Cookie Tracking vs Device Tracking: How Online Surveillance Evolved
How Cookies Work
HTTP cookies are small pieces of data that a website sends to your browser, which the browser stores and sends back to the website with subsequent requests. Cookies were invented by Lou Montulli at Netscape in 1994 to solve a practical problem: HTTP is stateless, meaning each request is independent. Without cookies, a website has no way to know that two requests came from the same user. You could not stay logged in, maintain a shopping cart, or preserve preferences.
A cookie is just a name-value pair with metadata. When you visit a website, the server can include a Set-Cookie header in its response. Your browser stores this cookie and attaches it to every subsequent request to the same domain. The cookie can include an expiration date (persistent cookie) or exist only until the browser is closed (session cookie). It can be restricted to HTTPS connections (Secure flag) and made inaccessible to JavaScript (HttpOnly flag).
First-party cookies (set by the website you are visiting) are essential for basic web functionality. Without them, you would have to log in on every page load. The privacy issues arise with third-party cookies - cookies set by a domain other than the one you are visiting.
Third-Party Cookies and Cross-Site Tracking
Third-party cookies are the foundation of the online advertising industry's cross-site tracking infrastructure. The mechanism is straightforward: when a web page loads, it includes resources (scripts, images, iframes) from third-party domains. These third-party domains set cookies in your browser. Because the same third-party domain is embedded across thousands of websites, it can track your movement across all of them.
sequenceDiagram
participant User as Your Browser
participant SiteA as news-site.com
participant SiteB as shopping-site.com
participant Tracker as ad-network.com
User->>SiteA: Visit news-site.com
SiteA->>User: Page with ad-network.com script
User->>Tracker: Load ad-network.com/tracker.js
Tracker->>User: Set-Cookie: id=abc123
Note over Tracker: Logs: abc123 visited news-site.com
User->>SiteB: Visit shopping-site.com
SiteB->>User: Page with ad-network.com script
User->>Tracker: Load tracker.js (sends Cookie: id=abc123)
Note over Tracker: Logs: abc123 now on shopping-site.com
Note over Tracker: Builds cross-site browsing profile
Third-party cookies allow an advertising network to track a single user across every website that includes their script
The major advertising networks (Google's DoubleClick, Facebook's Pixel, and dozens of smaller networks) use this mechanism to build browsing profiles that span the entire web. When you read a news article about hiking boots and then see hiking boot ads on an unrelated website, third-party cookies are typically the technology connecting those two visits.
The scale of this tracking is enormous. A 2020 study by the University of Iowa found that 87% of the top 10,000 websites loaded third-party resources from Google-owned domains. The average web page loads resources from more than 20 third-party domains. Each of these domains can potentially set tracking cookies.
Cookie syncing amplifies the problem further. When two advertising networks want to share data about users, they exchange their cookie identifiers. Network A redirects to Network B's domain with Network A's user ID as a parameter. Network B matches this ID to its own cookie and creates a mapping. Through cascading syncs across the advertising ecosystem, a single website visit can result in dozens of companies learning about it.
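To make the mechanism in the sequence diagram concrete, here is an added example (not code from the original article) that models the browser side of cookie handling: a cookie jar that distinguishes first-party from third-party context, and an ad network that hands out an `id` cookie and logs every page it is embedded on. Run with third-party cookies allowed, the tracker sees the same `id` on both sites and can join the visits; run with them blocked, as Safari and Firefox do by default, it gets a fresh id each time and nothing links. Hostnames and cookie values are constructed sample data, and the registrable-domain check is a deliberate simplification with no public-suffix list.

```python
"""Browser-side model of first-party vs third-party cookies (added example)."""
from dataclasses import dataclass, field


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (assumes no multi-label public suffixes)."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(top_level_site: str, request_host: str) -> bool:
    """A request is third-party when its domain differs from the page the user is on."""
    return registrable_domain(top_level_site) != registrable_domain(request_host)


@dataclass
class CookieJar:
    block_third_party: bool = False
    cookies: dict = field(default_factory=dict)  # (registrable domain, name) -> value

    def store(self, top_level_site: str, request_host: str, set_cookie: str) -> bool:
        """Apply a Set-Cookie header from request_host while top_level_site is the page.

        Returns False when the jar refuses the cookie. Only SameSite is enforced here:
        Chrome (since version 80) treats a missing SameSite as Lax and refuses to store
        such a cookie from a cross-site response, so trackers must send SameSite=None.
        """
        parts = [p.strip() for p in set_cookie.split(";")]
        name, value = parts[0].split("=", 1)
        attrs = {p.lower() for p in parts[1:]}  # Secure, HttpOnly, Max-Age=... etc.
        if is_third_party(top_level_site, request_host):
            if self.block_third_party:
                return False
            if "samesite=none" not in attrs:
                return False
        self.cookies[(registrable_domain(request_host), name.strip())] = value.strip()
        return True

    def cookie_header(self, top_level_site: str, request_host: str) -> str:
        """Build the Cookie header the browser attaches to a request to request_host."""
        if self.block_third_party and is_third_party(top_level_site, request_host):
            return ""
        dom = registrable_domain(request_host)
        return "; ".join(f"{n}={v}" for (d, n), v in self.cookies.items() if d == dom)


class AdNetwork:
    """The tracker's server: hands out an id cookie on first contact and logs every embed."""

    def __init__(self):
        self.next_id = 1
        self.log = []  # (cookie id, site the script was embedded on)

    def handle(self, cookie_header: str, embedding_site: str):
        """Return a Set-Cookie header to send back, or None if the browser already has an id."""
        presented = dict(p.split("=", 1) for p in cookie_header.split("; ") if p)
        uid = presented.get("id")
        set_cookie = None
        if uid is None:
            uid = f"u{self.next_id}"
            self.next_id += 1
            set_cookie = f"id={uid}; Secure; HttpOnly; SameSite=None; Max-Age=31536000"
        self.log.append((uid, embedding_site))
        return set_cookie


def browse(block_third_party: bool, sites=("news-site.com", "shopping-site.com")):
    """Visit each site; every page embeds ad-network.com/tracker.js. Returns the tracker's log."""
    jar = CookieJar(block_third_party=block_third_party)
    tracker = AdNetwork()
    for site in sites:
        request_cookies = jar.cookie_header(site, "ad-network.com")
        response = tracker.handle(request_cookies, site)
        if response:
            jar.store(site, "ad-network.com", response)
    return tracker.log


def linkable(log) -> bool:
    """True when one identifier appears on more than one site: the visits can be joined."""
    sites_per_id = {}
    for uid, site in log:
        sites_per_id.setdefault(uid, set()).add(site)
    return any(len(s) > 1 for s in sites_per_id.values())


if __name__ == "__main__":
    print("allowed:", browse(False), "linkable:", linkable(browse(False)))
    print("blocked:", browse(True), "linkable:", linkable(browse(True)))
```

The `SameSite=None` requirement is why tracker cookies look the way they do today: without it a modern browser will not even store the cookie in a third-party context, and `Secure` is mandatory alongside `SameSite=None`.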
The Death of Third-Party Cookies
Third-party cookies have been dying a slow death driven by a combination of regulation, browser vendor decisions, and user awareness.
Safari blocked third-party cookies by default in 2017 through Intelligent Tracking Prevention (ITP). Firefox followed in 2019 with Enhanced Tracking Protection. These browsers collectively represent roughly 25% of the desktop browser market, but their impact on the advertising industry was significant because they demonstrated that blocking third-party cookies was technically feasible without breaking the web.
Google Chrome, which holds approximately 65% of the browser market, announced plans to deprecate third-party cookies in 2020. After multiple delays (originally scheduled for 2022, then 2024, then 2025), Google has gone back and forth on the timeline. Regardless of Chrome's specific timeline, the industry has already begun adapting because Safari and Firefox's blocks are already in effect.
GDPR and ePrivacy regulations in Europe require consent for setting non-essential cookies. Cookie consent banners are a visible result of this requirement. While many implementations are questionable (dark patterns that make it easier to accept than reject), the regulatory pressure has accelerated the industry's move away from cookie-dependent tracking.
Device Fingerprinting as a Replacement
As cookies become unreliable, the advertising industry has increasingly turned to device fingerprinting as an alternative tracking mechanism. Fingerprinting has a key advantage over cookies: users cannot delete a fingerprint the way they can delete a cookie, because the fingerprint is computed from the device's configuration rather than stored on the device.
The shift from cookies to fingerprinting is not a clean replacement. Cookies are explicit, controllable, and transparent (you can inspect your cookies in browser settings). Fingerprinting is implicit, difficult to control, and invisible to most users. From a privacy perspective, fingerprinting is arguably worse than cookies despite being positioned as a response to cookie restrictions.
Commercial fingerprinting services report identification rates comparable to cookies. FingerprintJS claims over 99.5% accuracy for identifying returning visitors. This high accuracy comes from combining dozens of browser and device attributes (screen resolution, GPU model, installed fonts, audio processing characteristics, canvas rendering output) into a composite identifier.
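The way those attributes combine into an identifier, and the question a privacy engineer actually needs answered (which attributes narrow a user down the most, and how much a countermeasure helps), can be shown with an added example that is not from the original article or from any fingerprinting vendor. It hashes a handful of attributes into a composite, measures the Shannon entropy of each attribute across a population, counts anonymity-set sizes, and then applies a Tor Browser style normalization (uniform window size, bundled fonts, masked GPU). The eight-device population is constructed sample data, not measurements, and real fingerprints use many more signals (canvas, audio, WebGL renderer strings).

```python
"""Estimating how identifying a set of browser attributes is (added example)."""
import hashlib
import math
from collections import Counter

# Constructed population: each dict is one device's reported attributes (not real data)
POPULATION = [
    {"ua": "Chrome/120 Windows", "screen": "1920x1080", "tz": "-5", "fonts": "Arial,Calibri,Segoe UI", "gpu": "NVIDIA RTX 3060"},
    {"ua": "Chrome/120 Windows", "screen": "1920x1080", "tz": "-5", "fonts": "Arial,Calibri,Segoe UI", "gpu": "Intel Iris Xe"},
    {"ua": "Chrome/120 Windows", "screen": "1366x768", "tz": "-5", "fonts": "Arial,Calibri,Segoe UI", "gpu": "NVIDIA RTX 3060"},
    {"ua": "Firefox/121 Windows", "screen": "1920x1080", "tz": "-8", "fonts": "Arial,Calibri,Segoe UI", "gpu": "AMD Radeon 680M"},
    {"ua": "Safari/17 macOS", "screen": "2560x1600", "tz": "-8", "fonts": "Helvetica,SF Pro", "gpu": "Apple M2"},
    {"ua": "Safari/17 macOS", "screen": "2560x1600", "tz": "-8", "fonts": "Helvetica,SF Pro", "gpu": "Apple M2"},
    {"ua": "Chrome/120 Windows", "screen": "1920x1080", "tz": "+1", "fonts": "Arial,Calibri,Segoe UI", "gpu": "NVIDIA RTX 3060"},
    {"ua": "Chrome/120 Android", "screen": "412x915", "tz": "+1", "fonts": "Roboto", "gpu": "Adreno 740"},
]
FINGERPRINT_KEYS = ("ua", "screen", "tz", "fonts", "gpu")


def fingerprint(attrs: dict) -> str:
    """Composite identifier: hash of the attribute values in a fixed order."""
    material = "|".join(f"{k}={attrs[k]}" for k in FINGERPRINT_KEYS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def attribute_entropy(population, key: str) -> float:
    """Shannon entropy in bits of one attribute over the population: how much it reveals on average."""
    counts = Counter(d[key] for d in population)
    n = len(population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def anonymity_sets(population) -> Counter:
    """fingerprint -> number of devices sharing it (a count of 1 means uniquely identified)."""
    return Counter(fingerprint(d) for d in population)


def unique_fraction(population) -> float:
    """Share of devices whose full fingerprint is unique in the population."""
    sets = anonymity_sets(population)
    return sum(1 for d in population if sets[fingerprint(d)] == 1) / len(population)


def normalize(attrs: dict) -> dict:
    """Countermeasure modelled on Tor Browser: letterboxed window, bundled fonts, masked GPU."""
    return {**attrs, "screen": "1000x1000", "fonts": "bundled-default", "gpu": "masked"}


def report(population) -> dict:
    """Per-attribute entropy plus uniqueness before and after normalization."""
    normalized = [normalize(d) for d in population]
    return {
        "entropy_bits": {k: round(attribute_entropy(population, k), 3) for k in FINGERPRINT_KEYS},
        "unique_fraction_raw": unique_fraction(population),
        "unique_fraction_normalized": unique_fraction(normalized),
        "largest_anonymity_set_normalized": max(anonymity_sets(normalized).values()),
    }


if __name__ == "__main__":
    for k, v in report(POPULATION).items():
        print(f"{k}: {v}")
```

Two things the numbers show that the prose does not: the attributes a user can plausibly change (fonts, window size) are not the only ones carrying entropy, so partial normalization leaves the user-agent and time zone still doing most of the work; and a countermeasure is only as good as the size of the crowd it puts you in, which is why uniform defaults shipped to every user of a browser beat individual tweaks.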
The advertising industry's adoption of fingerprinting has been controversial. Apple and Google have both stated opposition to fingerprinting, and browser vendors continue to develop countermeasures. But the economic incentives for cross-site tracking are enormous, and fingerprinting fills the gap left by cookie deprecation.
Cross-Device Tracking
Cross-device tracking links a single person's activity across their phone, tablet, laptop, desktop, and smart TV. This is valuable to advertisers because the customer journey often spans devices: a person might research a product on their phone, compare options on their laptop, and complete the purchase on their tablet.
Deterministic cross-device tracking uses logged-in sessions to link devices. When you log into Google on your phone and your laptop, Google knows both devices belong to you. Facebook, Amazon, Apple, and Microsoft have similar cross-device graphs based on their login sessions. This is the most accurate form of cross-device tracking, but it requires the user to be logged into the same service on multiple devices.
graph TD
subgraph Deterministic["Deterministic Linking"]
A[Phone: Login to Google] --> D{Same Account = Same Person}
B[Laptop: Login to Google] --> D
C[Tablet: Login to Google] --> D
end
subgraph Probabilistic["Probabilistic Linking"]
E[Phone: IP 73.22.xx.xx at 8pm]
F[Laptop: IP 73.22.xx.xx at 8pm]
G[Same WiFi + Same time = Likely same person]
E --> G
F --> G
end
subgraph Data_Points["Probabilistic Signals"]
H[Shared IP address]
I[Shared WiFi network]
J[Similar browsing patterns]
K[Geographic proximity]
L[Temporal correlation]
end
H --> G
I --> G
J --> G
K --> G
L --> G
subgraph Result["Combined Profile"]
D --> M[Cross-device identity graph]
G --> M
M --> N[Unified advertising profile]
end
Cross-device tracking uses both deterministic (login-based) and probabilistic (behavior-based) methods to link devices to a single person
Probabilistic cross-device tracking does not require logins. Instead, it uses statistical signals to infer which devices belong to the same person. Two devices on the same IP address at the same time of day, with similar browsing patterns, are probably in the same household. If they visit the same niche websites in the same order, they probably belong to the same person.
Companies like Tapad, Drawbridge (acquired by LinkedIn), and Crosswise (acquired by Oracle) built businesses around probabilistic cross-device matching. Their identity graphs link billions of device identifiers to millions of individuals, enabling advertisers to target a person across all their devices based on behavior observed on any one of them.
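The probabilistic linking described above reduces to a scoring problem over ordinary access logs, and seeing it as code makes clear both why it works and where it is weak. The following is an added example, not code from the article or from any of the companies named: it parses constructed event lines (time, device, public IP, site), counts how many hour-long windows two devices share the same IP, adds the Jaccard similarity of the sites they visit, and links pairs above a threshold. The log lines, device names, and IPs (from the documentation ranges) are constructed sample data, and the weights and threshold are assumptions chosen for the illustration.

```python
"""Toy probabilistic cross-device linker over constructed access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample events (not real data): time, device, public IP, site visited
EVENTS = """
2024-01-05T20:01:12Z dev=phone-1 ip=203.0.113.5 site=hiking-forum.example
2024-01-05T20:04:40Z dev=laptop-1 ip=203.0.113.5 site=hiking-forum.example
2024-01-05T20:09:03Z dev=laptop-1 ip=203.0.113.5 site=boot-reviews.example
2024-01-05T21:15:30Z dev=phone-1 ip=203.0.113.5 site=boot-reviews.example
2024-01-06T19:50:00Z dev=phone-1 ip=203.0.113.5 site=news.example
2024-01-06T19:52:10Z dev=laptop-1 ip=203.0.113.5 site=news.example
2024-01-06T19:55:10Z dev=tablet-2 ip=198.51.100.77 site=news.example
2024-01-06T20:30:00Z dev=tablet-2 ip=198.51.100.77 site=recipes.example
2024-01-07T08:10:00Z dev=laptop-3 ip=203.0.113.5 site=news.example
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) dev=(\S+) ip=(\S+) site=(\S+)$")


def parse_event(line: str):
    """Return (timestamp, device, ip, site) for one log line; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def device_profiles(lines):
    """Per device: the set of (ip, hour bucket) slots it was seen in, and the set of sites."""
    slots = defaultdict(set)
    sites = defaultdict(set)
    for line in lines:
        ts, dev, ip, site = parse_event(line)
        slots[dev].add((ip, ts.strftime("%Y-%m-%d %H")))
        sites[dev].add(site)
    return slots, sites


def pair_score(slots, sites, a: str, b: str, w_slot: float = 1.0, w_sites: float = 2.0) -> float:
    """Assumed scoring: shared (ip, hour) windows plus weighted Jaccard similarity of visited sites.

    A shared IP at different times scores nothing on the first term, which is why a
    one-off visitor on the same network is not linked by IP alone.
    """
    shared = len(slots[a] & slots[b])
    union = sites[a] | sites[b]
    jaccard = len(sites[a] & sites[b]) / len(union) if union else 0.0
    return w_slot * shared + w_sites * jaccard


def link_devices(lines, threshold: float = 2.0):
    """Return sorted device pairs whose score reaches the (assumed) threshold."""
    slots, sites = device_profiles(lines)
    linked = []
    for a, b in combinations(sorted(slots), 2):
        if pair_score(slots, sites, a, b) >= threshold:
            linked.append((a, b))
    return linked


if __name__ == "__main__":
    slots, sites = device_profiles(EVENTS)
    for a, b in combinations(sorted(slots), 2):
        print(f"{a} <-> {b}: {pair_score(slots, sites, a, b):.2f}")
    print("linked:", link_devices(EVENTS))
```

In the sample data, `laptop-3` uses the same household IP the next morning but never overlaps in time and shares only one site, so it stays unlinked; `phone-1` and `laptop-1` are linked on temporal co-occurrence plus identical browsing. The defensive reading is that the signals the page lists (shared IP, timing, site overlap) are each weak alone and only become identifying in combination, which is what makes randomized addresses or a VPN on one device but not the other insufficient.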
The First-Party Data Pivot
With third-party cookies declining, the advertising industry is pivoting toward first-party data strategies. First-party data is information that a company collects directly from its customers through its own properties: email addresses from newsletter signups, purchase histories from transactions, and behavioral data from app usage.
The value of first-party data has surged because it does not depend on third-party cookies. An email address is a persistent, cross-device identifier that the user voluntarily provided. Hashed email addresses can be matched across platforms (when users log in with the same email on different services), enabling targeted advertising without cookie-based tracking.
This shift advantages large platforms with extensive first-party data (Google, Facebook, Amazon) at the expense of smaller publishers who relied on third-party cookie data from advertising networks. The consolidation of advertising power among a few platforms is an ironic consequence of privacy-motivated cookie restrictions.
Login walls (requiring users to create an account or log in to access content) are a visible manifestation of this shift. News sites that previously offered free access now increasingly require email registration. The exchange is explicit: access to content in return for a persistent, first-party identifier.
Google's Privacy Sandbox
Google's Privacy Sandbox is a set of proposals designed to replace third-party cookies with privacy-preserving alternatives that still support advertising. The most prominent components include Topics API, Protected Audience API (formerly FLEDGE), and Attribution Reporting.
Topics API replaces interest-based targeting that previously relied on tracking cookies. The browser observes which websites you visit and classifies them into interest categories ("Sports," "Travel," "Technology"). When a website requests your interests for ad targeting, the browser provides a few recent topics without revealing which specific sites you visited. The taxonomy is coarse (currently about 470 topics) and the browser controls the selection, limiting what advertisers learn.
Protected Audience API moves the ad auction process into the browser. Instead of sending your data to an ad server and letting the server decide which ad to show you, the ad auction happens locally in your browser. Interest groups (remarketing lists, audience segments) are stored in the browser, and competing advertisers submit bids that the browser evaluates without exposing user data to third parties.
Attribution Reporting replaces cookie-based conversion tracking. Instead of a cookie linking the ad click to the purchase, the browser handles the attribution locally and reports aggregate conversion data to the advertiser with added noise and delay to prevent individual identification.
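The Topics API's privacy properties come from a few selection rules, and a small model of them shows what a caller can and cannot learn. The code below is an added example, not from the article or from Chrome's implementation; it follows the public Topics API explainer in outline: the browser keeps, per epoch, the topics of the sites it saw; it exposes at most one topic per epoch for the last three epochs; a caller only receives a topic if it was itself embedded on a site with that topic during that epoch; and with a small probability a random taxonomy topic is substituted. The site-to-topic table is a constructed toy taxonomy (the real one has about 470 entries and a classifier), the parameters `TOP_N`, `EPOCHS_RETURNED` and `RANDOM_RATE` are set to the explainer's values as assumptions, and the handling of the random topic with respect to the observation filter is this model's simplification.

```python
"""Simplified model of Topics API selection rules (added example)."""
import random
from collections import Counter, defaultdict

# Constructed toy taxonomy: hostname -> topic (not the real ~470-entry taxonomy or classifier)
SITE_TOPICS = {
    "trail-gear.example": "Sports/Hiking",
    "fares.example": "Travel",
    "gadgets.example": "Technology",
    "recipes.example": "Food",
    "finance-news.example": "Finance",
    "news.example": "News",
}
TAXONOMY = sorted(set(SITE_TOPICS.values()))
TOP_N = 5            # assumption: top topics kept per epoch
EPOCHS_RETURNED = 3  # assumption: epochs a caller may receive a topic from
RANDOM_RATE = 0.05   # assumption: chance an epoch's topic is a random taxonomy entry


class TopicsBrowser:
    def __init__(self, random_rate: float = RANDOM_RATE, seed: int = 0):
        self.visits = defaultdict(list)  # epoch -> [(site, caller embedded on that site)]
        self.random_rate = random_rate
        self.rng = random.Random(seed)
        self.choice = {}  # epoch -> (topic, was_random): fixed once so every caller sees the same pick

    def observe(self, epoch: int, site: str, caller: str) -> None:
        """Record that ad-tech origin `caller` was embedded on `site` during `epoch`."""
        self.visits[epoch].append((site, caller))

    def top_topics(self, epoch: int):
        """The user's most frequent topics this epoch; unclassified sites contribute nothing."""
        counts = Counter(SITE_TOPICS[s] for s, _ in self.visits.get(epoch, []) if s in SITE_TOPICS)
        return [t for t, _ in counts.most_common(TOP_N)]

    def _epoch_choice(self, epoch: int):
        if epoch not in self.choice:
            top = self.top_topics(epoch)
            if not top:
                self.choice[epoch] = None
            elif self.rng.random() < self.random_rate:
                self.choice[epoch] = (self.rng.choice(TAXONOMY), True)
            else:
                self.choice[epoch] = (self.rng.choice(top), False)
        return self.choice[epoch]

    def observed_topics(self, epoch: int, caller: str):
        """Topics of the sites on which this caller was present during the epoch."""
        return {SITE_TOPICS[s] for s, c in self.visits.get(epoch, []) if c == caller and s in SITE_TOPICS}

    def topics_for(self, caller: str, current_epoch: int):
        """What a browsingTopics() call by `caller` returns at the start of `current_epoch`."""
        out = []
        for epoch in range(current_epoch - EPOCHS_RETURNED, current_epoch):
            pick = self._epoch_choice(epoch)
            if pick is None:
                continue
            topic, was_random = pick
            # A genuine topic is released only to callers that observed the user on a site
            # with that topic; the random substitute bypasses the filter in this model
            # (assumption), giving callers deniability about any single returned topic.
            if was_random or topic in self.observed_topics(epoch, caller):
                out.append(topic)
        return out


if __name__ == "__main__":
    b = TopicsBrowser()
    for _ in range(3):
        b.observe(1, "trail-gear.example", "ads.example")
    b.observe(0, "recipes.example", "other-ads.example")
    print("ads.example sees:", b.topics_for("ads.example", 2))
    print("other-ads.example sees:", b.topics_for("other-ads.example", 2))
```

The observation filter is the important property for the comparison with cookies: a network that was never present on hiking sites cannot learn "Sports/Hiking" from the browser, whereas a third-party cookie would have handed it the full site list. The example leaves the random rate as a parameter so the deterministic behaviour can be checked with it set to zero.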
Privacy advocates have criticized the Privacy Sandbox as being designed to preserve Google's advertising dominance while appearing to improve privacy. The European Commission and UK's Competition and Markets Authority have both scrutinized the proposals for antitrust concerns.
Server-Side Tracking
Server-side tracking is another emerging approach that bypasses client-side cookie restrictions entirely. Instead of the user's browser communicating directly with third-party tracking domains (where cookies can be blocked), the website's own server collects behavioral data and forwards it to tracking platforms server-to-server.
From the browser's perspective, all communication is with the first-party domain. The browser cannot distinguish between a first-party API call that serves the website's functionality and one that forwards tracking data to Facebook or Google. Cookie blockers, ad blockers, and browser privacy features are effectively bypassed because they operate at the client level.
Facebook's Conversions API, Google's server-side tagging through Google Tag Manager, and similar platforms enable this approach. The website owner is responsible for ensuring GDPR consent before forwarding data, but the technical enforcement mechanisms that existed with client-side cookies (browser blocking, extension blocking) do not apply to server-side data flows.
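Because the browser can no longer see or block the server-to-server leg, the only place a control can sit is in the forwarder itself. The following is an added example of such a gate, not code from the article, from Facebook's Conversions API or from Google's server-side tagging: an event is forwarded only if the user's stored consent covers the purpose, only an allow-list of fields is copied, and a raw e-mail is replaced by a normalized SHA-256 hash, with every decision written to an audit log. The hash is still the persistent cross-platform identifier the first-party data section describes, so consent is the actual control and hashing is minimization only. Consent records, field names, and events are constructed sample data.

```python
"""Consent gate for a server-side tracking forwarder (added example)."""
import hashlib

# Constructed: first-party user id -> purposes the user accepted in the consent banner
CONSENT = {
    "user-42": {"analytics": True, "advertising": True},
    "user-77": {"analytics": True, "advertising": False},
}
# Data minimisation: only these fields may leave the first-party server
FORWARDED_FIELDS = {"event_name", "event_time", "value", "currency"}

AUDIT = []  # constructed in-memory audit log: (user, event, purpose, forwarded?)


def normalize_email(email: str) -> str:
    """Canonical form before hashing, so the same address hashes the same everywhere."""
    return email.strip().lower()


def hash_identifier(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_server_event(first_party_user: str, event: dict, purpose: str = "advertising"):
    """Return the server-to-server payload, or None when the event must not leave the first party."""
    consent = CONSENT.get(first_party_user, {})
    if not consent.get(purpose, False):
        return None  # unknown user, or purpose not accepted: drop rather than forward
    payload = {k: v for k, v in event.items() if k in FORWARDED_FIELDS}
    if "email" in event:
        # Hashed, not anonymous: the platform matches it to its own logged-in users
        payload["hashed_email"] = hash_identifier(normalize_email(event["email"]))
    return payload


def forward(first_party_user: str, event: dict, purpose: str = "advertising"):
    """Gate, record the decision, and hand back what would be POSTed to the platform."""
    payload = build_server_event(first_party_user, event, purpose)
    AUDIT.append((first_party_user, event.get("event_name"), purpose, payload is not None))
    return payload


if __name__ == "__main__":
    purchase = {"event_name": "Purchase", "event_time": 1700000000, "value": 49.9,
                "currency": "EUR", "email": " Alice@Example.com ", "ip": "203.0.113.9"}
    print(forward("user-42", purchase))
    print(forward("user-77", purchase))
    print(AUDIT)
```

The audit log is what a privacy review or a regulator asks for when the usual evidence (blocked requests visible in browser devtools) no longer exists; without it, a site owner has no way to show that the consent decision was actually honoured on the server side.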
Cookie Tracking vs Device Tracking Compared
The practical differences between cookie-based tracking and device fingerprinting/tracking have significant implications for users.
Visibility. Cookies are visible and manageable. You can inspect them, delete them, and configure your browser to block them. Device fingerprints are invisible - there is no browser interface that shows you your fingerprint or lets you modify it.
User control. Cookies can be deleted, blocked by category (first-party vs third-party), or restricted by domain. Fingerprints cannot be "deleted" because they are computed from device configuration. You can change your configuration (different browser, different fonts, different screen resolution), but this is impractical for most users.
Persistence. Cookies expire or can be cleared. Fingerprints persist as long as your device configuration remains stable. A fingerprint survives private browsing mode, cookie deletion, and browser data clearing.
Cross-browser tracking. Cookies are per-browser - a cookie set in Chrome is not visible in Firefox. Some fingerprinting attributes (installed fonts, screen resolution, GPU model) are consistent across browsers on the same device, enabling cross-browser tracking that cookies cannot achieve.
Regulation. GDPR and ePrivacy treat cookies explicitly, requiring consent for non-essential cookies. Fingerprinting falls under GDPR's general rules for processing personal data, but the consent mechanisms designed for cookies (consent banners) are less effective because fingerprinting does not require any storage on the user's device.
What Comes Next
The tracking ecosystem is in a period of active restructuring. Third-party cookies are disappearing, but the economic demand for cross-site tracking and user identification has not diminished. The industry is adapting through a combination of fingerprinting, first-party data strategies, server-side tracking, and new browser-level APIs.
For users, the practical situation is mixed. Browser-level privacy protections are stronger than ever, with all major browsers offering some form of tracking protection. But the shift to fingerprinting and server-side tracking makes some of these protections less effective than they appear.
The most effective individual actions remain using a privacy-focused browser (Brave, Firefox with strict settings, or Tor Browser for maximum protection), using a content blocker that removes tracking scripts (uBlock Origin remains the most effective), avoiding unnecessary logins that create first-party data linkages, and being skeptical of "free" services that monetize user data.
Privacy is a multi-layer challenge. Browser-level tracking is just one layer. Your devices also broadcast identifying signals at the wireless level through WiFi probe requests and BLE advertisements. The BLEShark Nano gives you visibility into this physical-layer tracking, helping you understand the full scope of how your devices can be identified and followed.