
Rejecting cookies doesn’t stop tracking. Many sites use undeletable or “intractable” cookies, fingerprinting, and evercookies to identify users. Apps and browsers like Chrome also enable cross-device tracking. True privacy needs stricter consent and awareness—cookie banners alone can’t protect against today’s hidden, persistent tracking methods.
For many users, rejecting cookies or deleting them feels like a privacy win. But in reality, that's just part of the story. Whether out of negligence, clever engineering, or emerging technologies, today's web tracking methods extend far beyond cookie banners.
Cookie banners have proliferated under GDPR and similar regulations. Yet a substantial number of websites continue tracking users even after consent rejection. A June 2025 study of over 20,000 domains revealed that around 50% send so-called intractable cookies—cookies that persist and are sent to trackers before you even provide consent on subsequent sites.
Even worse: only 15% of top websites actually comply with modern consent laws. Most still rely on confusing, implied consent mechanisms. In other words, cookie banners are often superficial: you might think you’ve opted out, but tracking continues in stealth.
Cookies are visible, deletable, and, for many users, something they consciously manage. Fingerprinting, by contrast, is silent and far more insidious.
JavaScript can read device-specific traits like your screen size, OS, fonts, time zone, browser version, GPU rendering quirks, and more. These traits combine into a unique digital fingerprint that persists even after deleting cookies and using private browsing.
A Texas A&M study from mid-2025 confirmed that browser fingerprinting is now actively being used for tracking, correlated with ad behavior across sessions and sites. An August 2025 analysis put it simply: “Cookies are optional. Fingerprinting isn’t.” And real-world browsing studies show that automated scans undercount fingerprinting: about 45% of fingerprinting sites are only encountered during genuine user interactions.
Tech giants exacerbate this. Google’s recent policy shift empowers fingerprinting across connected devices, even into smart TVs and consoles. This move is described as “irresponsible” by UK regulators, including the ICO, because it undercuts user control.
Cookie deletion isn’t always effective—ever heard of Evercookies or zombie cookies? These scripts store identifiers in multiple browser storage areas (Flash, HTML5, ETags, local storage…), allowing trackers to resurrect deleted cookies.
Likewise, canvas fingerprinting exploits how different machines render images or text via the HTML5 canvas element. It results in unique identifiers based on subtle graphical differences, making it harder to block or erase.
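A defender-side check for the evercookie respawning described above, as an added example that is not part of the original article: it compares snapshots of one site's client-side storage taken before cookie deletion, after it, and after the next visit, and reports cookies whose identifier came back from a surviving copy. The snapshot format, storage-area names and identifier values are constructed for illustration.

```javascript
// Constructed sample data: three snapshots of one site's client-side state.
// Storage-area names, keys and identifier values are made up for this example.
const snapshots = {
  beforeClear: {
    cookies: { uid: "a81f3c9e27d4", theme: "dark" },
    localStorage: { _bk: "a81f3c9e27d4", lastTab: "news" },
    etagCache: { "/pixel.gif": "a81f3c9e27d4" },
  },
  afterClear: { // the user deleted cookies only
    cookies: {},
    localStorage: { _bk: "a81f3c9e27d4", lastTab: "news" },
    etagCache: { "/pixel.gif": "a81f3c9e27d4" },
  },
  afterRevisit: { // state after the next page load
    cookies: { uid: "a81f3c9e27d4", theme: "light" },
    localStorage: { _bk: "a81f3c9e27d4", lastTab: "news" },
    etagCache: { "/pixel.gif": "a81f3c9e27d4" },
  },
};

// Short values (flags, theme names) are not useful identifiers; skip them.
const looksLikeId = (v) => typeof v === "string" && v.length >= 8;

// Report cookies that were deleted, came back with the same value, and whose
// value survived the deletion in some other storage area (the backup copy).
function findRespawnedCookies({ beforeClear, afterClear, afterRevisit }) {
  const findings = [];
  for (const [name, value] of Object.entries(beforeClear.cookies)) {
    if (!looksLikeId(value)) continue;
    const wasDeleted = !(name in afterClear.cookies);
    const cameBack = afterRevisit.cookies[name] === value;
    if (!wasDeleted || !cameBack) continue;
    const backups = [];
    for (const [area, entries] of Object.entries(afterClear)) {
      if (area === "cookies") continue;
      for (const [key, stored] of Object.entries(entries)) {
        if (stored === value) backups.push(`${area}:${key}`);
      }
    }
    if (backups.length > 0) findings.push({ cookie: name, value, backups });
  }
  return findings;
}

console.log(JSON.stringify(findRespawnedCookies(snapshots), null, 2));
```

A finding lists every storage area that still held the identifier after the cookie was deleted, which is the set of places that must be cleared together to stop the respawn.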
Tracking isn't limited to websites. A June 2025 investigation showed how Meta and Yandex exploit Android’s internal communication to deanonymize users—even when browsing in incognito mode or when using VPNs. Embedded JavaScript like Meta Pixel collected browser metadata, cookies, and commands via the app interface — sidestepping incognito safeguards entirely.
Although Meta paused the feature and Yandex denied wrongdoing, regulators under GDPR and the UK’s Data Protection Act are now scrutinizing such covert practices.
If you think switching browsers will solve privacy issues, think again. Chrome may be especially privacy-hostile, but alternatives like Edge, Brave, or Opera are often built on the same Chromium foundation. That means Google still influences tracking behaviors even when you think you're escaping.
Meanwhile, Chrome, which syncs your history, search, shopping, and more across your Google account, settled a USD 1.375 billion lawsuit in May 2025 for unlawfully tracking users' geolocation, incognito searches, and biometric data.
Regulators warn: data collection remains prioritized, while user control is buried by default.
To recap, cookie banners are not sufficient because many sites continue to track via intractable cookies or implied consent. Rejecting cookies cannot protect you from invisible-by-design fingerprinting, impossible-to-erase evercookies, browser-bypassing app-level tracking, or tracking by the browser itself.
Saying “no thanks” to cookies may feel like a step toward privacy, but the digital world has evolved. Tracking now comes in hidden ways and lurks in almost every connected activity. Even if cookie consent is not enough to protect individual privacy, it is still the first gateway to preserving privacy – and needs to be done right to serve its purpose.