·Ian
consumerdata

Your Digital Footprint: What Companies Actually Know About You

Every time you browse a website, search for information, check social media, or shop online, you leave behind traces of data. This is your digital footprint - the comprehensive trail of information created by your online activity. Most people dramatically underestimate what companies know about them. It's not just the posts you share or the purchases you make; it's the websites you visit without logging in, the products you browse but don't buy, the location data your phone constantly broadcasts and the patterns in how you move your mouse across a screen. Companies, data brokers, advertisers and platforms collect, aggregate and analyse this information to build detailed profiles that reveal your interests, habits, financial situation, health concerns, political views and even predictions about your future behaviour. Understanding your digital footprint means recognising both the active data you intentionally share and the passive data collected automatically in the background - and knowing who's collecting it, how they're using it and what you can realistically do to protect yourself.

What Is a Digital Footprint? (Active vs Passive)

Your digital footprint is the trail of data you leave behind through every online interaction. It exists in two distinct forms: active and passive. Understanding this distinction is crucial because most people dramatically underestimate the volume of information collected without their knowledge.

Active footprints consist of data you intentionally share. When you post a photo on Instagram, fill out a contact form, create an account, write a product review, or enter your address at checkout, you're consciously providing information. These actions feel transparent because you're aware you're sharing something.

Passive footprints, by contrast, are created automatically without any deliberate action on your part. Every website you visit logs your IP address. Cookies track which pages you view and how long you stay. Your device broadcasts its operating system, screen resolution, browser version and installed fonts - details that combine to create a unique identifier. Location data is captured through GPS, Wi-Fi networks and cell towers. These traces accumulate silently in the background.

The passive footprint is vastly larger than the active one. While you might post on social media a few times a week, your browser makes dozens of background requests every time you load a webpage, each one potentially tracked by advertisers, analytics platforms and data brokers. A single visit to a news website can trigger data collection by 30 or more third parties you've never heard of.

Both types of footprints are aggregated by companies to build comprehensive profiles. Your active contributions provide demographic details, preferences and explicit interests. Your passive traces reveal browsing patterns, shopping behaviour, location history and device usage - often painting a more accurate picture of your habits than anything you'd voluntarily disclose.

Who Collects Your Data?

The data economy involves a complex network of collectors, each with different access points and motivations. Knowing who's gathering information helps you understand where your digital footprint actually goes.

Big Tech Companies

Google operates the world's dominant search engine, the Android mobile operating system, YouTube, Gmail, Chrome browser and Google Maps. This ecosystem provides visibility into search queries, video watching habits, email content, browsing history and real-world movements. Even if you don't use Google products directly, the company's analytics and advertising code appears on millions of websites, tracking visitors across the internet.

Meta (formerly Facebook) owns Facebook, Instagram, WhatsApp and Messenger. Beyond what you post and like, Meta tracks which external websites you visit through embedded Like buttons and the Facebook Pixel - a tracking script installed on millions of e-commerce sites. Meta can collect data about non-users through embedded tracking tools such as the Meta Pixel and social plugins, which may contribute to aggregated advertising datasets.

Amazon sees your purchase history, product searches, Alexa voice commands, Prime Video viewing and Kindle reading habits. The company also operates a massive advertising business that tracks shoppers across the web. Amazon Web Services hosts a large portion of the internet’s infrastructure, though AWS itself typically cannot access the data flowing through customer applications.

Apple, despite positioning itself as privacy-focused, still collects substantial data through iPhones, iPads, Macs, the App Store, Apple Pay and services like iCloud and Apple Maps. The difference lies more in how data is used (primarily to improve services rather than for advertising) than whether collection occurs.

Internet Service Providers

Your ISP - whether that's BT, Virgin Media, Sky, or another provider - can see every website you visit unless you're using encryption. They know which services you use, when you're online and can build detailed profiles of household internet usage. Some ISPs analyse or aggregate network data for operational, security, or marketing purposes, though direct sale of identifiable browsing histories is restricted in many jurisdictions. In the UK, ISPs are also required to retain certain browsing records for potential law enforcement access.

Data Brokers

Data brokers are companies most people have never heard of, yet they hold some of the most comprehensive profiles. Firms like Acxiom, Experian, Equifax, Oracle and dozens of smaller players collect information from public records, loyalty card programmes, online tracking, credit applications, warranty registrations and purchases from other data brokers. They aggregate these fragments into detailed consumer profiles that include estimated income, education level, political leanings, health interests, purchasing power and lifestyle categories.

These profiles are sold primarily to marketers, financial services companies and analytics platforms. You've likely never interacted with these brokers directly, yet they may hold hundreds of data points about you, compiled from sources you've long forgotten.

Advertisers and Third-Party Trackers

When you visit most websites, you're not just connecting to that site's server. Advertising networks, analytics platforms, social media widgets and marketing tools all load in the background. Google Analytics alone appears on over half of all websites globally. Facebook Pixel, DoubleClick, Criteo and countless other tracking services monitor your journey across the web, building profiles used for targeted advertising and audience segmentation.

The Websites and Apps You Use Directly

Every online retailer, news site, streaming service, banking app and social platform collects first-party data about how you use their service. This includes purchase history, content preferences, time spent on different sections, search queries within their site and interaction patterns. Many share this data with partners or subsidiaries and most reserve the right to use it for advertising purposes even if that's not their primary business.

How Do Companies Track You? (Mechanisms of Data Collection)

Understanding the technical methods behind tracking reveals why common privacy measures often fall short and why you might still see personalised ads even after taking protective steps.

Tracking Cookies

Cookies are small text files stored by your browser. First-party cookies are set by the website you're visiting and help with legitimate functions like keeping you logged in or remembering items in your shopping basket. Third-party cookies are set by external advertisers and analytics platforms embedded in the site. These follow you across different websites, building a profile of your browsing history.

When you visit a news article, third-party cookies from advertising networks note your visit. When you later browse a shopping site using the same ad network, those cookies recognise you and can serve ads related to articles you read earlier. This cross-site tracking is why products seem to "follow" you around the internet.

Blocking third-party cookies helps, but it's not comprehensive. Many trackers have developed workarounds and first-party cookies can still reveal substantial information about your behaviour on individual sites.

IP Addresses

Your IP address is assigned by your internet provider and reveals your approximate location (usually city-level), your ISP and sometimes your organisation if you're on a corporate or university network. Websites log IP addresses automatically with every connection. While IP addresses change periodically for most home users, they're stable enough to link activity over days or weeks and they can be combined with other data to identify individuals.

Browser Fingerprinting

Even without cookies, your browser reveals a surprising amount of identifying information. The combination of your browser version, operating system, screen resolution, installed fonts, language settings, timezone, graphics card and enabled plugins creates a unique "fingerprint" that can identify you across websites. Studies have shown that combinations of browser and device characteristics can uniquely identify many users, although the accuracy varies depending on browser protections and privacy tools.

This technique works even in private browsing mode and persists after clearing cookies. It's particularly difficult to defend against because the information is necessary for websites to display correctly - blocking these signals breaks functionality.
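Why clearing cookies or opening a private window does not reset a fingerprint, shown as an added example that is not part of the original article. All attribute values and cookie IDs are constructed, and the hashing scheme is an illustrative assumption rather than any tracker's real method; the last two visits use a browser that reports standardised values, which is how anti-fingerprinting protections make different users look alike.

```python
import hashlib
import json
from collections import defaultdict

# Attributes the section lists as exposed by the browser without any cookie.
FINGERPRINT_KEYS = ("browser", "os", "screen", "fonts", "language", "timezone", "gpu")


def fingerprint(attrs):
    """Derive a stable identifier from browser attributes alone."""
    values = [attrs.get(key) for key in FINGERPRINT_KEYS]
    canonical = json.dumps(values, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def link_visits(visits):
    """Group visits by fingerprint; each group lists the cookie IDs it carried."""
    groups = defaultdict(list)
    for visit in visits:
        groups[fingerprint(visit["attrs"])].append(visit["cookie"])
    return dict(groups)


# Constructed sample data (not real measurements).
ORDINARY = {
    "browser": "Firefox 128", "os": "Windows 11", "screen": "2560x1440",
    "fonts": ["Arial", "Calibri", "Fira Code", "Segoe UI"],
    "language": "en-GB", "timezone": "Europe/London", "gpu": "NVIDIA RTX 3060",
}
STANDARDISED = {
    "browser": "Firefox 128", "os": "Windows 10", "screen": "1400x900",
    "fonts": ["Arial"], "language": "en-US", "timezone": "UTC", "gpu": "generic",
}

VISITS = [
    {"note": "person A, first visit", "cookie": "c-1001", "attrs": ORDINARY},
    {"note": "person A, after clearing cookies", "cookie": "c-2002", "attrs": ORDINARY},
    {"note": "person A, private window (fresh cookie jar)", "cookie": "c-3003", "attrs": ORDINARY},
    {"note": "person B, standardised browser", "cookie": "c-4004", "attrs": STANDARDISED},
    {"note": "person C, standardised browser", "cookie": "c-5005", "attrs": STANDARDISED},
]

if __name__ == "__main__":
    for fp, cookies in link_visits(VISITS).items():
        # Person A's three cookie IDs collapse onto one fingerprint, so the
        # cookie resets changed nothing. Persons B and C also share one
        # fingerprint, but there it protects them: the site cannot tell
        # whether it saw two people or one person who cleared cookies.
        print(fp, cookies)
```
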

Tracking Pixels and Scripts

Tracking pixels are invisible 1x1 pixel images embedded in webpages and emails. When your browser loads the pixel, it sends information back to the tracking server, including when you opened an email, which device you used and your approximate location. Marketing emails are filled with these pixels to measure engagement.
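A reader-side check for the pixels described above, as an added example that is not part of the original article: it scans an email's HTML for remote images that are 0-1 px in size or hidden by CSS. The hostnames and the sample message are constructed, and the size and visibility heuristics are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Heuristics (assumptions of this example): an image is suspicious when it is
# fetched from a remote server and is either 0-1 px in size or hidden by CSS.
_TINY_ATTR = re.compile(r"[01](px)?")
_TINY_STYLE = re.compile(r"(?:^|;)\s*(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = {name: (value or "").strip() for name, value in attrs}
        url = urlsplit(attr.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images are embedded; loading them contacts no server
        style = attr.get("style", "")
        reasons = []
        if any(_TINY_ATTR.fullmatch(attr.get(dim, "").lower()) for dim in ("width", "height")):
            reasons.append("tiny dimensions")
        if _TINY_STYLE.search(style):
            reasons.append("tiny via style")
        if _HIDDEN_STYLE.search(style):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append({
                "host": url.hostname,
                "reasons": reasons,
                # Parameter names only: the values are per-recipient identifiers.
                "params": sorted(parse_qs(url.query, keep_blank_values=True)),
            })


def find_tracking_pixels(html):
    """Return one finding per remote image that looks like a tracking pixel."""
    finder = _PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample message: a visible logo, two pixels, one embedded image.
SAMPLE_EMAIL = """
<html><body>
<img src="https://static.shop.example/logo.png" width="200" height="60" alt="Shop">
<p>Your order has shipped.</p>
<img src="https://track.mailer.example/open.gif?uid=8f3a2c&amp;campaign=spring"
     width="1" height="1" alt="">
<img src="https://metrics.example/o?m=42" style="width:1px; height:1px; display:none">
<img src="cid:footer-image" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_EMAIL):
        print(finding["host"], finding["reasons"], finding["params"])
```

Mail clients that block remote images by default prevent exactly the requests this flags, which is why the embedded `cid:` image is ignored.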

Tracking scripts are snippets of code that run in your browser, collecting far more data than simple pixels. Some analytics and behavioural tools can record interaction patterns such as scrolling, clicks, or cursor movement to understand how users interact with pages. This behavioural data helps companies optimise their sites and target advertising.

Mobile Device IDs

Smartphones use advertising identifiers - IDFA (Identifier for Advertisers) on iOS and AAID (Google Advertising ID) on Android. These unique codes allow apps to track your behaviour across different applications and link it to your web browsing. When you use a retailer's app, play a mobile game, or check social media, these IDs enable cross-app tracking similar to third-party cookies on the web.

While both Apple and Google now offer ways to limit this tracking, many users don't know these settings exist and even with restrictions enabled, apps can still collect substantial data through other means.

Login-Based Tracking

When you use "Sign in with Google" or "Continue with Facebook" on external websites, you're granting those platforms visibility into your activity on that site. This is far more reliable than cookie-based tracking because it's tied to your authenticated identity. Google and Facebook can see which sites you log into, when you visit and often what you do there, creating a detailed map of your online activity.

Location Tracking

Your smartphone constantly collects location data through GPS, nearby Wi-Fi networks (even if you're not connected) and cell tower triangulation. Apps request location permission for various reasons - navigation, weather, local search - but once granted, they can track your movements continuously. This data reveals where you live and work, which shops you visit, how long you stay and patterns in your daily routine.

Location data is particularly valuable because it connects your digital footprint to the physical world, enabling targeted advertising based on real-world behaviour and allowing companies to infer demographics from the neighbourhoods you frequent.

What Specific Data Do Companies Actually Collect?

The breadth and granularity of data collection often surprises people who assume companies only know what they've explicitly shared. Here's what's actually captured:

Browsing and Search History

Every search query, every website visited, every link clicked, how long you stayed on each page, which articles you read completely versus which you abandoned, what time of day you browse and which device you used. Search engines and ISPs have the most complete view, but advertising networks and analytics platforms see substantial portions of your browsing across the sites where they're installed.

Location and Movement Data

Current location, location history over time, frequently visited places, home and work addresses (inferred from patterns), travel routes, how long you stayed at various locations, which shops and businesses you visit and how often you return. This data comes from smartphones, connected cars, fitness trackers and any app or service that requests location permission.

Device and Technical Information

Device type and model, operating system version, browser type and version, screen resolution, installed apps, installed fonts, language and timezone settings, battery level, storage capacity, network connection type (Wi-Fi vs mobile data), IP address and unique device identifiers. This information helps create browser fingerprints and enables cross-device tracking.

Personal Identifiers and Demographics

Name, email address, phone number, postal address, date of birth, gender, profile photos and often inferred characteristics like estimated income, education level, homeownership status, marital status and presence of children. Some of this you provide directly when creating accounts; the rest is inferred from your behaviour and purchased from data brokers.

Social Media Activity

Everything you post, like, share, or comment on, but also who you're connected to, whose profiles you view, which posts you read even without engaging, how long you watch videos, which ads you interact with, groups you join, events you respond to and private messages (which platforms claim they don't read for advertising but do analyse for other purposes like content moderation).

Purchase and Financial Behaviour

What you buy, how much you spend, how often you shop, which brands you prefer, whether you use coupons or wait for sales, your price sensitivity, abandoned shopping carts, saved items, browsing-to-purchase conversion rates, payment methods used and creditworthiness (from data brokers and credit reference agencies). Financial apps and buy-now-pay-later services see detailed transaction histories that reveal lifestyle patterns.

Content Consumption Patterns

Which shows and films you watch, which articles and books you read, which podcasts you listen to, how much of each piece of content you consume, when you pause or rewind, what you search for within streaming services and which recommendations you follow. Streaming platforms use this to refine algorithms, but they also create detailed taste profiles that have commercial value.

Communication Metadata

Who you contact, how often, when, through which platforms and the length of conversations - even if the content itself isn't analysed for advertising. Email providers may analyse message content or metadata to power features such as spam detection, smart replies, or automated calendar events.

Health and Fitness Data

Step counts, exercise routines, heart rate, sleep patterns, menstrual cycles, weight, calorie intake and health conditions disclosed to apps or inferred from searches and purchases. This data is particularly sensitive but increasingly collected by fitness trackers, health apps and even inferred by data brokers from pharmacy purchases and insurance applications.

What Companies Do With Your Data (And Why They Want It)

Data collection serves multiple business purposes, ranging from genuinely useful services to practices many users would consider invasive if they fully understood them.

Targeted Advertising

This is the primary monetisation model for most free online services. Your data enables advertisers to show you products and services based on your demographics, interests, browsing history and predicted likelihood to purchase. A parent searching for children's toys will see different ads than a young professional researching luxury holidays. This targeting dramatically increases advertising effectiveness, which is why your data is so valuable - it transforms generic ads into personalised sales pitches.

Profiling and Segmentation

Companies group users into categories like "affluent suburban families," "budget-conscious millennials," or "health-conscious seniors." These profiles combine your behaviour with data purchased from brokers to predict your income, lifestyle, political views and purchasing power. Retailers use these profiles to decide which promotions or offers to show you and even which customer service tier you receive.

Personalisation and Recommendations

Streaming services suggest content you might enjoy, e-commerce sites show products related to your interests and news sites highlight articles matching your reading patterns. This personalisation improves user experience when done well, but it also creates filter bubbles where you primarily see content that reinforces existing preferences, limiting exposure to diverse perspectives.

Product Development and Optimisation

Companies analyse how you use their services to identify which features are popular, where users get confused and what improvements might increase engagement or sales. A/B testing shows different versions of a webpage to different users to determine which design converts better. While this can genuinely improve products, it also optimises for company goals (more time spent, more purchases) rather than necessarily what's best for users.

Data Resale

Data brokers and some platforms sell or license data to third parties. This might be "anonymised" aggregate statistics, or it might be detailed individual profiles sold to marketers, insurers, employers, or financial services companies. Once data enters the broker ecosystem, it changes hands multiple times, with each transaction moving it further from your control and often your awareness.

Fraud Prevention and Security

Legitimate uses include detecting unusual account activity, preventing payment fraud, identifying bot traffic and protecting against account takeovers. Banks monitor transaction patterns to flag potential fraud. This surveillance can protect you, but it also means your behaviour is constantly analysed and judged against algorithmic norms.

Customer Service and Support

When you contact support, representatives can see your account history, previous interactions and usage patterns, enabling more personalised help. This improves efficiency but also means companies retain detailed records of every support conversation and complaint.

Privacy Risks: What Can Go Wrong

The accumulation of detailed personal data creates vulnerabilities that extend beyond targeted advertising.

Identity Theft and Financial Fraud

Data breaches regularly expose millions of records containing names, addresses, dates of birth, email addresses, passwords and sometimes payment details or national insurance numbers. Criminals use this information to open fraudulent accounts, apply for credit, or impersonate victims. The more data points available, the easier it becomes to convincingly impersonate someone or answer security questions.

Loss of Anonymity

Even "anonymised" data can often be re-identified by combining it with other datasets. Researchers have repeatedly demonstrated that knowing just a few data points - postcode, birth date and gender, for instance - is enough to uniquely identify most people. Your digital footprint makes true anonymity nearly impossible; someone with access to sufficient data can piece together your identity from supposedly anonymous browsing patterns.
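How a data holder can measure this risk before releasing a dataset, as an added example that is not part of the original article: it counts how many records are unique on postcode, birth date and gender, then repeats the count after coarsening those fields. The records and postcodes are constructed, and the function names are this example's own.

```python
from collections import Counter

# Constructed "anonymised" release: names removed, quasi-identifiers kept.
# Fields: postcode, date of birth, gender, sensitive attribute.
RECORDS = [
    ("ZZ1 1AA", "1985-03-14", "F", "asthma"),
    ("ZZ1 2AB", "1985-07-02", "F", "diabetes"),
    ("ZZ1 1AA", "1985-11-30", "F", "none"),
    ("ZY2 4BT", "1990-01-09", "M", "none"),
    ("ZY2 5QA", "1990-06-21", "M", "hypertension"),
    ("ZY2 4BT", "1990-12-01", "M", "asthma"),
    ("ZX3 1YZ", "1972-05-05", "F", "none"),
    ("ZX3 3AB", "1972-09-17", "F", "migraine"),
    ("ZX3 2NG", "1958-02-11", "M", "arthritis"),
]


def exact_key(record):
    """Quasi-identifiers exactly as released: full postcode, full birth date, gender."""
    postcode, dob, gender, _ = record
    return (postcode, dob, gender)


def generalised_key(record):
    """Coarsened quasi-identifiers: outward postcode, birth year, gender."""
    postcode, dob, gender, _ = record
    return (postcode.split()[0], dob[:4], gender)


def anonymity_report(records, key):
    """k is the smallest group sharing one key; k == 1 means someone is unique."""
    sizes = Counter(key(r) for r in records)
    unique = sum(1 for r in records if sizes[key(r)] == 1)
    return {"k": min(sizes.values()), "unique_records": unique, "groups": len(sizes)}


def records_to_suppress(records, key, k):
    """Records whose group is smaller than k and should be withheld or coarsened further."""
    sizes = Counter(key(r) for r in records)
    return [r for r in records if sizes[key(r)] < k]


if __name__ == "__main__":
    # Every record is unique on the exact fields, so removing names achieved nothing.
    print("exact:      ", anonymity_report(RECORDS, exact_key))
    # Coarsening helps, but one outlier is still alone in its group.
    print("generalised:", anonymity_report(RECORDS, generalised_key))
    outliers = records_to_suppress(RECORDS, generalised_key, k=2)
    kept = [r for r in RECORDS if r not in outliers]
    print("suppressed: ", outliers)
    print("after:      ", anonymity_report(kept, generalised_key))
```
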

Discrimination and Bias

Algorithms trained on personal data can perpetuate or amplify discrimination. People in certain postcodes might see different prices, job advertisements, or credit offers based on demographic profiling. Insurance companies use data to assess risk, potentially penalising individuals based on correlations rather than their actual behaviour. These systems operate invisibly, making discrimination difficult to detect or challenge.

Manipulation and Exploitation

Detailed psychological profiles enable sophisticated manipulation. Political campaigns use data to identify persuadable voters and target them with tailored messages. Gambling companies identify vulnerable individuals showing addictive patterns. Retailers use urgency tactics ("only 2 left in stock!") most aggressively on users identified as impulsive buyers. The more companies know about your psychology and vulnerabilities, the better they can exploit them.

Permanent Records and Context Collapse

Your digital footprint is persistent. Comments made years ago, photos from different life stages and searches reflecting temporary interests remain in databases indefinitely. Context collapses when information from one sphere (a joke among friends) becomes visible in another (a job application). Old data can resurface to haunt you in contexts you never anticipated.

Unauthorised Sharing and Secondary Use

Data collected for one purpose often gets used for others without explicit consent. A retailer's loyalty card data might be sold to insurance companies assessing health risks based on grocery purchases. App developers share data with dozens of third-party SDKs embedded in their software. Each transfer multiplies privacy risks and moves data further from your control.

How Effective Are Common Privacy Protections?

Many recommended privacy tools offer partial protection at best. Understanding their limitations prevents false confidence.

Incognito or Private Browsing Mode

Private browsing prevents your browser from saving history, cookies and form data locally on your device. That's useful if you share a computer, but it doesn't stop websites, advertisers, or your ISP from tracking you. Your IP address is still visible, browser fingerprinting still works and if you log into any account, that platform can track your activity. Private mode makes you invisible to other users of your device - not to the internet.

Clearing Cookies and Cache

This removes tracking cookies stored on your device, forcing trackers to start fresh. However, browser fingerprinting and IP address tracking continue regardless. If you log back into services, your new session gets linked to your account anyway. Clearing cookies regularly provides marginal benefit but isn't comprehensive protection.

VPNs (Virtual Private Networks)

VPNs hide your IP address from websites and encrypt traffic so your ISP can't see which sites you visit. This provides genuine privacy benefits, particularly on public Wi-Fi. However, the VPN provider itself can see your traffic, so you're shifting trust rather than eliminating it. VPNs don't stop browser fingerprinting, social media tracking, or data collection by sites where you have accounts. They're useful as one layer of protection but not a complete solution.

Ad Blockers and Tracking Blockers

These browser extensions block many third-party trackers, advertising scripts and analytics platforms, significantly reducing passive data collection. They're among the most effective tools available. However, they can break website functionality, some sites detect and block users with ad blockers and determined trackers continuously develop workarounds. First-party tracking and data collection by services you actively use continues unimpeded.

Privacy-Focused Browsers and Search Engines

Browsers like Brave or Firefox with strict privacy settings, and search engines like DuckDuckGo, reduce tracking compared to Chrome and Google. They block many trackers by default and don't build advertising profiles. This meaningfully improves privacy, but you're still visible to the sites you visit, any services where you have accounts and your ISP (unless you also use a VPN). They're a solid foundation but not complete protection.

Adjusting Privacy Settings on Social Media and Services

Platforms offer settings to limit data sharing with third parties, reduce ad personalisation and control who sees your posts. These help at the margins but don't fundamentally change the platform's data collection. Facebook still tracks your activity across its apps even with privacy settings maximised. The platform's business model requires data collection; settings just adjust some boundaries.

Opting Out of Data Broker Listings

Many data brokers offer opt-out mechanisms where you can request removal from their databases. This works for specific brokers you contact, but there are hundreds of data brokers, new ones emerge constantly and your data reappears as they purchase new datasets. Opting out is worthwhile but requires ongoing effort and never achieves complete removal.

The Reality: Layers, Not Solutions

No single tool eliminates your digital footprint. Effective privacy requires combining multiple approaches - ad blockers, privacy-focused browsers, VPNs, careful account management and regular opt-outs - while accepting that some tracking remains inevitable if you want to use modern internet services. The goal is reducing your footprint to a manageable level, not achieving perfect invisibility.

How to Take Control: Practical Steps to Protect Your Privacy

Reducing your digital footprint requires ongoing effort, but these steps provide meaningful protection without requiring technical expertise.

Step 1: Audit Your Accounts and Delete What You Don't Use

Old accounts you've forgotten about continue collecting data and present security risks if breached. Use a service like JustDeleteMe to find deletion instructions for common platforms. Search your email for account creation confirmations to identify forgotten registrations. Deleting unused accounts eliminates data collection points and reduces your attack surface.

Step 2: Review and Restrict App Permissions

Check which apps have access to your location, contacts, camera, microphone and photos. On iPhone, go to Settings > Privacy & Security. On Android, Settings > Privacy > Permission Manager. Revoke permissions that aren't essential for the app's core function. A weather app doesn't need your contacts; a photo editing app doesn't need constant location access.

Step 3: Install a Content Blocker or Privacy-Focused Browser

Use browser extensions like uBlock Origin (blocks ads and trackers) or Privacy Badger (learns to block trackers over time). Alternatively, switch to Firefox with Enhanced Tracking Protection enabled, or Brave, which blocks trackers by default. This single step eliminates a substantial portion of third-party tracking.

Step 4: Switch to a Privacy-Respecting Search Engine

Replace Google with DuckDuckGo or Startpage for searches. These don't track your queries or build advertising profiles. The search quality is comparable for most everyday queries and you can always fall back to Google for specific searches where you need its particular strengths.

Step 5: Adjust Social Media Privacy Settings

On Facebook, go to Settings & Privacy > Settings > Privacy to control who sees your posts and profile information. Check Settings & Privacy > Settings > Your Facebook Information > Off-Facebook Activity to see and limit tracking from external websites. On Instagram, Settings > Privacy. On Google, visit myactivity.google.com to see and delete tracked activity and myaccount.google.com/data-and-privacy to adjust what's collected. These settings don't stop all tracking but reduce unnecessary data sharing.

Step 6: Opt Out of Data Broker Databases

Start with major brokers: Acxiom (acxiom.com/about-acxiom/privacy), Experian (experian.com/privacy), Oracle (oracle.com/legal/privacy/marketing-cloud-data-cloud-privacy-policy.html - look for opt-out links). Services like Privacy.com or DeleteMe automate this process for a fee. Expect this to be ongoing; you'll need to repeat opt-outs periodically.

Step 7: Use a VPN on Public Wi-Fi

Public networks in coffee shops, hotels and airports are particularly vulnerable to snooping. A VPN encrypts your traffic, preventing others on the network from seeing your activity. Choose a reputable provider with a clear no-logging policy, such as Mullvad, ProtonVPN, or IVPN. Avoid free VPNs, which often monetise by selling your data.

Step 8: Enable Two-Factor Authentication

While this doesn't reduce data collection, it protects your accounts from unauthorised access, preventing others from accessing your data or impersonating you. Use authenticator apps (Google Authenticator, Authy) rather than SMS when possible, as text messages can be intercepted.

Step 9: Review and Minimise Location Tracking

On iPhone: Settings > Privacy & Security > Location Services - set most apps to "While Using" or "Never" rather than "Always." On Android: Settings > Location > App permissions. Turn off Google Location History at myactivity.google.com/activitycontrols. Disable location history on your smartphone to prevent the creation of a detailed movement database.

Step 10: Be Selective About What You Share

Before posting, purchasing, or signing up, consider whether the convenience or benefit justifies expanding your digital footprint. Use temporary email addresses (services like SimpleLogin or Firefox Relay) for signups you don't trust. Provide minimal information in forms - many "required" fields aren't actually mandatory. The less you share actively, the less exists to be tracked, breached, or misused.

Your Legal Rights and Regulatory Protections

Privacy regulations provide some control over your data, though effectiveness varies by jurisdiction and enforcement.

UK GDPR and Data Protection Act 2018

If you're in the UK, you have several rights under data protection law. You can request access to personal data a company holds about you (subject access request). You can request deletion of your data in certain circumstances, such as when it's no longer necessary for the purpose it was collected. You can object to processing for direct marketing and companies must stop. You can request correction of inaccurate data. You have the right to data portability - receiving your data in a usable format to transfer to another service.

Companies must have a lawful basis for processing your data (consent, contract, legitimate interest, or legal obligation) and they must explain what they collect and why in privacy policies. The Information Commissioner's Office (ICO) enforces these rules and can fine companies up to £17.5 million or 4% of global turnover for serious violations.

EU GDPR

The EU's General Data Protection Regulation provides similar rights to UK GDPR, often with more aggressive enforcement. Large fines against companies like Meta, Google and Amazon demonstrate that regulators are willing to penalise violations, though critics argue enforcement remains inconsistent and penalties insufficient to change behaviour at large platforms.

California Consumer Privacy Act (CCPA) and Other US State Laws

California residents have rights to know what data is collected, request deletion and opt out of data sales. Several other US states have passed similar laws. However, US privacy protection remains weaker than European standards, with no comprehensive federal privacy law and significant exemptions for many types of data collection.

Marketing Preferences and Opt-Outs

In the UK, you can register with the Telephone Preference Service (TPS) to reduce unsolicited sales calls and the Mail Preference Service (MPS) to reduce junk mail. Marketing emails must include an unsubscribe link. The Your Online Choices website (youronlinechoices.com) provides opt-outs for behavioural advertising from many participating companies.

The Limitations of Legal Protections

While these rights exist on paper, exercising them requires effort. Privacy policies are deliberately complex and vague. Companies often make deletion difficult, requiring multiple steps or ignoring requests. Enforcement is inconsistent and many data brokers and smaller players operate with little regulatory scrutiny. Legal protections provide a foundation, but they're not self-executing - you must actively assert your rights and often persist when companies resist.

Real-World Cases: When Data Collection Goes Wrong

High-profile incidents illustrate the consequences when data collection lacks adequate safeguards.

Cambridge Analytica and Facebook

In 2018, it emerged that political consulting firm Cambridge Analytica had harvested personal data from 87 million Facebook users without explicit consent. The data came from a personality quiz app that collected information not just from quiz-takers but also from their entire friend networks. Cambridge Analytica used this data to build psychological profiles for political targeting during the 2016 US presidential election and the Brexit referendum.

The scandal revealed how third-party apps could access vast amounts of Facebook data, how that data could be repurposed for uses never disclosed to users and how platform policies failed to prevent misuse. Facebook faced widespread criticism, regulatory investigations and a £500,000 fine from the ICO (the maximum possible under pre-GDPR rules). The incident fundamentally shifted public awareness about data collection practices and platform responsibility.

Google Location Tracking Deception

In 2018, an Associated Press investigation revealed that Google continued tracking and storing location data even when users had turned off "Location History" in their settings. A separate setting called "Web & App Activity" also collected location data, but this wasn't clear to users. Google's interface made users believe they had disabled location tracking when they hadn't.

This led to regulatory action in multiple jurisdictions. In 2022, Google agreed to pay $391.5 million to settle with 40 US states over deceptive location tracking practices. The case highlighted how privacy settings can be deliberately confusing, how companies use dark patterns to encourage data sharing and how even explicit user choices are sometimes ignored.

Data Broker Exposures

In 2021, a database containing 3.2 billion records from data broker Experian was found exposed online, including names, addresses, phone numbers and credit scores. Similar breaches have affected other brokers. These incidents reveal the vast scale of data aggregation - billions of detailed records held by companies most people have never heard of - and the security risks inherent in centralising so much personal information.

NHS Data Sharing Controversy

In 2021, NHS England planned to share GP records with third parties for research and planning purposes. The scheme faced backlash over inadequate communication about what data would be shared, with whom and for what purposes. Concerns about data being used by private companies or insurance firms led to the programme being paused. The controversy demonstrated public sensitivity about health data and the importance of transparency and genuine consent for data sharing, even when intended for beneficial purposes.

TikTok and National Security Concerns

TikTok, owned by Chinese company ByteDance, has faced scrutiny over what data it collects and whether the Chinese government could access information about Western users. Investigations revealed the app collected extensive data including location, device identifiers, browsing history and biometric information from face scans. While TikTok maintains that Chinese authorities don't have access, the case illustrates geopolitical dimensions of data collection and concerns about surveillance beyond commercial purposes.

Emerging Tracking Technologies: The Post-Cookie Landscape

As third-party cookies face deprecation, the advertising industry is developing new tracking methods that may prove harder to detect and control.

Server-Side Tracking

Rather than running tracking scripts in your browser where they can be blocked, companies are moving tracking logic to their own servers. Your browser communicates only with the website's server, which then forwards data to advertisers and analytics platforms in the background. This makes tracking invisible to browser-based blockers and gives websites more control over what data is shared and when.

First-Party Data Collection and Identity Graphs

Companies are investing heavily in collecting data directly from users through accounts, loyalty programmes and email signups. This "first-party data" isn't affected by cookie restrictions. They then build "identity graphs" linking your email address, phone number and other identifiers across different contexts, creating persistent profiles that don't rely on cookies.

Probabilistic Matching and Fingerprinting

Rather than using persistent identifiers like cookies, probabilistic matching uses patterns in behaviour, device characteristics and timing to infer that multiple anonymous sessions belong to the same person. Machine learning analyses hundreds of signals - browsing patterns, typing speed, mouse movements, screen orientation changes on mobile - to identify individuals with high confidence even without explicit identifiers.
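
To see why a handful of ordinary device characteristics is enough to single someone out, the following added example (not part of the original article) measures how identifying one browser's configuration is within a small constructed population. The attribute names, the sample rows and the helper functions are all assumptions made for illustration.

```python
import math

# Constructed population: attributes eight browsers expose with no cookie set.
ATTRS = ("ua", "screen", "tz", "fonts")
ROWS = [
    ("Chrome/Windows", "1920x1080", "Europe/London", "standard"),
    ("Chrome/Windows", "1920x1080", "Europe/London", "standard"),
    ("Chrome/Windows", "1920x1080", "Europe/London", "standard+design-suite"),
    ("Chrome/Windows", "1366x768", "Europe/London", "standard"),
    ("Safari/macOS", "2560x1440", "Europe/London", "standard"),
    ("Safari/macOS", "2560x1440", "Europe/Berlin", "standard"),
    ("Firefox/Linux", "1920x1080", "Europe/London", "standard"),
    ("Chrome/Windows", "1920x1080", "Europe/Berlin", "standard"),
]
POPULATION = [dict(zip(ATTRS, row)) for row in ROWS]
ME = POPULATION[2]  # the one visitor with an extra font pack installed


def anonymity_set(population, target, attrs):
    """How many visitors share target's values for the given attributes."""
    key = tuple(target[a] for a in attrs)
    return sum(1 for v in population if tuple(v[a] for a in attrs) == key)


def surprisal_bits(population, target, attrs):
    """Identifying information, in bits, carried by target's values for attrs."""
    return -math.log2(anonymity_set(population, target, attrs) / len(population))


def most_identifying(population, target, attrs=ATTRS):
    """Attribute whose normalisation (removal) enlarges the anonymity set most."""
    best = None
    for a in attrs:
        rest = tuple(x for x in attrs if x != a)
        size = anonymity_set(population, target, rest)
        if best is None or size > best[1]:
            best = (a, size)
    return best


if __name__ == "__main__":
    for a in ATTRS:
        print(a, round(surprisal_bits(POPULATION, ME, (a,)), 3), "bits")
    print("combined set size:", anonymity_set(POPULATION, ME, ATTRS))
    print("normalise first:", most_identifying(POPULATION, ME))
```

In this sample no single common attribute identifies the visitor, but the combination does, and the rare font list is the setting worth normalising first.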

CNAME Cloaking

This technique disguises third-party trackers as first-party by routing their requests through the website's own domain. Your browser thinks it's communicating with the site you're visiting, so it doesn't block the tracker as third-party. While browsers are developing countermeasures, this cat-and-mouse game demonstrates the industry's determination to maintain tracking capabilities.
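
Cloaking of this kind relies on a DNS CNAME record that points a subdomain of the site at the tracker's servers, so a defender can uncover it by following the CNAME chain rather than trusting the hostname. The added example below (not from the original article) does this over constructed DNS records; the hostnames, the tracker list and the two-label domain rule are assumptions.

```python
# Constructed DNS data for illustration: hostname -> CNAME target.
# A name with no entry is where the chain ends (an A/AAAA record).
CNAME_RECORDS = {
    "static.shop.example": "shop.cdn-host.example",
    "metrics.shop.example": "shop-example.t.tracker-net.example",
    "shop-example.t.tracker-net.example": "lb7.tracker-net.example",
}
# Assumed blocklist of tracker-owned registrable domains (hypothetical).
TRACKER_DOMAINS = {"tracker-net.example"}
# Constructed list of hosts a page on www.shop.example requested.
REQUESTS = ["www.shop.example", "static.shop.example",
            "metrics.shop.example", "ads.tracker-net.example"]


def registrable(host):
    """Last two labels. Simplification: real code needs the Public Suffix List."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def resolve_chain(host, records, max_hops=8):
    """Follow CNAMEs from host; stop at the chain's end, a loop, or max_hops."""
    chain = [host.rstrip(".").lower()]
    while len(chain) <= max_hops:
        target = records.get(chain[-1])
        if target is None:
            break
        target = target.rstrip(".").lower()
        if target in chain:  # CNAME loop: stop instead of spinning
            break
        chain.append(target)
    return chain


def find_cloaked(page_host, request_hosts, records, trackers):
    """Map each first-party-looking host to the tracker domain its chain reaches."""
    site = registrable(page_host)
    cloaked = {}
    for host in request_hosts:
        if registrable(host) != site:
            continue  # openly third-party: name-based blocking already sees it
        for hop in resolve_chain(host, records)[1:]:
            if registrable(hop) in trackers:
                cloaked[host] = registrable(hop)
                break
    return cloaked


if __name__ == "__main__":
    print(find_cloaked("www.shop.example", REQUESTS, CNAME_RECORDS, TRACKER_DOMAINS))
```

The CDN alias on `static.shop.example` is deliberately left unflagged: a CNAME to another company is common and legitimate, which is why the check compares against a tracker list instead of flagging every external target.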

Cross-Device Tracking and Identity Resolution

Companies link your smartphone, laptop, tablet, smart TV and other devices into a unified profile. This happens through shared login credentials, matching IP addresses and location data, probabilistic analysis of usage patterns and data purchased from brokers who specialise in cross-device identity resolution. The result is that your digital footprint spans all your devices, making it harder to compartmentalise your online activity.

These evolving techniques mean that privacy protection is an ongoing challenge. Methods that work today may become less effective as tracking technology advances, requiring continued attention and adaptation of protective measures.

The Reality Check: What Companies Actually Know About You

Synthesising everything covered, here's an honest assessment of what major companies likely know about a typical internet user who hasn't taken extensive privacy precautions.

Google probably knows your search history going back years, revealing health concerns, financial questions, relationship issues, political interests and shopping intentions. If you use Gmail, it has analysed your emails for context (even if not for ads). If you use Android or Google Maps, it has a detailed location history showing where you live and work, which shops and restaurants you frequent and your travel patterns. YouTube watch history reveals entertainment preferences and how you spend free time. Chrome browsing history (if synced) provides a comprehensive view of your web activity.

Meta knows who your friends and family are, what you post and like, which groups you join, which events you attend and, increasingly, what you do outside its platforms through tracking pixels on millions of websites. It can infer your political views, relationship status, major life events and shopping interests. Even if you don't have a Facebook account, the company likely has a "shadow profile" built from contact lists uploaded by others and tracking across external websites.

Amazon has a complete record of what you've purchased, what you've browsed but not bought, which reviews you've read, which products you've compared and your price sensitivity. If you use Alexa, it has voice recordings and transcripts of your commands and conversations. Prime Video reveals viewing preferences. The company can build a detailed profile of your household composition, lifestyle and interests from purchase patterns alone.

Your mobile network and ISP can see which websites you visit (unless encrypted), when you're online, how much data you use and your location whenever your phone is on. They know your home address, payment information and can infer household composition from usage patterns.

Data brokers have aggregated information from public records (property ownership, voter registration, court records), credit applications, loyalty card purchases, online tracking and data purchased from other brokers. They've likely categorised you into demographic and lifestyle segments, estimated your income and net worth and compiled lists of your interests, life events and purchasing patterns. This information is available for purchase by marketers, employers, insurers and others.

Retailers and service providers you use directly know your purchase history, browsing behaviour on their sites, which emails you open, which promotions you respond to and your customer service interactions. Many share this data with advertising partners or parent companies.

Combined, these sources create a remarkably detailed and accurate picture of your life: where you live and work, your income level and financial situation, your political views and values, your health concerns and conditions, your relationship status and family composition, your interests and hobbies, your daily routines and habits, your shopping preferences and price sensitivity, your travel patterns, your entertainment preferences, your social connections and, increasingly, predictions about your future behaviour - what you're likely to buy, how you'll vote, whether you're a credit risk and even early indicators of life changes like pregnancy or job loss.

For most people, this profile is more accurate and comprehensive than what they'd willingly disclose to a stranger, yet it's distributed across dozens of companies, many of whom you've never directly interacted with.

Frequently Asked Questions

Can you completely erase your digital footprint?

No, you cannot completely erase your digital footprint once it's been created. Data has typically been copied to multiple databases, sold to data brokers, archived by third parties and cached across the internet. You can significantly reduce your footprint by deleting accounts, requesting data removal from brokers and using privacy tools going forward, but traces will remain. The most effective approach is minimising future data creation rather than attempting complete erasure of the past.

Does incognito mode stop companies from tracking you?

No, incognito or private browsing mode only prevents your browser from saving history and cookies locally on your device. Websites, advertisers, your internet service provider and network administrators can still see your activity. Your IP address remains visible, browser fingerprinting still works and if you log into any accounts, those platforms can track you normally. Incognito mode provides privacy from other users of your device, not from the internet itself.

What's the difference between active and passive digital footprints?

Active footprints consist of data you intentionally share, such as social media posts, form submissions, account registrations and online purchases. Passive footprints are created automatically without deliberate action - cookies tracking which websites you visit, IP address logs, browser fingerprints, location data and analytics tracking your behaviour. Passive footprints are typically much larger and less visible to users, making them harder to control.

How do data brokers get your information?

Data brokers collect information from public records (property ownership, voter registration, court filings), purchase data from retailers and loyalty programmes, track online behaviour through cookies and tracking pixels, buy data from other brokers, aggregate credit application information and compile warranty registrations and survey responses. They combine these fragments into detailed profiles containing hundreds of data points about individuals, which they then sell to marketers, insurers, employers and others.

Can companies track you even if you block cookies?

Yes, companies use multiple tracking methods beyond cookies. Browser fingerprinting identifies you through the unique combination of your browser version, screen resolution, installed fonts and other settings. IP addresses reveal your location and can link activity over time. Login-based tracking through accounts you're signed into continues regardless of cookie settings. Mobile advertising IDs track app usage. Blocking cookies helps but doesn't eliminate tracking - it's one layer of protection that should be combined with other privacy measures.

What rights do I have over my personal data in the UK?

Under UK GDPR and the Data Protection Act 2018, you can request access to your personal data (subject access request), request deletion in certain circumstances, object to processing for direct marketing, request correction of inaccurate data and receive your data in a portable format. Companies must have a lawful basis for processing your data and must explain their practices in privacy policies. The Information Commissioner's Office enforces these rights and can fine companies for violations.

Why do I see ads for products I just searched for?

This is retargeting or remarketing, enabled by tracking cookies and pixels. When you visit a website, it places a cookie in your browser or loads a tracking pixel. As you browse other sites that use the same advertising network, those trackers recognise you and serve ads related to products you viewed. This cross-site tracking creates the impression that ads are "following" you, which is essentially accurate - advertisers are deliberately targeting you based on your recent browsing history.

Is using a VPN enough to protect my privacy?

No, a VPN alone is not sufficient. While VPNs hide your IP address from websites and encrypt traffic from your ISP, they don't stop browser fingerprinting, tracking by websites where you have accounts, social media tracking, or data collection by apps on your device. The VPN provider itself can also see your traffic, so you're shifting trust rather than eliminating it. VPNs are a valuable privacy layer but should be combined with ad blockers, privacy-focused browsers, careful account management and restricted app permissions for meaningful protection.