How Companies Track You Across the Internet
In short
Companies track you through a layered system: cookies on websites, invisible pixels in emails, fingerprinting techniques that need no cookie at all, code embedded inside mobile apps, and offline data from loyalty schemes. All of these data streams tend to flow toward a relatively small number of advertising technology firms who build profiles used to target adverts. The good news is that a handful of practical habits, combined with a few browser settings, genuinely reduce how much of this happens.What tracking actually means, and what it does not
The word "tracking" gets used to mean everything from a supermarket remembering your postcode to a shadowy file that knows your deepest secrets. Neither picture is quite right. In practice, tracking is the process of linking your behaviour across time and across different websites or apps, so that a company can build a profile of who you are and what you are likely to do next.
That profile is almost always built for advertising purposes. The goal is not to spy on you for its own sake. It is to predict which advert you are most likely to respond to, and to charge a higher price for showing it to you. Understanding that commercial logic matters, because it shapes every decision about which data gets collected and how long it gets kept.
What tracking does not usually mean: a human being reading your messages, a government agency watching your screen, or a permanent record that can never be altered. Most tracking data is probabilistic and decays in usefulness fairly quickly. That does not make it harmless, but it does mean the reality is less cinematic than the headlines suggest.
UK law gives you some rights here. Under UK GDPR, organisations must have a lawful basis for processing your personal data, and the Information Commissioner's Office (ICO) is the regulator that enforces those rules. Tracking that identifies you, or that can be linked back to you, counts as personal data processing. That is why cookie banners exist at all.
Today's habit: Next time a cookie banner appears, take ten seconds to find the "manage preferences" or "reject all" option rather than clicking accept. It is usually there, even if it is less prominent.
Cookies: first party, third party, and what the banner really changes
A cookie is a small text file that a website saves to your browser. That is genuinely all it is. The file contains a string of characters, often just a unique ID, and your browser sends it back to the website on your next visit so the site can recognise you. Cookies are why your shopping basket does not empty when you close a tab.
The distinction that matters is between first-party cookies and third-party cookies.
A first-party cookie is set by the website you are actually visiting. The BBC sets one so it remembers your region. Your bank sets one so you stay logged in. These are largely functional and most people are comfortable with them.
A third-party cookie is set by a different domain, one that is not the site you are on. When a news site loads an advert from an ad network, that network's code runs in your browser and sets its own cookie. You visit a recipe site, a fashion site, a sports site, and the same ad network is embedded in all three. It sees all three visits, links them to your cookie ID, and builds a picture of your interests without any of those sites ever sharing your data directly with each other.
This is the mechanism that makes adverts "follow" you around the web.
So what does the cookie banner actually change? Quite a lot, in principle. The ICO's guidance on cookies is clear that non-essential cookies, including advertising and analytics cookies, require your prior consent. Clicking "reject all" should prevent those third-party cookies from being set at all. In practice, some banners are designed to make rejection harder than acceptance, a pattern the ICO has specifically called out as non-compliant.
Major browsers are also moving away from third-party cookies. Firefox and Safari block them by default. Chrome has been slower, but the direction of travel is clear. That said, the advertising industry has been developing replacements, so third-party cookies disappearing does not mean third-party tracking disappears.
Today's habit: In your browser settings, find the privacy or cookies section and set it to block third-party cookies if that option exists. On Firefox and Safari this is already the default. On Chrome, look under Settings, then Privacy and Security, then Cookies and other site data.
Tracking pixels and why a 1x1 image knows you opened an email
A tracking pixel is an image so small you cannot see it. One pixel by one pixel, usually transparent. It is embedded in a webpage or, more commonly, in a marketing email.
Here is the mechanism. When your email client loads the images in a message, it makes a request to the server that hosts each image. That request includes your IP address, the time of the request, what email client you are using, and sometimes your rough location. The sender's server logs all of that. The result: they know you opened the email, roughly when, and on what kind of device, without you doing anything beyond opening the message.
On websites, pixels work similarly. A retailer's site might include a Facebook pixel. When you visit a product page, that pixel fires and tells Facebook's servers that someone with your browser visited that page. If you are logged into Facebook (or if Facebook can match your browser fingerprint), that visit gets added to your profile. This is how you see an advert on Instagram for something you looked at on a completely different website.
The pixel itself carries no data. It is the request to load it that carries the data, which is why blocking image loading stops it.
Email tracking pixels are covered by the same UK GDPR and PECR rules as cookies, but enforcement in email is less visible to most people. Some email providers, notably Apple Mail since its 2021 privacy update, now pre-load images through their own servers, which masks your real IP address and makes open-tracking far less reliable.
Today's habit: In your email client settings, look for an option to block remote images or load images manually. Gmail, Outlook and most mobile mail apps all have this. It breaks some email formatting, but it stops pixel tracking entirely.
