What is online tracking?

Online advertising is big business. According to industry groups, revenues for online ads exceeded $150 billion USD in 2021 and continue to grow every year. Those ads are powered by online tracking, profiling, and targeting: a vast corporate surveillance network that harvests and analyzes our every click, query, and more. The average web page shares data with dozens of third parties. The average mobile app does the same, and many apps collect highly sensitive information like location, even when they’re not in use. Digital tracking also reaches into the physical world: shopping centers use automatic license-plate readers to track traffic through their parking lots; businesses, concert organizers, and political campaigns use Bluetooth and WiFi beacons to perform passive monitoring of people in their area; and retail stores use face recognition to identify customers, screen for theft, and deliver targeted ads.

In order to target ads to users based on their online behaviors, the ad-tech industry relies on sophisticated tracking techniques that collect information about users as they browse the web and interact with apps on their mobile devices. Users are tagged with unique identifiers to pinpoint them and categorize their consumer behaviors into cohorts and micro-audiences: users from a certain neighborhood who are interested in used Audi cars, for instance. On mobile devices, advertisers can use an identifier provided by the phone itself, in the form of a unique advertising identifier. Advertisers also use cross-device tracking to link a users’ mobile devices to their workstation and other devices they may have in the home, forming an overall picture of their usage of all the different devices they interact with.

Princeton researchers found that the vast majority of online tracking comes from large tech firms such as Google and Facebook, and is disproportionately on sites that rely heavily on advertising revenue like news and arts websites.

How does tracking happen on the web?

On the web, tracking is most often performed with cookies—specifically third-party cookies, which come from sites that the user doesn’t even directly visit, but are instead loaded by the “first-party” site the user is on. For instance, a news site may include an advertisement or interactive game from an advertiser server that is able to set cookies on a user’s browser. If this advertiser is loaded on multiple sites a user visits, the advertiser will be able to track that user across multiple sites via the cookie they set previously.

One way to evade these trackers is to “clear cookies” on your browser. But this won’t always protect from other forms of web tracking. For example, browser fingerprinting uses different characteristics of a person’s browser (such as language, time zone, and fonts) that are not on their own unique, but when combined will uniquely identify a specific browser.

What is Do Not Track?

A number of initiatives have attempted to limit the scope of online tracking. Originally proposed in 2009, the Do Not Track (DNT) web header sent a signal from a user’s browser to all sites they visited stating that user’s preference not to be tracked. The DNT header initiative suffered from lackluster adoption by browsers and a lack of mechanisms to enforce the user's preference.

To give the preference some teeth, EFF introduced our own DNT Policy, which sites could incorporate into their own privacy policies, and thus promise not to track browsers that opted out using the DNT header. In return, tracker blockers such as our own Privacy Badger would not block sites which abided by this policy.

Eventually, DNT was superseded by individual browser initiatives to block or limit trackers, and was abandoned by standards bodies such as the W3C.

What is Global Privacy Control?

In 2020, a new specification titled Global Privacy Control (GPC) was introduced at the W3C. It picks up momentum where DNT began to lag. It also pairs with the newly passed California Consumer Privacy Act (CCPA) and the now well-known GDPR. At its core, it works like DNT: a user’s browser sends a distinct signal to websites it visits that invokes the GPC. But now, the signal is legally binding to companies in places with applicable privacy laws. In California, for example, it allows users to opt out of having their data shared or sold. This automated, “one and done” opt-out tool is far easier for people to use than manually opting-out, one at a time, at all the sites that a person visits. 

Tools such as Privacy Badger have incorporated this functionality, coupled with the DNT controls that are already in place. This new specification is tailored to requirements of new laws like CCPA. However, it doesn’t completely protect users from the dangerous advertising and tracking industry, given gaps in current law.

How do I prevent myself from being tracked?

EFF’s own Privacy Badger is a browser extension that automatically learns to block invisible trackers. It identifies the third-party resources you encounter across the web, determines which are trackers, and prevents those trackers from being loaded. In this way, it allows the useful third-party resources that are needed to display a webpage and help it function properly, while blocking the unnecessary and invasive trackers.

Other browser extensions such as uBlock Origin and Disconnect can be used in combination with Privacy Badger to provide a defense in-depth approach, layering different protections against trackers in your browser.

Browsers themselves have introduced various protections against web tracking as well. Apple’s Safari browser and iOS use Intelligent Tracking Prevention to protect against the latest tracking technologies. Enhanced Tracking Protection in Firefox uses the Disconnect block list as well as a number of Mozilla’s own techniques to block trackers. Brave is a privacy-focused browser employing a unique set of protections of its own, including protection against browser fingerprinting technologies. Users who wish to protect themselves against not only online trackers but also more advanced threats may consider Tor Browser, which puts an anonymous web-browsing experience above all else.

Note: this is an updated page. View the original archived version.

Protect digital privacy and free expression. EFF's public interest legal work, activism, and software development preserve fundamental rights.
Protect digital privacy and free expression. EFF's public interest legal work, activism, and software development preserve fundamental rights. DONATE TO EFF