Browsing for a product and then seeing ads for it everywhere you go online is not a coincidence. A set of tracking mechanisms runs across most of the web, collecting data about where you go, what you look at, and how long you spend looking at it. That data is used to build profiles and serve targeted advertising, and in some cases it is sold to third parties.
This guide explains how the main tracking mechanisms work, what data they collect, and the practical steps that reduce exposure without requiring significant changes to how you browse.
What this covers:
Cookies: first-party vs third-party
Device fingerprinting
Tracking pixels in emails and apps
Social logins and the data they share
How tracked data is used
Practical tools and habits to reduce tracking
1. Cookies: First-Party and Third-Party
A cookie is a small text file a website stores in your browser. First-party cookies are set by the site you are visiting and handle functions you generally want: staying logged in, maintaining a shopping cart, remembering preferences. These are largely benign.
Third-party cookies are set by services other than the site you are on. An advertising network or analytics platform that has code embedded on many different sites can set a cookie on each one and read it on subsequent visits to any of those sites. Because the same cookie is readable across multiple domains, the advertising network can observe your behavior across all the sites where its code is present, not just the one you are currently on. This is the mechanism behind ads that follow you between sites.
Most browsers now offer the option to block third-party cookies, and some (Safari, Firefox, Brave) do so by default. Chrome has been slower to make this change but has been moving in the same direction. Enabling third-party cookie blocking in your browser settings is the most straightforward step for reducing this form of tracking.
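The cross-site view described above can be reconstructed from a browsing log. This is an added example, not part of the original guide: the request log, host names, and cookie values are constructed, and the `site()` helper is a simplifying assumption (real tooling should use the Public Suffix List).

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log: (page the user was on, URL that page requested, Cookie header sent)
REQUESTS = [
    ("https://news.example/story", "https://news.example/app.js", "session=n1"),
    ("https://news.example/story", "https://ads.tracker.test/tag.js", "uid=abc123"),
    ("https://shop.example/shoes", "https://shop.example/cart", "cart=s9"),
    ("https://shop.example/shoes", "https://ads.tracker.test/tag.js", "uid=abc123"),
    ("https://blog.example/post", "https://cdn.tracker.test/p.gif", "uid=abc123"),
    ("https://blog.example/post", "https://fonts.static.test/f.woff", ""),
]

def site(url):
    """Naive registrable domain: last two host labels (assumption for this example)."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def cross_site_view(requests, block_third_party=False):
    """Map (third-party site, cookie) -> first-party sites where that cookie was sent."""
    seen = defaultdict(set)
    for page, url, cookie in requests:
        first, third = site(page), site(url)
        if first == third:
            continue  # first-party request: the site talking to itself
        if block_third_party:
            cookie = ""  # browser withholds cookies on cross-site requests
        if cookie:
            seen[(third, cookie)].add(first)
    return {key: sorted(sites) for key, sites in seen.items()}

if __name__ == "__main__":
    print("default:", cross_site_view(REQUESTS))
    print("blocked:", cross_site_view(REQUESTS, block_third_party=True))
```

With blocking off, one cookie value ties three unrelated sites to the same browser; with blocking on, the tracker still receives the requests but has no identifier to join them.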
2. Device Fingerprinting
Fingerprinting identifies a browser or device by combining a set of attributes that, taken together, are likely unique: browser type and version, operating system, screen resolution, installed fonts, time zone, language settings, the presence of specific browser extensions, and several others.
Unlike cookies, fingerprinting does not require storing anything on your device and cannot be cleared. It works as long as the combination of attributes remains consistent, which it typically does unless you change devices or significantly reconfigure your browser.
Fingerprinting is used legitimately for fraud detection (identifying unusual device configurations that might indicate automated bots) but is also used by advertising and analytics systems to track users across sessions and sites even when cookies have been cleared.
Browser extensions that introduce noise into fingerprinting (Privacy Badger, uBlock Origin) reduce but do not eliminate fingerprinting. Privacy-focused browsers like Brave attempt to standardize certain attributes across users to make individual browsers less distinguishable. Completely defeating fingerprinting while using a conventional browser is not straightforward, but reducing its reliability is achievable.
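To see why a combination of ordinary attributes becomes identifying, and why standardizing some of them helps only partly, the following added example (not from the original guide) measures uniqueness over a small constructed population. The eight browser profiles, the field names, and the `standardize()` model are assumptions made for illustration.

```python
import math
from collections import Counter

FIELDS = ("browser", "os", "screen", "tz", "fonts")

# Constructed population of eight browsers; "fonts" stands in for a font-list hash.
ROWS = [
    ("Chrome", "Windows", "1920x1080", "UTC-5", "A"),
    ("Chrome", "Windows", "1920x1080", "UTC-5", "B"),
    ("Chrome", "Windows", "1366x768", "UTC+1", "A"),
    ("Chrome", "macOS", "1440x900", "UTC-5", "C"),
    ("Firefox", "Windows", "1920x1080", "UTC+1", "A"),
    ("Firefox", "Linux", "1920x1080", "UTC+1", "D"),
    ("Safari", "macOS", "1440x900", "UTC-5", "C"),
    ("Safari", "macOS", "1440x900", "UTC-8", "C"),
]

def project(rows, fields):
    """Keep only the named attributes of each profile."""
    idx = [FIELDS.index(f) for f in fields]
    return [tuple(row[i] for i in idx) for row in rows]

def entropy_bits(rows, field):
    """Shannon entropy of one attribute: how many bits it reveals on average."""
    counts = Counter(project(rows, [field]))
    n = len(rows)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def unique_fraction(rows, fields=FIELDS):
    """Share of profiles that no other profile matches on the given attributes."""
    keys = project(rows, fields)
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(rows)

def standardize(rows, fields=("screen", "fonts")):
    """Model a browser that reports the same value for some attributes to every site."""
    idx = {FIELDS.index(f) for f in fields}
    return [tuple("*" if i in idx else v for i, v in enumerate(row)) for row in rows]

if __name__ == "__main__":
    for f in FIELDS:
        print(f"{f:8s} {entropy_bits(ROWS, f):.2f} bits")
    print("unique on browser+os:   ", unique_fraction(ROWS, ("browser", "os")))
    print("unique on all fields:   ", unique_fraction(ROWS))
    print("unique after standardize:", unique_fraction(standardize(ROWS)))
```

No single attribute singles anyone out, yet all five together make every profile unique; standardizing two attributes lowers that share without bringing it to zero.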
3. Tracking Pixels in Emails and Apps
An email tracking pixel is a tiny, transparent image embedded in an HTML email. When your email client loads the image, a request is sent to the sender's server. That request logs that the email was opened and can include the timestamp, your general location based on IP address, and the device and email client used.
This happens automatically whenever an email is displayed in HTML format. Disabling automatic image loading in email settings prevents tracking pixels from loading. Most major email clients (Gmail, Outlook, Apple Mail) have this setting. Some clients (Apple Mail on iOS 15 and later) have introduced additional privacy protections that prevent senders from knowing whether you opened the email at all.
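A mail filter or a curious reader can spot likely tracking pixels before any image is loaded. The detector below is an added example, not part of the original guide; the message, host names, and token are constructed, and the heuristic (remote image that is 1 pixel or hidden by style) is an assumption that will miss pixels disguised as normal-sized images.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
import re

# Constructed message; hosts and the token are made up for this example.
RAW = """\
From: news@shop.example
Subject: Spring sale
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Spring sale starts today.</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://t.mailer.test/o.gif?u=EXAMPLE-TOKEN" width="1" height="1">
<img src="https://t.mailer.test/o2.gif" style="display:none">
<img src="cid:logo" width="1" height="1">
</body></html>
"""

class PixelFinder(HTMLParser):
    """Collects remote <img> URLs that are tiny or hidden."""
    def __init__(self):
        super().__init__()
        self.pixels = []
    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not re.match(r"https?://", src, re.I):
            return  # cid:/data: images are embedded; displaying them sends no request
        tiny = any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.pixels.append(src)

def find_pixels(raw):
    """Return URLs in the HTML body that would be fetched as likely tracking pixels."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # plain-text message: nothing is fetched on open
    finder = PixelFinder()
    finder.feed(body.get_content())
    return finder.pixels
```

The visible banner and the embedded `cid:` image are ignored; the two remote images that a reader would never see are the ones reported.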
Mobile apps present a different tracking surface. Many free apps collect location data, usage patterns, device identifiers, and contact information, which is shared with advertising networks. Reviewing app permissions and denying location and contact access to apps that have no clear need for it is the most direct control available. On iOS, App Tracking Transparency requires apps to request permission before tracking you across other apps and websites.
4. Social Logins and Connected Apps
"Log in with Google" and "Log in with Facebook" are convenient but not neutral. Using a social login connects the external site to your social account, and depending on the permissions granted, can allow the social platform to know about your activity on that site.
More relevant is the data the social platforms themselves hold: interaction history, posted content, browsing patterns, location data from mobile apps, and the entire social graph of connections and shared content. When third-party apps are connected to these accounts, that data footprint extends further.
Reviewing which apps are connected to your social accounts (found in the security or apps settings on most platforms) and revoking access for apps you no longer use or recognize is a worthwhile housekeeping task. Dedicated email and password logins, though less convenient, do not share data with social platforms.
5. How Tracked Data Is Used
The primary commercial purpose of tracking is targeted advertising. Behavioural profiles allow advertisers to show ads to specific demographic segments, or to people who have demonstrated interest in particular products, at a significantly higher conversion rate than untargeted advertising.
The data does not always stay with the original collector. Data brokers aggregate profiles purchased from multiple sources and sell access to them. Buyers include marketers, financial companies running credit assessments, employers conducting background checks, and in some documented cases, political campaigns and law enforcement agencies.
The data sold includes browsing history, purchase history, location history, and inferred attributes (household income bracket, likely age and health status, political affiliation). The individuals whose data is being sold have no visibility into this process and in many jurisdictions have limited legal recourse.
Practical Steps to Reduce Tracking
Block third-party cookies. Enable this in your browser settings if it is not already on. The location varies by browser: in Chrome it is under Privacy and Security > Cookies and other site data; in Firefox it is under Privacy and Security > Enhanced Tracking Protection.
Use a tracker-blocking extension. uBlock Origin is the most widely recommended option: effective, well-maintained, and free. It blocks third-party tracking scripts and advertising networks in addition to cookie-based tracking.
Switch to a privacy-focused browser for sensitive sessions. Brave blocks fingerprinting and third-party tracking by default. Firefox with default privacy settings is a reasonable choice. Both are practical for everyday use.
Disable automatic image loading in email. This blocks tracking pixels without meaningfully affecting the experience, since most important email content is text.
Audit app permissions. Review location, contacts, and microphone access for mobile apps. Deny access to apps where the permission is not clearly necessary. On iOS, periodically check Privacy settings for App Tracking Transparency status.
Review connected apps on social platforms. Revoke access for apps you no longer use. On most platforms this is found under Settings, Security or Privacy, then Apps or Connected Apps.
Key Takeaways
Third-party cookies are the primary mechanism for cross-site tracking. Blocking them in browser settings or using a privacy-focused browser addresses this directly.
Device fingerprinting tracks users without cookies by combining browser and device attributes into a unique signature. It cannot be cleared but can be disrupted by privacy-focused browsers and extensions.
Email tracking pixels log when and where emails are opened. Disabling automatic image loading in email clients prevents this.
Social logins expand the data shared with the platform behind the login. Dedicated logins avoid this.
Tracked data is used for advertising but is also sold to data brokers, which aggregate it into profiles used by a wide range of commercial and institutional buyers.
Practical tools: uBlock Origin (extension), Brave or Firefox (browsers), privacy settings in apps and email clients.
Conclusion
Online tracking is pervasive and largely invisible, but the mechanisms are well-understood and the countermeasures are practical. Third-party cookie blocking, a tracker-blocking extension, and reviewing app and social login permissions cover most of the common tracking surfaces.
The goal is not to become untrackable, which is not realistic for most people, but to reduce unnecessary data collection and understand what is being collected and by whom.




