Mechanisms
How they track you
Five mechanisms that follow you across browsers, TVs, and phones — most without your knowledge, some without any way to opt out. Each one traced to primary sources.
Browser Fingerprinting
Your browser has a face. You can't change it with Incognito.
Every browser leaks dozens of signals — canvas rendering, GPU model, screen dimensions, installed fonts, timezone, CPU core count — that combine into a signature unique to your device. No cookies required.
How it works
A tracking script draws invisible text and shapes to a canvas element, reads back the pixel data, and hashes it. The hash varies by GPU, driver, OS, and font stack — giving each device a stable identifier. Combined with WebGL renderer strings, audio-pipeline math, and hardware signals, 80–90% of desktop browsers are uniquely identifiable without any cookie or login.
Why it matters
Unlike cookies, you cannot clear your fingerprint. Incognito mode, cookie clearing, and most ad blockers have no effect. Google reCAPTCHA — present on roughly 1 in 10 websites — deploys 5 or more fingerprinting-capable APIs. Chrome, used by the majority of users, ships no fingerprinting defenses.
Common misconception
“Incognito mode protects me from tracking.”
Incognito mode only prevents your browser from storing cookies and history locally after the session. Your canvas hash, GPU string, screen size, and all other fingerprint signals are unchanged. A tracker that saw your browser yesterday will recognise it in Incognito today.
What you can do
Use Brave browser
Brave 'farbles' canvas, WebGL, and audio output per site per session — making your fingerprint different to every site without breaking pages.
Use Firefox with Fingerprinting Protection enabled
Default Firefox blocks known fingerprinting scripts (Disconnect list). Firefox Private Browsing adds canvas noise and font restrictions automatically.
Use Tor Browser
Tor makes every user look identical. Trade-off: many sites block Tor exit IPs; site breakage is common.
Avoid Chrome as your primary browser
Chrome ships no fingerprinting defenses. Switching away is the simplest high-impact action.
Pixel & Server-Side Tracking
Your ad blocker stops the script. The server-side copy still fires.
A tracking pixel is a 1×1 transparent image or JavaScript snippet embedded on third-party websites. When the page loads, it reports your visit — including IP address, referrer, and any conversion events — to the platform that placed it. Meta's version reaches 22–25% of the public web.
How it works
The client-side Pixel (a JS snippet) fires when a page loads, capturing your HTTP headers, browser data, and button clicks. The server-side Conversions API (CAPI) routes the same events directly from the merchant's server to Meta's API — bypassing your browser entirely. Safari's ITP, uBlock Origin, and Brave all block the JS Pixel. None of them can block CAPI.
Why it matters
If you've never created a Facebook account, Meta may still have data on you. In 2018 congressional testimony, Zuckerberg confirmed Facebook collects data on non-users for 'security purposes.' The Off-Facebook Activity tool lets you disconnect this data from your account — but the data itself is de-identified, not deleted.
Common misconception
“I use an ad blocker, so Meta can't track me.”
Ad blockers stop the client-side Pixel script from running in your browser. The Conversions API sends the same event from the merchant's server — your blocker is never involved. If you completed a purchase or filled in a form, that event likely reached Meta regardless.
What you can do
Use Off-Facebook Activity to disconnect off-platform data
De-identifies the data from your account. Does not delete it. Requires a Facebook account.
Use uBlock Origin + Brave or Firefox
Blocks the client-side Pixel. Cannot block server-side CAPI events.
Use a privacy-focused email and avoid checkout as guest
CAPI events are often matched via hashed email. A separate email for shopping reduces cross-service linking.
Smart TV — Automatic Content Recognition
Your TV watches what you watch. Every 10 milliseconds.
Automatic Content Recognition (ACR) takes a snapshot of whatever is on your screen — every 10–500 milliseconds — converts each frame to a fingerprint, and uploads those fingerprints to be matched against a content library. It captures not just streaming apps, but also HDMI input: your game console, laptop, AirPlay, and set-top box.
How it works
ACR software runs in the TV's OS, independent of the app you're using. It generates a perceptual hash of each frame and sends it to the manufacturer's ACR server every 15 seconds to 1 minute. The server matches the hash against its content library and returns metadata: show title, episode, timestamp, ad break. This viewing record is then licensed to advertisers, measurement companies (Nielsen, iSpot), and identity-graph partners (LiveRamp, Experian, Acxiom).
Why it matters
This is the only tracking mechanism that captures linear TV, physical media, and external device input. Vizio (now Walmart-owned) was fined $2.2 million in 2017 for doing this without consent. In December 2025, the Texas AG sued Samsung, Sony, LG, Hisense, and TCL for the same practice. Opt-out stops ACR traffic — but manufacturer telemetry outside ACR continues.
Common misconception
“ACR only tracks what I watch through the TV's apps.”
ACR captures the screen at the pixel level. It doesn't know — or care — where the signal comes from. Your PlayStation, Apple TV, Chromecast, and laptop connected via HDMI are all captured. The TV cannot tell the difference between an app and an HDMI source for ACR purposes.
What you can do
Opt out of ACR / 'Viewing Data' in your TV's settings
Verified by UCL 2024 measurement: opting out stops traffic to ACR endpoints. Location varies: Samsung → Settings → Terms & Privacy → Viewing Information Services; LG → Settings → All Settings → General → About TV → User Agreements.
Use a streaming device (Apple TV, Roku) instead of built-in apps
External devices have their own ACR or tracking. Roku has its own ACR pipeline. This doesn't eliminate ACR — it just changes who collects it.
