How Targeted Advertising Tracks You Across Every Site

Every ad-supported page you load triggers an auction that broadcasts your data to hundreds of companies in milliseconds, whether or not any of them ever actually show you an ad. Here's how that auction works, and what courts have said about it.

Published Jul 2, 2026
Updated Jul 2, 2026
12 min read
Share
Diagram of an ad auction broadcasting user data to multiple ad-tech companies in real time

Most explanations of targeted advertising focus on cookies, and cookies are a real part of the picture. But the mechanism doing the heaviest lifting, the one that broadcasts your data to the widest number of companies, the fastest, most continuously, isn't a cookie at all. It's an auction that runs behind almost every ad-supported page you load, and it's been the subject of some of the largest privacy litigation in the world for the better part of a decade.

This covers how that auction actually works, what's happened to it legally, and the newer tracking method built specifically to keep working even when you block everything else.

What is targeted advertising, briefly

Targeted advertising means showing an ad chosen based on something specific about you, your past browsing, your location, your purchase history, rather than a generic ad shown to everyone equally. The appeal to advertisers is straightforward: a more relevant ad is more likely to lead to a sale, which is worth more, which is why an entire industry exists purely to make that targeting as precise as possible.

Retargeting pixels: the part most people already know

The simplest and most familiar mechanism is the retargeting pixel: a small snippet of tracking code (Meta Pixel and Google's remarketing tag are the two most common) that a site embeds, which fires when you visit a page or take an action like adding something to a cart. That event gets tied to your browser through a cookie, and later, on a completely different site, an ad for that same product follows you. It's the mechanism behind the "I looked at one pair of shoes and now I'm followed by them everywhere" experience, and it's genuinely simple compared to what's coming next.

The auction where most of your data actually leaks

Real-time bidding (RTB) is the automated process that decides which specific ad actually appears in an ad slot, run in the fraction of a second between a page starting to load and the ad rendering. To hold that auction, a "bid request" containing data about you, your device, your rough or precise location, the exact page you're on, gets broadcast simultaneously to a long list of ad exchanges and buyers, so each one can decide how much they're willing to pay for the chance to show you an ad.

The part that turned this into one of the largest privacy complaints in Europe's history: every company that receives a bid request gets your data whether or not they win the auction. A single page load can broadcast your information to hundreds or thousands of companies, the vast majority of whom never place a bid and never show you anything, but who received the data anyway.

The scale is difficult to overstate. Research from the Irish Council for Civil Liberties (ICCL), a human rights organization that has spent years documenting the RTB industry, put the annual combined figure for the US and Europe at 178 trillion data broadcasts a year as of its most recent public estimate. A separate 2025 legal filing noted that Google's RTB system alone operates on more than 35 million websites, and roughly three-quarters to over ninety percent of apps on both major mobile platforms.

35M+
websites running Google's RTB system alone
1,600+
companies one major exchange discloses it may share bid data with
178T
estimated annual RTB data broadcasts across the US and Europe

This isn't a fringe complaint. It's been actively litigated in multiple jurisdictions for years, with real, concrete outcomes.

2017
The industry's own admission
In written correspondence to the European Commission, IAB Europe's own CEO acknowledged that real-time bidding was, in the organization's own assessment, likely "incompatible" with GDPR consent requirements, since users can't realistically be informed about every company involved in a given auction.
2022
28 EU regulators rule the consent system illegal
A coalition of European data protection authorities found that IAB Europe's Transparency and Consent Framework (TCF), the system behind the large majority of cookie consent popups across the web, doesn't meet GDPR's legal standard for consent.
2023
Europe's top court upholds the ruling
The Court of Justice of the European Union affirmed that IAB Europe bears legal responsibility for the TCF system under the GDPR.
2024
Oracle shuts down its advertising business
A class action in Northern California over Oracle's RTB data practices resulted in Oracle discontinuing its Oracle Advertising unit entirely and a $115 million settlement.
2025
The appeal fails, and a US complaint targets national security law
Brussels' Markets Court rejected IAB Europe's further appeal of the 2022 ruling. Separately, ICCL and EPIC filed a US complaint arguing Google's RTB broadcasts violate the Protecting Americans' Data from Foreign Adversaries Act, since bid request data reaches companies in adversarial jurisdictions with no way for a user to opt out.
2026
Ireland's first collective-redress class action reaches court
A class action against Microsoft's Xandr RTB system, Ireland's first under the EU's Collective Redress Directive, had a multi-day preliminary hearing at the Irish Commercial Court in June 2026, with a further hearing scheduled to determine next steps.