Browser fingerprinting: tracking with no cookies at all
This one surprises people. You can clear every cookie, use a private window, and still be tracked. Browser fingerprinting does not store anything on your device. Instead, it reads information your browser reveals automatically: your screen resolution, installed fonts, the graphics card your device uses to render images, your time zone, your browser version, the plugins you have installed, and dozens of other signals.
Individually, none of these is identifying. Lots of people have a 1920x1080 screen. But combined, these attributes create a profile that is often unique enough to identify a single browser among millions. Researchers at the Electronic Frontier Foundation documented this through their Cover Your Tracks project, which lets you test your own browser's uniqueness.
Because fingerprinting requires no storage and leaves no trace you can delete, it is harder to block than cookies. It also tends to be more persistent: a new browser session does not change your screen resolution.
The technique is used both for tracking and for fraud detection. Banks and payment processors use fingerprinting to spot when someone is using an unusual device, which is a legitimate security use. Advertising networks use it to track you even after you have opted out of cookies, which is considerably less legitimate and arguably inconsistent with UK GDPR's requirement for a lawful basis.
What actually reduces fingerprinting? This is where the honest answer gets a bit uncomfortable. The most effective countermeasure is making your browser look like many other browsers: using a common browser on a common operating system, without unusual plugins, at a standard window size. Privacy-focused browsers like Firefox with the right settings, or the Tor Browser, work to standardise the fingerprint they expose. A VPN changes your IP address but does nothing about fingerprinting. Ad blockers that block fingerprinting scripts (uBlock Origin is a well-documented example) help by preventing the scripts from running at all.
Today's habit: Visit coveryourtracks.eff.org to see how unique your current browser looks. If it shows as "unique", consider whether you have unusual extensions or fonts installed that you could remove.
Inside your apps: SDKs, advertising IDs and location
Mobile apps track you differently from websites, and in some ways more thoroughly. The mechanism is the SDK, a software development kit. When a developer builds an app, they often include pre-built code packages from third parties: analytics providers, advertising networks, crash-reporting tools. Each SDK can collect data independently, and a single app might contain several.
The key identifier in the mobile world is the advertising ID: a unique code assigned to your device by Apple (where it is called the IDFA) or Google (the GAID). Unlike a cookie, this ID persists across all apps on your device. An advertising network whose SDK appears in a fitness app, a weather app, and a recipe app sees your behaviour across all three, linked by the same advertising ID.
Location data deserves special attention. Apps that request location permission can, if you grant it, log where you are continuously. This data is commercially valuable well beyond the app's stated purpose. Researchers and journalists have repeatedly documented cases where location data collected by apps was sold to data brokers, who then sold it further. The ICO's guidance on lawful basis requires that apps collecting location data have a genuine, specific reason, but enforcement relies partly on users understanding what they are granting.
Apple made a significant change with iOS 14 by requiring apps to ask explicitly before accessing the advertising ID, a prompt known as App Tracking Transparency. Many users decline. Android has introduced similar controls, though the rollout has been more gradual. Neither system eliminates SDK-based tracking entirely, but they meaningfully reduce the advertising ID component.
For social media apps in particular, the SDK picture is especially layered: the platform's own app collects data, but the platform's advertising SDK also appears inside many other apps, feeding data back to the same profile.
Today's habit: On iPhone, go to Settings, Privacy and Security, then Tracking, and turn off "Allow Apps to Request to Track". On Android, go to Settings, Privacy, then Ads, and opt out of ads personalisation. Then review which apps have location access and change any set to "always" down to "while using" or off entirely.
The offline layer: loyalty cards, receipts and purchase data
Online tracking gets most of the attention, but some of the richest data about you comes from the physical world. Loyalty cards are the clearest example. When you scan your Tesco Clubcard, Boots Advantage card, or Nectar card, every item in your basket is logged against your account. Over months and years, a supermarket builds a detailed picture of your diet, your household size, whether you have a baby, whether you are dieting, whether you drink.
This data is not just used to send you vouchers. Loyalty card data is shared with and sold to third parties, including consumer insight firms and, in some cases, pharmaceutical companies and insurers. The ICO has published guidance on this, and the major schemes are required to disclose it in their privacy notices, but those notices are rarely read.
Receipts add another layer. Some retailers offer digital receipts through apps or email. Those receipts can be parsed automatically to extract purchase data. There are also third-party apps that ask you to forward your email receipts to them in exchange for cashback or rewards. The business model of those apps is typically the purchase data itself.
Credit and debit card transaction data is another offline source. Card networks and banks hold detailed purchase histories. In aggregate, anonymised form this data is sold to market research firms. Whether it is truly anonymised in practice is a question researchers continue to examine.
The link between offline and online data is the email address. When you give your email to a retailer, they can match your purchase history to your online profile through a process called customer list matching. You upload your email to Facebook or Google, and they check whether that address appears in their own database. If it does, they can target you with adverts based on your offline behaviour. To understand more about where all this data eventually flows, the piece on how your data is collected and sold covers the broker ecosystem in detail.
