Surveillance advertising: Trackers, fingerprinting, and what users can do

Tracking in 2026: an assembly line, not a cookie jar

Surveillance advertising in 2026 is less about a single “tracking cookie” and more about an assembly line: scripts on a page or SDKs in an app collect signals, match them to an identifier, enrich that profile via partners or brokers, and then use it to target and measure ads across the sites and apps you use. Even when third-party cookies are restricted, trackers can still follow you using pixels, link decoration, mobile identifiers, and increasingly device fingerprinting, which can help re-identify you after you clear storage.

The UK privacy context: PECR, UK GDPR, and the ICO’s view of “tracking”

In the UK, this tracking stack sits under two overlapping rulebooks. PECR governs the act of storing or reading information on your device, and the ICO explicitly includes device fingerprinting, tracking pixels, and link decoration in the technologies it expects organisations to treat as “storage and access” tracking, not as a clever workaround. The UK GDPR then governs what companies do with the personal data those techniques produce, which is why the fight is as much about data sharing and profiling as it is about browser settings.

Cookies still matter, but they’re no longer the whole story

Cookies still play a role, but they are no longer the whole story. A cookie can be a simple preference tool, but in advertising it often becomes a handle for a much larger profile that is shared, synced, and extended. The ICO’s updated cookies guidance is blunt that advertising cookies are not “strictly necessary,” and that consent is the baseline for advertising cookie use, including the third-party cookies used for common adtech functions.

Mobile identifiers: the tracking handle in your pocket

Mobile identifiers are the other major handle. On iPhone, App Tracking Transparency forces the question into the open: apps must ask permission to track you across other companies’ apps and websites, and Apple ties that permission to access to the advertising identifier. On Android, Google’s advertising ID remains important, but Google also documents user controls to reset or delete it, which reduces long-lived linkage across apps when it’s actually respected.

Fingerprinting: the fallback when obvious identifiers disappear

Then there’s fingerprinting, the technique trackers reach for when you take away obvious identifiers. Fingerprinting doesn’t need a cookie jar; it builds a “likely you” score from device and browser traits. Standards bodies now treat it as a core web threat, and browsers are expanding fingerprinting defences alongside tracker blocking.

What users can do: browsers first, then phones

If you want to shrink your exposure, start where the tracking starts: your browser. Using a browser with strong anti-tracking defaults makes a measurable difference because it can block known tracker scripts and contain cross-site storage so one site can’t easily read what another wrote.

Next, treat cookie banners as a policy signal, not a technical shield. Saying “no” is still worth doing, especially in the UK where consent is central for non-essential tracking, but remember that tracking can also be done through pixels, link decoration, and fingerprinting. That’s why browser-level blocking matters even when you make the “right” banner choice.

On phones, the most powerful move is to break the identifier chain. On iPhone, when an app asks to track, choosing not to allow tracking limits cross-company tracking and access to the advertising identifier. On Android, deleting or resetting the advertising ID is the equivalent “chain break,” and it’s built into system settings; it’s not a magic invisibility cloak, but it does stop one of the simplest ways to keep a stable profile across apps.

Data brokers and why “opting out” can feel like it doesn’t stick

If you want one more lever, look beyond ads to the data market behind them. Data brokers can help stitch “anonymous” signals back to real people or households. That’s part of why opting out in one place can feel like it “doesn’t stick” elsewhere: the profile may be rebuilt from other sources.

The publisher trade-off: less tracking, noisier measurement

Publishers face a real trade-off in this shift, and it’s not just revenue versus privacy. When tracking is reduced, ad targeting can get less precise, attribution gets noisier, and fraud detection can get harder, especially for smaller sites that don’t have large pools of first-party logged-in users. That pressure is one reason “consent or pay” models are spreading, but UK guidance frames those models as a test of whether consent is genuinely freely given, not as a shortcut around consent.

A workable middle ground: trust, minimisation, and contextual revenue

The healthier long-term bargain is to compete on trust and performance rather than on hidden collection. Contextual ads, first-party analytics with strict minimisation, shorter retention, fewer third-party tags, and straightforward consent flows reduce regulatory risk and can improve user loyalty—while still keeping many sites commercially viable.

Why policy headlines won’t save you

Finally, don’t expect browser policy headlines to solve this for you. In a world where the rules of third-party cookies can swing, the techniques that survive—fingerprinting, identity graphs, first-party identifiers, broker enrichment—become more attractive unless users, publishers, and regulators constrain them directly.