What Is Web Tracking?
Web tracking is the practice of collecting, storing, and analyzing data about a user's browsing behavior across one or more websites. When you load a page, your browser transmits dozens of data points to the site and to third-party services embedded within it - your IP address, browser type, operating system, screen resolution, referring page, language settings, and more. These data points are collected and combined to build a profile of your interests, habits, and identity.
The scale of web tracking is difficult to overstate. A 2024 study by Mozilla found that the median news website loads over 30 third-party trackers per page. A single page view on a major site can trigger data collection by dozens of separate companies before the content even finishes rendering. The tracking ecosystem operates largely invisible to the user - no pop-up announces that a demand-side platform just recorded your visit, or that a data broker added your session to a behavioral profile.
Not all web tracking is malicious. First-party analytics help site owners understand what content resonates with their audience and identify technical issues. Conversion tracking lets e-commerce sites measure whether their advertising spend is generating sales. But the same infrastructure that powers legitimate analytics also powers mass surveillance of browsing habits for advertising, insurance profiling, and political microtargeting.
First-Party vs Third-Party Cookies
Cookies remain the most widespread tracking mechanism on the web. A cookie is a small text file that a website stores in your browser. On subsequent visits, the browser sends the cookie back to the server, allowing the site to recognize you. This is how shopping carts remember your items, how login sessions persist across pages, and how sites remember your language preference.
A first-party cookie is set by the domain you are actively visiting. If you visit example.com and it sets a cookie, that is a first-party cookie. These are generally considered benign and are essential for basic web functionality.
A third-party cookie is set by a domain different from the one you are visiting. If you visit example.com and a script from doubleclick.net (a Google advertising domain) sets a cookie in your browser, that is a third-party cookie. The critical difference is that when you navigate to another site that also embeds a DoubleClick script, that third-party cookie is sent along, allowing DoubleClick to connect your visit to example.com with your visit to the next site. Over time, this builds a cross-site profile of your browsing history.
Major browsers have been phasing out third-party cookies. Safari began blocking them by default in 2020, Firefox followed with Enhanced Tracking Protection, and Chrome's Privacy Sandbox initiative, which began deprecating third-party cookies in early 2026, aims to eliminate them entirely. But the tracking industry has responded by developing alternative methods that do not rely on cookies at all.
Browser Fingerprinting
Browser fingerprinting is a stateless tracking technique that does not require storing anything on your device. Instead, it collects a set of characteristics about your browser and system configuration that, when combined, form a unique identifier - a fingerprint. The Electronic Frontier Foundation's Cover Your Tracks project demonstrated that 81 percent of browsers have a unique fingerprint when tested with common identifying attributes.
The attributes used for fingerprinting include: installed fonts, screen resolution and color depth, timezone, language, installed browser plugins, canvas rendering output, WebGL renderer, audio context processing, device memory, CPU cores, touch support, and HTTP header characteristics. A fingerprinting script typically collects 15 to 30 of these attributes and hashes them into an identifier that remains consistent across browsing sessions on the same device.
Canvas fingerprinting is among the most persistent techniques. The browser is instructed to render an invisible text string using WebGL or Canvas 2D APIs. The exact pixel output depends on subtle hardware and driver differences - the graphics card, the anti-aliasing implementation, the display driver version. Two different computers rendering the exact same text in the exact same font will produce slightly different pixel patterns. This difference can be measured and used as a stable identifier that resists clearing cookies or browsing in incognito mode.
Tracking Pixels and Web Beacons
A tracking pixel is a 1x1 transparent image embedded in a web page or email. When the browser loads the image, it makes an HTTP request to the tracking server, which records the event. Pixels are extremely simple - just an <img> tag with a special URL - but they carry rich data through query parameters embedded in the URL itself.
Email tracking pixels are one of the most common applications. When you open an email, the pixel request tells the sender your IP address, the timestamp of the open, your email client, and whether your device is mobile or desktop. Marketing automation platforms like Mailchimp and HubSpot enable this by default for every campaign. Email clients that block image loading by default, such as Apple Mail with privacy protection enabled, prevent pixel firing at the moment of open.
On websites, tracking pixels are used for conversion measurement, retargeting, and audience segmentation. Facebook's pixel, Google Ads conversion tracking, and LinkedIn's Insight Tag are all examples. These pixels fire on specific pages - a "Thank You" page after a purchase, a signup confirmation page - and report the event back to the advertising platform, linking the conversion back to the ad that drove it.
