I Said No to Online Cookies. Websites Tracked Me Anyway.

Companies may be showing you targeted ads even after you opt out of tracking on their websites, Consumer Reports finds

By Thomas Germain

A while back I got a tip from Boltive, a tech company that helps businesses audit their privacy and security practices. You know those pop-ups you see all over the internet, asking permission to track you with cookies? The ones that make you deal with confusing little menus if you want to say “no”? A lot of the time, Boltive said, the controls don’t work.

You tell websites not to track you, but they do it anyway.

I’m jaded when it comes to the internet, but this was a bit surprising because certain privacy protections are mandated by law in Europe and California, and consumers are starting to see these pop-ups everywhere. I found the cookie settings annoying, but I was using them anyway. Were companies all over the internet just wasting my time?

“There are a lot of companies trying to do the right thing, but there’s no one grading the homework,” says Christine Derosier, Boltive’s director of product management. “We’re seeing a pattern of violations and risks.”

To see for myself, I conducted an informal experiment. I went to a bunch of websites I don’t normally visit, opted out of tracking using whatever tools were provided, and then navigated the sites acting like someone they’d really want to advertise to. I watched videos about the companies’ products, clicked links, and added stuff to my cart that I then “forgot” to buy.

Then I went back to my normal browsing habits and kept a watch out for ads. If the opt-outs worked, I shouldn’t have been shown targeted ads from those brands on other websites. But I saw plenty of them.

I’d never encountered ads for most of these brands before—not the water bottles, not the women’s probiotic supplements, not the thousand-dollar office chairs.

Months later, I still get come-ons for a nutritional drink powder called Athletic Greens. And Instagram’s ad network seems convinced that I have colitis, an inflammatory bowel disease. Fortunately, I don’t, so I’m guessing it’s because the opt-outs didn’t work on Delzicol.com, a colitis medication website. (Neither company answered questions from CR.)

It seemed like Boltive was right. The websites and their advertising partners were tracking me for targeted ads even though I’d taken the time to tell them not to—using the tools the companies themselves had provided.

Still, the internet is complicated. My test didn’t prove these were targeted ads—maybe it was just a coincidence. So Boltive designed a more rigorous experiment, harnessing a patented system it uses to help companies audit the ad technology on their websites, including the privacy controls offered to consumers.

Boltive created a program we called ThomasBot (yes, named after me). The bot would surf the internet using a custom-built web browser that made websites think it was a real guy. Boltive gave the bot a browsing history, just like a real person’s. We picked 21 websites to test and sent out an army of ThomasBots to opt out of cookies. Then we watched as they surfed the web for months, taking pictures of every ad they saw.

The goal was to learn whether opting out of cookies prevents targeted ads. The results supported my experience: It seems like the opt-out boxes often don’t work.

A Recipe for Cookies

A cookie is basically a small block of text with a user identifier made up of letters and numbers and some other details that a website stores on your computer or phone. When you go back to a website later, the company retrieves the data it has collected about you.

Cookies come from several sources, sometimes including the company that owns the website. These can be “functional” cookies that are used just to keep you logged in, or to remember what products you put in your cart.

But website developers also insert cookies that come from companies such as Google and Meta (Facebook’s parent company). When those tech companies receive data from your device, they use it to track what you do online, adding the details to their ever-growing databases of consumer information.

Companies embed these advertising cookies on their websites so tech companies like Google can keep tabs on their visitors—including what products they click on and other details—and then show those people ads on other parts of the internet. Websites and their partners track you in lots of other ways, too, but Derosier says cookie opt-outs are supposed to turn all of that off.
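One way to check the distinction described above, as an added example that is not from the article or from Boltive: given the Set-Cookie headers recorded after rejecting tracking on a site, it lists the persistent cookies set by other sites. All hostnames, cookie values and function names are constructed, and treating the last two host labels as the "site" is a simplifying assumption.

```javascript
// Constructed sample data throughout; hostnames and cookie values are not from the article.
// Assumption: a "site" is the last two host labels. Real audits need the Public Suffix List.
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// A cookie outlives the browser session if Max-Age is positive or Expires is in the future.
function isPersistent(c, now) {
  if (c.attrs['max-age'] !== undefined) return Number(c.attrs['max-age']) > 0;
  if (c.attrs.expires !== undefined) return Date.parse(c.attrs.expires) > now;
  return false;
}

// Given responses recorded after opting out, list persistent cookies set by other sites.
function auditAfterOptOut(pageUrl, responses, now = Date.now()) {
  const firstParty = siteOf(new URL(pageUrl).hostname);
  const findings = [];
  for (const r of responses) {
    const host = new URL(r.url).hostname;
    for (const header of r.setCookie) {
      const c = parseSetCookie(header);
      const scope = String(c.attrs.domain || host).replace(/^\./, '');
      if (siteOf(scope) === firstParty || !isPersistent(c, now)) continue;
      // SameSite=None is what lets a browser attach the cookie on other sites' pages.
      const crossSite = String(c.attrs.samesite).toLowerCase() === 'none';
      findings.push({ host, name: c.name, crossSite });
    }
  }
  return findings;
}

const SAMPLE = [
  { url: 'https://shop.example/cart', setCookie: ['cart=3f9; Path=/; HttpOnly'] },
  { url: 'https://shop.example/', setCookie: ['consent=rejected; Max-Age=31536000'] },
  { url: 'https://px.adnet.test/sync',
    setCookie: ['uid=a81c; Max-Age=63072000; Domain=.adnet.test; SameSite=None; Secure'] },
  { url: 'https://cdn.widgets.test/w.js', setCookie: ['sess=1; Path=/'] },
];
console.log(auditAfterOptOut('https://shop.example/', SAMPLE));
```

The first-party cart and consent cookies and the third-party session cookie are not reported; only the long-lived identifier from the other site is.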

(Consumer Reports uses cookies on its website, as outlined in our privacy policy. Boltive tested the site and confirmed that our opt-out controls function properly.)

Companies may be adding more pop-ups and similar controls in response to new privacy laws, and consumers’ growing interest in the issue, experts say. So far, the most significant privacy law in the U.S. is the California Consumer Privacy Act (CCPA), according to Justin Brookman, director of technology policy at CR. But it’s taking time for implementation and enforcement to catch up to the law.

“CCPA gives California residents the right to stop companies from sharing your data for targeted advertising,” Brookman says. “Breaking your privacy promises to consumers also violates federal and state rules against deceptive business practices.”

Other states have passed their own privacy laws, and in California even more stringent protections are set to go into effect this January, under a newer statute called the California Privacy Rights Act, or CPRA.

ThomasBot's Big Adventure

The 21 websites we chose for ThomasBot included big, well-known companies such as American Express, FitBit, and Herman Miller, along with a number of smaller brands.

Here’s how it worked. A fresh ThomasBot went to each of these sites, opted out of cookies, and then clicked around inside the site like an interested customer, the same way I did. Afterward, each ThomasBot surfed the internet for months, taking screenshots of all the ads it saw.

We compared what those ThomasBots found to an otherwise identical bot that never visited the 21 sites. According to Boltive, the ThomasBot alter-ego didn’t see a single ad for any of the 21 brands.

The original ThomasBots saw plenty of them.

One ThomasBot added a ski glove to his cart on Backcountry.com—and subsequently saw more than 20 ads for those exact gloves. Another ThomasBot added a Fitbit Sense smartwatch to his cart, and then saw an ad for the same watch on a cake-decorating website. A ThomasBot shopped for an Aveeno daily moisturizing lotion, and later saw two ads for it.

All told, we saw what seemed to be targeted ads for 12 of the 21 companies in our experiment.

Advertisers displayed these ads to an automated system dubbed "ThomasBot" after it opted out of cookies on their websites.

Source: Boltive

Some of this could have been coincidence. For example, one of the ThomasBots saw ads for American Express after visiting the company’s website, while the other bots never saw an Amex ad. However, American Express is a huge company that does a lot of mass market advertising—it’s hard to be sure these were targeted ads. (When we asked the company about the ads, it would only say it was committed to safeguarding people’s choices and privacy.)

When we contacted Fitbit to ask about the fitness tracker ads that ThomasBot saw, the company assured us that we weren’t actually seeing targeted ads. “Fitbit’s consent management system respects the individual’s choices,” Andrea Holing, a Fitbit spokesperson, said via email.

But it’s a bigger stretch to imagine a coincidence in cases like Backcountry’s, where we saw numerous ads for the exact gloves ThomasBot shopped for. Backcountry says it’s looking into the problem, and it blames the tech industry as a whole. “Targeted advertising services like Facebook and Google independently gather information outside of our control, which can affect what our customers may see on those platforms,” says Venkatesh Ananthanarayanan, Backcountry’s vice president of engineering.

ThomasBot also saw what appeared to be targeted ads for Fjällräven, an outdoor-equipment company, after opting out of tracking on its site. Handling customers’ privacy “is of the utmost importance to us,” says Steve Stout, a senior global director at Fenix Outdoor, Fjällräven’s parent company. “As such, we are reviewing the opt-out mechanism you identified to ensure it is clear and understandable to our website visitors and meets applicable compliance requirements.”

Several other companies that showed ThomasBot ads—including Hanna Andersson, Alex and Ani, Aveeno, and Herman Miller—didn’t respond to questions from CR.

As a consumer who takes the time to use these tools to try to protect my privacy, I found our results disheartening, even a little outrageous. One ironic example was OneTrust, a company that actually builds the cookie consent pop-ups that a lot of other websites use. We had a ThomasBot visit the OneTrust website and opt out of tracking. It later saw numerous ads for OneTrust’s services popping up on websites it visited.

OneTrust didn’t directly answer questions about what we saw, but spokesperson Ainslee Shea says that privacy law and web technology are “rapidly evolving” and that the company actively follows new developments to help consumers protect their privacy.

So what’s going wrong, not just on the OneTrust site, but across the web?

“I don’t think any of these companies are bad guys,” Derosier says. “They’re trying to do the right thing. But the tech industry spent 20 years trying to target you more minutely, and now we’re trying to bolt on tools to stop it. It’s just not built for this.”

Still, privacy experts say that companies need to take responsibility for the tracking that happens on their websites. “Ultimately the brand, or the retailer, whoever the first party is, they’re responsible,” says Don Marti, a vice president at CafeMedia, a digital ad management service. Marti, who has collaborated with CR on privacy projects, says the problem is many companies don’t put enough effort into setting up their privacy controls.

“It’s a big challenge for website developers, who are often under-resourced in doing their jobs,” he says. Managers have to invest a lot of programming time to incorporate the privacy technology into websites that are filled with complex, interconnected advertising tools.

There is a simpler solution, though. Instead of asking you if you want to opt out of tracking, companies could just choose not to track you in the first place. Or companies could set it up so that you can opt in if you want targeted ads to follow you all over the internet. And if companies don’t want to make those changes themselves, legislators could force the issue.

“Ultimately, this kind of targeted advertising should just be banned,” says CR’s Brookman. “That would be consistent with what people want.”

How You Can Limit Tracking Right Now

The pop-ups and privacy links on websites might not always work, but there are effective tools you can use to limit tracking, even if you can’t eliminate it entirely.

One thing that doesn’t typically work is just closing the cookie pop-ups without making a decision. It might seem like a life hack, but you can assume it’s usually the same as clicking “I accept.”

Use privacy-protecting browser extensions. You can add extensions to your browser that will do a lot to protect your privacy. One is Disconnect, made by a company that frequently partners with CR on privacy investigations. Disconnect shows you how websites are trying to track you and blocks a lot of that data collection. CR’s privacy experts also recommend uBlock Origin.

Adjust your browser’s privacy settings. A lot of browsers have built-in controls you can use to block third-party cookies and other trackers. Open your browser’s preferences or settings, and you’ll usually find the controls in the privacy section.

Switch to a more private web browser. CR Security Planner recommends Firefox and Brave as two good options.




Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2022, Consumer Reports, Inc.