Everywhere you go online, you’re being tracked. Almost every time you visit a website, trackers gather data about your browsing and funnel it back into targeted advertising systems, which build up detailed profiles about your interests and make big profits in the process. In some places, you’re tracked more than others.
In a little-noticed change at the end of last year, thousands of websites started being more transparent about how many companies your data is being shared with. In November, those infuriating cookie pop-ups—which ask your permission to collect and share data—began sharing how many advertising “partners” each website is working with, giving a further glimpse of the sprawling advertising ecosystem. For many sites, it’s not pretty.
A WIRED analysis of the top 10,000 most popular websites shows that dozens of sites say they are sharing data with more than 1,000 companies, while thousands of other websites are sharing data with hundreds of firms. Quiz and puzzle website JetPunk tops the pile, listing 1,809 “partners” that may collect personal information, including “browsing behavior or unique IDs.”
More than 20 websites from publisher Dotdash Meredith—including Investopedia.com, People.com, and Allrecipes.com—all say they can share data with 1,609 partners. The newspaper The Daily Mail lists 1,207 partners, while internet speed-monitoring firm Speedtest.net, online medical publisher WebMD, and media outlets Reuters, ESPN, and BuzzFeed all state they can share data with 809 companies. (WIRED, for context, lists 164 partners.) These hundreds of advertising partners include dozens of firms most people have likely never heard of.
“You can always assume all of them are first going to try and disambiguate who you are,” says Midas Nouwens, an associate professor at Aarhus University in Denmark, who has previously built tools to automatically opt out of tracking by cookie pop-ups and helped with the website analysis. The data collected can vary by website, and the cookie pop-ups allow some control over what can be gathered; however, the information can include IP addresses, fingerprinting of devices, and various identifiers. “Once they know that, they might add you to different data sets, or use it for enrichment later when you go to a different site,” Nouwens says.
The online advertising world is a messy, murky space, which can involve networks of companies building profiles of people with the aim of showing you tailored ads the second you open a webpage. For years, strong privacy laws in Europe, such as the GDPR, have resulted in websites showing cookie consent pop-ups that ask for permission to store cookies that collect data on your device. In recent years, studies have shown that cookie pop-ups have included dark patterns, disregarded people’s choices, and are ignored by people. “Every single person we’ve ever observed in user testing doesn't read any of this. They find the fastest way they can to close it out,” says Peter Dolanjski, a product director at privacy-focused search engine and browser DuckDuckGo. “So they end up in a worse privacy state.”
For the website analysis, Nouwens scraped the 10,000 most popular websites and analyzed whether the collected pop-ups mentioned partners and, if so, the number they disclosed. WIRED manually verified all the websites mentioned in this story, visiting each to confirm the number of partners they displayed. We looked at the highest total number of partners within the whole data set, and the highest number of partners for the top 1,000 most popular websites. The process, which is only a snapshot of how websites share data, provides one view of the complex ecosystem. The results can vary depending on where in the world someone visits a website from.
It also only includes websites using just one system to display cookie pop-ups. Many of the world’s biggest websites—think Google, Facebook, and TikTok—use their own cookie pop-ups. However, thousands of websites, including publishers and retailers, use third-party technology, made by consent management platforms (CMPs), to show the pop-ups. These pop-ups largely follow standards from the marketing and advertising group IAB Europe, which details the information that should be included in the cookie pop-ups.
Most PopularThe Top New Features Coming to Apple’s iOS 18 and iPadOS 18By Julian Chokkattu CultureConfessions of a Hinge Power UserBy Jason Parham GearHow Do You Solve a Problem Like Polestar?By Carlton Reid SecurityWhat You Need to Know About Grok AI and Your PrivacyBy Kate O'Flaherty
GearIn November 2023, IAB Europe updated its Transparency and Consent Framework, in response to rulings saying it didn’t comply with Europe’s GDPR, to include the provision that companies should disclose how many partners they're sharing user data with on the first pages of their websites. Townsend Feehan, the CEO of IAB Europe, says the update “includes a number of meaningful iterations,” which provide people with more information about what data may be shared and include changes such as making a “reject all” option prominently available. “The addition of the number of vendors corresponds to a recommendation made by the CNIL [the French data privacy regulator] and is meant to help end-users to have a reasonable expectation, before they even access the secondary layer of the CMP, of how many vendors feature on the transparency pop-up,” Feehan says.
However, adding the number of companies data is shared with becomes meaningless if the number is too large, Nouwens says. “If it’s anything more than five, or maybe 10, it becomes untenable,” the researcher adds. “That's still too many for anybody to really form an opinion on considering how opaque and complex this whole data processing pipeline is.”
While individual websites may say data can be shared with hundreds of third-party companies, they may not be doing it directly themselves—the owner of one tracker may ultimately share that data with other advertising companies. The majority of websites contacted for this story did not respond to a request for comment about their data sharing; however, those that did showed the complexity of the advertising industry.
A BuzzFeed spokesperson says they approved all of the IAB’s list of vendors, resulting in 809 partners being shown, but the spokesperson says, in reality, the number of partners it works with is 220. Paul Evans, managing director at news discovery platform NewsNow, says that it only has “direct relationships with a handful” of advertising exchanges, and its 1,298 disclosed figure is the total of the partners those firms work with.
Most PopularThe Top New Features Coming to Apple’s iOS 18 and iPadOS 18By Julian Chokkattu CultureConfessions of a Hinge Power UserBy Jason Parham GearHow Do You Solve a Problem Like Polestar?By Carlton Reid SecurityWhat You Need to Know About Grok AI and Your PrivacyBy Kate O'Flaherty
Gear“We have limited insight into, and ability to influence, their operations, terms of business, or the partners they choose to work with,” Evans says, also pointing toward Google’s long-running aim to remove third-party cookies from its Chrome browser later this year. “We expect the technical opportunities for our ad exchanges’ partners to process our users’ data (even with our users' consent) will decrease, while the ease with which our users can deny consent will increase,” Evans says.
While the disclosures may not provide as much transparency as intended, it’s also possible to analyze the number of trackers that are directly placed on websites. DuckDuckGo keeps a record of the companies that have the biggest tracking footprint across the web. For example, while WebMD and ESPN disclose 809 partners on their cookie pop-ups, DuckDuckGo’s data shows there are 96 and 33 trackers present on their websites when they were scanned. Among the most common trackers, Google has its technology on 79 percent of websites, while those from five other companies are on more than 20 percent of websites.
“For the end user, the reality is, there is a myriad of tracking that happens, there’s a myriad of techniques through which it happens,” DuckDuckGo’s Dolanjski says. Using a privacy browser, making your searches private, and adopting a few basic practices can help keep you more private online.