Why Ads Follow You: Cookies, RTB, and Privacy
A pair of running shoes you glanced at once follows you across every news site for the next few days. You only mention something to a friend in passing, and that evening the same topic shows up as an Instagram ad. At this point it is hard not to wonder, “is my phone listening?”
This post walks through how ads actually get tailored to you — what clues are collected, and how they end up as that one image on your screen. No code.
It is inference, not eavesdropping #
Start with the most common misunderstanding. Ads are accurate enough that microphones look suspect, but no credible evidence has ever surfaced that major ad platforms run constant audio surveillance. What they do instead is gather your search history, the sites you visit, your location, the ads you click, and the behavior of people whose patterns look like yours, and from all that they infer “this person is likely to react to this ad.” Less dramatic than eavesdropping. In practice, more precise.
What lets them recognize “you” #
For ads to be tailored to you, the ad system needs a way to keep tracking you as the same person. The most common tool for that job is the cookie. What cookies are and how they are used to keep you logged in is covered in Staying Logged In — Cookies, Sessions, and Tokens; advertising puts them to a slightly different use.
On the web, there is a distinction between first-party and third-party cookies. A first-party cookie is set directly by the site you are looking at. A third-party cookie is set by some other company’s advertising code embedded inside that page. When the same ad company’s code is embedded across many sites, that company can use its third-party cookies to stitch together a single thread of one person moving from site to site. This is what people mean by cross-site tracking.
When cookies are blocked, the tracking moves to other clues. On mobile, a device advertising ID. On the web, your IP address, screen resolution, language, browser, even the list of installed fonts can be combined into something that distinguishes one person from another — a technique known as device fingerprinting. The arms race between ever-more-clever tracking and the browsers trying to stop it is one of the big background plotlines of the ad industry.
A 0.2-second ad auction #
In the short moment when an empty ad slot fills on a news site, an actual auction is taking place. Each time the page opens, an anonymous profile of you (“cookie ID, interest categories, rough location”) is thrown to an ad exchange. Several advertisers’ systems bid within 0.1–0.2 seconds — “I will pay this much to put this ad in that slot.” The highest bidder wins the slot, and one ad gets drawn on your screen. To human eyes the page just loaded all at once, but behind it a small auction has been spinning each time.
This structure is called RTB (Real-Time Bidding), and the largest exchanges are run by the big platforms — Google, Meta, and a handful of others.
The rules are shifting #
Once third-party cookies became too powerful a tracking tool, browsers started blocking them. Safari closed the door long ago, Firefox followed, and Chrome is gradually shrinking and replacing them. On mobile, Apple introduced App Tracking Transparency (ATT) in iOS in 2021, forcing apps to ask the user explicitly — a single change that shook the ad industry hard.
Europe’s GDPR and the wave of regulations after it locked in a direction: get explicit consent before collecting data for advertising. The long, fiddly cookie consent banners you meet on every site are the visible side of that rule. They are often clicked through carelessly, but at least for advertising tracking, “off by default” is becoming the new normal.
If you want to reduce exposure #
You cannot fully block targeting, but you can shrink your exposure quite a bit.
- At the browser level: use a browser like Safari or Firefox where tracking protection is on by default, or use Chrome in private mode with a tracker-blocking extension.
- At the account level: Google, Meta, and Apple all have settings to “turn off personalized ads” and “reset advertising ID.” Ads do not disappear, but they tilt toward more generic ones.
- At the app level: on iOS each app has to ask for tracking permission, and Android is steadily strengthening the same kind of controls.
The question is not whether ads are good or bad #
Targeted advertising props up a huge part of the free internet economy, so it is not going away overnight. What is worth knowing as a user, though, is “what information of mine is collected, by whom, and how far it travels.” The next time an ad feels uncannily accurate, before suspecting a microphone, try retracing which clues might have led to it. That lines up far better with how the system actually works than any conspiracy theory does.