Privacy & Security · 2026
How Websites Track You Without Cookies
You cleared your cookies. You said no to every banner. You're still being tracked — here's how.
Clicking "Reject All" on every cookie banner feels like the responsible thing to do. And for a while, it genuinely helped. But the tracking industry didn't sit still — it adapted. The techniques being used now don't rely on cookies at all, which means clearing your browser history, using private mode, or toggling off third-party cookies doesn't stop them.
This isn't a conspiracy piece. These are real, widely deployed techniques used by ad networks, analytics platforms, and data brokers — some of them openly documented in their own technical guides. Understanding how they work is the first step to doing something about them.
The Main Ways Sites Track You Without a Single Cookie
Before getting into each method in detail, here's what we're working with. Every technique below is currently in active use — these aren't edge cases or theoretical risks.
| Tracking Method | What It Uses | Blocked by Clearing Cookies? |
|---|---|---|
| Browser Fingerprinting | Your browser and device settings | No |
| Local Storage & IndexedDB | Browser storage that isn't cookies | No |
| CNAME Cloaking | DNS tricks to disguise third-party trackers | No |
| Pixel Tracking | Invisible 1×1 images in emails and pages | No |
| IP Address Tracking | Your network connection | No |
| Login-Based Tracking | Your account identity across platforms | No |
Let's break each one down properly.
1. Browser Fingerprinting — Your Device Has a Unique Signature
Every time you visit a website, your browser silently shares a surprising amount of information about your setup. On its own, any single detail — your screen resolution, your time zone, your browser version — tells you very little. But combine fifteen or twenty of these details together and you get something that functions like a unique ID, specific enough to identify your device across different sites and sessions without storing anything on your computer at all.
This is called browser fingerprinting, and it's quietly one of the most effective tracking methods in use. Because the "fingerprint" is constructed from data your browser sends as part of normal operation, there's nothing to block, clear, or opt out of in the traditional sense. Clearing cookies does nothing — the fingerprint is rebuilt identically the next time you visit.
# Data points used to build a browser fingerprint
- Browser name, version, and installed plugins
- Operating system and version
- Screen resolution and colour depth
- System fonts installed on your device
- Time zone and language settings
- GPU renderer (via WebGL)
- Audio processing behaviour (AudioContext fingerprint)
- How your browser renders a hidden canvas element
- Touch support, battery status (where available)
- Do Not Track header setting (yes, even this gets logged)What actually helps against fingerprinting:
The most effective defence is making your fingerprint look like everyone else's — blending in rather than hiding. The Brave browser does this by default, randomising some fingerprint values. Firefox with privacy settings hardened does a reasonable job. The Tor Browser is the most aggressive option, standardising everything to produce an identical fingerprint for all users — but it comes with significant speed trade-offs for everyday browsing.
2. Local Storage & Supercookies — Tracking That Survives Cookie Deletion
Most people know about cookies — but browsers have several other storage mechanisms that work similarly and survive when cookies are deleted. Local Storage, IndexedDB, and the browser cache can all be used to store a tracking identifier. Clear your cookies and these remain untouched.
A more sophisticated version is called a "supercookie" or "evercookie" — a technique that deliberately stores a tracking ID in as many different places as possible simultaneously: cookies, Local Storage, IndexedDB, the browser cache, and even encoded into favicons. If you clear one, the tracker reads from another and restores the deleted ones. It's designed to be nearly impossible to fully remove without wiping every storage type at once.
# Storage locations an evercookie uses
- HTTP cookies (the normal kind)
- Local Storage (survives cookie clearing)
- IndexedDB (browser database, survives cookie clearing)
- Browser cache (survives cookie clearing)
- Favicon cache (survives cookie clearing)
- CSS history sniffing (can detect visited links)
- ETags (server-side cache identifiers)
# Result: Deleting cookies alone removes only one of these.
# The ID is restored from whichever storage survived.What actually helps:
Most browsers now let you clear all site data — not just cookies but Local Storage, cache, and IndexedDB — in one step. In Chrome: Settings → Privacy and Security → Clear browsing data → tick all boxes. Firefox and Brave have similar options. The more lasting fix is a browser extension like uBlock Origin, which blocks the tracker scripts from running in the first place, so there's nothing to store.
