Cookies and Tracking: Understanding Web Privacy Risks
Every website you visit drops cookies on your browser, and the vast majority of them exist not to improve your experience but to track your behavior across the internet. The average website loads 15 to 50 third-party trackers, building a detailed profile of your interests, habits, location, and identity. Understanding how tracking works is essential to making informed decisions about your online privacy.
How Cookies Work
Cookies are small text files stored by your browser at a website’s request. First-party cookies come from the site you are visiting and serve legitimate purposes: keeping you logged in, remembering your shopping cart, and storing your language preferences. Without these, every page load would require a fresh login.
Third-party cookies come from domains other than the one you are visiting. When a page loads an ad from doubleclick.net or a tracking pixel from facebook.com, those domains set cookies in your browser. As you visit other sites that also load resources from these same domains, the tracker correlates your visits, building a comprehensive browsing profile across the entire web.
Beyond Cookies: Advanced Tracking
The industry has developed tracking methods that persist even when you block or clear cookies.
Browser fingerprinting collects your browser version, installed fonts, screen resolution, graphics card, timezone, language settings, and dozens of other characteristics. Combined, these create a nearly unique identifier. The Electronic Frontier Foundation’s Panopticlick project found that 83.6 percent of browsers have a unique fingerprint, allowing tracking without any cookies at all.
Tracking pixels are invisible 1x1 pixel images embedded in emails and web pages. When loaded, they transmit your IP address, device type, time of access, and location to the tracker’s server. Email tracking pixels reveal when you open messages, how many times, and from which devices.
ETags and cache-based tracking store identifiers in your browser’s cache rather than in cookies. Clearing cookies does not remove these identifiers. They persist until you clear your entire browser cache.
CNAME cloaking disguises third-party trackers as first-party resources: the website creates a subdomain on its own domain and points it, through a DNS CNAME record, at the tracker. Because the requests appear to go to the site itself, this bypasses most third-party cookie blocking.
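A check for cloaked trackers follows each first-party hostname's CNAME chain and tests where it ends. The following is an added example, not part of the original article; the DNS records, hostnames and tracker list are constructed, and a real audit would take the records from a DNS resolver and the tracker domains from a maintained blocklist.

```python
# Constructed CNAME records (name -> target); every domain here is made up.
RECORDS = {
    "metrics.news.example": "news-example.collect.tracker.example.",
    "static.news.example": "d111.cdn-provider.example.",
    "img.news.example": "assets.news.example.",
    "assets.news.example": "edge.tracker.example.",
}
# Hostnames a page on news.example loaded resources from (constructed).
HOSTS = ["www.news.example", "metrics.news.example", "static.news.example",
         "img.news.example", "ads.adnetwork.example"]
TRACKER_DOMAINS = ("tracker.example", "adnetwork.example")  # hypothetical blocklist

def norm(host):
    return host.lower().rstrip(".")

def is_subdomain(host, domain):
    host, domain = norm(host), norm(domain)
    return host == domain or host.endswith("." + domain)

def cname_chain(host, records, max_hops=8):
    """Return the CNAME targets reached from host, stopping at a loop or hop limit."""
    host = norm(host)
    chain, seen = [], {host}
    while host in records and len(chain) < max_hops:
        host = norm(records[host])
        if host in seen:
            break
        chain.append(host)
        seen.add(host)
    return chain

def find_cloaked(site_domain, hosts, records, tracker_domains):
    """List (first-party host, CNAME target, tracker domain) for cloaked trackers."""
    findings = []
    for host in hosts:
        if not is_subdomain(host, site_domain):
            continue  # openly third-party; ordinary blocking already sees it
        for target in cname_chain(host, records):
            hit = next((t for t in tracker_domains if is_subdomain(target, t)), None)
            if hit:
                findings.append((norm(host), target, hit))
                break
    return findings

if __name__ == "__main__":
    for finding in find_cloaked("news.example", HOSTS, RECORDS, TRACKER_DOMAINS):
        print(finding)
```

The CDN alias is left alone because its target is not on the tracker list, while the two-hop alias through assets.news.example is still caught.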
The Business of Tracking
Data brokers aggregate tracking data from thousands of sources to build profiles containing your name, email, phone number, physical address, browsing history, purchase history, income estimate, political affiliation, health conditions, and social connections. Companies like Acxiom, Oracle Data Cloud, and LexisNexis maintain profiles on hundreds of millions of individuals. These profiles are sold to advertisers, insurance companies, landlords, and employers.
Protecting Yourself
Block third-party cookies in your browser settings. Chrome, Firefox, and Edge all support this. Chrome is transitioning to the Privacy Sandbox as a replacement for third-party cookies, but this still enables interest-based tracking by Google.
Install uBlock Origin to block tracking scripts, ads, and tracking pixels before they load. It is more effective than cookie-blocking alone because it prevents fingerprinting scripts and pixel trackers from executing.
Use Firefox with Enhanced Tracking Protection set to Strict for the most comprehensive built-in anti-tracking. Firefox also blocks known fingerprinting scripts.
Use a privacy-focused email provider or disable image loading in email to prevent tracking pixel execution. Hey.com, ProtonMail, and Tutanota block tracking pixels by default.
Clear cookies regularly and consider using browser containers (Firefox Multi-Account Containers) to isolate different browsing activities. This prevents Facebook from tracking your browsing on other sites, for example.
For a complete toolkit of privacy-protecting software, see our privacy tools for everyday use guide. To take the next step in eliminating your data from brokers, read our data broker removal guide.
The Cookie Consent Landscape
The EU’s ePrivacy Directive requires websites to obtain informed consent before setting non-essential cookies. GDPR strengthened this by requiring that consent be specific, informed, and freely given. The result is the ubiquitous cookie banner that greets you on virtually every website. However, many implementations violate the spirit of the law through dark patterns: making “Accept All” prominent while hiding the reject option behind multiple clicks.
When you encounter a cookie banner, take the two seconds to click “Manage Preferences” and disable advertising and analytics cookies. Only accept strictly necessary and functional cookies. Browser extensions like “I don’t care about cookies” can auto-reject non-essential cookies, but verify the extension’s own privacy practices too.
The Post-Cookie Future
Google Chrome’s planned deprecation of third-party cookies is forcing the advertising industry to develop alternative tracking methods. Google’s Privacy Sandbox and Topics API propose to replace individual tracking with cohort-based targeting, but privacy advocates argue these still enable significant tracking. The shift away from cookies does not mean the end of tracking; it means tracking will evolve into forms that may be harder to block. Staying informed about these developments and adapting your privacy tools accordingly remains essential.