The naughty ways retailers track you online and 5 steps you can take to protect your privacy while shopping online this holiday season

November 30, 2018By Ghostery Team

The name of the game in the online retail business is tracking. Retailers have always looked for ways to compete for your business, whether through promotions or doorbuster sales. With the rise of online shopping, retailers—to stay competitive— have capitalized on tracking technologies that seek your personal data.

Tracking is done by collecting data points as you visit different pages on the web. This can be accomplished in two main ways: when a browser saves an identifier locally on your device, as in the case of cookies, or when information about your browser and/or network is used to create a unique digital fingerprint. Cookies and fingerprints can then be used to retarget you on your computer or mobile device. Read on below to learn more about cookies, fingerprinting and retargeting.

COOKIES

A cookie is a small text file that is stored on your device for a certain period of time after you visit a website; it contains information such as your log-in data or the items in your shopping cart. A first-party cookie is created by the website you are visiting. Third-party cookies (used by cross-website trackers), on the other hand, don’t belong to the website you are visiting, instead, they belong to the company that operates the tracker (Google, Facebook, etc.). They land on your device through image files (advertising banners or pixels) and once on your device, track you as you move from website to website creating a profile of your online behavior. This data not only includes shopping interests and browsing history, but can also store financial data, sexual orientation, health status, political views and religious beliefs.

FINGERPRINTING

Many browsers now include an option to block third-party cookies, preventing cookie-based website tracking. Enter… fingerprinting. Fingerprinting creates a “fingerprint” of the user’s systems, which acts as a unique identifier. It does this by tracking device browser configurations and settings over time. Device fingerprinting can be used to identify a user and track them across websites even when cookies are being blocked!

RETARGETING

Retargeting is a process whereby third-party trackers are used to serve advertisements to a user based on their unique browsing habits. The process works like this: you visit a particular site, say a news site, and the news site contains a Google tracker on it that will set a cookie that is now saved on your device. Next, you visit an e-commerce site (that also contains a Google tracker) looking for running shoes. You continue to browse the internet and notice that the shoes you were looking at are appearing in ads on other websites you visit and within other apps you use. Why does this happen? Google (the tracker operator) has detected the same tracking ID on both sites, and thus, can identify you as a unique user.

Today, retailers (and advertisers) have the upper hand when it comes to extracting value from user data – but we believe the consumers have the right to know exactly what happens when they spend time online unknowingly giving away their information for free, particularly at a moment when privacy is at the forefront of our conversations about online technologies. With holiday shopping in full swing, we set out to uncover exactly what online tracking techniques some of the top retailers are leveraging this year. We looked at the following ten retailers: Walmart, Best Buy, Target, Home Depot, Nike, H&M, Macy’s, Costco, Nordstrom and Wayfair.

Of the 10 retailer websites analyzed, we found the following (figure 1):

Tracking requests per page load

  • Average tracking requests per page loads is 11.4
  • Wayfair has a strikingly high number of requests, at 41, compared to the average
  • Wayfair also had the highest proportion of loads on which tracking occurred, totaling 93%, compared to the average of 70.3%

Delving a bit further into these retailers’ online tracker ecosystems, we found – to no surprise – advertising trackers came out on top, representing nearly half of all trackers found in the analysis. Advertising trackers should not be taken lightly. These trackers are used specifically for data collection, behavioral analysis, targeting and, perhaps the most naughty of them all, retargeting.

Figure 2 illustrates the presence of advertising trackers on these retailers’ websites and reveals the following:

Advertising trackers

  • All websites analyzed contained advertising trackers, accounting for 49% of all trackers found, with an average of 15.6 per retailer website
  • Nike had the most advertising trackers, at 25; Costco had the least, at 6

Five Steps You Can Take to Protect Your Personal Information Online

While tracking is inevitable, there are steps you can take to ensure that your personal data stays private and to stop retailers from profiling and targeting you.

1. Use an anti-tracking tool on all your devices

Desktop anti-tracking extensions identify third-party trackers and allow you to control which trackers you permit while you browse the internet. They also ensure that personally identifiable information isn’t sent to third parties that you’ve chosen to block. There are also mobile apps (browsers for your phone) that offer the same capabilities as a desktop anti-tracking extension.

2. Use an ad blocker on all your devices

Ads clutter your browsing experience and are often unwanted and obtrusive. Furthermore, some ad practices, known as “Malvertising”, are outright dangerous to the user: malicious advertisers buy ad space on websites and then place ads on these sites that are infected with viruses, spyware, or malware. The Ghostery desktop extension and Privacy Browser for mobile offer ad blocking and anti-tracking capabilities.

3. Change cookie settings & adjust your privacy settings

In your browser settings, delete and block third-party cookies. When setting up software, accounts and online services, pay attention to your privacy settings and restrict data access if necessary. This applies to both operating systems and social media services like Facebook. For social media services, you can limit who can access the content you share.

4. Use a VPN (virtual private network) on all your devices

VPNs provide online privacy and anonymity by allowing you to access a secure private network while sharing data across a public network. They use encryption protocols to encrypt any transmitted data and they disguise the IP address assigned to your device- your IP address is used when building your digital fingerprint.

5. Beware of phishing schemes

Don’t open emails that seem suspicious or click on any links that might be in the body of these suspicious emails. If the sender of the email is not someone you know and trust, mark the email as spam and block the sender. There are browsers that protect you against phishing. For example, Cliqz offers a browser with an anti-phishing feature built into it that detects deceptive websites trying to access your passwords or personal data.

 

Methodology

The study is based on data collected via Alexa and whotracks.me on November 14, 2018. Whotracks.me is an online resource owned by Cliqz and Ghostery that aggregates information on website trackers (i.e. number, type, presence on page loads, etc.). Alexa was used to identify the top retailer websites for consumer goods that use third-party tracking technologies. Ghostery analyzed the specific tracking techniques of the following retailers to better educate users on the internet tracker ecosystem: Walmart, Best Buy, Target, Home Depot, Nike, H&M, Macy’s, Costco, Nordstrom and Wayfair.