How To Stop Websites From Tracking You Online
Open a news website in a fresh browser. Before you read a single headline, your visit has already been logged by an average of 40 separate third-party services. None of them are the news site you went to. Most have names you’ll never recognize.
That’s not a worst-case scenario. That’s what privacy researchers consistently find when they audit the invisible infrastructure embedded in ordinary web pages.
This guide covers exactly what those services collect, how each tracking technique works, and what you can realistically do to stop it.
What Gets Collected Before You Click Anything
Most people assume websites track what they do, like which articles they read or which products they view. The reality starts before any of that.
When your browser loads a page, it sends out dozens of simultaneous requests to different servers. Your device’s IP address, operating system, browser version, screen resolution, installed fonts, and time zone all travel with those requests automatically. A tracker doesn’t need you to interact with anything. Your device announces itself the moment it connects.
From that initial signal alone, a tracker can:
- Recognize you on the next site that uses the same tracker network
- Link your current session to a visit you made weeks or months ago
- Connect your mobile browsing to your desktop browsing if both share identifying characteristics
- Associate your anonymous browsing with a purchase made on a different device
According to research by Princeton’s Web Transparency and Accountability Project, a single large ad network has enough reach to observe users across more than 80% of the top 1,000 websites. One network. Eight out of ten pages on the most-visited corners of the internet.
That’s not targeted advertising. That’s a surveillance infrastructure with an advertising revenue model.
The 7 Tracking Techniques Running on Every Page You Visit
Understanding how each method actually functions helps you understand which defenses stop it, and which ones don’t.
Third-Party Behavioral Cookies
Third-party cookies are set not by the site you’re visiting, but by tracker services embedded on that page. When you visit a news site that includes ad network widgets or analytics tools, each one attempts to plant a cookie on your device containing a unique identifier.
When you visit the next site using the same tracker network, that cookie is read. The network now knows both visits were you, even though the two websites have no relationship with each other. Repeat this across 100 sites and the network has a detailed map of your browsing life.
Canvas Fingerprinting
No cookie required for this one. Canvas fingerprinting renders an invisible drawing element in your browser and measures how your device processes it. The combination of your graphics hardware, driver version, browser rendering engine, and installed fonts produces an output that’s unique enough to identify your device across sessions.
Clearing your cookies does nothing against this. The fingerprint reconstructs itself automatically on every visit. A 2014 study published in ACM CCS found canvas fingerprinting deployed on nearly 5% of the web’s top 100,000 sites. That number has grown significantly as browser restrictions have made cookies less reliable for trackers.
Tracking Pixels and Web Beacons
A tracking pixel is a transparent 1x1 image embedded in a webpage or email. Your browser fetches it from the tracker’s server to render it. That fetch contains your IP address, browser type, the page you were viewing, and the exact time of your visit.
Email marketers use pixels to know precisely when you opened a message, from which device, and from what location. Decline to load images in email apps to block this one at the source.
IP Address and Session Profiling
Your IP address reveals your approximate geographic region and, over time, your usage patterns. Advertisers routinely connect household devices to a single behavioral profile when they share the same home IP, even when no direct cookie or login identifier is present.
This also means your browsing from a personal laptop can be linked to a tablet your family members use, with no tracking code on any device required.
Session Recording Scripts
Some analytics platforms record your exact mouse movements, scroll position, and typed keystrokes. Tools like FullStory and Hotjar provide website owners with session replay capabilities so they can watch how visitors navigate their pages in real time.
This is generally disclosed somewhere in a site’s privacy policy. It also means someone may have a recording of how you interacted with a health information site, a job application page, or a financial account portal.
CNAME Cloaking
As browsers began blocking third-party tracker domains by default, some ad technology companies developed a workaround. Instead of loading from tracker.adnetwork.com, tracking scripts now sometimes load through a subdomain configured to look first-party, like analytics.thewebsiteyouvisited.com.
The tracking request disguises itself as belonging to the site you’re on. DNS filtering solutions that resolve the full CNAME chain can catch a significant portion of these, though it remains an active technical arms race.
Social Widget Surveillance
That share button or like widget on a recipe blog makes a live request to Facebook’s or Twitter’s servers the moment the page loads. It sends your IP address, browser details, and the URL you’re viewing. You don’t have to click anything. You don’t even need an account on the platform.
A 2018 Facebook disclosure to the European Parliament confirmed that the platform collects data on users who aren’t logged in, and on people who have never created an account.
Why Online Tracking Creates Real Risks Beyond Targeted Ads
Most people accept tracking as the cost of free websites. That reasoning misses what the collected data gets used for beyond showing you relevant ads.
Behavioral manipulation. Tracking profiles determine what news you see, what prices you’re shown, and what content keeps you engaged on a platform. A 2023 Pew Research report found 81% of Americans believe the risks of company data collection outweigh the benefits, yet feel largely powerless to change the situation.
Data broker exposure. Companies that collect your behavioral data routinely sell it to data brokers, who aggregate it with public records to create detailed profiles available for purchase by essentially anyone. These profiles have been used in employment screening, insurance pricing, and targeted fraud campaigns.
