Cookieless tracking: How you’re tracked without cookies

Major web browsers are phasing out third-party cookies, the technology that has long enabled companies to track users across the internet. While this sounds like a win for privacy, it doesn’t mean online tracking has stopped. Instead, it has evolved. A new array of methods allow for the tracking of users without the use of cookies.

This article explains what cookieless tracking is and how it works. It also covers the privacy implications and offers tips on how you can protect yourself against such tracking methods.

What is cookieless tracking?

Cookieless tracking is the name for a range of methods used to gather user data without relying on traditional third-party browser cookies. Instead, these methods monitor your activity through alternative means like browser fingerprinting, device fingerprinting, or server-side tracking.

How online tracking worked with cookies

Cookies are small text files that a website places on your browser to remember information about your visit. There are two main types of cookies: first-party and third-party.

First-party cookies are created and used by the website you’re visiting. They help the site remember your login details, shopping cart items, and preferences to improve your experience on that specific site.

Third-party cookies, on the other hand, gather a broader range of user data. These cookies give every user a unique identifier, which enables cross-site tracking. This means that your activity is followed across different websites to build a detailed profile of your interests for targeted advertising. Third-party cookies can collect information like your search history, past purchases, browser type, ad interactions, behaviors on websites, and more.

What changed: Why cookies are fading

The main reason for the decline of third-party cookies is a significant shift in the privacy landscape. Concerns about the vast amount of personal data collected by cookies, often without clear knowledge or consent, have grown among internet users and governments, leading to an increased demand for online privacy.

Privacy laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) now classify cookies as personal data, meaning websites must obtain explicit user consent before tracking begins.

In response to these privacy concerns, major web browsers took action. Apple’s Safari and Mozilla Firefox have been blocking third-party cookies by default for years. Google has also started phasing them out in its Chrome browser. Since Google Chrome represents over 70% of the browser market share, this is considered by many to be the end of third-party cookies.

The rise of cookie alternatives

The decline of third-party cookies didn’t end tracking. Instead, it’s pushed the development of new alternatives for tracking and user data collection. Methods like device fingerprinting are often invisible and operate without your direct knowledge, making them harder to detect, block, and regulate.

How cookieless tracking works

Cookieless tracking methods work by analyzing your device’s unique characteristics, using statistical guesswork to link your activities, or moving the tracking process from your browser to a remote server. Here are the main methods to be aware of.

Device fingerprinting

Device fingerprinting is a method that collects information about your device’s unique hardware and software configuration to create a persistent digital identifier. This "fingerprint" allows companies to recognize your device across different websites and browsing sessions.

Data points used to create a fingerprint include your operating system, browser type and version, screen resolution, installed fonts, and even language settings. When combined, these details create a profile that is often unique enough to single you out.

Unlike cookies that are stored on your device, your fingerprint is held on a company’s server, making it impossible for you to delete. A noteworthy fingerprinting technique is canvas fingerprinting, which instructs your browser to draw a hidden image using HTML5’s canvas feature. Subtle variations in how your specific hardware and software render the image create a unique identifier that can be used to track you.

Fingerprinting has become harder as many browsers strengthen privacy protections, but some analytics systems use softer versions of the same idea. For example, Google Analytics 4 (GA4) can operate without cookies by gathering limited device and browser information, then using machine learning to guess which visits belong to the same user.

Probabilistic tracking

Probabilistic tracking is a cookieless technique that focuses on overall ad performance instead of tracking individual users. It uses statistical models and machine learning to analyze behavioral patterns and determine their correlations with ad performance and revenue.

This method analyzes a variety of non-personal data points like device type, operating system, and browsing patterns.

Meta is a noteworthy company that uses probabilistic methods in its ad platform to predict the likelihood of users taking desired actions, like adding something to a cart, after seeing an ad.

First-party vs. zero-party data

First-party data is information that a company collects directly from you through your interactions with its services. This includes your purchase history, the pages you visit on a website, or the contact information you provide.

