You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at

Online Tracking and Behavioral Profiling

Online Tracking and Behavioral Profiling


This page provides an overview of the current state of online tracking, behavioral profiling, and related forms of data-driven, targeted marketing.

The world of online tracking has grown increasingly complicated and poses a great threat to consumer privacy. Marketing has come a long way from telephones, and online advertisers use a variety of technologies to track consumers' online and offline behavior and target ads based on that behavior.

Latest News

  • Wiretapping Claims Against Facebook Move Forward as Supreme Court Denies Review: This week, the U.S. Supreme Court denied a petition for review in In re: Facebook, Inc. Internet Tracking Litigation, a case challenging Facebook's use of "cookies" to track internet browsing activity even when users were logged out of their Facebook accounts. The U.S. Court of Appeals for the Ninth Circuit held that Facebook's use of cookies to track Internet users browsing other websites might violate the federal Wiretap Act because Facebook was not an authorized party to those communications. Facebook's efforts to get the Supreme Court to reject this holding of the Ninth Circuit failed, and now the case will move forward. EPIC filed an amicus brief in the Ninth Circuit in this case and has filed briefs opposing settlements in other cases challenging cookie-based surveillance. EPIC has long advocated against the use of cookies and other surveillance tools to track people online. EPIC continues to advocate for clear rules and restrictions on web tracking as companies replace cookies with new surveillance techniques that would do little to protect privacy online. (Mar. 22, 2021)
  • D.C. Metro Wants to Track Riders for Advertising Revenue: The D.C. Metro is proposing to track the cellphones of D.C. metro riders, with a network of sensors to detect Wi-Fi and Bluetooth connections. "WMATA has already begun to develop a network of digital display units and seeks to expand that network through digital place-based and location-based devices and programs," the Metro contracting document stated. After 9-11. EPIC led the Observing Surveillance campaign to limit the use of surveillance cameras in DC against residents and visitors. EPIC is pursuing a lawsuit against AccuWeather alleging that the company engaged in unlawful and deceptive practices in tracking consumers' locations in violation of the D.C. Consumer Protection Procedures Act. (Sep. 16, 2019)
  • FTC Issues Report on Cross-Device Tracking: The Federal Trade Commission has issued Cross-Device Tracking: An FTC Staff Report, which describes online tracking technology used to link a consumer's activity across smartphones, laptops, tablets, and other internet-connected devices. The report follows from an FTC workshop on this emerging practice. EPIC filed comments with the Commission urging limits on cross-device tracking, which presents significant privacy challenges due to the "lack of transparency and control in this undetectable online tracking scheme." EPIC explained how "notice and choice" fails to protect consumers from this surreptitious activity. The FTC's report recommends continued industry-self regulation and application of the unworkable "notice and choice" approach to this new practice. (Jan. 26, 2017)
  • Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey: A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. “In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online,” NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election. (May. 16, 2016)
  • FCC Moves Forward With Narrow Privacy Rules: The Federal Communications Commission has voted to adopt a Notice of Proposed Rulemaking on consumer privacy regulations. The proposal follows Chairman Wheeler's earlier draft proposal, which EPIC explained was too limited to safeguard online privacy. During the vote, Commissioner Ajit Pai echoed EPIC's view that the rulemaking should not focus solely on ISPs. EPIC has argued that the FCC proposal ignores invasive practices by Internet firms, including search companies and social media firms that track and profile Internet users. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data. (Mar. 31, 2016)
  • EPIC, Consumer Groups Challenge Facebook on Web Snooping: EPIC, along with a coalition of consumer groups, has urged the Federal Trade Commission to block Facebook's plan to collect users' web browsing history. Facebook recently announced plans to collect user data from sites all over the web. But the practice may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users' express consent. The groups asked the FTC "to act immediately to notify the company that it must suspend its proposed change in business practices to determine whether it complies with current U.S. and EU law." EPIC has also filed a FOIA request, seeking the FTC's communications with Facebook about this change. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: FTC. (Jul. 29, 2014)
  • EPIC Seeks Records on FTC "Sign-off" for Facebook Changes: EPIC has filed a FOIA request with the Federal Trade Commission, seeking records related to Facebook's decision to collect users' internet browsing history for advertising purposes. Previously, Facebook collected user data from and mobile apps. Now, Facebook plans to collect user data from sites all over the web. Facebook claims that the FTC was briefed about the change beforehand. However, the plan may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users’ express consent. Through the FOIA request, EPIC seeks information about the FTC's review of Facebook's plans to monitor users. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: Practical Privacy Tools. (Jun. 20, 2014)
  • Facebook to Profile User Browsing, May Violate FTC Consent Order: Facebook has announced that it will collect detailed browser history on users for advertising purposes. Users who object were told to opt-out. The plan may violate a Federal Trade Commission order, prohibiting Facebook from changing its business practices without users’ express consent. The FTC order follows from complaints filed by EPIC and other consumer privacy organizations in 2009 and 2010. In issuing the order, the FTC found that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." A recent Consumer Reports poll found that consumers overwhelmingly object to having their online activities tracked for advertising purposes. For more information, see EPIC: Facebook Privacy, EPIC: FTC Facebook Settlement, EPIC: Online Tracking and Behavioral Profiling, and EPIC: Practical Privacy Tools. (Jun. 12, 2014)
  • Consumer Reports: 85% of Shoppers Oppose Internet Ad Tracking: According to a recent study by Consumer Reports, consumers overwhelmingly object to having their online activities tracked for advertising purposes. The report found that 85% of consumers would not trade even anonymized personal data for targeted ads. Additionally, 76% of consumers said that targeted advertising adds "little or no value" to their shopping activities. For more information, see EPIC: Public Opinion on Privacy, EPIC: Privacy and Consumer Profiling, EPIC: Online Tracking and Behavioral Profiling, EPIC: Practical Privacy Tools. (May. 20, 2014)
  • Gov. Brown Signs New California Privacy Laws: California Governor Jerry Brown has signed several new Internet privacy bills into law. Assembly Bill 370 amends the California Online Privacy Protection Act by requiring that businesses disclose how they respond to Do Not Track signals or other mechanisms used by consumers to prevent the surreptitious collection of their browsing history. The Governor has also signed Senate Bill 568, which provides for an "eraser button" that would require websites to allow minors to remove their own information. Finally, California has enacted Senate Bill 255, which prohibits "revenge porn": the posting of explicit images or videos without the victim's consent. The passage of these laws has led many to observe that California is "driving Internet privacy policy." For more information, see EPIC: Online Tracking and Behavioral Advertising and EPIC: Children’s Online Privacy. (Oct. 9, 2013)