The 2022 TCF ruling is worth sitting with specifically, since it connects directly back to something almost everyone interacts with daily. If you've ever clicked "Accept" or "Manage Options" on a cookie consent banner, there's a reasonable chance it was built on the exact system a coalition of EU regulators found unlawful. That doesn't retroactively undo anything already collected, but it's a meaningful gap between "you technically clicked accept" and "that consent was legally valid," a distinction covered in more depth in our guide to how cookies actually work.

Server-side tracking: built to survive ad blockers

Everything covered so far happens in your browser, or at least starts there, which means an ad blocker or a strict browser setting has at least a chance of catching it. Server-side tracking doesn't give it that chance.

The shift accelerated sharply after Apple's App Tracking Transparency rollout in 2021 made client-side mobile tracking dramatically harder to do without explicit permission. Meta's response was the Conversions API (CAPI); Google's was Enhanced Conversions. Both work the same way at a conceptual level: when you complete an action on a business's site, a purchase, a signup, that business's own backend server sends a hashed version of your identifying information (typically your email or phone number) directly to the ad platform's servers. No script runs in your browser, no cookie gets set for this specific purpose, and no pixel fires. There's simply no browser-side event for an extension or privacy setting to intercept, because the entire exchange happens server-to-server, after the fact.

How you get matched across sites and devices

A pixel firing on one site and a server-side event on another are only useful to an advertiser if they can be tied to the same person. That's the job of identity resolution, and it happens two main ways. Deterministic matching uses a shared identifier, most often a hashed email address, to directly link activity across different companies with high confidence. Unified ID 2.0, an open industry standard built specifically to work in browsers where third-party cookies are already blocked by default (Safari and Firefox, as covered in our cookies article), is one of the more prominent current versions of this approach. Probabilistic matching works without a shared identifier at all, correlating IP address, device characteristics, and behavioral patterns closely enough to infer, with some confidence level rather than certainty, that two sessions belong to the same person, using signals that overlap heavily with the fingerprinting techniques covered in our browser data exposure guide.

How to actually reduce how much reaches you

No single setting closes every gap described above, since the mechanisms operate at different layers on purpose. A content or ad blocker meaningfully reduces client-side pixels and many RTB calls initiated directly from your browser. Blocking third-party cookies, on by default in Safari and Firefox, weakens deterministic cross-site matching that relies on them. Neither touches server-side tracking, which is a genuinely difficult gap to close from the browser at all; it exists specifically to sit outside what browser-level tools can see. Reducing how much data any single site collects from you in the first place, rather than trying to intercept it in transit, is the more durable strategy against that particular piece.

Frequently Asked Questions

Not as a category, no. Showing someone an ad based on general interest data isn't inherently unlawful anywhere it's commonly practiced. What has been ruled unlawful, repeatedly, by EU regulators and courts, is the specific mechanism much of today's targeted advertising runs on: broadcasting detailed personal data to a wide, effectively unaccountable list of companies without a legally valid form of consent. That's a narrower target than "advertising" as a whole, but it covers the system underneath most of the ads you actually see.

It stops a meaningful chunk, not all of it. A good ad blocker prevents tracking pixels and many third-party scripts from loading in your browser in the first place, which covers a large share of client-side tracking. It does nothing about server-side tracking, covered below, where a business's own server sends your data directly to an ad platform's servers without any script running in your browser at all. There's simply nothing client-side to block in that case.

It's the automated auction that decides which ad you see on a page, run in the fraction of a second between a page starting to load and the ad actually appearing. To run that auction, information about you, your rough location, device, and often the exact page you're on, gets sent to a wide list of ad companies simultaneously so they can each decide how much to bid for the chance to show you an ad. The catch: every company that receives that broadcast gets the data whether or not they win the auction, which is the part that's drawn the most scrutiny.

Yes, on more than one front. In February 2022, 28 EU data protection authorities found that IAB Europe's TCF consent-popup system, the basis for the large majority of cookie banners across the web, violates the GDPR; the Court of Justice of the EU upheld that finding in 2023, and Brussels' Markets Court rejected IAB Europe's further appeal in May 2025. Separately, a class action in Northern California against Oracle over its RTB data practices resulted in Oracle shutting down its entire advertising business unit and a $115 million settlement. As of mid-2026, Ireland's first class action under the EU's Collective Redress Directive, targeting Microsoft's Xandr RTB system, is actively in front of the Irish Commercial Court.

Server-side tracking is when a business's own backend server sends customer data (usually a hashed email address or phone number) directly to an ad platform's servers, like Meta's Conversions API or Google's Enhanced Conversions, entirely outside your browser. A browser extension can only block things that happen in your browser: scripts, pixels, cookies, requests your browser initiates. If the data transfer happens server-to-server, after you've already submitted a form or completed a purchase, there's no browser-side event for an extension to intercept. It's a direct response to the effectiveness of ad and cookie blockers, and it's a large part of why blocking tools alone stopped being sufficient sometime around 2021.