Zero-party data is information that you intentionally and proactively share with a company. Examples include your preferences in a settings menu, answers to a survey, or items you add to a wishlist.

Both data types are central to cookieless marketing because they are collected through a direct relationship with the user. This makes them a privacy-compliant alternative to third-party data for personalizing experiences and ads.

Server-side tracking techniques

Server-side tracking is a data collection method that routes user data through a website's own server before forwarding it to third-party tools like GA4. This is different from traditional client-side tracking, where your browser sends data directly to third-party servers.

By acting as an intermediary, the website owner gains more control over the data. This method can bypass ad blockers and browser privacy settings, leading to more accurate data collection.

It’s worth noting that server-side tracking does offer privacy benefits. This is because it allows a website to filter, modify, or anonymize sensitive information before sharing it with external platforms. This process is known as data minimization.

Privacy implications of cookieless tracking

The move to a cookieless web addresses the specific issues of third-party cookies, but newer tracking methods introduce their own complex privacy challenges.

Is it really more private without cookies?

The answer is complicated. The decline of third-party cookies is a positive development, as it limits the ability of unknown companies to track you across the web without your consent.

However, some of the replacement technologies are arguably more problematic. Fingerprinting, for example, can be said to be more invasive than cookie tracking because users may be unable to easily prevent it; you can’t delete fingerprint data like you can delete cookies from your browser. Users are also often unaware it’s happening in the first place.

What data is still being collected?

The specific information collected depends on the technique being used.

• Server-side tracking: Collects event data such as links clicked, forms filled, or purchases made.
• Device fingerprinting: Gathers your IP address, time zone, screen resolution, operating system, language, fonts, and other hardware and software details.
• Probabilistic tracking: Analyzes information like your IP address, location data, browser type and version, operating system, and behavioral patterns.
• First-party data: Includes any information you provide directly to a site, such as your email address, purchase history, and stated preferences.

Can you opt out of cookieless tracking?

It depends on where you live and the privacy regulations that are applicable to you. The GDPR requires companies to obtain your consent to begin tracking (including with cookieless methods). Others can let companies track you through cookieless methods by default, but may require them to offer you the ability to opt out.

Even under strong privacy regulations, companies may still be able to track you with these methods without explicit consent. Under the GDPR for example, a company can process data that falls under the grounds of legitimate interest (data that is required to carry out legal obligations or fulfill contracts) without the need for user consent, but only if this doesn’t override users’ rights and freedoms and meets specific conditions.

Cookieless tracking vs. traditional cookies

While both cookieless tracking and traditional cookies are used to monitor users online, they differ in how they work, their level of invasiveness, and how easy they are to control.

What’s still the same

The fundamental goal of tracking hasn’t changed. Both systems aim to identify users and analyze their behavior for analytics, ad targeting, and website personalization.

First-party cookies also remain a crucial part of the web. They’re still used for essential website functions like keeping you logged in or remembering your shopping cart, and their use is largely unaffected by the phase-out of third-party cookies.

Also, the need for companies to comply with privacy regulations like the GDPR and CPPA continues. In the case of these examples, any data that can be linked to an identifiable individual person is considered to be personal data, regardless of the technology used to collect it. As such, new methods of acquiring personal data still fall under these regulatory frameworks.

Which is easier to detect or block?

Cookies are far easier for users to manage. You can view, delete, and block them directly through your web browser’s settings. Many browser extensions are also highly effective at blocking the third-party cookies used for tracking.

Cookieless methods are much harder to stop. Blocking fingerprinting requires you to have a browser like Firefox that actively prevents it, or extensions that actively spoof your device’s data. Disabling JavaScript is another potential defense, but this would break the functionality of most modern websites.

Server-side tracking is nearly impossible for a user to block directly. Since the data collection process is moved from your browser to the website's server, standard ad blockers and privacy settings on your device have no effect.

How to protect yourself from cookieless tracking

Completely stopping all forms of online tracking isn’t a realistic goal, but you can take several steps to significantly reduce your digital footprint.

