
Understanding Cookies, Trackers, and Online Profiling

Every time you browse the web, invisible technologies track your movements and behaviors. Cookies store data on your device to remember logins and shopping carts, while third-party trackers follow you across websites to build interest profiles. When you search for running shoes on one site and see shoe ads on different websites, that’s third-party tracking at work. Beyond cookies, browser fingerprinting identifies your device through screen resolution, fonts, and browser version—tracking you even with cookies blocked. Online profiling combines this data for targeted advertising, price discrimination, and personalization. While GDPR and CCPA require consent, understanding tracking mechanisms and implementing browser protections remains essential for digital privacy in 2025.

What Are Cookies and How Do They Work?

Cookies are small text files that websites store on your device when you visit them. These files contain data that helps websites remember information about your visit, making your browsing experience more convenient and personalized. When you return to a website, it reads the cookie to recognize you and recall your preferences.

The technology originated in 1994 when Lou Montulli created cookies to solve the problem of maintaining state in the stateless HTTP protocol.

Common Uses of Cookies:

  • Authentication: Keep you logged into accounts like Gmail, Facebook, or online banking without requiring re-login every time you visit
  • Shopping carts: Remember items you’ve added while browsing an e-commerce site like Amazon or eBay
  • Personalization: Store language preferences, currency settings, and display options for sites like news portals or streaming services
  • Form auto-fill: Remember information you’ve previously entered to speed up checkout processes or form submissions
  • Analytics: Track how users navigate websites to improve design and functionality
  • Behavioral tracking: Monitor your browsing habits across multiple sessions to build interest profiles

However, not all cookies serve benign purposes. While some are essential for website operation, others track your behavior across the internet to build detailed profiles of your interests, demographics, and online activities. According to Cookiebot, cookies can be categorized by their lifespan (session vs. persistent) and their origin (first-party vs. third-party), with each type having different implications for privacy.

Cookie Types by Lifespan:

  • Session cookies: Temporary cookies that expire when you close your browser—used for shopping carts and form data
  • Persistent cookies: Remain on your device for a set period (days, months, or years)—used for login persistence and long-term tracking

First-Party vs. Third-Party Cookies: Understanding the Difference

The distinction between first-party and third-party cookies is crucial for understanding online tracking and privacy implications.

First-Party Cookies

First-party cookies are created and stored by the website you’re actively visiting. These cookies are generally considered more privacy-friendly because they only function on that specific domain.

Real-world examples of first-party cookie use:

  • Banking websites: When you log into Chase.com, a first-party cookie remembers your authentication so you don’t need to log in again during your session
  • E-commerce sites: Target.com uses first-party cookies to keep items in your cart as you browse different product categories
  • News websites: The New York Times stores your subscription status and article preferences using first-party cookies
  • Streaming services: Netflix uses first-party cookies to remember your playback position and viewing preferences

Third-Party Cookies

Third-party cookies, conversely, are created by domains other than the one you’re visiting—typically by advertising networks, analytics companies, and social media platforms. As noted by Termly, these cookies can track users across multiple websites, creating cross-site profiles of browsing behavior.

Real-world examples of third-party tracking:

  • Remarketing campaigns: You browse hiking boots on REI.com, then see ads for those exact boots on weather.com, CNN.com, and your Facebook feed—this is third-party cookie tracking by advertising networks like Google Ads
  • Social media widgets: When you visit a blog with Facebook “Like” buttons or Twitter share widgets, those platforms drop third-party cookies that track which sites you visit, even if you never click the buttons
  • Analytics tracking: Google Analytics cookies on thousands of websites track your browsing patterns across the entire web, creating a comprehensive profile of your interests
  • Advertising networks: DoubleClick (owned by Google) places cookies on millions of websites, following you from travel sites to news portals to shopping platforms
  • Cross-site profiling: You research symptoms on WebMD, then visit insurance comparison sites—health insurance companies may use third-party tracking data to adjust your quotes based on perceived health risks

The tracking capability of third-party cookies enables advertisers to serve remarketing ads—those eerily relevant advertisements that follow you around the internet after you’ve shown interest in a product. This cross-site tracking has raised significant privacy concerns, leading major browsers to implement restrictions. In 2024, Google began testing Tracking Protection features to restrict third-party cookies in Chrome, though the complete phase-out has been repeatedly delayed due to industry pushback.
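The two classifications described above (session vs. persistent, first-party vs. third-party) can be read directly from the Set-Cookie headers a page load produces. The following is an added example, not code from the original article; the host names, cookie values and the two-label registrableDomain() shortcut are assumptions made for illustration.

```javascript
// Added example: classify Set-Cookie headers seen while loading one page.
// ASSUMPTION: registrableDomain() keeps only the last two labels of a host.
// Browsers use the Public Suffix List, so "example.co.uk" would need more.
function registrableDomain(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

// Split "name=value; Attr=val; Flag" into a name, a value and an attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const item of rest) {
    if (item === "") continue;
    const i = item.indexOf("=");
    const key = (i === -1 ? item : item.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : item.slice(i + 1).trim();
  }
  const name = eq === -1 ? "" : pair.slice(0, eq);
  return { name, value: pair.slice(eq + 1), attrs };
}

function classifyCookie(header, responseHost, pageHost, now) {
  const { name, attrs } = parseSetCookie(header);
  // Lifespan: Max-Age takes precedence over Expires; neither means "session".
  let expiry = null;
  if (typeof attrs["max-age"] === "string" && /^-?\d+$/.test(attrs["max-age"])) {
    expiry = new Date(now.getTime() + Number(attrs["max-age"]) * 1000);
  } else if (typeof attrs.expires === "string") {
    const parsed = new Date(attrs.expires);
    if (!Number.isNaN(parsed.getTime())) expiry = parsed; // unparseable: ignore
  }
  let lifespan = "session";
  if (expiry !== null) lifespan = expiry <= now ? "deleted" : "persistent";
  const days = lifespan === "persistent" ? Math.round((expiry - now) / 86400000) : 0;
  // Party: compare the cookie's owning domain with the page in the address bar.
  const owner = typeof attrs.domain === "string" ? attrs.domain : responseHost;
  const party =
    registrableDomain(owner) === registrableDomain(pageHost) ? "first-party" : "third-party";
  return { name, lifespan, days, party };
}

// Constructed sample: responses observed while visiting www.shop.example.
const NOW = new Date("2025-01-01T00:00:00Z");
const PAGE_HOST = "www.shop.example";
const observed = [
  { host: "www.shop.example", header: "cart=abc123; Path=/; HttpOnly" },
  { host: "www.shop.example", header: "login=tok; Max-Age=2592000; Domain=shop.example; Secure" },
  { host: "ads.tracker.example",
    header: "uid=9f8e7d; Expires=Thu, 01 Jan 2026 00:00:00 GMT; SameSite=None; Secure" },
  { host: "ads.tracker.example", header: "old=; Max-Age=0" },
];

function auditCookies(list, pageHost, now) {
  return list.map(({ host, header }) => classifyCookie(header, host, pageHost, now));
}

console.table(auditCookies(observed, PAGE_HOST, NOW));
```

A long-lived third-party row such as `uid` is the combination the article associates with cross-site tracking; the `cart` row is the short-lived first-party kind a site needs in order to function.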

Beyond Cookies: Advanced Tracking Technologies

As browsers have implemented cookie restrictions, tracking companies have developed more sophisticated techniques that don’t rely on cookies at all.

Browser Fingerprinting

Browser fingerprinting is the most prominent cookieless tracking method. This technique collects information about your device and browser configuration to create a unique “fingerprint” that can identify you across websites. According to BitSight, digital fingerprinting captures dozens of data points to create a unique identifier.

Data points collected for fingerprinting:

  • Screen resolution and color depth: Your monitor’s pixel dimensions (e.g., 1920×1080) and bit depth
  • Installed fonts: The specific set of fonts available on your system creates a unique signature
  • Browser version and type: Chrome 120.0.6099.71 vs. Firefox 121.0 vs. Safari 17.2
  • Operating system: Windows 11, macOS Sonoma, Linux Ubuntu, Android, iOS
  • Language and timezone settings: English (US), UTC-5, keyboard layout
  • Installed plugins and extensions: Flash, PDF viewers, ad blockers visible to sites
  • Graphics card information: WebGL renderer details that are unique to your GPU
  • Audio and video codecs: Which media formats your browser can play
  • Hardware concurrency: Number of CPU cores available to the browser
  • Canvas rendering: How your specific hardware renders graphics elements

Research from Texas A&M University provided the first comprehensive evidence of widespread browser fingerprinting for online tracking in 2025. The study found that many websites now employ fingerprinting as their primary tracking method, rendering traditional cookie-blocking tools less effective.
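To see why a handful of ordinary-looking data points is enough to single out one browser, the added example below (not part of the original article) measures how identifying each attribute is within a small constructed population, then repeats the measurement after every visitor reports the same normalized values. The visitor records, attribute names and the normalize() policy are hypothetical.

```javascript
// Added example: how fingerprint attributes combine into a unique identifier.
// Constructed sample: values reported by eight hypothetical visitors.
const visitors = [
  { screen: "1920x1080", timezone: "UTC-5", fonts: "setA", cores: 8 },
  { screen: "1920x1080", timezone: "UTC-5", fonts: "setB", cores: 4 },
  { screen: "1920x1080", timezone: "UTC+1", fonts: "setB", cores: 8 },
  { screen: "1920x1080", timezone: "UTC+1", fonts: "setA", cores: 4 },
  { screen: "2560x1440", timezone: "UTC-5", fonts: "setB", cores: 8 },
  { screen: "2560x1440", timezone: "UTC+1", fonts: "setA", cores: 4 },
  { screen: "1366x768", timezone: "UTC-5", fonts: "setA", cores: 8 },
  { screen: "1366x768", timezone: "UTC+1", fonts: "setB", cores: 4 },
];

// Bits of identifying information carried by one attribute value:
// log2(population / visitors sharing that value). Rarer values score higher.
function surprisalBits(population, attr, value) {
  const sharing = population.filter((v) => v[attr] === value).length;
  return Math.log2(population.length / sharing);
}

// Number of visitors whose values match the target on every listed attribute.
function anonymitySet(population, target, attrs) {
  return population.filter((v) => attrs.every((a) => v[a] === target[a])).length;
}

function report(population, target) {
  const attrs = Object.keys(target);
  const perAttribute = {};
  for (const a of attrs) perAttribute[a] = surprisalBits(population, a, target[a]);
  const set = anonymitySet(population, target, attrs);
  return {
    perAttribute,
    anonymitySet: set,
    combinedBits: Math.log2(population.length / set),
    unique: set === 1,
  };
}

// Hypothetical mitigation: everyone reports the same timezone, fonts and cores,
// so only the screen size still separates visitors from one another.
function normalize(v) {
  return { screen: v.screen, timezone: "UTC", fonts: "bundled", cores: 2 };
}

const target = visitors[4];
const before = report(visitors, target);
const normalized = visitors.map(normalize);
const after = report(normalized, normalized[4]);

console.log("before:", before);
console.log("after normalization:", after);
```

No single attribute of the target visitor is rare (two to four others share each value), yet the combination matches only that visitor; after normalization the same visitor hides in a group of two.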

Other Advanced Tracking Techniques:

  • Canvas fingerprinting: Uses HTML5 canvas elements to detect tiny rendering differences between devices—trackers ask your browser to draw invisible images and measure pixel-level variations caused by your specific hardware and software combination
  • WebRTC leaks: Exposes your real IP address even when using VPNs by exploiting browser communication protocols—websites can discover your location and ISP despite VPN protection
  • Supercookies and zombie cookies: Stored in browser cache, Flash storage, or HTML5 local storage; these are harder to delete than regular cookies and can automatically recreate themselves after deletion
  • ETags (Entity Tags): Web servers assign unique identifiers to cached files, turning normal browser caching into a tracking mechanism
  • Behavioral biometrics: Tracks how you type (keystroke dynamics), move your mouse, scroll pages, and interact with interfaces—your unique patterns of behavior create an identifiable signature
  • Battery status tracking: Some websites access your device’s battery level and charging status to create tracking identifiers
  • Ultrasonic cross-device tracking: Mobile apps emit inaudible ultrasonic beacons that can be picked up by other devices to link your smartphone, laptop, and tablet together

Real-world fingerprinting examples:

  • Fraud detection: Banks use fingerprinting to detect if someone is logging into your account from an unfamiliar device
  • Ad networks: Companies like Oracle’s BlueKai use fingerprinting to continue tracking users who have deleted cookies
  • Paywall circumvention detection: News sites like The Wall Street Journal use fingerprinting to detect when users open articles in incognito mode to bypass article limits

The Electronic Frontier Foundation’s Cover Your Tracks tool allows you to test how unique and identifiable your browser fingerprint is, revealing how easily you can be tracked even without cookies.

Online Profiling and Behavioral Targeting

Online profiling combines data from cookies, trackers, and fingerprinting to create comprehensive behavioral profiles. These profiles go far beyond simple demographic information to include your interests, purchasing intent, political views, health concerns, financial status, and even emotional vulnerabilities.

How Online Profiling Works:

The profiling process works through continuous data collection:

  • Websites visited: Every page view is logged, from news articles to product pages
  • Search queries: Your Google searches, Amazon product searches, and site-specific searches build interest profiles
  • Content engagement: Which articles you read, videos you watch, and how long you engage with content
  • Shopping behavior: Products browsed, items added to cart, abandoned purchases, completed transactions
  • Social interactions: Likes, shares, comments, and connections on social platforms
  • Location data: IP addresses, GPS coordinates, and location-tagged content reveal where you live, work, and travel
  • Time patterns: When you’re online, how long you stay, and your browsing rhythms

Third-party data brokers aggregate this information across hundreds or thousands of websites, creating detailed dossiers that are bought and sold in real-time advertising auctions. Cyber Protection Magazine notes that online trackers can easily link historical browsing data to real identities using various methods including email addresses, social media logins, and cross-device tracking.

Real-World Implications and Examples:

  • Dynamic pricing (price discrimination): Airlines like Orbitz were found showing Mac users more expensive hotel options than PC users, assuming higher income levels. Online retailers adjust prices based on your browsing history, location, and perceived willingness to pay
  • Filter bubbles and echo chambers: Facebook’s algorithm shows you content matching your existing views while hiding opposing perspectives, reinforcing political polarization. YouTube’s recommendation algorithm can radicalize users by progressively suggesting more extreme content
  • Discriminatory targeting: ProPublica revealed that Facebook allowed advertisers to exclude certain races from seeing housing ads, violating fair housing laws. Job ads for high-paying positions were shown predominantly to men rather than women
  • Insurance risk assessment: Life insurance companies purchase data about your online behavior—frequent visits to health websites or searches for symptoms could raise premiums or lead to coverage denial
  • Political manipulation: The Cambridge Analytica scandal revealed how profiles of 87 million Facebook users were used to target voters with personalized political messaging during the 2016 US presidential election
  • Credit and lending decisions: Some lenders use browsing behavior and social media activity to assess creditworthiness—even if you’ve never visited their website
  • Employment screening: Employers and recruiters purchase consumer profiles that include your interests, purchasing patterns, and online behavior to screen job candidates
  • Targeted scams: Fraudsters buy profiles of vulnerable populations (elderly, financially stressed, lonely) to target them with specific scams matching their interests and circumstances

The sophistication of modern profiling means that advertisers often know more about you than your close friends do, creating significant power imbalances between corporations and individuals.

Privacy Regulations: GDPR, CCPA, and Cookie Consent

Growing privacy concerns have led to landmark regulations requiring transparency and consent for tracking technologies.

The General Data Protection Regulation (GDPR)

The GDPR, implemented in the European Union in 2018, established strict requirements for cookie consent. According to GDPR.eu, consent must be freely given, specific, informed, and unambiguous.

GDPR requirements:

  • Explicit opt-in consent: Users must actively agree before non-essential cookies are set—pre-checked boxes don’t qualify as valid consent
  • Granular control: Users must be able to accept or reject different categories of cookies separately (necessary, functional, analytics, marketing)
  • Easy withdrawal: Refusing or withdrawing consent must be as easy as giving it—no penalties for rejecting cookies
  • Clear information: Cookie notices must explain what data is collected, why, and who will access it
  • Cookie walls prohibited: Generally cannot deny service for refusing non-essential cookies
  • Substantial fines: Violations can result in fines up to €20 million or 4% of global annual revenue, whichever is higher

Real-world GDPR examples:

  • Google fined €50 million by France in 2019 for insufficient transparency and invalid consent mechanisms
  • Amazon fined €746 million in 2021 for targeted advertising without proper consent
  • Meta (Facebook) fined €390 million in 2023 for forcing users to accept tracking as a condition of service

The California Consumer Privacy Act (CCPA) and CPRA

The CCPA and its successor, the California Privacy Rights Act (CPRA), take a different approach from GDPR. Rather than requiring opt-in consent, CCPA focuses on enabling opt-out rights.

CCPA/CPRA requirements:

  • Opt-out mechanism: Websites must provide a clear “Do Not Sell My Personal Information” link
  • Default collection allowed: Unlike GDPR, sites can collect data by default until users object
  • Right to know: Consumers can request disclosure of what personal data is collected, sold, or shared
  • Right to deletion: Consumers can request deletion of their personal data
  • No discrimination: Cannot charge different prices or provide different service levels for opting out (with some exceptions)
  • Limited cookie walls: Can offer financial incentives for data sharing in some circumstances

Key Differences Between GDPR and CCPA:

  • Consent model: GDPR requires opt-in consent before tracking; CCPA allows opt-out after tracking begins
  • Geographic scope: GDPR applies to any organization processing EU residents’ data worldwide; CCPA applies to larger businesses ($25M+ revenue, 50K+ consumers, or 50%+ revenue from data sales) handling California residents’ data
  • Cookie walls: GDPR generally prohibits refusing service for declining cookies; CCPA allows financial incentives and some conditional access
  • Enforcement: GDPR has substantial regulatory fines imposed by data protection authorities; CCPA emphasizes consumer legal action with $100-$750 per incident in data breaches
  • Sensitive data: CPRA (CCPA 2.0) introduced special protections for sensitive information like precise geolocation, race, health data

As detailed by Transcend, cookie consent requirements continue evolving in 2025, with additional U.S. states implementing privacy laws and the European Union strengthening enforcement.

Other emerging privacy laws:

  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Brazil’s LGPD (Lei Geral de Proteção de Dados)
  • Canada’s PIPEDA amendments

These regulations have led to ubiquitous cookie consent banners, though many employ “dark patterns”—design tricks that manipulate users into accepting all cookies by making rejection difficult or confusing.

Common dark patterns in cookie banners:

  • Accept highlighted, reject hidden: Large green “Accept All” button vs. tiny gray “Manage Preferences” link
  • Multiple clicks required: Rejecting requires navigating through several screens while accepting is one click
  • Confusing language: Using terms like “legitimate interest” without clear explanation
  • Pre-selected options: All tracking categories enabled by default requiring users to uncheck dozens of boxes
  • Nagging persistence: Banner reappears repeatedly until you accept

Protecting Yourself from Trackers

While complete anonymity online is nearly impossible, several strategies can significantly reduce tracking and profiling.

Browser Privacy Settings

Modern browsers offer built-in tracking protection. Browser privacy settings provide your first line of defense:

  • Firefox: Enables “Enhanced Tracking Protection” by default, blocking third-party cookies and known trackers.
    How to enable Strict mode:
    1. Click the menu button (three horizontal lines) in the top right
    2. Select “Settings”
    3. Click “Privacy & Security” in the left sidebar
    4. Under “Enhanced Tracking Protection,” select “Strict”
    5. Optional: Click “Manage Exceptions” to whitelist trusted sites
    6. Scroll down to “Cookies and Site Data” and check “Delete cookies and site data when Firefox is closed” for automatic cleanup
  • Safari: Uses Intelligent Tracking Prevention (ITP) to limit cross-site tracking and automatically blocks third-party cookies.
    How to enable (macOS):
    1. Open Safari and click “Safari” in the menu bar
    2. Select “Preferences” (or Settings on newer versions)
    3. Click the “Privacy” tab
    4. Check “Prevent cross-site tracking”
    5. Check “Block all cookies” for maximum protection (may break some sites)
    6. Click “Manage Website Data” to review and remove stored data
    How to enable (iOS):
    1. Open the Settings app
    2. Scroll down and tap “Safari”
    3. Under Privacy & Security, enable “Prevent Cross-Site Tracking”
    4. Enable “Block All Cookies” for stricter protection
  • Chrome: Offers limited tracking protection with plans for Privacy Sandbox alternatives.
    How to enable:
    1. Click the three dots menu in the top right
    2. Select “Settings”
    3. Click “Privacy and security” in the left sidebar
    4. Click “Third-party cookies”
    5. Select “Block third-party cookies” (recommended)
    6. Go back and click “Send a ‘Do Not Track’ request with your browsing traffic” and toggle it on
    7. Under “Privacy and security,” click “Ad privacy” and review settings to limit ad tracking
  • Brave: Blocks trackers and ads by default with aggressive privacy protections including fingerprint randomization and built-in Tor browsing.
    How to customize settings:
    1. Click the menu button (three horizontal lines) in the top right
    2. Select “Settings”
    3. Click “Shields” in the left sidebar
    4. Set “Trackers & ads blocking” to “Aggressive” for maximum protection
    5. Enable “Block scripts” (may break some sites)
    6. Enable “Block fingerprinting” and set to “Strict”
    7. Under “Social media blocking,” enable all options
  • Edge: Microsoft’s tracking prevention with three levels (Basic, Balanced, Strict) that block varying amounts of third-party trackers.
    How to enable:
    1. Click the three dots menu in the top right
    2. Select “Settings”
    3. Click “Privacy, search, and services” in the left sidebar
    4. Under “Tracking prevention,” select “Strict”
    5. Enable “Send ‘Do Not Track’ requests”
    6. Scroll down to “Clear browsing data” and click “Choose what to clear every time you close the browser”
    7. Enable options like “Cookies and other site data” for automatic cleanup

According to Network Advertising Initiative, properly configuring your browser’s privacy settings can eliminate most cookie-based tracking without requiring additional software.

Privacy Extensions and Add-ons:

Additional Protection Strategies:

  • Use privacy-focused browsers: Tor Browser for anonymity, Brave for balanced privacy and convenience, or Firefox with privacy extensions for customization
  • Regularly clear cookies and browsing data: Delete stored cookies weekly or use automatic deletion tools. Clear cache, cookies, and site data from browser settings
  • Enable Do Not Track (DNT): Though not legally binding in most jurisdictions, some websites honor this signal. Enable in browser privacy settings
  • Use VPNs (Virtual Private Networks): Hide your IP address and encrypt traffic. Recommended: Mullvad, ProtonVPN, or IVPN (avoid free VPNs that often sell your data)
  • Reject cookie consent banners: Decline non-essential cookies when prompted. Use extensions like “I don’t care about cookies” or “Consent-O-Matic” to automate rejection
  • Test your fingerprint: Use EFF’s Cover Your Tracks (coveryourtracks.eff.org) to assess how unique and trackable your browser is
  • Use multiple browsers for separation: Separate sensitive activities (banking, healthcare) from casual browsing (social media, shopping) using different browsers to limit cross-contamination
  • Disable third-party cookies entirely: Available in most browser settings under Privacy or Cookies sections—most effective single protection measure
  • Use private/incognito mode: For temporary browsing sessions where you don’t want cookies stored (note: this doesn’t prevent tracking during the session)
  • Use privacy-focused search engines: DuckDuckGo, StartPage, or Brave Search instead of Google to prevent search history profiling
  • Disable WebRTC: Prevent IP leaks even when using VPNs by disabling WebRTC in browser settings or using extensions
  • Use fingerprint-resistant browsers: Tor Browser normalizes fingerprints to make users look identical; Brave randomizes fingerprint characteristics
  • Install operating system updates: Keep your OS and browsers updated to get the latest privacy protections and security patches
  • Use containerized browsing: Firefox Multi-Account Containers isolate cookies per container, preventing cross-site tracking between different contexts
  • Opt out of data broker databases: Submit opt-out requests to major data brokers like Acxiom, Oracle BlueKai, Epsilon, and people search sites

Mobile Device Protection:

  • Limit ad tracking: Enable “Limit Ad Tracking” (iOS) or “Opt out of Ads Personalization” (Android) in device settings
  • Reset advertising ID: Periodically reset your advertising identifier to break tracking continuity
  • Review app permissions: Deny unnecessary permissions for location, contacts, and other sensitive data
  • Use Firefox Focus or DuckDuckGo mobile browser: Privacy-focused mobile browsers with automatic tracker blocking

As noted by CookieYes, blocking third-party cookies remains one of the most effective privacy measures, as it prevents most cross-site tracking while maintaining website functionality.

However, remember that browser fingerprinting can track you even with all cookies blocked, so comprehensive protection requires multiple layers of defense including fingerprint randomization tools and privacy-focused browsers designed to resist fingerprinting.
