I Said No to Online Cookies. Websites Tracked Me Anyway.

Companies may be showing you targeted ads even after you opt out of tracking on their websites, Consumer Reports finds

By Thomas Germain

September 29, 2022

An illustration of someone with a magnifying glass inspecting footprints of a person looking at ads coming out of their laptop.

A while back I got a tip from Boltive, a tech company that helps businesses audit their privacy and security practices. You know those pop-ups you see all over the internet, asking permission to track you with cookies? The ones that make you deal with confusing little menus if you want to say “no”? A lot of the time, Boltive said, the controls don’t work.

You tell websites not to track you, but they do it anyway.

I’m jaded when it comes to the internet, but this was a bit surprising because certain privacy protections are mandated by law in Europe and California, and consumers are starting to see these pop-ups everywhere. I found the cookie settings annoying, but I was using them anyway. Were companies all over the internet just wasting my time?

“There are a lot of companies trying to do the right thing, but there’s no one grading the homework,” says Christine Desrosiers, Boltive’s director of product management. “We’re seeing a pattern of violations and risks.”

To see for myself, I conducted an informal experiment. I went to a bunch of websites I don’t normally visit, opted out of tracking using whatever tools were provided, and then navigated the sites acting like someone they’d really want to advertise to. I watched videos about the companies’ products, clicked links, and added stuff to my cart that I then “forgot” to buy.

Then I went back to my normal browsing habits and kept a watch out for ads. If the opt-outs worked, I shouldn’t have been shown targeted ads from those brands on other websites. But I saw plenty of them.

I’d never encountered ads for most of these brands before—not the water bottles, not the women’s probiotic supplements, not the thousand-dollar office chairs.

Months later, I still get come-ons for a nutritional drink powder called Athletic Greens. And Instagram’s ad network seems convinced that I have colitis, an inflammatory bowel disease. Fortunately, I don’t, so I’m guessing it’s because the opt-outs didn’t work on Delzicol.com, a colitis medication website. (Neither company answered questions from CR.)

It seemed like Boltive was right. The websites and their advertising partners were tracking me for targeted ads even though I’d taken the time to tell them not to—using the tools the companies themselves had provided.

Still, the internet is complicated. My test didn’t prove these were targeted ads—maybe it was just a coincidence. So Boltive designed a more rigorous experiment, harnessing a patented system it uses to help companies audit the ad technology on their websites, including the privacy controls offered to consumers.

Boltive created a program we called ThomasBot (yes, named after me). The bot would surf the internet using a custom-built web browser that made websites think it was a real guy. Boltive gave the bot a browsing history, just like a real person’s. We picked 21 websites to test and sent out an army of ThomasBots to opt out of cookies. Then we watched as they surfed the web for months, taking pictures of every ad they saw.

The goal was to learn whether opting out of cookies prevents targeted ads. The results supported my experience: It seems like the opt-out boxes often don’t work.

A Recipe for Cookies

A cookie is basically a small block of text with a user identifier made up of letters and numbers and some other details that a website stores on your computer or phone. When you go back a website later, the company retrieves the data it has collected about you.

Cookies come from several sources, sometimes including the company that owns the website. These can be “functional” cookies that are used just to keep you logged in, or to remember what products you put in your cart.

But website developers also insert cookies that come from companies such as Google and Meta (Facebook’s parent company). When those tech companies receive data from your device, they use it to track what you do online, adding the details to their ever-growing databases of consumer information.

Companies embed these advertising cookies on their websites so tech companies like Google can keep tabs on their visitors—including what products they click on and other details—and then show those people ads on other parts of the internet. Websites and their partners track you in lots of other ways, too, but Desrosiers says cookie opt-outs are supposed to turn all of that off.

(Consumer Reports uses cookies on its website, as outlined in our privacy policy. Boltive tested the site and confirmed that our opt-out controls function properly.)

Companies may be adding more pop-ups and similar controls in response to new privacy laws, and consumers’ growing interest in the issue, experts say. So far, the most significant privacy law in the U.S. is the California Consumer Privacy Act (CCPA), according to according to Justin Brookman, director of technology policy at CR. But it’s taking time for implementation and enforcement to catch up to the law.

“CCPA gives California residents the right to stop companies from sharing your data for targeted advertising,” Brookman says. “Breaking your privacy promises to consumers also violates federal and state rules against deceptive business practices.”

Other states have passed their own privacy laws, and in California even more stringent protections are set to go into effect this January, under a newer statute called the California Privacy Rights Act, or CPRA.

ThomasBot's Big Adventure

The 21 websites we chose for ThomasBot included big, well-known companies such as American Express, FitBit, and Herman Miller, along with a number of smaller brands.

Here’s how it worked. A fresh ThomasBot went to each of these sites, opted out of cookies, and then clicked around inside the site like an interested customer, the same way I did. Afterward, each ThomasBot surfed the internet for months, taking screenshots of all the ads it saw.

We compared what those ThomasBots found to an otherwise identical bot that never visited the 21 sites. According to Boltive, the ThomasBot alter-ego didn’t see a single ad for any of the 21 brands.

The original ThomasBots saw plenty of them.