There is a significant disconnect between the type of tracking that companies are engaged in on the web and what people know or think is occurring. The general public has very little idea that every second they are connected to the Internet, their behavior is being tracked and used to create a "profile" which is then sold to companies for targeted advertising and other purposes.

Online tracking is no longer limited to the installation of traditional "cookies" that record websites a user visits. Now, new tools can track in realtime the data people are accessing and generating and combine that with data about that user's location, income, hobbies, and even medical problems. These new tools include flash cookies and beacons. Flash cookies can be used to re-install cookies that a user has deleted, and beacons can track everything a user does on a web page including what the user types and where the mouse is being moved.

Digital advertising companies also deploy hard-to-detect tracking techniques to follow consumers across their various devices. Today's average consumer uses a variety of Internet-connected devices throughout the day such as smart phones, tablets, smart watches, laptops, health devices, and smart TVs. To keep up, advertisers turn to "cross-device tracking" to monitor consumers across all their devices and create more comprehensive and detailed behavioral profiles.

Very sensitive information is often collected, including health and financial data. Online advertisers can track people with, for example, bipolar disorder, overactive bladder, or anxiety - producing ads related to those conditions targeted at specific people. Advertisers collect, use, and sell Social Security Numbers, financial account numbers, and information about sexual behavior and sexual orientation with no controls or limits.

Online tracking and behavioral profiling violate several Fair Information Practices (FIPs). Online advertisers provide minimal transparency into their practices - so there is no way for a user to access the data being collected about her or correct any inaccuracies. And even if users somehow discovered what information was being collected, they have no control over what the data collecting companies subsequently do with that information.

According to the Consumer Federation of America and Consumers Union, "there is a fundamental mismatch between the technologies of tracking and targeting and consumers' ability to exercise informed judgment and control over their personal data." The information being collected online is not information that consumers voluntarily share with these ad tech companies. There are no meaningful legal contraints on what can be collected.


The concept of a Do Not Track mechanism was first proposed in 2007 as a remedy to the invasive tracking and profiling practices described above. Initial proposals suggested the mechanism could be modeled on the Do Not Call registry that the Federal Trade Commission (FTC) administers. The proposal has evolved since then, and is currently being debated in Congress, at the FTC, and among advocacy groups and industry.

One concept for a Do Not Track mechanism, proposed by researchers at Stanford, is the browser-header approach. In this approach, a user's browser sends a signal to a website that the user wants to opt-out of being tracked. It does so using an HTTP "header." Whenever a web browser requests content or sends data using HTTP, the protocol that underlies the web, it can optionally include extra information, called a 'header," explain the Stanford researchers.

Yet, in order to be effective, advertising companies will have to actually “listen” to this Do Not Track signal being sent from users' browsers. According to the Stanford researchers, there are a variety of ways that this could be enforced, including self-regulation, "supervised self-regulation or 'co-regulation,' to direct regulation by an entity such as the FTC." Currently there is no legal enforceable Do Not Track mechanism. As a result, many websites ignore the clearly expressed


As consumers continuously switch from laptop to smart phone to tablet throughout the day, online advertisers have developed a variety of "cross-device tracking" techniques to monitor and serve targeted ads to the same consumer across all his devices. This practice poses numerous privacy challenges for consumers, particularly the lack of transparency and control in this largely undetectable online tracking scheme.

Compounding the secrecy of these practices, companies that engage in cross-device tracking collect vast amounts of personal, sensitive information. Tracking consumer behavior across numerous connected devices creates consumer profiles at an unprecedented level of detail and poses increased risk to consumer privacy. First, connected devices such as smartphones and wearable health devices produce sensitive data not typically available from traditional computer web browsing. Second, while data may not be considered sensitive or personal on one device, it may become highly sensitive or personal when combined with data from linked devices. For example, someone who searches for information about a medical condition from the privacy of her own home may see ads related to that condition on her work computer or family smart TV the next day. Or an employee who is job hunting from his tablet at home may later be shown job search ads on his employer-provided computer at work.

Related Resources

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security