Account takeover via stolen cookies. Authentication cookies can bypass login systems entirely. In 2024, security researchers documented infostealer campaigns that extracted authentication cookies from browsers and used them to access Google accounts continuously, even after users changed their passwords.
Breach amplification. The 2024 National Public Data breach exposed an estimated 2.9 billion records including Social Security numbers. The reason those records were so exploitable: years of behavioral tracking data, cross-referenced with public records, had already enriched them into highly actionable profiles.
The data that trackers collect is not just an advertising tool. It’s a liability that compounds every time it gets aggregated, sold, or breached.
How to Stop Website Tracking: A Defense in Layers
No single tool stops all tracking. The approach that works in practice combines network-level filtering with browser hardening and behavioral habits.
Layer 1: Block Tracker Domains at the Network Level
Every tracker loads from a domain. doubleclick.net, connect.facebook.net, scorecardresearch.com are infrastructure, not content. They can be stopped before they ever reach your browser.
DNS filtering intercepts the domain lookup that happens before any page element loads. When your device tries to reach a known tracker domain, the filtering service returns nothing. The script never loads. The pixel never fires. The session recording never starts.
Services like Stoix handle this at the network level, which means every app and browser on your device gets protection simultaneously without any per-app configuration. Unlike browser extensions that only cover one browser, DNS filtering protects mobile apps, connected devices, and anything using your network profile.
This is the highest-leverage privacy action available. It doesn’t require changing how you browse. It changes what your devices are permitted to reach. Setup takes about five minutes with a guided walkthrough, and no technical background is needed.
Layer 2: Harden Your Browser Settings
After DNS filtering handles network-level tracker domains, browser configuration addresses what remains:
Disable third-party cookies. Safari blocks these by default. In Firefox, go to Preferences > Privacy and Security and set Enhanced Tracking Protection to Strict. In Chrome, visit Settings > Privacy and Security > Third-party Cookies and select the blocked option.
Enable strict tracking protection mode. Firefox’s Strict mode blocks not just cookies but cryptominers and fingerprinting scripts. This is one setting change that eliminates an entire category of tracking.
Add uBlock Origin. uBlock Origin is a free, open-source browser extension available for Firefox and Chrome that blocks tracker domains at the browser level, complementing DNS filtering for first-party scenarios and CNAME cloaking attempts.
Consider a privacy-default browser. Firefox and Brave both ship with fingerprinting resistance and aggressive default tracker blocking. Neither requires manual configuration to improve substantially over Chrome’s defaults.
Layer 3: Review Cookie Consent Carefully
Most sites now show cookie consent banners to comply with GDPR in Europe and similar laws elsewhere. The default option these banners push you toward is “Accept All.” The less-visible choice is usually the more useful one.
When a cookie consent notice appears:
- Look for “Reject All” or “Decline Non-Essential.” Some sites place this on the second screen.
- If only “Accept” and “Customize” appear, click “Customize” and look for an option limiting to strictly necessary cookies only.
- Essential cookies (keeping you logged in, remembering your cart) are technically separate from behavioral tracking cookies. A site functions normally without the latter.
Consistently declining non-essential cookies reduces the volume of cross-site tracking data attached to your sessions.
Layer 4: Opt Out of Personalized Advertising
These opt-outs don’t stop data collection, but they remove your data from the ad targeting pipeline, which limits downstream use:
- Google: Visit My Ad Center and disable personalized ads
- Meta: Settings > Ads > Ad Preferences > Ad Settings
- Apple: Settings > Privacy and Security > Apple Advertising, then toggle off Personalized Ads
- iOS app tracking: Settings > Privacy and Security > Tracking, then disable “Allow Apps to Request to Track” to block cross-app tracking requests entirely
These opt-outs carry legal weight under privacy regulations and are enforced more seriously than in previous years.
Layer 5: Clear Your Tracking Footprint Regularly
Stored cookies, site data, and cached content accumulate over time and give tracker networks more material to build persistent profiles from. Regular clearing resets this accumulation.
Browser-specific steps:
- Chrome: Settings > Privacy and Security > Clear Browsing Data, select Cookies and Other Site Data
- Firefox: Settings > Privacy and Security > Cookies and Site Data > Clear Data
- Safari: Settings > Privacy > Manage Website Data > Remove All Website Data
Clearing browsing data does not stop canvas fingerprinting (which reconstructs your identifier without stored data), but it forces tracker networks to rebuild connections rather than reading from a long-established profile.
Layer 6: Reduce Your Digital Surface Area
Every account you create, every form you complete, and every permission you grant expands the data available about you across the internet. Reducing this surface area reduces what trackers have to work with.
