The TLDR

When you load a webpage, an auction happens in about 100 milliseconds. Your browsing history, location, device type, and inferred interests get packaged into a bid request and broadcast to hundreds of companies who compete to show you an ad. This system is called Real-Time Bidding (RTB), and it’s the engine behind the roughly $600 billion digital advertising industry. You’re not the customer. You’re the product being auctioned, in real time, thousands of times a day. The IAB OpenRTB specification literally defines how this works, and it’s publicly available if you want to read the machine’s instruction manual.

The Reality

Here’s what happens when you load a single article on a news website. Before the text even finishes rendering, your browser has made 50 to 200 additional network requests to domains you’ve never heard of. Each one of those requests is either collecting data about you, participating in an auction for your attention, or both.

A 2024 FTC report on commercial surveillance found that nine of the largest social media and video streaming companies collected and monetized data far beyond what most folks would ever expect. We’re talking about companies that know what you searched for at 2 AM, what products you looked at but didn’t buy, which political articles you lingered on, and how long you spent on a page about depression before you closed the tab. That last one matters more than you think.

The ad tech industry processes an estimated 700 billion RTB auctions per day globally. Each auction contains data about you – sometimes including precise GPS coordinates, your age bracket, your income estimate, and categories like “expectant parent” or “diabetes interest” that the system inferred from your behavior. That bid request goes out to hundreds of companies simultaneously. Not just the one that wins the auction. All of them see it. All of them can store it.

One Page Load, Traced

You type in a news URL. Here’s roughly what fires:

  1. The page loads its content from the publisher’s server.
  2. An ad tag on the page calls the publisher’s Supply-Side Platform (SSP).
  3. The SSP packages your data into a bid request: your cookie ID, IP address, the page URL, your approximate location, device type, screen size, and any audience segments the publisher has tagged you with.
  4. That bid request goes to an ad exchange, which broadcasts it to dozens of Demand-Side Platforms (DSPs).
  5. Each DSP checks your cookie ID against its own data, matches you with profiles from Data Management Platforms (DMPs), and decides how much you’re worth.
  6. The DSPs that want you submit bids. The highest bid wins.
  7. The winning ad creative loads in your browser. The losing DSPs still got your data.
  8. Tracking pixels fire. Your visit to this page gets added to your profile for next time.

Total elapsed time: 80 to 120 milliseconds. This happened for every ad slot on the page. A typical page has 5 to 15 ad slots. Multiply that by every page you visit, every day, across every device you own.

How It Works

Cookies, Pixels, and the Identity Layer

The whole system depends on being able to identify you across websites. Traditionally, that meant third-party cookies – small text files that a domain other than the one you’re visiting drops in your browser. When you visit Site A, a cookie from doubleclick.net gets set. When you visit Site B, that same doubleclick.net cookie gets read. Now Google knows you visited both sites.

Tracking pixels work similarly. A 1x1 transparent image loaded from a tracking domain lets that domain set and read cookies, log your IP address, and record which page triggered the pixel. The Facebook Pixel is the most famous example – it’s embedded on millions of websites and feeds data back to Meta’s ad targeting engine even if you don’t have a Facebook account. Meta calls this “Off-Facebook Activity,” and it includes data from apps and websites that have nothing to do with Facebook.
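To make the linkage concrete, here is an added example (not code from any tracker or from this article's sources) that scans a request log for third-party identifiers presented on more than one site. The log entries, the domain names, and the `registrable` helper are all constructed for illustration.

```javascript
// Constructed request log: the page that was open, the host contacted,
// and the cookie the browser sent to that host (null if none).
const requestLog = [
  { page: "https://site-a.example/article", host: "site-a.example", cookie: "sess=111" },
  { page: "https://site-a.example/article", host: "ads.tracker.example", cookie: "uid=abc123" },
  { page: "https://site-b.example/shop", host: "cdn.site-b.example", cookie: null },
  { page: "https://site-b.example/shop", host: "px.tracker.example", cookie: "uid=abc123" },
  { page: "https://site-c.example/", host: "fonts.static.example", cookie: null },
];

// Assumption: the registrable domain is the last two labels. Real tools use
// the Public Suffix List, which this sketch does not.
const registrable = (host) => host.split(".").slice(-2).join(".");

// Group third-party requests by (tracker domain, cookie) and report every
// identifier that was presented while more than one first-party site was open.
function findCrossSiteIdentifiers(log) {
  const seen = new Map();
  for (const { page, host, cookie } of log) {
    const firstParty = registrable(new URL(page).hostname);
    const thirdParty = registrable(host);
    // First-party requests and cookieless requests cannot link visits here.
    if (!cookie || thirdParty === firstParty) continue;
    const key = `${thirdParty}|${cookie}`;
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(firstParty);
  }
  return [...seen.entries()]
    .filter(([, sites]) => sites.size > 1)
    .map(([key, sites]) => {
      const [tracker, cookie] = key.split("|");
      return { tracker, cookie, sites: [...sites].sort() };
    });
}
```

The same grouping works on a HAR export from browser developer tools, which is a quick way to see which domains on a site you run are in a position to join visits together.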

The Ad Tech Stack

The industry has built a bewildering tower of intermediaries between you and the advertiser:

The RTB Process, End to End

The IAB OpenRTB 2.6 specification defines the technical protocol. A bid request contains fields like:

Every DSP that receives this bid request gets all of this data, whether they win the auction or not. A 2019 study by researchers at Brave estimated that the average European’s RTB data is broadcast 376 times per day. The Irish Council for Civil Liberties called it “the biggest data breach ever recorded” – not because of a hack, but because the system is working as designed.
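The following added example (not taken from the specification or from any exchange's code) audits a bid request for the personal data every recipient sees, then shows a minimized copy. The sample request is constructed; the field names are OpenRTB 2.x object paths, while `SENSITIVE_PATHS` and both functions are hypothetical names chosen for this sketch.

```javascript
// Constructed sample bid request (not captured traffic). Field names follow
// OpenRTB 2.x; every value is made up for illustration.
const sampleBidRequest = {
  id: "req-0001",
  imp: [{ id: "1", banner: { w: 300, h: 250 } }],
  site: { page: "https://news.example/health/depression-guide" },
  device: { ip: "203.0.113.57", ifa: "00000000-aaaa-bbbb-cccc-000000000000",
            geo: { lat: 53.34981, lon: -6.26031 } },
  user: { id: "exchange-user-123", buyeruid: "dsp-user-456",
          data: [{ name: "constructed-dmp", segment: [{ id: "s1", name: "diabetes interest" }] }] },
};

// Hypothetical audit rules: OpenRTB field path -> what it reveals.
const SENSITIVE_PATHS = {
  "site.page": "page URL (content being read)",
  "device.ip": "network identifier",
  "device.ifa": "advertising ID",
  "device.geo.lat": "precise location",
  "device.geo.lon": "precise location",
  "user.id": "exchange user ID",
  "user.buyeruid": "buyer-side user ID",
};

const get = (obj, path) => path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);

// List each personal-data field present, plus every audience segment name.
function auditBidRequest(req) {
  const findings = Object.keys(SENSITIVE_PATHS)
    .filter((path) => get(req, path) !== undefined)
    .map((path) => ({ path, reveals: SENSITIVE_PATHS[path] }));
  for (const d of req.user?.data ?? [])
    for (const s of d.segment ?? [])
      findings.push({ path: "user.data.segment", reveals: `inferred segment: ${s.name}` });
  return findings;
}

// Copy with the user object and IFA dropped, IPv4 truncated, geo coarsened, URL cut to origin.
function minimizeBidRequest(req) {
  const out = JSON.parse(JSON.stringify(req));
  delete out.user;
  if (out.device) {
    delete out.device.ifa;
    if (out.device.ip) out.device.ip = out.device.ip.replace(/\.\d+$/, ".0");
    for (const k of ["lat", "lon"])
      if (out.device.geo?.[k] !== undefined) out.device.geo[k] = Math.round(out.device.geo[k] * 10) / 10;
  }
  if (out.site?.page) out.site.page = new URL(out.site.page).origin + "/";
  return out;
}
```

Publishers and SSP operators can run this kind of audit against their own outbound requests to see what they are broadcasting before deciding what to strip.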

Third-Party Cookies and Their Deprecation

Google has been promising to kill third-party cookies in Chrome since 2020. The deadline has been pushed back repeatedly. Safari and Firefox blocked them years ago. Chrome, which holds roughly 65% of the browser market, kept them alive because Google’s ad business depends on them.

The replacement is the Privacy Sandbox, a suite of APIs that Google says will enable targeted advertising without tracking individuals. The flagship proposal, Topics API, has the browser itself categorize your interests based on your browsing history and share those categories with advertisers. Critics, including the EFF, point out that this just moves the tracking from cookies to the browser itself, with Google controlling the entire pipeline.

Building the Profile

Cross-Site Tracking

The reason your browsing feels surveilled is because it is. When you search for “knee pain” on Google, then visit WebMD, then browse Amazon for knee braces, and then see knee brace ads on Instagram, that’s not a coincidence and it’s not your phone listening to you through the microphone. It’s cross-site tracking working exactly as intended.

Google sees the search. Amazon sees the product browse. Meta’s pixel on WebMD sees the article visit. All three companies have your advertising identifier. The DSPs that work with all three can merge these signals into a profile that says “this person is researching knee problems and is ready to buy.”

Device Fingerprinting in a Post-Cookie World

As third-party cookies fade, the industry has shifted to fingerprinting – identifying you based on your browser configuration, screen resolution, installed fonts, GPU rendering characteristics, timezone, language, and dozens of other signals. The combination is often unique enough to identify you without any cookie at all. We cover this in depth in our browser fingerprinting deep dive, but know that the ad industry sees cookie deprecation as a speed bump, not a wall.

Facebook Pixel and Off-Facebook Activity

Meta’s tracking pixel is on over 8 million websites. When you visit a site with the pixel installed, Meta logs the visit and ties it to your Facebook account (or shadow profile if you don’t have one). In 2019, Meta introduced the “Off-Facebook Activity” tool that lets you see this data. Most folks who check it are stunned by the volume – hundreds of apps and websites reporting your activity back to Meta.

The EFF’s Privacy Badger documentation catalogs how these trackers operate. Meta’s pixel doesn’t just record page visits – it can capture form submissions, button clicks, and purchase data if the website implements the pixel’s event tracking features. This means Meta may know what you bought on a retailer’s website, what you searched for on a travel site, and what health conditions you researched on a medical portal.

Google’s DoubleClick / DFP

Google’s ad tracking infrastructure is so pervasive that it’s essentially part of the internet’s plumbing. DoubleClick (now Google Ad Manager) serves ads on millions of sites. Google Analytics is installed on over 28 million websites. Chrome is the most popular browser. Android is the most popular mobile OS. Gmail reads your purchase confirmations and travel itineraries to build a profile. Google Maps knows where you go. YouTube knows what you watch.

When one company controls the browser, the search engine, the email, the mobile OS, the ad exchange, the SSP, the DSP, and the analytics platform, the tracking is less “cross-site” and more “omniscient.”

Mobile Advertising IDs

IDFA (iOS) and GAID (Android)

Every iPhone has an Identifier for Advertisers (IDFA). Every Android phone has a Google Advertising ID (GAID). These are device-level identifiers designed specifically for ad tracking. They work like a super-cookie that follows you across every app on your device.

Before Apple’s App Tracking Transparency (ATT) framework launched in iOS 14.5 (2021), apps could read your IDFA without asking. Entire businesses were built on matching IDFAs across apps to build profiles. A dating app, a health app, and a banking app all sharing the same IDFA meant a data broker could build a profile that included your relationship status, health conditions, and financial behavior.

On Android, the GAID is still accessible by default. Google announced it would let folks delete their advertising ID in 2022, but the setting is buried, and the ecosystem still depends on it. The difference between Apple and Google here is telling – Apple’s business model is hardware and services, so they can afford to restrict tracking. Google’s business model is the tracking.

Why Resetting Matters

Resetting your advertising ID is better than nothing, but the industry has developed “ID bridging” techniques that re-link your new ID to your old profile using probabilistic matching – same IP address, same device fingerprint, same usage patterns. The only reset that truly breaks the chain is opting out entirely (iOS) or deleting the ID (Android), combined with limiting app permissions.

The Data Layer

Ad Tech Meets Data Brokers

The ad tech stack doesn’t operate in isolation. DSPs and DMPs purchase data from traditional data brokers – companies like Acxiom, Oracle Data Cloud (before they exited), and LexisNexis – to enrich online profiles with offline data. Your voter registration, property records, estimated income, purchase history from loyalty cards, and magazine subscriptions get merged with your browsing history.

The result is a profile that knows where you live, what you earn, what you buy at the grocery store, what you search for online, and what apps you use. A 2024 Duke University study found that data brokers openly advertise the ability to target people based on sensitive categories including mental health conditions, political affiliation, and sexual orientation.

Lookalike Audiences and Interest Categories

Platforms like Meta and Google let advertisers target “lookalike audiences” – people who statistically resemble a brand’s existing customers. You’ve never visited a company’s website, never bought their product, but you match the profile. You get the ad because your data fingerprint resembles someone who already converted.

The interest categories these systems assign can be uncomfortably specific. Google’s Ad Settings page (if you check it) might list categories like “parenting,” “credit and lending,” “substance abuse recovery,” or “weight loss” – all inferred from your behavior, all used to target ads, and all available to any advertiser willing to pay.

How It Gets Exploited

Surveillance Advertising Enabling Real-World Harm

In 2022, a Catholic newsletter purchased Grindr location data from a data broker and used it to identify and out a priest. The data was commercially available through the ad tech pipeline. No hacking required. The system worked as designed – it just so happened that “as designed” meant anyone with money could track someone’s movements and app usage.

The FTC has brought enforcement actions against data brokers selling location data that could be used to track people visiting abortion clinics, domestic violence shelters, and places of worship. This data originates in the RTB pipeline – the bid requests that broadcast your location to hundreds of companies per page load.

Sensitive Health Data in Ad Profiles

When you search for “HIV testing near me” and then visit a health clinic’s website that has ad tracking pixels, that information enters the ad tech ecosystem. A 2023 study published in JAMA found that 98% of hospital websites sent visitor data to third parties, with 56% sending data to Meta’s pixel. Your hospital visit, the department you browsed, and the conditions you researched – all feeding the machine.

Government Purchase of Commercial Ad Data

Why bother getting a warrant when you can buy the data? Multiple investigations, including reporting by the Wall Street Journal and ACLU, have documented how U.S. government agencies, including the IRS, DHS, and the military, purchase commercial location data derived from advertising to track individuals without judicial oversight. The data comes from the same RTB pipeline that serves you shoe ads.

What You Can Do

What Actually Moves the Needle

Not all privacy measures are equal. Some are theater. Here’s what matters:

Browser choice. Firefox with uBlock Origin blocks the vast majority of trackers and ad auction requests before they fire. Brave blocks ads and trackers by default. Safari’s Intelligent Tracking Prevention blocks most third-party cookies. Chrome, the browser made by the world’s largest ad company, is the worst choice for privacy – even with Privacy Sandbox, Google’s incentives are structurally opposed to yours.

Ad blockers. uBlock Origin isn’t just an ad blocker – it’s a network request filter. It prevents the tracking pixels, the SSP calls, the bid requests from ever leaving your browser. This isn’t about avoiding annoying ads. It’s about cutting off the data pipeline at the source. Install it. Leave it on. If a site complains, decide whether the content is worth the surveillance.

iOS App Tracking Transparency. When apps ask to track you, say no. Apple’s ATT framework means apps must ask before accessing your IDFA. According to Flurry Analytics, only about 25% of folks on iOS opt in when asked. This single change cost Meta an estimated $10 billion in ad revenue in 2022. It works.

Android advertising ID. Go to Settings > Privacy > Ads and delete your advertising ID. It’s not as robust as Apple’s approach, but it’s better than the default.

DNS-level blocking. Pi-hole or NextDNS can block ad and tracker domains at the network level for every device in your home, including smart TVs and IoT devices that don’t support browser extensions.

What’s Mostly Theater

Sources & Further Reading

  1. IAB OpenRTB 2.6 Specification – The technical standard that defines how real-time bidding works
  2. FTC Report on Commercial Surveillance – Federal Trade Commission investigation into data practices of major platforms
  3. EFF: Google’s Privacy Sandbox Still Lets Advertisers Profile You – Analysis of cookie replacement proposals
  4. Irish Council for Civil Liberties: The Biggest Data Breach – ICCL report on the scale of RTB data broadcasts
  5. EFF Privacy Badger – How browser-based tracker blocking works
  6. Brave: The State of the Web – Research on the volume of RTB data transmissions
  7. Duke University Tech Policy Lab: Data Broker Research – Research on sensitive data categories sold by brokers
  8. CISA: Security Tip on Online Tracking – Government guidance on web tracking risks
  9. uBlock Origin – The most effective browser-based tracker blocker