3. CNAME Cloaking — Third-Party Trackers Pretending to Be First-Party
Browser privacy settings and ad blockers have become good at blocking third-party trackers — scripts loaded from external domains like analytics providers or ad networks. So the industry found a workaround: disguise the tracker as a first-party resource instead.
CNAME cloaking works through a DNS trick. A website owner creates a subdomain — say, metrics.theirsite.com — which actually points to a third-party tracker's server behind the scenes. From your browser's perspective, it looks like the site's own code. Blockers that check domain names against block lists see a first-party subdomain and let it through. The tracker collects data as if it were part of the site itself.
What actually helps:
Standard blocklists don't catch this. DNS-level blocking tools like NextDNS or Pi-hole can resolve CNAME records before the request goes through, exposing the real destination. Brave Browser also performs CNAME uncloaking natively as of recent versions, blocking these disguised trackers without extra setup.
4. Pixel Tracking — The Invisible Image in Your Inbox
Marketing emails almost universally contain a tracking pixel — a transparent 1×1 image embedded in the email body that you can't see. When your email client loads the image (which happens automatically if you have "load remote images" enabled), it sends a request to the sender's server. That request contains your IP address, the time you opened the email, what device you're using, and roughly where you're located.
This is why marketers know open rates with such precision. It's also how some senders know that you opened their email eleven times even if you never replied. The pixel logs every load. The same technique is used on web pages — a 1×1 invisible image from a data broker embedded on any site tells them you visited, even if you never interacted with anything.
# What a tracking pixel captures when loaded
- Your IP address (reveals approximate location)
- Timestamp of when you opened the email
- Email client and operating system
- Device type (desktop, mobile, tablet)
- Number of times the email was opened
# The pixel itself is invisible — a 1x1 transparent image
# It looks like: <img src="https://tracker.com/open?id=abc123" width="1" height="1">What actually helps:
Turn off automatic remote image loading in your email client — this is the single most effective step. Gmail, Outlook, and Apple Mail all have this setting. For Gmail specifically: Settings → General → Images → "Ask before displaying external images." Apple Mail on iPhone now has Mail Privacy Protection enabled by default, which pre-fetches images through Apple's proxy, masking your real IP from senders. The email is still opened, but the location and device data is hidden.
5. IP Address Tracking — Location Without Your Permission
Your IP address is handed to every website you visit as a basic part of how the internet works — there's no way to connect to a server without it. On its own it doesn't identify you by name, but it reveals your approximate location, your internet service provider, and whether you're on a home connection, mobile network, or corporate network.
Over time, an IP address becomes a consistent identifier. Ad networks correlate it across multiple sites: the same IP visited a car insurance comparison site, three news articles about electric vehicles, and a charging point locator — that's enough for a targeting profile, even with no cookies involved. When your IP changes (as it does occasionally), cross-referencing the fingerprint data ties the new IP to the same person.
6. Login-Based Tracking — Being Logged In Is the Tracking
All the other methods on this list are trying to track you despite the fact that you haven't identified yourself. Login-based tracking is simpler: if you're logged into Google, Facebook, or any platform with a wide web presence, the platform knows who you are on any page that loads their resources — which is an enormous portion of the web.
Those "Like" buttons, "Sign in with Google" widgets, and embedded YouTube videos aren't just features — they're connections back to those platforms. When a page loads a Facebook Like button, Facebook's server receives a request that includes your identity (if you're logged in), the URL of the page, and a timestamp. You didn't click anything. The page just loaded.
# Resources that silently phone home to platforms
- Facebook Like / Share buttons
- Google Analytics (present on ~85% of websites)
- Google Fonts loaded from Google's servers
- Embedded YouTube videos
- Twitter / X share widgets
- "Sign in with Google / Apple / Facebook" buttons
- reCAPTCHA verification widgets
# Every one of these = a request to the platform's server
# If you're logged in = they know you visited this pageWhat actually helps:
Log out of platforms like Facebook and Google when you're not actively using them, or use a separate browser profile for social media. Firefox's Multi-Account Containers extension is built for exactly this — it isolates Facebook into one container tab so its scripts can't see your activity in other tabs. uBlock Origin also blocks many of these third-party widgets by default.
