The digital marketing strategy that tracks users across the web is called retargeting (sometimes referred to as remarketing). It works by placing a small piece of code on a website that identifies visitors, then serving those visitors targeted ads as they browse other sites. If you’ve ever looked at a pair of shoes online and then seen ads for those exact shoes follow you around the internet, you’ve experienced retargeting firsthand.
How Retargeting Works
Retargeting relies on tracking technologies embedded in websites you visit. The most common is a tracking pixel: a tiny, invisible 1×1 image or snippet of JavaScript code that loads when you open a webpage. When that pixel fires, it sends a request to an advertising server, registering that you visited that page, viewed a product, or took some other action. The server then associates your browser with that activity, typically by dropping a cookie (a small data file) into your browser.
Later, when you visit a completely different website that participates in the same advertising network, the ad server recognizes your browser through that cookie and displays an ad related to the site you visited earlier. This is why an ad for a hotel you researched last Tuesday can appear on a news site you’re reading on Thursday. The advertiser didn’t buy space on that specific news site hoping you’d see it. The ad network identified your browser and served the ad wherever you happened to be.
Tracking pixels can monitor a wide range of actions: which pages you viewed, how long you stayed, whether you added something to a cart, and whether you completed a purchase. Marketers use this data to segment audiences and tailor follow-up ads. Someone who abandoned a shopping cart might see an ad with a discount code, while someone who only browsed a homepage might see a broader brand awareness ad.
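The pixel-and-cookie pattern described above can be spotted in a page's network traffic. The following is an added example, not code from any ad network: it scans constructed request records (shaped like a reduced HAR export, with placeholder hosts) and flags third-party responses that look like tracking pixels. The 100-byte size threshold and the two-signal rule are assumptions chosen for illustration.

```javascript
// Constructed sample: entries as they might be reduced from a browser HAR export
// while loading https://shop.example/product/42 (all hosts are placeholders).
const PAGE_URL = "https://shop.example/product/42";
const ENTRIES = [
  { url: "https://shop.example/img/shoe.jpg", mime: "image/jpeg", bytes: 48211, setCookie: [] },
  { url: "https://cdn.shop.example/app.js", mime: "application/javascript", bytes: 90133, setCookie: [] },
  { url: "https://ads.adnet.example/px.gif?ev=view&sku=42", mime: "image/gif", bytes: 43,
    setCookie: ["uid=abc123; Max-Age=31536000; Secure; SameSite=None"] },
  { url: "https://fonts.static.example/a.woff2", mime: "font/woff2", bytes: 20110, setCookie: [] },
  { url: "https://shop.example/cart/add", mime: "application/json", bytes: 210,
    setCookie: ["session=xyz; HttpOnly; SameSite=Lax"] },
];

// Naive registrable-domain guess (last two labels); a real audit should use the Public Suffix List.
function site(urlString) {
  return new URL(urlString).hostname.split(".").slice(-2).join(".");
}

// Parse the attributes of a Set-Cookie header (everything after name=value) into a lowercase map.
function cookieAttrs(header) {
  const attrs = {};
  for (const part of header.split(";").slice(1)) {
    const [k, v = ""] = part.trim().split("=");
    attrs[k.toLowerCase()] = v.toLowerCase();
  }
  return attrs;
}

// Flag third-party responses that show at least two pixel-like signals.
function findLikelyPixels(pageUrl, entries) {
  const pageSite = site(pageUrl);
  const findings = [];
  for (const e of entries) {
    if (site(e.url) === pageSite) continue; // first-party request: out of scope
    const reasons = [];
    if (e.mime.startsWith("image/") && e.bytes <= 100) reasons.push("tiny image response");
    if (new URL(e.url).search.length > 1) reasons.push("event data in query string");
    const crossSite = e.setCookie.filter((h) => {
      const a = cookieAttrs(h);
      return a.samesite === "none" && !("partitioned" in a);
    });
    if (crossSite.length) reasons.push("sets unpartitioned SameSite=None cookie");
    if (reasons.length >= 2) findings.push({ host: new URL(e.url).hostname, reasons });
  }
  return findings;
}

console.log(JSON.stringify(findLikelyPixels(PAGE_URL, ENTRIES), null, 2));
```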
Beyond Cookies: Other Tracking Methods
Cookies have been the backbone of cross-site tracking for years, but they aren’t the only method. Browser fingerprinting is a technique that identifies your browser by combining dozens of small details it shares with every website you visit: your screen resolution, time zone, device model, installed fonts, and more. Taken individually, none of these details are unique. Combined, they create a “fingerprint” that is often distinct enough to identify a single browser.
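To make the "individually common, jointly unique" point concrete, here is an added example (not from the research cited on this page) that measures how identifiable browsers are in a small population. The eight attribute sets are constructed for illustration and use only three attributes; real fingerprints combine many more.

```javascript
// Constructed sample of browser attribute sets (not real measurements).
const BROWSERS = [
  { screen: "1920x1080", tz: "UTC-5", fonts: "set-A" },
  { screen: "1920x1080", tz: "UTC-5", fonts: "set-B" },
  { screen: "1920x1080", tz: "UTC+1", fonts: "set-A" },
  { screen: "1366x768", tz: "UTC-5", fonts: "set-A" },
  { screen: "1366x768", tz: "UTC+1", fonts: "set-B" },
  { screen: "1366x768", tz: "UTC+1", fonts: "set-A" },
  { screen: "1920x1080", tz: "UTC+1", fonts: "set-B" },
  { screen: "1366x768", tz: "UTC-5", fonts: "set-B" },
];

// Size of the smallest group of browsers sharing the same values for `attrs`.
// A result of 1 means at least one browser is unique on those attributes alone.
function smallestAnonymitySet(population, attrs) {
  const counts = new Map();
  for (const b of population) {
    const key = attrs.map((a) => b[a]).join("|");
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return Math.min(...counts.values());
}

// Add attributes one at a time and record the anonymity set size plus the
// identifying information gained, in bits: log2(population / set size).
function anonymityReport(population, attrs) {
  const report = [];
  for (let i = 1; i <= attrs.length; i++) {
    const used = attrs.slice(0, i);
    const size = smallestAnonymitySet(population, used);
    report.push({ attrs: used.join("+"), size, bits: Math.log2(population.length / size) });
  }
  return report;
}

console.table(anonymityReport(BROWSERS, ["screen", "tz", "fonts"]));
```

Each attribute alone leaves a browser hidden among four; all three together single out every browser in this sample.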
Research from Johns Hopkins University found that websites use fingerprinting to track people across browsing sessions and sites, and that some sites linked fingerprint data directly to real-time ad bidding processes. Unlike cookies, which you can delete or block, fingerprinting is much harder to detect or prevent. The Johns Hopkins researchers confirmed that tracking persisted even after users cleared their cookies.
Other methods include email-based tracking (matching your email address across platforms when you log in to different services) and probabilistic matching, which uses patterns like IP address, device type, and browsing behavior to infer that two sessions likely belong to the same person. These approaches let advertisers maintain a profile of your activity even when traditional cookies aren’t available.
Privacy Laws That Limit Cross-Site Tracking
Major privacy regulations now require websites to get your permission before tracking you across the web. Under the GDPR (the European Union’s privacy law) and similar state-level laws in the U.S., consent must be a genuine choice. Pre-checked boxes and default opt-in settings don’t count. You have to actively agree to tracking cookies, and you can withdraw that consent at any time, at which point the site must stop cross-site tracking and stop sharing your data.
Websites are also required to disclose their tracking practices in a privacy notice, explaining what data they collect, how they use it, and who they share it with. Some companies have tried to justify tracking under a “legitimate interest” exception, arguing they need the data for fraud prevention or security, but this argument doesn’t extend to advertising-driven tracking in most regulatory interpretations.
These rules are why you see cookie consent banners on nearly every website. The banners aren’t just a formality. They’re a legal requirement, and the choices you make on them directly control whether tracking pixels and third-party cookies activate in your browser.
How Apple and Browsers Restrict Tracking
Technology companies have also built tracking restrictions directly into their products. Apple’s App Tracking Transparency (ATT) framework, introduced for iOS, requires every app to ask your permission before tracking you across other companies’ apps and websites. When you tap “Ask App Not to Track,” the app loses access to your device’s advertising identifier, which is the key that lets advertisers link your activity across different apps.
ATT only restricts third-party tracking. Companies can still use data you generate within their own app (first-party data) without triggering the permission prompt. To help advertisers measure ad performance without cross-site tracking, Apple created a tool called SKAdNetwork (SKAN), which provides aggregated campaign results without identifying individual users.
On the browser side, Apple’s Safari has blocked third-party cookies by default since introducing Intelligent Tracking Prevention in 2017. Firefox and Brave take similar approaches. Google Chrome, which holds the largest share of browser usage, still allows third-party cookies. Google explored replacing them through a set of tools called the Privacy Sandbox, but scrapped most of those plans. In July 2024, Google dropped its cookie deprecation timeline entirely, and by 2025 it had retired key Privacy Sandbox technologies including the Topics API and Protected Audience API.
What Google Kept (and What It Means for You)
Although Google abandoned most of its Privacy Sandbox proposals, a few privacy-focused features survived. CHIPS (Cookies Having Independent Partitioned State) lets websites store cookies separately for each site you visit, so a third-party service embedded on multiple sites can’t use those cookies to track you across all of them. FedCM is a browser-based sign-in system that lets you log into websites without relying on third-party cookies. Private state tokens are encrypted tokens that help websites verify you’re a real person without tracking your identity.
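The effect of CHIPS partitioning can be shown with a small model of a browser cookie jar. This is an added, simplified simulation, not browser or Google code: the class names, the `widget.example` service and the visited sites are hypothetical, and real browsers apply further rules that are omitted here.

```javascript
// Minimal model of a browser cookie jar, contrasting unpartitioned third-party
// cookies with CHIPS ("Partitioned") cookies. All site names are placeholders.
class CookieJar {
  constructor() { this.store = new Map(); }
  // Partitioned cookies are keyed by (top-level site, cookie host); others by host only.
  key(topLevelSite, host, partitioned) {
    return partitioned ? `${topLevelSite}|${host}` : host;
  }
  get(topLevelSite, host, partitioned) {
    return this.store.get(this.key(topLevelSite, host, partitioned));
  }
  set(topLevelSite, host, partitioned, value) {
    this.store.set(this.key(topLevelSite, host, partitioned), value);
  }
}

// Hypothetical embedded third-party service: reuses the ID cookie when the browser
// sends one, otherwise issues a new ID. It records which ID it saw on which site.
class EmbeddedService {
  constructor(host, partitioned) {
    this.host = host; this.partitioned = partitioned;
    this.nextId = 1; this.log = [];
  }
  handleEmbed(jar, topLevelSite) {
    let id = jar.get(topLevelSite, this.host, this.partitioned);
    if (id === undefined) {
      id = `id-${this.nextId++}`;
      jar.set(topLevelSite, this.host, this.partitioned, id);
    }
    this.log.push({ topLevelSite, id });
  }
}

// Visit top-level sites that all embed the service; return, for each ID the
// service issued, how many distinct sites it can tie to that ID.
function sitesLinkedPerId(partitioned, visits) {
  const jar = new CookieJar();
  const svc = new EmbeddedService("widget.example", partitioned);
  for (const s of visits) svc.handleEmbed(jar, s);
  const byId = {};
  for (const { topLevelSite, id } of svc.log) {
    (byId[id] = byId[id] || new Set()).add(topLevelSite);
  }
  return Object.fromEntries(Object.entries(byId).map(([id, s]) => [id, s.size]));
}

const VISITS = ["shop.example", "news.example", "shop.example"];
console.log("unpartitioned:", sitesLinkedPerId(false, VISITS));
console.log("partitioned:  ", sitesLinkedPerId(true, VISITS));
```

Without partitioning, one ID spans both sites; with it, the service sees a separate ID per top-level site while still recognizing a return visit to the same site.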
Google is also supporting a proposal called Attribution, a browser-based system for measuring whether an ad led to a conversion without enabling cross-site tracking. These tools signal a shift in how the industry thinks about measurement: advertisers can still learn whether their campaigns worked, but with less ability to build detailed profiles of individual users.
How Retargeting Affects You in Practice
For most people, retargeting shows up as eerily relevant ads. You search for a blender, and blender ads appear on social media, news sites, and video platforms for the next two weeks. The experience can feel invasive, but you have more control over it than you might realize.
Clearing your cookies breaks the connection between your past browsing and future ad targeting, at least temporarily. Using browsers with built-in tracking protection (Safari, Firefox, Brave) blocks many third-party cookies automatically. Opting out through cookie consent banners prevents tracking pixels from activating. On your phone, declining the ATT prompt in iOS apps cuts off a major tracking pathway.
None of these steps eliminate tracking entirely, especially fingerprinting, which operates without cookies. But together they significantly reduce the amount of cross-site data advertisers can collect about you. If you’ve noticed that ads seem less personalized than they were a few years ago, these privacy tools and regulations are the reason.