Web Analytics and Session Recording
Web analytics platforms like Google Analytics, Plausible, and Fathom provide website owners with aggregated data about their visitors: page views, bounce rates, traffic sources, popular content, and user geography. Legitimate analytics are essential for running a website effectively. The key distinction is whether the analytics platform respects user privacy by anonymizing data, avoiding cross-site tracking, and providing clear opt-out mechanisms.
A more invasive layer is session recording software like Hotjar, CrazyEgg, and FullStory. These tools record every mouse movement, scroll, click, and keystroke on a page and replay them as a video of the session. When combined with form data capture, they can record text typed into forms before submission - including information that the user ultimately decided not to submit. Session replay recordings are frequently used for UX research and conversion optimization but raise significant privacy concerns, especially when deployed on pages collecting sensitive information.
Heat mapping services overlay aggregate mouse and scroll data onto page designs to show where users look, click, and abandon. While less invasive than full session recording, heat maps still typically require embedding a JavaScript snippet that collects behavioral data from every visitor who loads the page.
Who Is Tracking You?
The web tracking ecosystem includes several categories of actors, each with different goals and data collection practices. Advertising networks and demand-side platforms build behavioral profiles from cross-site tracking to serve targeted ads. Google's advertising business alone collects data from millions of partner sites through Google Ads, Google Analytics, and DV360. Facebook's pixel tracks users across the web to enable ad targeting and retargeting based on actions taken on non-Facebook sites.
Data brokers like Acxiom, Oracle Data Cloud, and Lotame aggregate tracking data from multiple sources to build comprehensive consumer profiles that are sold to marketers, financial services, and insurance companies. These profiles often include inferred demographic data, purchase intent signals, and behavioral segment membership that the tracked individual has no way to review or correct.
Social media widgets - share buttons, embedded tweet timelines, and "Like" buttons - create tracking opportunities even when the user does not interact with them. If a page embeds a Facebook Like button, Facebook receives a request from your browser any time you load that page, regardless of whether you click the button. This is how Facebook tracks browsing activity of non-Facebook users who have never created an account.
Why Web Tracking Matters
The consequences of pervasive web tracking extend beyond receiving targeted advertisements. Behavioral profiles built from browsing data are used in insurance risk assessment, credit scoring, employment screening, and housing opportunity evaluations. A 2023 Federal Trade Commission report found that several data brokers offered marketing lists explicitly based on health conditions, financial distress, and other sensitive attributes inferred from browsing behavior.
Tracking also facilitates price discrimination. Online travel booking sites, retail platforms, and service providers have been shown to present different prices to users based on their device type, browsing history, and inferred willingness to pay. The same hotel room on the same date can appear at different prices to two different users based on their tracked data profiles.
Beyond individual harm, the tracking ecosystem creates structural privacy risk. Large databases of browsing behavior are attractive targets for data breaches, law enforcement requests, and government surveillance programs. When a data broker collects data on millions of users and stores it indefinitely, a single breach exposes the browsing history and inferred characteristics of an entire population.
How to Protect Yourself
Combating web tracking requires a layered approach. No single tool or setting blocks all tracking methods, but combining several strategies can dramatically reduce your exposure. Enabling Do Not Track in your browser sends a signal to websites requesting that they not track you. In practice, most trackers ignore this signal entirely since it is voluntary. A more effective approach is to use browser-level tracking protection like Firefox's Enhanced Tracking Protection, which blocks known trackers, cryptominers, and fingerprinting scripts by default.
Installing tracker-blocking extensions such as uBlock Origin, Privacy Badger, or Ghostery neutralizes a wide range of tracking scripts. These extensions maintain block lists of known tracker domains and prevent those scripts from loading at all. Combined with a dedicated content blocker, this approach blocks the vast majority of third-party tracking requests before the browser makes them.
FocusGuard, while primarily a website blocker and time management tool, contributes to a focused browsing environment by reducing the number of open tabs and background processes that can be exploited by trackers. When you spend less time on sites designed to capture and sell your attention data, you naturally reduce your exposure to the tracking infrastructure embedded in those sites.
Regularly clearing cookies and cached data prevents long-term profile accumulation from cookie-based tracking. However, this does not defeat fingerprinting - that requires more advanced browser protections or a dedicated anti-fingerprinting extension. Using a privacy-focused browser like Brave or Firefox with strict privacy settings provides the strongest baseline, as these browsers actively resist fingerprinting techniques at the rendering engine level.