Everywhere you go online, you’re being tracked. Almost every time you visit a website, trackers gather data about your browsing and funnel it back into targeted advertising systems, which build up detailed profiles about your interests and make big profits in the process. In some places, you’re tracked more than others.
In a little-noticed change at the end of last year, thousands of websites started being more transparent about how many companies your data is being shared with. In November, those infuriating cookie pop-ups—which ask your permission to collect and share data—began sharing how many advertising “partners” each website is working with, giving a further glimpse of the sprawling advertising ecosystem. For many sites, it’s not pretty.
A WIRED analysis of the top 10,000 most popular websites shows dozens of sites say they are sharing data with more than 1,000 companies, while thousands of other websites are sharing data with hundreds of firms. Quiz and puzzle website JetPunk tops the pile, listing 1,809 “partners” that may collect personal information, including “browsing behavior or unique IDs.”
More than 20 websites from publisher Dotdash Meredith—including investopedia.com, people.com, and allrecipes.com—all say they can share data with 1,609 partners. The newspaper The Daily Mail lists 1,207 partners, while internet speed monitoring firm Speedtest.net, online medical publisher WebMD, and media outlets Reuters, ESPN, and BuzzFeed all state they can share data with 809 companies. (WIRED, for context, lists 164 partners). These hundreds of advertising partners include dozens of firms most people have likely never heard of.
“You can always assume all of them are first going to try and disambiguate who you are,” says Midas Nouwens, an associate professor at Aarhus University in Denmark, who has previously built tools to automatically opt-out of tracking by cookie pop-ups and helped with the website analysis. The data collected can vary by website, and the cookie pop-ups allow some control over what can be gathered; however, the information can include IP addresses, fingerprinting of devices, and various identifiers. “Once they know that, they might add you to different data sets, or use it for enrichment later when you go to a different site,” Nouwens says.
The online advertising world is a messy, murky space, which can involve networks of companies building profiles of people with the aim of showing you tailored ads the second you open a webpage. For years, strong privacy laws in Europe, such as GDPR, have resulted in websites showing cookie consent pop-ups that ask for permission to store cookies that collect data on your device. In recent years, studies have shown cookie pop-ups have included dark patterns, disregarded people’s choices, and are ignored by people. “Every single person we’ve ever observed in user testing doesn’t read any of this. They find the fastest way they can to close it out,” says Peter Dolanjski, a product director at privacy focused search engine and browser DuckDuckGo. “So they end up in a worse privacy state.”
For the website analysis, Nouwens scraped the 10,000 most popular websites and analyzed whether the collected pop-ups mentioned partners and, if so, the number they disclosed. WIRED manually verified all the websites mentioned in this story, visiting each to confirm the number of partners they displayed. We looked at the highest total number of partners within the whole dataset, and the highest number of partners for the top 1,000 most popular websites. The process, which is only a snapshot of how websites share data, provides one view of the complex ecosystem. The results can vary depending on where in the world someone visits a website from.
It also only includes websites using just one system to display cookie pop-ups. Many of the world’s biggest websites—think Google, Facebook, and TikTok—use their own cookie pop-ups. However, thousands of websites, including publishers and retailers, use third-party technology, made by consent management platforms (CMPs), to show the pop-ups. These pop-ups largely follow standards from the marketing and advertising group IAB Europe, which details the information that should be included in the cookie pop-ups.