In notifications about the use of third-party cookies, according to GDPR requirements and a number of similar regulations, the number of "partners" with whom the site shares user information must now be specified. You will be surprised at how many companies receive your data.

Wherever you go on the Internet, you will be tracked. Every time you visit a site, trackers collect data about your visit and pass it on to advertising platforms. These platforms create detailed profiles of your interests and get paid for it.

In some places, the level of tracking is higher than in others. At the end of 2023, thousands of sites began more openly disclosing how many companies receive your data, which allowed a better understanding of the scale of the advertising ecosystem. The number of these "partners" that sites now have to report has come as an unpleasant surprise to many users.

An analysis of the 10,000 most popular sites conducted by WIRED showed that dozens of sites share data with more than 1,000 companies, and thousands of other sites share data with hundreds of firms. The quiz and puzzle site JetPunk tops the list, passing information to 1809 "partners" who can collect personal information, including "browsing behavior or unique identifiers".

More than 20 sites from the publisher Dotdash Meredith, including Investopedia.com, People.com, and Allrecipes.com, reported that they may share data with 1609 partners. The Daily Mail reported 1207 partners, while Speedtest.net, WebMD, Reuters, ESPN, and BuzzFeed stated they could share data with 809 companies. These hundreds of advertising partners include many firms most people have likely never heard of.

«You can expect that they first try to identify who you are.» — says Midas Nouwens, assistant professor at Aarhus University in Denmark, who previously developed tools for automatically rejecting tracking cookie pop-ups and participated in the site analysis.

The data collected may vary depending on the site, and pop-up warnings about collection provide users with certain choices. This data may include IP addresses, digital device fingerprints, and various identifiers.

«Once they get to know you, they can include you in various data sets or use this data to complement other data in the future when you visit another site,» — says Nouwens.

Top 10 most popular sites with the most "partners"

The world of online advertising is a complex field, where companies create user profiles to show ads to a specific audience. Often, such platforms already know exactly what to show you. Over many years, strict privacy laws have led to the emergence of pop-ups asking for consent to use third-party cookies to store data on your device. Studies in recent years have shown that such data collection warning pop-ups often contain complex wording, do not consider people's choices, or are ignored by users.

«All the focus group participants we conducted user testing with do not read these notifications. They just try to close this window as quickly as possible,» — says Peter Dolanski, product director at DuckDuckGo. «As a result, their data becomes available to numerous companies.»

For the site analysis, Nouwens studied the 10,000 most popular sites to find out if partners are mentioned in pop-ups, and if so, how many partners they disclose. WIRED manually checked all the sites mentioned in this article, visiting each one to confirm the number of partners they display. We checked the maximum total number of partners across the entire dataset, as well as for the 1,000 most popular sites. Note that these data represent the situation at the time of collection. Results may vary depending on the user's location.

This also includes sites using a unified system to display information about the use of third-party cookies. Many of the world's largest sites, such as Google, Facebook, and TikTok, use their own systems to inform about third-party cookies. However, thousands of sites use third-party technologies for displaying pop-ups, created by consent management platforms (CMP). These pop-ups typically follow the standards of IAB Europe, which details what information should be included in such warnings.

In November 2023, IAB Europe updated its Transparency and Consent Framework in response to decisions on its non-compliance with the European GDPR, including a requirement that companies report the number of partners with whom they share user data on the front pages of their websites. Townsend Feehan, CEO of IAB Europe, notes that the update "includes a number of significant provisions" that give people more information about what data they can share, including changes such as prominently placing the "reject all" option.

«Adding the number of providers aligns with CNIL [French data privacy regulator] recommendations and is intended to help users get a clear understanding of the number of providers before proceeding to the secondary level of the CMP,» — notes Feehan.

However, according to Nouwens, adding a large number of companies to which data is transferred becomes meaningless.

«If there are more than five or maybe ten, it loses all meaning», — adds the researcher. «It's still too many for anyone to form a real opinion, given how opaque and complex the entire data processing process is».

Top 10 of the 10,000 sites with the most "partners"

While some sites claim that data can be transferred to hundreds of third-party companies, this often happens without the site's involvement. The owner of one tracker may eventually pass this data on to other advertising companies. Most of the sites we contacted for this article did not respond to requests for comments on data sharing. However, the responses from those who did demonstrate the complexity of the advertising industry.

A BuzzFeed representative claims they use the entire IAB-approved vendor list, which led to the display of 809 partners. However, according to the representative, the company actually works with 220 partners. Paul Evans, managing director of the news search platform NewsNow, says he has "direct relationships with several" ad exchanges, and his 1298 disclosed figures are the total number of partners these exchanges work with.

«We do not have sufficient capacity to influence their [exchanges'] activities, business conditions, or choice of partners,» — notes Evans, also mentioning Google's long-term goal — to remove support for third-party cookies from the Chrome browser by the end of this year. «We expect the technical capabilities of our ad exchanges' partners to process user data (even with their consent) to decrease, and the ease with which users can opt-out of consent to increase.»

Companies that track you the most on the Internet (% of sites with trackers)

Although disclosure may not be as transparent as one would like, the number of trackers placed on sites can be analyzed. DuckDuckGo keeps track of companies with the most trackers on the Internet. For example, WebMD and ESPN indicate 809 partners in their cookie pop-ups, but DuckDuckGo data shows that at the time of scanning their sites had 96 and 33 trackers respectively. Among the most common trackers, Google uses its technology on 79% of sites, while trackers from five other companies are present on more than 20% of sites.

«In practice, for the end user, there are many ways to be tracked,» — says Dolanski from DuckDuckGo.

Using browsers with tracking protection, private search, and following a few simple rules will help you keep your data private.

Other related materials:

• Viewability: without it nothing will work
• Study of the distribution of Yandex Header Bidding adapters on Runet
• Google faces demands to overhaul Privacy Sandbox
• The use of AI in ad fraud and disinformation
• Advertising visibility and brand safety in Russia in 2023