Tracking Online, What You Need To Know

26 Oct 2023

Post Thumbnail

Are you happy allowing someone to listen in on your private conversations, read your mail, or go through your desk, in order to sell you something?  In all likelihood, we are all allowing it unknowingly every day whilst we are online.

Businesses use different techniques to track our behaviour and send us “targeted” advertising – and to create complete user profiles. All this is performed under the guise of providing us with “personalized” online experiences.

How Do Cookies, Pixels and Tags Make This Possible?


Are small “files” that allow websites to store user information and online activity are broken down into two types;

  1. First-Party

    • These connect you to a single website. They hold on to some personal information to make the website easier to use (for example, remaining logged into the site).
  2. Third-Party

    • These allow someone to track your shopping or other activity across the internet.

Websites in certain countries are required to provide an opt-out or opt-in mechanism, via cookie banners that many of us know. Moreover, these have long been considered a threat to privacy, so-much-so, Google has been pressured into deprecating them by the second half of 2024 (for 1% of internet users).


Small images (1x1 or 0x0 pixels in dimension) embedded in the code of webpages - are “invisible” and can “send” all sorts of personal data to marketers. This can include data on how a user interacts with a web page, specific items a user has purchased, or information users have typed within an online form.

Pixel tracking can be monetized: for example, audiences that have visited certain types of sites can be sold to companies wishing to advertise with more targeted advertisement content.

Facebook’s pixel-tracking technology has been found to directly violate the GDPR and the so-called ‘Schrems II’ decision on transatlantic dataflows and has been ruled illegal.


These are small pieces of code inserted in the website code - are even more invasive: they collect all the javascript parameters from a browser.  If you have a Facebook or X icon – social media sharing buttons - on your website, you cannot control tracking by third parties on your website anymore, since it is third-party code

Example: Bank websites – many of them have javascript tags on their login page – these tags for example can harvest keystrokes (which includes the passwords you type when logging in). This should give us pause: How secure is it to have tags on a website where you enter personal access codes and other information accessible through keystroke logging


Tracking consumer’s online behaviour is a multi-billion dollar industry which isn’t going away anytime soon, tech companies are building new mechanisms to harvest user data in place of the third-party cookie. And, the greyish legal environment of the metaverse presents a wealth of opportunities for tech companies to completely rewrite the rulebook.

Reviewing our current state of play, blocking third-party cookies is not yet 100% effective. Useless ads keep being fired at us – because we looked at something, because we belong to a certain demographic – or because the “internet knows” that we experience depression or have faced fertility issues - all of which should absolutely stay private.

Yet, Google and Co. know all of your secrets and if you have ever searched for information on a medical condition on Google, this is likely to be found on your profile. Google sells search history data to companies who want to personalize the user experience – also in Europe

How should consumers keep themselves safe online, and how do organizations ensure they only collect what is absolutely necessary?



There is a desperate need for more consumer literacy around data privacy, and as more of our lives move online it is important for all internet users to better understand how their information is being used.


The rallying cry from most marketing departments now is that ‘data is king’!

But, the important questions organizations need to be asking themselves are:

A recent study by the Mozilla Foundation found that car manufacturers are some of the worst perpetrators of bad data practice, collecting data including anything from the user’s name, address, phone number, and email address to more intimate data like photos, calendar information, and even details on the driver’s race, genetic information, and immigration status.

How necessary is this to the manufacturer? Probably not much, but they don’t use it, they sell it to third-party data brokers, who then sell it to advertising companies.

Final Statemen

Trust 3.0 is a data privacy advocacy group committed to helping consumers and organizations develop a better understanding of data best practices. We convene the brightest minds in data to debate the best way for organizations to build sustainable and equitable solutions that consumers can trust.

As part of our Champions of Digital Trust series you can watch our interview with Augustine Fou here

Written by Lydia Knab, Greig Dowling, with help from Dr Augustine Fou.