Most explanations of targeted advertising focus on cookies, and cookies are a real part of the
picture. But the mechanism doing the heaviest lifting, the one that broadcasts your data to the
widest number of companies, the fastest, most continuously, isn't a cookie at all. It's an
auction that runs behind almost every ad-supported page you load, and it's been the subject of
some of the largest privacy litigation in the world for the better part of a decade.
This covers how that auction actually works, what's happened to it legally, and the newer
tracking method built specifically to keep working even when you block everything else.
What is targeted advertising, briefly
Targeted advertising means showing an ad chosen based on something specific about you, your past browsing, your location, your purchase history, rather than a generic ad shown to everyone equally. The appeal to advertisers is straightforward: a more relevant ad is more likely to lead to a sale, which is worth more, which is why an entire industry exists purely to make that targeting as precise as possible.
Retargeting pixels: the part most people already know
The simplest and most familiar mechanism is the retargeting pixel: a small snippet of tracking code (Meta Pixel and Google's remarketing tag are the two most common) that a site embeds, which fires when you visit a page or take an action like adding something to a cart. That event gets tied to your browser through a cookie, and later, on a completely different site, an ad for that same product follows you. It's the mechanism behind the "I looked at one pair of shoes and now I'm followed by them everywhere" experience, and it's genuinely simple compared to what's coming next.
The auction where most of your data actually leaks
Real-time bidding (RTB) is the automated process that decides which specific ad actually appears in an ad slot, run in the fraction of a second between a page starting to load and the ad rendering. To hold that auction, a "bid request" containing data about you, your device, your rough or precise location, the exact page you're on, gets broadcast simultaneously to a long list of ad exchanges and buyers, so each one can decide how much they're willing to pay for the chance to show you an ad.
The part that turned this into one of the largest privacy complaints in Europe's history: every company that receives a bid request gets your data whether or not they win the auction. A single page load can broadcast your information to hundreds or thousands of companies, the vast majority of whom never place a bid and never show you anything, but who received the data anyway.
The scale is difficult to overstate. Research from the Irish Council for Civil Liberties (ICCL), a human rights organization that has spent years documenting the RTB industry, put the annual combined figure for the US and Europe at 178 trillion data broadcasts a year as of its most recent public estimate. A separate 2025 legal filing noted that Google's RTB system alone operates on more than 35 million websites, and roughly three-quarters to over ninety percent of apps on both major mobile platforms.
What regulators and courts have done about it
This isn't a fringe complaint. It's been actively litigated in multiple jurisdictions for years, with real, concrete outcomes.
The 2022 TCF ruling is worth sitting with specifically, since it connects directly back to something almost everyone interacts with daily. If you've ever clicked "Accept" or "Manage Options" on a cookie consent banner, there's a reasonable chance it was built on the exact system a coalition of EU regulators found unlawful. That doesn't retroactively undo anything already collected, but it's a meaningful gap between "you technically clicked accept" and "that consent was legally valid," a distinction covered in more depth in our guide to how cookies actually work.
Server-side tracking: built to survive ad blockers
Everything covered so far happens in your browser, or at least starts there, which means an ad blocker or a strict browser setting has at least a chance of catching it. Server-side tracking doesn't give it that chance.
The shift accelerated sharply after Apple's App Tracking Transparency rollout in 2021 made client-side mobile tracking dramatically harder to do without explicit permission. Meta's response was the Conversions API (CAPI); Google's was Enhanced Conversions. Both work the same way at a conceptual level: when you complete an action on a business's site, a purchase, a signup, that business's own backend server sends a hashed version of your identifying information (typically your email or phone number) directly to the ad platform's servers. No script runs in your browser, no cookie gets set for this specific purpose, and no pixel fires. There's simply no browser-side event for an extension or privacy setting to intercept, because the entire exchange happens server-to-server, after the fact.
How you get matched across sites and devices
A pixel firing on one site and a server-side event on another are only useful to an advertiser if they can be tied to the same person. That's the job of identity resolution, and it happens two main ways. Deterministic matching uses a shared identifier, most often a hashed email address, to directly link activity across different companies with high confidence. Unified ID 2.0, an open industry standard built specifically to work in browsers where third-party cookies are already blocked by default (Safari and Firefox, as covered in our cookies article), is one of the more prominent current versions of this approach. Probabilistic matching works without a shared identifier at all, correlating IP address, device characteristics, and behavioral patterns closely enough to infer, with some confidence level rather than certainty, that two sessions belong to the same person, using signals that overlap heavily with the fingerprinting techniques covered in our browser data exposure guide.
How to actually reduce how much reaches you
No single setting closes every gap described above, since the mechanisms operate at different layers on purpose. A content or ad blocker meaningfully reduces client-side pixels and many RTB calls initiated directly from your browser. Blocking third-party cookies, on by default in Safari and Firefox, weakens deterministic cross-site matching that relies on them. Neither touches server-side tracking, which is a genuinely difficult gap to close from the browser at all; it exists specifically to sit outside what browser-level tools can see. Reducing how much data any single site collects from you in the first place, rather than trying to intercept it in transit, is the more durable strategy against that particular piece.