Practical steps:
- Use a secondary email address for account creation to separate it from your primary identity
- Fill in only required fields when signing up for services, leave optional fields blank
- Delete accounts you no longer use; dormant accounts with stored data are a liability with no benefit
- Audit app permissions regularly and revoke location, microphone, and contacts access from apps that have no functional need for them
Layer 7: Request Removal From Data Broker Lists
Data brokers aggregate behavioral data that web trackers collect and sell it as compiled profiles. Platforms like Spokeo, Whitepages, and Acxiom maintain records on most adults, often in significant detail.
You can request removal manually by finding your profile on each broker site and following their opt-out process. This is time-intensive, and brokers often re-acquire data from new sources within months.
Automated removal services submit these requests on your behalf on a recurring basis, which is more effective for maintaining reduced visibility over time than a single round of manual removals.
What Tracking Protection Cannot Fully Stop
An honest limitation: some tracking happens outside the reach of consumer tools.
First-party analytics. When a site runs its analytics on its own domain rather than a third-party service, DNS filtering cannot block it without making the site stop working. This data stays with that particular site rather than flowing across a tracker network, which limits its utility for cross-site profiling.
Server-side tracking. Some data collection happens on the server before any page content reaches your browser. The server logs your request, records your IP, and processes behavioral data before sending the page. Browser extensions and DNS filters have no visibility into this layer.
Login-based tracking. When you’re signed into Google, Facebook, or any platform, your activity on any site that uses their embedded infrastructure is associated with your account regardless of other protections in place. Using these accounts less frequently, or logging out after sessions, is the practical response.
ISP-level monitoring. Your internet service provider can observe which domains you connect to even with DNS filtering active. A VPN addresses this by encrypting traffic before it reaches your provider. For a deeper look at how these tools complement each other, see the comparison of DNS filtering vs VPN.
Understanding these limits calibrates realistic expectations. Layered protection significantly reduces your tracking exposure. Total elimination requires trade-offs that most people aren’t willing to live with.
How to Measure Your Current Exposure
Before and after making privacy changes, you can measure what trackers can see.
Cover Your Tracks by EFF tests your browser’s fingerprint uniqueness and reports whether tracking protection is working. It shows exactly what trackers can identify about your device right now, without any cookies or login information.
If you use Stoix’s DNS filtering, the analytics dashboard logs every blocked tracker domain in real time. Common entries (doubleclick.net, googletagmanager.com, amazon-adsystem.com, connect.facebook.net) represent tracking requests that were stopped before reaching your browser. Running this on a normal browsing session for a few hours makes the scale of routine tracking visible in concrete terms.
Run both tests before and after implementing the steps above. The difference shows up in the data, not just in theory.
Ready to block trackers across every device you own? Stoix filters tracker domains at the DNS level, protecting all your apps and browsers simultaneously. No technical background needed. Get started in minutes with the setup guide.
Frequently Asked Questions
How do I stop websites from tracking me?
The most effective approach layers DNS-level filtering (blocks tracker domains before they load), browser hardening (disable third-party cookies, enable strict tracking protection), and regular data hygiene (clear cookies, audit app permissions). No single tool stops everything. Combining methods covers most real-world tracking vectors.
Does incognito mode stop website tracking?
No. Private browsing mode only prevents your browser from saving local history, cookies, and form data on your device after the session ends. Websites, advertisers, and your ISP can still track activity in real time. Incognito mode hides browsing from other people on your device, not from the internet itself.
What is the most effective way to block online trackers?
DNS filtering is one of the highest-leverage options because it stops tracker domains at the network level, before any tracking code loads in your browser. It covers every app and browser on your device simultaneously. Combining DNS filtering with strict browser settings closes most remaining gaps.
Can websites still track you after you decline cookies?
Yes. Cookies are one tracking method among several. After declining cookies, sites can still use device fingerprinting, log your IP address, and collect server-side data about your visit. Declining cookies meaningfully reduces some tracking, but it doesn’t stop the other mechanisms.
What is device fingerprinting and how do I stop it?
Device fingerprinting identifies your device by combining characteristics like browser version, screen resolution, installed fonts, and time zone into a signature that persists after cookie clears. Blocking the domains that serve fingerprinting scripts via DNS filtering, and using a browser with built-in fingerprint resistance like Firefox in Strict mode or Brave, are the most practical defenses.
How many trackers does a typical website have?
Research consistently finds that the average news or media site loads 40 to 60 third-party tracking elements per page, with some exceeding 100. Most of these come from ad networks, analytics tools, social widgets, and data management platforms that are embedded across thousands of sites simultaneously.
Does a VPN stop website tracking?
Partially. A VPN hides your IP address and encrypts traffic from your internet service provider. It does not block tracker scripts, pixels, or cookies. Once a tracker loads in your browser, it can identify your device through fingerprinting or account login status regardless of your IP address. VPNs and DNS filtering solve different parts of the privacy problem; using both together provides more comprehensive coverage.
What data do trackers actually collect about me?
Trackers log your IP address, browser and device specifications, pages visited, time on each page, clicks, scroll depth, search queries, purchase intent signals, approximate location, and behavioral patterns across unrelated sites. Over time this builds a detailed profile used for ad targeting, algorithmic content selection, price discrimination, and in some cases resale to data brokers.