One ThomasBot added a ski glove to his cart on Backcountry.com—and subsequently saw more than 20 ads for those exact gloves. Another ThomasBot added a Fitbit Sense smartwatch to his cart, and then saw an ad for the same watch on a cake-decorating website. A ThomasBot shopped for an Aveeno daily moisturizing lotion, and later saw two ads for it.

All told, we saw what seemed to be targeted ads for 12 of the 21 companies in our experiment.

A collage of internet ads from different companies. — Advertisers displayed these ads to an automated system dubbed "ThomasBot" after it opted out of cookies on their websites.

Some of this could have been coincidence. For example, one of the ThomasBots saw ads for American Express after visiting the company’s website, while the other bots never saw an Amex ad. However, American Express is a huge company that does a lot of mass market advertising—it’s hard to be sure these were targeted ads. (When we asked the company about the ads, it would only say it was committed to safeguarding people’s choices and privacy.)

When we contacted Fitbit to ask about the fitness tracker ads that ThomasBot saw, the company assured us that we weren’t actually seeing targeted ads. “Fitbit’s consent management system respects the individual’s choices,” Andrea Holing, a Fitbit spokesperson, said via email.

But it’s bigger stretch to imagine a coincidence in cases like Backcountry’s, where we saw numerous ads for the exact gloves ThomasBot shopped for. Backcountry says it’s looking into the problem, and it blames the tech industry as a whole. “Targeted advertising services like Facebook and Google independently gather information outside of our control, which can affect what our customers may see on those platforms,” says Venkatesh Ananthanarayanan, Backcountry’s vice president of engineering.

ThomasBot also saw what appeared to be targeted ads for Fjällräven, an outdoor-equipment company, after opting out of tracking on its site. Handling customers’ privacy “is of the utmost importance to us,” says Steve Stout, a senior global director at Fenix Outdoor, Fjällräven’s parent company. “As such, we are reviewing the opt-out mechanism you identified to ensure it is clear and understandable to our website visitors and meets applicable compliance requirements.”

Several other companies that showed ThomasBot ads—including Hanna Anderson, Alex and Ani, Aveeno, and Herman Miller—didn’t respond to questions from CR.

As a consumer who takes the time to use these tools to try to protect my privacy, I found our results disheartening, even a little outrageous. One ironic example was OneTrust, a company that actually builds the cookie consent pop-ups that a lot of other websites use. We had a ThomasBot visit the OneTrust website and opt out of tracking. It later saw numerous ads for OneTrust’s services popping up on websites he visited.

OneTrust didn’t directly answer questions about what we saw, but spokesperson Ainslee Shea says that privacy law and web technology are “rapidly evolving” and that the company actively follows new developments to help consumers protect their privacy.

So what’s going wrong, not just on the OneTrust site, but across the web?

“I don’t think any of these companies are bad guys,” Desrosiers says. “They’re trying to do the right thing. But the tech industry spent 20 years trying to target you more minutely, and now we’re trying to bolt on tools to stop it. It’s just not built for this.”

Still, privacy experts say that companies need to take responsibility for the tracking that happens on their websites. “Ultimately the brand, or the retailer, whoever the first party is, they’re responsible,” says Don Marti, a vice president at CafeMedia, a digital ad management service. Marti, who has collaborated with CR on privacy projects, says the problem is many companies don’t put enough effort into setting up their privacy controls.

“It’s a big challenge for website developers, who are often under-resourced in doing their jobs,” he says. Managers have to invest a lot of programming time to incorporate the privacy technology into websites that are filled with complex, interconnected advertising tools.

There is a simpler solution, though. Instead of asking you if you want to opt out of tracking, companies could just choose not to track you in the first place. Or companies could set it up so that you can opt in if you want targeted ads to follow you all over the internet. And if companies don’t want to make those changes themselves, legislators could force the issue.

“Ultimately, this kind of targeted advertising should just be banned,” says CR’s Brookman. “That would be consistent with what people want.”

How You Can Limit Tracking Right Now

The pop-ups and privacy links on websites might not always work, but there are effective tools you can use to limit tracking, even if you can’t eliminate it entirely.

One thing that doesn’t typically work is just closing the cookie pop-ups without making a decision. It might seem like a life hack, but you can assume it’s usually the same as clicking “I accept.”

Use privacy protecting browser extensions. You can add extensions to your browser that will do a lot to protect your privacy. One is Disconnect, made by a company that frequently partners with CR on privacy investigations. Disconnect shows you how websites are trying to track you and blocks a lot of that data collection. CR’s privacy experts also recommend uBlock Origin.

Adjust your browser’s privacy settings. A lot of browsers have built-in controls you can use to block third-party cookies and other trackers. Open your browser’s preferences or settings, and you’ll usually find the controls in the privacy section.

Switch to a more private web browser. CR Security Planner recommends Firefox and Brave as two good options.

Thomas Germain

Thomas Germain was previously a technology reporter at Consumer Reports, covering several product categories and reporting on digital privacy and security issues. He investigated the sharing of sensitive personal data by health-related websites and the prevalence of dark patterns online, among other topics. During his tenure, Germain’s work was cited in multiple actions by the Federal Trade Commission.