t a quick fix. It’s a strategic investment in your own data infrastructure. But it’s the only approach that gets more valuable over time while everything else gets more restricted.
What doesn’t work
Fingerprinting
Device fingerprinting uses combinations of browser characteristics (screen resolution, installed fonts, WebGL renderer, timezone, language settings) to create a pseudo-unique identifier for a device without cookies.
It’s effective. It’s also illegal under GDPR, explicitly called out by data protection authorities in France, Italy, and Austria, and increasingly targeted by browser makers. Apple has been systematically reducing the entropy available for fingerprinting in Safari. Google has committed to doing the same in Chrome. Even if the legal risk doesn’t concern you (and it should), the technical effectiveness is declining every year.
I’ve had vendors pitch me fingerprinting solutions dressed up as “probabilistic ID resolution” or “cookieless identity.” When I ask exactly which signals they’re using, it’s fingerprinting. When I point out the legal issues, they mumble something about “first-party context” and change the subject.
Don’t use it. The risk-reward ratio is terrible. A GDPR fine for fingerprinting without consent can run into millions. The data quality you get in return is mediocre and degrading.
Buying third-party data
Some vendors sell “enriched” audience data that claims to give you the identity information you lost. The quality of this data is, in my experience, awful. I tested two providers last year by matching their data against our known customer lists. Match rates were 30-40%, and of those matches, about 25% had incorrect demographic or interest data.
You’re paying money to make your targeting worse. Hard pass.
Ignoring iOS entirely
I’ve heard this from a few performance marketers, usually in frustration: “Just exclude iOS from our campaigns and focus on Android where we can still track.”
About 55% of smartphone users in the US and 27% globally use iOS. In several European markets, iOS share exceeds 50%. In Australia it’s around 55%. Excluding iOS means excluding a disproportionately high-value audience segment (iOS users tend to have higher average order values across most e-commerce categories).
You can’t ignore half your addressable market because measurement got harder. You adapt your measurement approach instead.
Setting up Meta Conversions API properly
Since this is the single highest-impact thing most advertisers can do right now, here’s how to actually set it up correctly.
Step 1: Choose your implementation method. You have three options. Partner integration (through Shopify, WooCommerce, etc.) is the easiest but gives you the least control. The Meta pixel/CAPI gateway is a server-side intermediary that Meta hosts for you. Direct API integration is the most work but gives you full control over what data you send.
For most clients, I recommend the gateway if you’re spending under $30K/month on Meta and the direct integration if you’re spending more. The gateway handles deduplication automatically, which eliminates the most common implementation error.
Step 2: Pass customer information parameters. At minimum: hashed email address, hashed phone number, client IP address, user agent, and fbc/fbp cookie values (these are Meta’s first-party cookies). Each additional parameter improves match quality. The hashing happens before the data leaves your server, so you’re sending SHA-256 hashes, not plaintext.
Step 3: Set up event deduplication. If you’re running both the browser pixel and CAPI (which you should be), you need to send the same event_id for the same event from both sources. If a purchase happens and the pixel fires with event_id “purchase_12345” and CAPI sends the same event with event_id “purchase_12345,” Meta deduplicates them. If the IDs don’t match, or if you don’t send IDs at all, you get double counting and your reported ROAS becomes fiction.
I see broken deduplication in about 60% of the CAPI implementations I audit. The symptom is easy to spot: your Meta-reported purchases are 1.5-2x higher than your actual purchases. If that’s happening, check your event IDs first.
Step 4: Monitor Event Match Quality. In Events Manager, check your EMQ score. It should be 6.0 or higher. If it’s below that, you’re probably missing customer information parameters. The most common gap I see is phone number, since many checkout forms collect it but the CAPI implementation doesn’t pass it.
Step 5: Validate with test events. Use Meta’s Test Events tool in Events Manager to send test events and verify they’re received, deduplicated, and matched correctly before going live.
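Steps 2 and 3 in code, as an added example that is not part of the original article or Meta's own sample code: a server-side Purchase event with the email and phone hashed before they leave the server, an event_id derived from the order ID so the pixel can send the same string, and a small check for the mismatched-ID symptom described above. The order and request dictionaries, the helper names, and the sample values are assumptions made for illustration.

```python
import hashlib
import re

def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def hash_email(email: str) -> str:
    # Normalize first (trim, lowercase) so the same address always hashes the same.
    return _sha256(email.strip().lower())

def hash_phone(phone: str) -> str:
    # Digits only, country code included, then hash.
    return _sha256(re.sub(r"\D", "", phone))

def purchase_event_id(order_id: str) -> str:
    # Deterministic: render this same string into the browser pixel call.
    return f"purchase_{order_id}"

def build_purchase_event(order: dict, request: dict) -> dict:
    """Server-side Purchase event; email and phone leave the server only as hashes."""
    user_data = {
        "em": [hash_email(order["email"])],
        "ph": [hash_phone(order["phone"])],
        # Sent as-is, not hashed:
        "client_ip_address": request["ip"],
        "client_user_agent": request["user_agent"],
        "fbc": request.get("fbc"),
        "fbp": request.get("fbp"),
    }
    return {
        "event_name": "Purchase",
        "event_time": order["created_at"],
        "event_id": purchase_event_id(order["id"]),
        "action_source": "website",
        "user_data": {k: v for k, v in user_data.items() if v is not None},
        "custom_data": {"currency": order["currency"], "value": order["total"]},
    }

def dedup_audit(pixel_ids: set, server_ids: set) -> dict:
    """Compare the event_ids each source sent for the same orders."""
    return {
        "matched": len(pixel_ids & server_ids),
        "pixel_only": sorted(pixel_ids - server_ids),
        "server_only": sorted(server_ids - pixel_ids),
        "counted": len(pixel_ids | server_ids),  # events left after ID-based dedup
    }

# Constructed sample data, not real customers.
ORDER = {"id": "12345", "created_at": 1767225600, "email": "  Jane.Doe@Example.com ", "phone": "+1 (555) 010-0199", "currency": "USD", "total": 59.90}
REQUEST = {"ip": "203.0.113.7", "user_agent": "Mozilla/5.0 (constructed)", "fbp": "fb.1.1767225000000.1234567890", "fbc": None}
```

If dedup_audit reports anything under pixel_only or server_only for orders that both sources should have seen, the two sides are generating IDs differently, and "counted" will exceed the real order count.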
Frequently asked questions
Q: Can you still track iOS users after App Tracking Transparency?
You cannot get full user-level tracking on iOS. About 75-80% of iOS app users have opted out of IDFA tracking. However, you can recover significant data using server-side event tracking (Meta CAPI, Google enhanced conversions), Apple’s SKAdNetwork for app install campaigns, and first-party data strategies like logged-in experiences.
Q: What is the Meta Conversions API and does it help with iOS tracking?
Meta CAPI sends conversion events from your server directly to Meta, bypassing browser restrictions entirely. No cookies, no JavaScript to block, no ITP issues. It works best alongside the browser pixel, with event ID deduplication to prevent double-counting. Typical event match quality scores range from 6-8 out of 10.
Q: Is device fingerprinting a legal way to track iOS users?
No. Device fingerprinting is illegal under GDPR and has been explicitly called out by data protection authorities in France, Italy, and Austria. Apple is also systematically reducing the browser entropy available for fingerprinting. The legal risk is severe (fines in the millions) and the technical effectiveness degrades every year.
Q: What conversion tracking accuracy can I expect on iOS in 2026?
Expect roughly 85-90% accuracy for direct and organic traffic, 60-75% for paid campaign attribution (depending on CAPI setup quality), 30-50% for cross-device attribution (limited to logged-in users), and effectively zero for view-through attribution on opted-out iOS users.
Setting realistic expectations
Here’s where I want to be direct with you. The measurement environment of 2019 is not coming back. User-level, cross-platform, deterministic attribution for every conversion across every channel is over. Anyone selling you that is selling you something that technically can’t exist within current privacy frameworks.
What you can have is pretty good measurement. Not perfect. Not complete. But good enough to make informed decisions about where to spend your marketing budget.
Concretely, here’s what I tell clients to expect:
- Direct/organic traffic measurement: 85-90% accuracy (GA4 first-party cookies still work, just with shorter windows for Safari users)
- Paid campaign attribution: 60-75% accuracy depending on channel and CAPI/enhanced conversion setup quality
- Cross-device attribution: 30-50% accuracy (mostly limited to logged-in users)
- View-through attribution: Effectively gone for opted-out iOS users
The gap between what you can measure and what actually happened is real. It’s not going away. Your job is to minimize that gap with proper implementation (CAPI, enhanced conversions, first-party data strategy) and acknowledge the remainder with statistical modeling and incrementality testing.
Run lift tests. Compare geo-holdouts. Use MMM (media mix modeling) for budget allocation at the channel level instead of relying solely on last-click or data-driven attribution. These techniques existed before digital attribution, and they work regardless of what Apple or Google do with their privacy controls or their cookie deprecation plans.
The companies I work with that are doing well in this environment aren’t the ones who found some clever tracking workaround. They’re the ones who accepted the new reality and invested in measurement approaches that don’t depend on following individual users around the internet. It took them a while to get comfortable with less granular data, but their decisions aren’t worse for it. In some cases, they’re better, because they stopped over-optimizing for measurable channels at the expense of unmeasurable ones.
That’s the real lesson of the ATT era. We were over-indexed on precision and under-indexed on accuracy. Now we’re being forced to fix that, and honestly, the marketing isn’t worse for it.
Artem Reiter
Web Analytics Consultant