The short version

No single company is following you around the internet. What's actually happening is a shared infrastructure: thousands of unrelated sites all load the same handful of advertising and analytics scripts, and those scripts recognize you as the same person across every one of them, then sell access to that recognition to whoever wants to show you an ad. The methods for doing that recognition have changed a lot as browsers closed off the old ones, and the current picture is genuinely different from what most privacy explainers still describe.

Cookies and fingerprinting: the old guard

Third-party cookies were the original mechanism, and they still work in a default Chrome window, though Safari and Firefox block them outright and Chrome itself walked back its plan to do the same — we cover that history in our cookies guide. Browser fingerprinting fills the gap where cookies get blocked, identifying your device from characteristics like your fonts, GPU, and screen configuration rather than anything stored on your device at all, which is why it keeps working in browsers that have eliminated third-party cookies entirely; the mechanics are in our browser data guide, and you can see your own device's exposure with our fingerprint test. Both of these are old news to anyone who's read up on this topic before. What's changed is what's replaced them as the primary tools.

Identity resolution: matching you by hashed email

The advertising industry's response to losing cookies wasn't to find a cookie replacement, it was to stop needing one.

How hashed-email matching works

When you enter your email address on any site — creating an account, subscribing to a newsletter, checking out as a guest — that email can be run through a one-way hash function and matched against the same hashed email collected by other companies, without any of them ever sharing your actual email address with each other. Two sites can confirm "this is the same person" purely by comparing hashes, which is exactly the kind of cross-site matching cookies used to provide, except it survives cookie blocking, private browsing, and even switching devices entirely, since your email is the same everywhere you type it.

Why it defeats the usual privacy fixes

This is the technical foundation behind what the industry calls "identity resolution," and it's a large part of why deleting cookies and using a VPN can still leave you seeing eerily specific ads: none of that touches an identifier built from something you typed into a form.

Real-time bidding: the leak nobody talks about

This is the mechanism most privacy content skips entirely, and it's arguably the biggest one. Nearly every ad you see on the web was placed through a real-time auction that runs in the milliseconds between a page starting to load and the ad actually appearing. To run that auction, the ad exchange packages up what it knows about you into something called a bid request, and broadcasts it to every company that might want to bid on showing you an ad — not just the one that eventually wins.

What's actually in a bid request

Investigated by UK and Irish regulators

Investigations by the UK's Information Commissioner's Office and the Irish Council for Civil Liberties found bid requests routinely carrying your IP address, precise GPS location, device identifiers, and inferred interest and demographic categories — sent to hundreds of companies per auction, whether or not they end up winning the bid. The FTC's 2024 case against data broker Mobilewalla centered on exactly this: the company was accused of harvesting and retaining data from auctions it lost, despite exchange rules explicitly prohibiting that.

The losing-bidder problem

The privacy problem isn't really the winning bidder, who at least has a documented reason to have your data. It's the hundreds of losing bidders who received the same profile anyway, with essentially no technical mechanism stopping them from keeping it. Regulators have flagged this for years without a resolution that actually reduces how much gets broadcast — the IAB's own real-time bidding standard has historically allowed hundreds of distinct data fields in a single bid request.

Why one product follows you everywhere

Retargeting is the specific, visible symptom people usually mean when they ask how this works: you look at a pair of shoes once, and then that exact pair follows you across news sites and social feeds for a week. The mechanism is simple once you see the rest of the picture. The retailer's site fires a small tracking pixel when you view the product, tagging your identifier (whether that's a cookie, a fingerprint, or a hashed email match) with "viewed product #4471." That tag gets picked up by the same ad exchange infrastructure described above, and any site running ads from that exchange can now win an auction to show you an ad for product #4471 specifically, because the exchange already knows you looked at it.

Mobile is a different game

Apps don't have cookies, so mobile tracking historically relied on a device-level advertising identifier — IDFA on iOS, GAID on Android — that apps could read and share with each other freely. Apple's App Tracking Transparency, introduced in 2021, changed that by requiring an explicit permission prompt before an app can access the IDFA at all, and most people, when actually asked, said no. That single interface change did more to disrupt mobile ad tracking than any browser cookie policy has managed on the web, precisely because it required a real opt-in rather than defaulting to on. Android has moved more slowly toward the same model, and cross-app tracking there still leans more heavily on the device identifier by default. We cover how apps read your location specifically in our app location tracking guide.

Server-side tracking: the newest workaround

This is the current frontier, and it's a direct response to browsers and ad blockers getting better at stopping client-side tracking. Instead of a tracking pixel running in your browser, where it can be blocked by an extension or restricted by the browser itself, a growing number of sites now send the same conversion event — "this visitor made a purchase" — directly from their own server to the advertiser's server, with your browser never involved in that specific transmission at all. Meta's Conversions API and Google's Enhanced Conversions both work this way. A tracker blocker can't stop a request it never sees, which is exactly the point: server-side tracking exists specifically to be invisible to the privacy tools built to catch the client-side version.

What actually helps

Given how much of this has moved server-side or off cookies entirely, the most effective steps aren't purely technical anymore.

  • Run a tracker-blocking extension — still stops a real portion of client-side tracking and fingerprinting scripts, and remains worth using. Check what your current browser exposes with our browser fingerprint test.
  • Turn off ad personalization in your Google and Meta account settings — does something a browser tool can't: it tells those companies not to use the profile they already have, which matters more now that so much of the profile-building has moved outside the browser's reach.
  • Use a unique or aliased email address for accounts you don't fully trust — breaks the specific hashed-email matching described above, since a different email hash can't be linked back to your main identity.

None of these fully closes the gap on their own, which is really the honest state of this problem in 2026: no single setting fixes it, because no single mechanism is doing the tracking anymore.

Frequently asked questions

If I clear my cookies and use a VPN, am I no longer trackable?

No, not for cross-site ad tracking specifically. Clearing cookies and hiding your IP addresses the two oldest tracking methods, but doesn't touch:

  • Browser fingerprinting, which doesn't rely on cookies or your IP
  • Hashed-email matching, which follows you across devices the moment you type the same email into a new site
  • Server-side conversion tracking, which your browser isn't even involved in
Is real-time bidding actually legal?

It operates in a genuinely contested legal space. Regulators including the UK's ICO and Ireland's Data Protection Commission have investigated it specifically over consent and data-broadcast concerns, and a 2026 proposed settlement involving Google's RTB system points toward more oversight, but no wholesale ban or redesign of the system has been enforced as of this writing.

Why do I still see targeted ads even with a strict ad blocker?

Server-side tracking is the most likely reason. If a site sends your purchase or signup directly from its own server to an advertiser's server, a browser-based ad blocker never sees that request and has nothing to block.

Sources

PrivacyTestLab logo

Written by PrivacyTestLab

This guide draws on regulatory findings from the ICO and FTC on real-time bidding, Apple's own App Tracking Transparency documentation, and current vendor documentation for server-side conversion tracking, rather than repeating the cookie-centric explanations most tracking guides stop at.