
If you spend most of your day online or with a phone in your pocket, you’re producing a breadcrumb trail dense enough to reconstruct where you were, what you looked at, and often what you were thinking about. The sheer scale makes this consequential: more than 5.5 billion people were online at the start of 2025, and a growing share of that activity happens on mobile devices.
How the web tracks you
Traditional web tracking started with cookies, tiny files that remember who you are between page loads. Third‑party cookies made it possible for ad networks to follow you across sites. As browsers restrict those, the industry leans harder on techniques that don’t require storage on your device: fingerprinting that combines your device’s characteristics, IP address, fonts, and timing signals into a probabilistic ID; URL parameters and link decoration; and server‑side profiling that stitches your sessions together. Even when tracking is “consented,” the design of many consent banners nudges you into allowing more than you intended, and the data often flows into real‑time bidding exchanges where your page views are auctioned off in milliseconds.
Regulators have noticed the imbalance. The UK’s data protection authority, for example, set a 2025 agenda to force clearer choices, curb deceptive consent flows, and scrutinize tracking not just on websites but also in apps and connected devices. It is explicitly targeting compliance among the top 1,000 sites and clarifying when “consent or pay” models are lawful, with the stated aim of fewer intrusive practices and more privacy‑preserving advertising such as contextual targeting.
The plumbing behind targeted advertising deserves plain language. Real‑time bidding (RTB) means that when a page loads, details about your device, approximate location, and interests are broadcast to many participants so they can bid to show you an ad. Even though only one bidder “wins,” others may still receive the data, which is why RTB is often described as one of the most invasive forms of surveillance you’ve never heard of.
How your phone tracks you
Phones intensify tracking because they live with you and have sensors. Many apps don’t just request GPS; they also harvest Bluetooth and Wi‑Fi scan results as a proxy for location and movement. A recent large‑scale analysis of Android apps and their embedded SDKs found that most collected GPS alongside wireless signals and device identifiers, enabling precise indoor tracking and persistent profiles even when users try to reset advertising IDs—a practice known as “ID bridging”.
Governments and security agencies have also warned about the spillover from the commercial location data ecosystem. After a major leak from a location aggregator exposed precise movements tied to popular apps—including ones people installed for privacy—guidance emphasized disabling advertising IDs and tightening location permissions where possible. The concern is straightforward: app‑level data collection and adtech pipelines can reveal daily routines, associations, and sensitive visits, and once brokered, this data can be widely resold or stolen.
The frontier is moving, too. Academic teams have demonstrated that Wi‑Fi networks can be used to re‑identify people without a camera or a device in their hand, by reading how a human body subtly disrupts radio signals. Using channel state information and deep learning, these systems have reported person re‑identification accuracy over 95% across different environments, raising obvious privacy questions about passive tracking in homes, offices, and public spaces.
Who is watching, and why
Private companies watch because data is revenue. Publishers and app developers embed analytics and advertising SDKs to monetize attention; adtech intermediaries enrich those streams and sell audiences; data brokers stitch identities across contexts and resell segments from “frequent traveler” to “diabetics interested in mortgages.” ISPs can see metadata about your traffic and DNS lookups unless you encrypt and route around them; in some jurisdictions they monetize that visibility, in others they are constrained by law. Governments acquire data directly through lawful processes and indirectly by purchasing from commercial brokers—a shortcut that exploits the same marketplace that powers targeted ads. Platform vendors (browser makers and mobile OS providers) both collect telemetry and position themselves as privacy arbiters, which creates a constant push‑pull between product analytics, ecosystem control, and user protection.
The common denominator is incentive: whoever can observe you can predict you, and whoever can predict you can influence or profit from you. The web and your phone are just different windows into the same attention economy.
What you can do today
Your aim isn’t perfection; it’s friction. You want to make data collection more expensive, less certain, and less linkable to your identity, while preserving enough usability that you’ll actually stick with the habits.
Start with your browser. Use privacy‑forward defaults that block third‑party cookies and known trackers, strip link decoration, and resist fingerprinting. Dedicated privacy browsers can do this out of the box; extensions like uBlock Origin, Privacy Badger, and similar tools add tracker blocking and make RTB calls less effective by starving them of signals. Private search engines reduce query profiling, and email aliasing keeps one leak from becoming many.
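What "stripping link decoration" means in practice, as an added example that is not part of the original article: the function below removes tracking parameters from a link's query string and fragment while leaving functional parameters alone. The parameter names are a small illustrative sample, and the function names and sample URLs are assumptions made for this sketch.

```javascript
// Added example: strip link decoration from a URL before it is opened or shared.
// The parameter names are a small illustrative sample, not a complete list.
const TRACKING_PARAMS = new Set(["fbclid", "gclid", "dclid", "msclkid", "yclid", "igshid", "mc_eid"]);
const TRACKING_PREFIXES = ["utm_"];

function isTrackingParam(name) {
  const n = name.toLowerCase();
  return TRACKING_PARAMS.has(n) || TRACKING_PREFIXES.some((p) => n.startsWith(p));
}

// Delete tracking keys from a URLSearchParams object, recording what was removed.
function stripParams(params, removed) {
  // Snapshot the keys first: deleting while iterating skips entries.
  for (const name of new Set(params.keys())) {
    if (isTrackingParam(name)) {
      removed.push(name);
      params.delete(name);
    }
  }
}

function stripLinkDecoration(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { url: rawUrl, removed: [] }; // not an absolute URL: leave it alone
  }
  const removed = [];
  stripParams(url.searchParams, removed); // query string: mutates url in place

  // Some decoration travels in the fragment (#utm_source=...) instead.
  const fragment = new URLSearchParams(url.hash.slice(1));
  const before = removed.length;
  stripParams(fragment, removed);
  if (removed.length > before) url.hash = fragment.toString();

  // Return the input untouched when nothing matched, so clean links are not re-encoded.
  return { url: removed.length ? url.toString() : rawUrl, removed };
}

// Constructed sample links (shop.example and news.example are placeholders).
const samples = [
  "https://shop.example/item?id=42&utm_source=newsletter&utm_campaign=spring&fbclid=CONSTRUCTED123",
  "https://news.example/story?page=2#utm_medium=social&section=3",
  "https://news.example/archive?year=2025",
];
for (const s of samples) console.log(stripLinkDecoration(s));
```

Stripping decoration removes one linking signal only; it does nothing about fingerprinting or server-side profiling of the request itself.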
On phones, minimize the data surface. Turn off or reset your advertising ID, restrict location to “While using the app” and “Approximate” where possible, and disable Bluetooth and Wi‑Fi scanning that apps can exploit for background location. Security advisories now explicitly recommend disabling location tracking features you don’t need, because even with platform protections, app‑level collection can still produce sensitive trails that leak or get brokered. Some tools add another layer: on Android, app‑level tracker blocking can cut off many embedded SDKs from phoning home; on iOS, features like App Tracking Transparency help, though they’re not a panacea.
A VPN helps in specific ways: it hides your IP from sites and your traffic from your ISP, but it does not stop app or page‑embedded trackers from collecting data once you’re connected. For stronger anonymity, Tor routes and blends your traffic at the cost of speed and convenience. At home, DNS‑level filtering and encrypted DNS can keep devices—especially smart TVs and IoT gadgets—quieter by default. None of these solve everything, but together they reduce how much can be collected, linked, and resold.
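The decision a DNS-level filter makes for each lookup, as an added example that is not part of the original article: names are matched against a blocklist on label boundaries, an allowlist overrides it, and blocked lookups are counted per device. Every domain, client name and log entry here is a constructed placeholder, and the sketch covers the filtering decision only, not encrypted DNS transport.

```javascript
// Added example: the allow/block decision a filtering DNS resolver makes per query.
// All domain names and the query log below are constructed placeholders.
const BLOCKLIST = new Set(["ads.example", "telemetry.tv-vendor.example"]);
const ALLOWLIST = new Set(["login.ads.example"]); // exceptions win over blocks

function normalize(qname) {
  return qname.trim().toLowerCase().replace(/\.$/, ""); // drop trailing root dot
}

// Match the name or any parent domain on label boundaries, so "ads.example"
// covers "cdn.ads.example" but never "notads.example".
function matchDomain(qname, list) {
  const labels = normalize(qname).split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (list.has(candidate)) return candidate;
  }
  return null;
}

function decide(qname) {
  const allowed = matchDomain(qname, ALLOWLIST);
  if (allowed) return { action: "forward", rule: allowed };
  const blocked = matchDomain(qname, BLOCKLIST);
  if (blocked) return { action: "sinkhole", rule: blocked }; // e.g. answer 0.0.0.0
  return { action: "forward", rule: null };
}

// Count sinkholed lookups per client to see which devices are the chattiest.
function sinkholedByClient(queries) {
  const counts = {};
  for (const { client, qname } of queries) {
    if (decide(qname).action === "sinkhole") counts[client] = (counts[client] || 0) + 1;
  }
  return counts;
}

// Constructed query log: one smart TV and one laptop on a home network.
const queryLog = [
  { client: "smart-tv", qname: "Telemetry.TV-Vendor.example." },
  { client: "smart-tv", qname: "eu.telemetry.tv-vendor.example" },
  { client: "smart-tv", qname: "video.tv-vendor.example" },
  { client: "laptop", qname: "cdn.ads.example" },
  { client: "laptop", qname: "login.ads.example" },
  { client: "laptop", qname: "notads.example" },
];
console.log(sinkholedByClient(queryLog));
```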
If you prefer software that bundles protections, there are anti‑tracking suites that combine fingerprinting defenses, cookie management, and tracker blocking. Independent roundups regularly highlight options from privacy‑centric browsers to extensions and stand‑alone tools; they differ in aggressiveness and usability, so pick what you’ll actually maintain.
The near future of tracking and privacy
Tracking is shifting from “who are you?” to “what are you doing right now?” Browsers are deprecating legacy cookies and standardizing APIs for privacy‑preserving ads, while adversaries lean on probabilistic identity, cross‑app SDKs, network‑level signals, and ambient sensing. Regulators are moving from guidance to enforcement, scrutinizing manipulative consent flows and “consent or pay” models, and pushing sites and apps toward clearer choices and less intrusive defaults across web, mobile, and connected devices.
At the same time, research like Wi‑Fi‑based re‑identification shows that even spaces without cameras can become observable if there’s a radio field to read, which expands both the promise and the peril of “smart environments.” It underscores a hard truth: privacy is not just a setting; it’s an ecosystem outcome. Progress will come from a mix of product design that collects less by default, legal pressure that limits what can be traded, and user habits that deprive trackers of easy signals.