Today's habit: Read the privacy notice for any loyalty scheme you use. Look specifically for the section on third-party sharing. Most allow you to opt out of data sharing for marketing purposes, separately from opting out of the loyalty scheme itself.
Who ends up with all this, and what they use it for
The various tracking mechanisms described above do not operate in isolation. They feed into a connected ecosystem dominated by a relatively small number of large players and a larger number of specialist firms called data brokers or ad tech companies.
At the centre are the major platforms: Google, Meta, Amazon, and a handful of others. Each runs its own advertising network, its own identity system, and its own data collection infrastructure. Google's advertising technology appears on a significant proportion of websites globally. Meta's pixel is embedded across a large share of e-commerce sites. These companies do not need to track you across the whole web because the web largely comes to them.
Around them sits a layer of specialist ad tech firms: demand-side platforms, data management platforms, supply-side platforms. These are the companies most people have never heard of but whose code runs on sites they visit every day. When you load a webpage with advertising, a real-time auction can take place in milliseconds: your profile (or a probabilistic version of it) is shared with dozens of potential advertisers who bid to show you their advert. This process is called real-time bidding, and the ICO has expressed serious concerns about whether it is compatible with UK GDPR, particularly around the breadth of data shared in each bid request.
Then there are data brokers: companies whose entire business is buying, combining, and reselling personal data. They aggregate loyalty card data, public records, social media data, location data from apps, and online behavioural data into profiles that can be bought by anyone from a political campaign to an insurance company.
What is all this used for? Primarily, targeted advertising. But also: credit risk assessment, insurance pricing, employment screening, political campaigning, and fraud detection. The same data infrastructure serves all of these purposes, which is part of why privacy advocates argue the stakes are higher than just seeing relevant adverts.
What actually works: an honest ranking of countermeasures
There is no single action that eliminates tracking. Anyone who tells you otherwise is selling something. What exists is a spectrum of measures, each reducing a different part of the tracking picture by a different amount. Here is an honest assessment.
High impact, low effort
- Reject non-essential cookies on every site that asks. This stops third-party cookie tracking for that session. Takes ten seconds.
- Block third-party cookies in your browser. Firefox and Safari do this by default. Chrome requires a manual setting change.
- Revoke unnecessary app permissions. Location set to "always" for apps that have no reason to need it is one of the highest-value changes you can make on a phone.
- Opt out of your advertising ID. Both Apple and Google provide this. It does not eliminate SDK tracking but removes the persistent cross-app identifier.
- Block remote images in email. Stops pixel tracking entirely with one setting change.
Medium impact, moderate effort
- Use a content-blocking browser extension. Extensions that block tracking scripts (not just adverts) prevent fingerprinting scripts, pixels, and third-party code from loading. The Mozilla Firefox extension library documents well-regarded options. Look for extensions with a clear, public privacy policy and open-source code.
- Switch to a privacy-respecting browser. Firefox with Enhanced Tracking Protection set to "Strict" is a well-documented choice. The Mozilla support page explains exactly what it blocks.
- Use a privacy-focused search engine. Your search queries are behavioural data. Search engines that do not build profiles exist and work adequately for most queries.
- Opt out of loyalty card data sharing. Read the privacy notice and use the opt-out. You usually keep the points.
Lower impact than people assume
- Private or incognito browsing. This clears cookies when you close the window and prevents local history storage. It does not hide your IP address, does not prevent fingerprinting, and does not stop your internet provider from seeing which sites you visit.
- A VPN. A VPN hides your IP address from the websites you visit and encrypts traffic from your internet provider. It does not prevent cookie tracking, fingerprinting, or pixel tracking. It shifts trust from your internet provider to the VPN provider. For privacy from your ISP or on public Wi-Fi, it is useful. For reducing ad tracking, its impact is limited.
- Deleting your cookies. Useful as a reset, but you will accumulate new ones immediately. Fingerprinting and other cookieless methods are unaffected.
High impact, high effort
- Using the Tor Browser. Tor routes traffic through multiple servers and standardises the browser fingerprint it presents, making tracking very difficult. It is slower than a normal browser and breaks some sites. For everyday use it is impractical for most people, but it is the most technically robust option for specific sensitive browsing.
- Exercising your data rights. Under UK GDPR, you have the right to request access to data held about you, and in some cases the right to have it deleted. Sending subject access requests to data brokers is time-consuming but legally enforceable. The ICO's public guidance explains how to do this and what to do if a company does not comply.
The most important thing to take from this is that you do not need to do everything. Blocking third-party cookies, reviewing app permissions, and rejecting non-essential cookies will remove a substantial portion of the tracking most people experience. Everything beyond that is incremental. Start with what is easy, build from there, and do not let the complexity of the full picture stop you from doing the simple things.