1. Use a VPN

A VPN is an important tool for online privacy. It works by encrypting your internet traffic and masking your real IP address, showing websites only the IP address of the VPN server you are connected to.

This is highly effective against IP-based tracking, which is a key component of many cookieless methods. By hiding your IP address, a VPN makes it much harder for trackers to link your online activity to your physical location.

However, a VPN isn’t a complete solution. While it protects your IP address, it doesn’t stop websites from collecting other data through methods like device fingerprinting.

2. Choose a privacy-focused browser

Some web browsers are specifically designed to combat tracking and fingerprinting. Switching to these privacy-focused browsers can help protect data from being tracked. Below are some of the most noteworthy privacy-first browsers:

• Tor browser: Prevents fingerprinting with its implementation of NoScript, which blocks the JavaScript that runs on websites. Tor also standardizes device and OS information. This includes your screen dimensions, which are rounded to a multiple of 200x100px. These efforts make your fingerprint less unique, hampering tracking efforts.
• Firefox: Blocks fingerprinting by preventing third-party requests from companies known to gather data.
• Safari: Offers Intelligent Tracking Protection to defend against cross-site tracking.

3. Adjust browser-level protections and settings

Adjusting the settings in your current browser is a good way to start retaking control of your privacy. Navigate to the privacy and security section to find options for controlling tracking.

Most browsers allow you to manually block third-party cookies through these menus, which is still a good practice. Some browsers let you block a wider range of trackers; for example, Firefox’s Enhanced Tracking Protection blocks fingerprinting and social media trackers, while Edge includes Tracking Prevention modes that limit cross-site tracking and ad personalization.

4. Use tools that block fingerprinting

Several browser extensions can add another layer of defense against cookieless tracking. These tools work by either blocking tracking scripts or feeding them fake information to disrupt fingerprinting.

Tools like CanvasBlocker and Canvas Fingerprint Defender specifically target canvas fingerprinting. They work by adding random noise to the data that fingerprinting scripts collect, preventing them from generating a consistent and unique ID. Plus, extensions like EFF’s Privacy Badger can block invisible trackers based on behavior.

You can also use free online tools like AmIUnique to see how unique your fingerprint is.

Why “Incognito Mode” isn’t enough

There’s a misconception that Incognito or other private browsing modes can make people more anonymous online, but this isn’t exactly true. This mode only prevents your browser from saving your history, cookies, and form data on your device after you close the window. It doesn’t hide your IP address from websites or your internet service provider (ISP), and it offers no protection against real-time tracking methods like device fingerprinting.

While incognito mode is useful for keeping your activity private from others who use the same computer, it is not an effective tool for preventing online tracking.

Who is using cookieless tracking?

Nearly every entity in the digital ecosystem, from the websites you visit to the advertisers that fund them, has a reason to track users and will likely use cookieless tracking as third-party cookies are phased out.

Advertisers and ad platforms

Advertisers are the primary drivers of tracking technology. They rely on user data to personalize ads, measure the effectiveness of their campaigns, and retarget potential customers.

In the cookieless era, advertisers are shifting their focus to strategies that don’t depend on third-party cookies. This includes a heavy emphasis on first-party data collection and using contextual advertising, in which ads are placed on webpages relevant to your audience.

Publishers

Publishers, such as news websites and blogs, use tracking data to understand their audience and sell advertising space. To prepare for a cookieless world, publishers are focusing on building direct relationships with their readers. By encouraging users to create accounts, subscribe to newsletters, or pay for content, they can collect valuable first-party data. This consented data makes their ad inventory more valuable to advertisers.

Data brokers

Data brokers are companies that specialize in collecting personal data from numerous sources to create detailed profiles on individuals and sell that information. They traditionally relied heavily on third-party cookies to gather information. However, they also purchase first-party data from other companies, and they may start relying on this more as third-party tracking phases out.

Governments and surveillance agencies

While most discussions about tracking focus on advertising, the same technologies can be used for surveillance. Government and law enforcement agencies may use techniques like device fingerprinting to track criminal activity and identify suspects.