The story of web tracking has shifted dramatically in the past five years. The third-party cookie, for two decades the load-bearing mechanism of online advertising, is being phased out in Safari, Firefox, and Chrome. The advertising and analytics industries have responded by building elaborate infrastructure to recreate the same tracking capabilities through alternative channels. The net effect is that the surveillance is largely intact; it just looks different and is harder to see.
Understanding what is happening on the modern web requires understanding the full stack, not just the cookie.
The cookie, properly defined
A cookie is a small piece of data set by a server and sent back by the browser on subsequent requests to the same domain. There are two consequential distinctions:
First-party cookies. Set by the domain you are visiting. Used for session management, login state, preferences. Generally uncontroversial and necessary.
Third-party cookies. Set by domains other than the one you are visiting (typically advertising and analytics services that have iframes or scripts embedded in the page). Used for cross-site tracking, identifying you across the many sites that include their tags.
The third-party cookie is the workhorse of programmatic advertising’s behavioural-targeting model. Phasing it out is the explicit goal of Apple’s Intelligent Tracking Prevention (since 2017), Mozilla’s Enhanced Tracking Protection (since 2019), and Google’s Privacy Sandbox / Tracking Protection (rolling out through 2024–2025).
Tracking pixels
A "pixel" is a 1×1 transparent image (or HTML iframe, or video, or JavaScript file) loaded from a third-party server. The mere act of loading it leaks the visitor’s IP address, User-Agent string, the Referer URL of the page, and any first-party cookies that the third-party domain has previously set.
The Meta Pixel (formerly Facebook Pixel), the Google Ads conversion pixel, the LinkedIn Insight Tag, the TikTok Pixel, and the X (Twitter) conversion pixel are the four most prevalent. Pixels are how an advertiser learns that you visited their landing page, which page you came from, and, through the platform’s identity graph, who you are on Meta, Google, LinkedIn, etc.
The Meta Pixel in particular has been the subject of extensive reporting since The Markup’s 2022 investigation showing that pixels were leaking sensitive medical information from hospital websites and tax data from the IRS Free File system. Pixels are powerful precisely because page-level information about user behaviour is implicitly sent every time the page loads.
Server-side tracking and Conversions API
The next layer is the response to client-side restrictions. Server-side tracking (Google’s Server-Side Google Tag Manager, Meta’s Conversions API, Reddit’s Conversions API, and the rest) moves the tracking call from the user’s browser to the website’s own servers.
The mechanism is straightforward. The website’s own backend receives information about the user’s actions (purchases, sign-ups, page views), then makes a server-to-server call to the advertising platform’s API. The user’s browser never speaks to the advertising platform directly. From the browser’s perspective, no third-party request occurred. Privacy tools that block third-party domains see nothing.
The information transmitted is typically equivalent to or richer than what the client-side pixel provided. The Meta Conversions API, for instance, supports sending hashed email addresses, phone numbers, and other personally identifiable information server-side, which Meta then matches against its own identity graph.
The privacy implication: client-side blocking is no longer sufficient to prevent cross-site tracking when the website itself is collaborating with the tracker.
CNAME cloaking and first-party disguise
Another response to third-party blocking. The advertiser configures a subdomain of the publisher’s site (analytics.publisher.com) to point via DNS CNAME to the tracker’s actual domain. From the browser’s perspective the requests appear to be first-party: the cookie set is a first-party cookie and the request goes to the publisher’s apparent domain, so many privacy tools cannot distinguish them from the publisher’s own traffic.
This was popularised by Eulerian Technologies (now part of Adobe), AT Internet, Adobe Analytics, and others; it is the technical reason that ad-blocker filter lists have to include domain-level rules that catch CNAME redirects. uBlock Origin and Brave both implement CNAME-aware blocking; Safari’s Intelligent Tracking Prevention has specific countermeasures.
The Mozilla research on this, "How Web Trackers Use CNAME Cloaking to Bypass Cookie Restrictions," remains the canonical analysis.
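A sketch of the CNAME-aware check described above, added here as an illustration (it is not code from uBlock Origin, Brave, or any tool named on this page). The DNS records, hostnames and tracker list are constructed so that it runs offline; a real blocker would take the chain from a live resolver and the tracker domains from a filter list.

```python
# Constructed DNS data: name -> CNAME target. A name with no entry ends the chain (A/AAAA).
CNAME_RECORDS = {
    "analytics.publisher.example": "pub123.collector.tracker.example",
    "pub123.collector.tracker.example": "edge7.tracker.example",
    "cdn.publisher.example": "publisher.cdnprovider.example",
    "www.publisher.example": "publisher.example",
}
# Constructed list of tracker domains (assumption: stands in for a filter list).
TRACKER_DOMAINS = {"tracker.example"}


def resolve_chain(name, records, max_hops=8):
    """Follow CNAMEs from `name` and return every hostname visited, in order."""
    chain = [name.rstrip(".").lower()]
    while chain[-1] in records and len(chain) <= max_hops:
        target = records[chain[-1]].rstrip(".").lower()
        if target in chain:  # CNAME loop: stop rather than spin
            break
        chain.append(target)
    return chain


def matches_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def cloaked_tracker(name, site_domain, records=CNAME_RECORDS, trackers=TRACKER_DOMAINS):
    """Return the tracker hostname a first-party name resolves to, or None."""
    if not matches_domain(name.lower(), site_domain):
        return None  # not first-party; ordinary third-party rules already apply
    for host in resolve_chain(name, records)[1:]:
        if matches_domain(host, site_domain):
            continue  # still inside the publisher's own zone
        if any(matches_domain(host, t) for t in trackers):
            return host  # first-party label, third-party destination
    return None
```

The CDN subdomain also leaves the publisher's zone but is not flagged, which is why the check needs a tracker list rather than treating every off-site CNAME as cloaking.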
Identity graphs and probabilistic matching
The most consequential layer, hidden from public view. Companies like LiveRamp, The Trade Desk’s Unified ID 2.0, ID5, and ad-platform internal graphs maintain mappings between hashed email addresses, hashed phone numbers, postal addresses, device IDs, IP addresses, and behavioural signatures. When a tracking pixel or server-side call fires with a hashed email, the identity-graph operator finds the match in their database and connects the new event to the existing profile.
The user does not see this happening. The matching uses cryptographic hashes that look anonymising but are deterministic; once your hashed email is in the graph, every site that captures the same hashed email connects to the same profile. The same applies to phone numbers, postal addresses, and a long list of other deterministic identifiers.
The Princeton Web Transparency and Accountability Project’s research at webtap.princeton.edu and the work of Privacy International (privacyinternational.org) provide the most detailed public accounts.
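Why a deterministic hash works as a join key, shown as an added example (not code from any identity-graph vendor or from this page). The sites, addresses and events are constructed, and the trim-and-lowercase normalisation before SHA-256 is an assumption about how the identifier is prepared. The last address is a per-service alias of the kind discussed under "What individuals can do".

```python
import hashlib
from collections import defaultdict


def normalise_email(addr):
    # Assumed normalisation: trim whitespace and lowercase before hashing.
    return addr.strip().lower()


def hashed_id(addr):
    """SHA-256 of the normalised address: same input, same output, on every site."""
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()


# Constructed events: (site, email as the user typed it, action).
EVENTS = [
    ("shop.example", "Alice@Example.com ", "purchase"),
    ("news.example", "alice@example.com", "newsletter_signup"),
    ("clinic.example", " ALICE@example.com", "appointment_booked"),
    ("forum.example", "alice.forum.x7@relay.example", "signup"),  # per-service alias
    ("shop.example", "bob@example.org", "purchase"),
]


def build_graph(events):
    """Group events by hashed email, the way a graph keyed on that hash would."""
    profiles = defaultdict(list)
    for site, email, action in events:
        profiles[hashed_id(email)].append((site, action))
    return dict(profiles)


def sites_linked_to(email, graph):
    """Sites whose events fall into the profile for this address."""
    return sorted({site for site, _ in graph.get(hashed_id(email), [])})
```

Three differently typed copies of one address collapse into a single profile spanning three sites, while the alias lands in a profile of its own.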
Browser fingerprinting
Even without cookies, identifiers, or pixels, browsers can be uniquely identified through their characteristics: User-Agent string, screen dimensions, installed fonts, WebGL renderer, audio context behaviour, language settings, timezone. The EFF’s Cover Your Tracks tool at coveryourtracks.eff.org demonstrates the uniqueness on demand.
Modern fingerprinting is most prevalent in fraud-detection products (Iovation, ThreatMetrix, Sift), where it is generally legitimate, and in advertising-attribution products, where it operates in ethical grey zones. Apple Safari and Brave have aggressive fingerprinting countermeasures; Firefox has moderate ones; Chrome’s Privacy Sandbox aims to constrain fingerprinting via the User-Agent Client Hints transition.
Privacy Sandbox and the post-cookie design
Google’s Privacy Sandbox is the largest organised attempt to redesign web advertising without third-party cookies. Components:
Topics API. The browser categorises browsing history into topics (sport, finance, etc.) and discloses a small set to advertisers.
Protected Audiences (formerly FLEDGE). On-device auctions for retargeting that do not leak identity off the device.
Attribution Reporting API. Privacy-budgeted conversion measurement.
Privacy Sandbox is technically interesting and politically contested. The UK Competition and Markets Authority has imposed binding commitments on Google’s deprecation timeline; the W3C’s work on the standards continues.
The likely 2026–2027 outcome: a heterogeneous tracking landscape where some advertising operates through Privacy Sandbox primitives, some through server-side conversion APIs and identity graphs, and some through fingerprinting. None of it is what users believe is happening.
What individuals can do
Use Firefox or Brave with Enhanced Tracking Protection / Shields enabled. Safari is the next best mainstream option.
Use uBlock Origin (Firefox) or uBlock Origin Lite (on Chromium, where MV3 forces it). Filter lists from EasyList, EasyPrivacy, and AdGuard’s tracking lists cover a meaningful share of trackers.
Use a private DNS resolver with blocklists, such as NextDNS, Pi-hole, or AdGuard DNS. These catch some server-side tracking by blocking the domains entirely.
Use Apple Hide My Email, Firefox Relay, or SimpleLogin to fragment your email-address identity across services.
Disable advertising IDs at the OS level on iOS and Android.
The broader point: the third-party cookie is dying, and the tracking economy has not died with it. The replacement infrastructure is more sophisticated, more opaque, and more resistant to user control. Eternal vigilance is, regrettably, the price of privacy on the modern web.