What You Can Actually Do — A Practical Summary
You won't stop every method completely, but you can significantly reduce the picture these trackers build of you. Here's what works, ranked by how much it helps versus how much effort it takes.
| Action | What It Stops | Effort | Cost |
|---|---|---|---|
| Install uBlock Origin | Pixels, scripts, storage trackers | 5 min | Free |
| Switch to Brave Browser | Fingerprinting, CNAME, trackers | 10 min | Free |
| Block email images | Pixel tracking in emails | 2 min | Free |
| Firefox Containers | Login-based cross-site tracking | 10 min | Free |
| Use a VPN | IP-based tracking and location | 15 min | ~£5/month |
| Use NextDNS | CNAME cloaking, DNS-level ads | 20 min | Free tier |
Frequently Asked Questions
▸ Does private / incognito mode protect against any of this?
Barely. Incognito mode stops your browser from saving local history and clears cookies when you close the window — that's it. Your IP address is still visible, your browser fingerprint is unchanged, pixel trackers still fire, and if you log into anything, login-based tracking works exactly the same. It's useful for keeping searches off your local device history and for avoiding personalised results, but it provides essentially no protection against the methods covered in this article.
▸ Does using a different browser help — is Safari more private than Chrome?
Safari and Firefox both have meaningful tracking protections that Chrome lacks by default — particularly around cross-site tracking and fingerprinting resistance. Apple's Intelligent Tracking Prevention in Safari is genuinely useful. Brave goes furthest of any mainstream browser, with aggressive fingerprinting protection, CNAME uncloaking, and built-in ad blocking turned on by default. Chrome's protections are weaker, which makes sense given Google's business model is built around advertising. For privacy, the order roughly goes: Brave > Firefox (hardened) > Safari > Edge > Chrome.
▸ Is any of this actually illegal?
In the UK and EU, GDPR requires consent for most tracking — which is why cookie banners exist. However, fingerprinting and some supercookie techniques exist in a legal grey area, and enforcement is inconsistent. In the US, there's no equivalent federal law. Some methods described here — particularly CNAME cloaking and supercookies — have drawn regulatory attention from the French data protection authority (CNIL) and others, but the legal landscape is still evolving. The practical reality is that the tracking happens regardless of the legal status.
▸ Will using all these privacy tools break websites?
uBlock Origin occasionally breaks a site that depends on the script it's blocking — you'll usually notice if a page looks broken or a feature doesn't work. The fix is a single click to disable it for that specific site. Brave has a similar per-site toggle. Firefox Containers don't affect page rendering at all. A VPN occasionally triggers CAPTCHA requests or region-detection errors on streaming services. Overall, the friction is minor and manageable — most people who use these tools barely notice any breakage.
▸ If I use all of these, am I completely invisible online?
No — and it's worth being honest about that. If you log into Google, Google knows it's you. If you browse the web with a consistent device, a sufficiently detailed fingerprint can still be constructed. What these tools do is significantly raise the cost and difficulty of tracking, break the cross-site profile building that ad networks rely on, and protect specific high-value data like your location and email open behaviour. Complete invisibility isn't a realistic goal for most people, and it shouldn't need to be — meaningful protection from the most invasive tracking is achievable with the steps above.
Conclusion
The cookie banner was never the full picture — it was just the part the law required companies to show you. The tracking underneath it has been running without interruption, evolving every time a new browser protection or regulation forced it to adapt. Knowing that it exists and how it works at least puts you in a position to make informed choices about how much of it you want to accept.
You don't need to go to extreme lengths. Install uBlock Origin, switch to a privacy-respecting browser, turn off automatic image loading in your email client, and you've addressed the most significant vectors. After that, it's a question of how far you want to take it — each additional step gives you more control, at a gradually increasing cost to convenience.
Where to start — in order of impact
1. Install uBlock Origin — blocks tracker scripts at the source
2. Disable automatic email images — kills pixel tracking instantly
3. Check coveryourtracks.eff.org — see your current fingerprint exposure
4. Switch to Brave or harden Firefox — built-in fingerprint protection
5. Add Firefox Containers — isolate social media logins
Free, takes one evening, and the difference is real.