Block ACR domains at the router (Pi-hole / NextDNS)
Network-level blocking prevents ACR uploads even if the TV setting is on. Requires technical setup.
Location Harvesting
Your phone reports its location hundreds of times a day — even when you ask it not to.
Location data is one of the most sensitive categories of personal data — it can reveal your home, workplace, medical visits, political activity, and religious practice. It's collected continuously by apps, sold to data brokers, and resold to advertisers and law enforcement, often bypassing warrant requirements.
How it works
An idle Android phone with Chrome sends location updates to Google approximately 340 times per day (AP investigation). Many apps collect location in the background using permissions granted once and never reviewed. That data is sold to location brokers like Venntel and Gravy Analytics, who aggregate signals from hundreds of millions of devices and resell them as audience segments or raw data to advertisers, political campaigns, and government agencies.
Why it matters
In December 2024, the FTC banned Mobilewalla and Gravy Analytics/Venntel from selling sensitive location data after finding they collected it without informed consent. ACLU FOIA records show DHS, CBP, ICE, and FBI spent millions purchasing this data as an end-run around Fourth Amendment warrant requirements.
Common misconception
“Turning off Location History on Google means Google stops tracking my location.”
An AP investigation found Google stored precise, timestamped location data in 'My Activity' even after users turned off Location History. Google updated its policies in response to the investigation, but location signals still flow through other mechanisms (weather checks, search queries, IP geolocation) even with the setting off.
What you can do
Audit app location permissions: allow 'While Using' only
iOS: Settings → Privacy → Location Services. Android: Settings → Privacy → Permission Manager → Location. Revoke 'Always' for apps that don't require it.
Turn off Wi-Fi and Bluetooth when not in use
Wi-Fi probe requests and Bluetooth beacons are used for indoor location tracking even without GPS.
Use Google Maps offline or switch to a privacy-respecting map app
Organic Maps (offline, no tracking) or Apple Maps (Apple's privacy practices are more limited in scope than Google's) are alternatives.
Enable 'Precise Location' off for apps that don't need it
iOS 14+ and Android 12+ let you grant approximate location only. This degrades the commercial value of the data significantly.
The Data Broker Pipeline
545 companies in California alone are building a file on you — without your knowledge.
Data brokers aggregate your data from hundreds of sources — purchase histories, public records, app activity, location data, social profiles — and sell it as segmented audience profiles to advertisers, insurers, lenders, employers, and government agencies. You never agreed to this. Most people don't know it exists.
How it works
Brokers ingest data from loyalty programs, retail point-of-sale systems, credit bureaus, public records (births, deaths, court filings, address changes), social media scrapes, and other brokers. They then build a consumer profile: inferred income, political lean, health condition proxies, relationship status, purchase intent, and life events. These profiles are packaged as audience segments sold to advertisers, or as individual risk scores sold to insurers and lenders. Acxiom alone claims 2.6 billion people and 10,000 attributes per person.
Why it matters
Broker data is used for: (1) targeted advertising with profiles you never consented to; (2) insurance and credit pricing — LexisNexis Risk Solutions explicitly sells driving and financial-stress scores to auto insurers; (3) employment and tenant screening; (4) law enforcement warrant bypass — ACLU FOIA records show DHS/ICE/FBI purchasing location data commercially. Even after opting out of one broker, your data reappears on others within 6–12 months.
Common misconception
“I can opt out and that's the end of it.”
Consumer Reports documented that even after manual opt-outs, personal information reappeared on broker sites within one week to four months. There are 545+ registered brokers in California alone. Opting out of the top 10 leaves the other 500+ untouched. The CA DELETE Act (August 2026) will let a single request reach all registered CA brokers — but it covers CA residents only.
What you can do
Submit opt-out requests to the top 40 people-search brokers
Removes your public record from the most visible broker sites. Re-removal required every 6–12 months. The /brokers page on this site covers the top 40 with step-by-step instructions.
California residents: use the CA DELETE Act (August 2026+)
A single request to the CPPA will be forwarded to all 545+ registered California brokers. Processing required every 45 days. This is the most leveraged single action available for CA residents.
Use a credit freeze (Equifax, Experian, TransUnion)
Prevents new credit lines being opened in your name and limits the data licensed to downstream risk vendors. Free in all US states since 2018.
Use a dedicated email and phone number for promotions and loyalty programs
Limits broker ingestion from purchase-history sources. A secondary email breaks the cross-broker matching graph.
What actually works — at a glance
| Action | Fingerprint | Pixel/CAPI | ACR | Location | Brokers |
|---|---|---|---|---|---|
| Incognito mode | ✗ | ✗ | ✗ | ✗ | ✗ |
| VPN | ✗ | ✗ | ✗ | ~ | ✗ |
| uBlock Origin | ✗ | ~ | ✗ | ✗ | ✗ |
| Brave browser | ✓ | ~ | ✗ | ✗ | ✗ |
| TV opt-out | ✗ | ✗ | ✓ | ✗ | ✗ |
| Location permission audit | ✗ | ✗ | ✗ | ✓ | ✗ |
| Broker opt-out (top 40) | ✗ | ✗ | ✗ | ✗ | ~ |
✓ Effective · ~ Partial · ✗ No effect
Ready to reduce your exposure?
The audit walks you through every device and platform — with specific steps calibrated to your actual setup. Takes about 10 minutes.