Data collection on the web: cookies, pixels and tags

This week, Jonathan Joseph discusses cookies, pixels, tags, and data collection in general with Raashee Gupta Erry, ex-Federal Trade Commission (FTC) leader and Founder & CEO at Uplevel.

Summary

Web data collection has evolved from cookies—the original mechanism driving cross-site tracking and a catalyst for GDPR—to a much broader ecosystem of technologies including pixels, tags, hashed emails, fingerprinting, and identity bridging. While cookies remain prevalent and auditable, cookie deprecation pressure has accelerated investment in alternate identifiers built on hashed emails, which now underpin most modern identity solutions. Regulators are tracking this evolution closely, with fingerprinting and ID bridging appearing in FTC guidance and enforcement cases such as Avast.

State-level regulators are also active. The New York AG's office conducted desk research across a dozen websites, identifying tracking tags that continued firing even after consumers opted out—misconfigured or uncontrolled tags that rendered consent choices meaningless. This kind of enforcement-by-observation is low-cost and highly accessible: regulators can check outdated privacy policies and visible tag activity without significant technical resources. Connecticut's privacy chief made the same point—an unchanged privacy policy from 2017 signals a company that simply doesn’t care, and no business should assume their practices are invisible to scrutiny.

The same data collection challenge extends to physical retail. Beacons, RFIDs, and footfall tracking technologies collect in-store location and behavioral data, which companies routinely merge with online profiles for personalization and cross-selling. The tying together of offline and online behavioral data is an area where regulatory activity is expected to grow.

More broadly, data brokers remain the central lever for upstream systemic change—going after individual consumer companies is operationally impossible at scale, while targeting the aggregators and distributors that supply data to many companies simultaneously creates much broader compliance pressure across the ecosystem.

Transcript

**Raashee:** There is a lot of different data types that are being collected out there, and there are what methods are being employed. Right? So that's where start to peel the onion in terms of like, before digital surveillance was a big deal, you were looking at a lot of, like, data that was collected from offline sources. It would be, like you said, filling up a form or survey or list, brokers or things like that. And then as digital activities and surveillance has increased, we're changing our focus to looking at what are the different digital mechanisms to collect data. Cookies, obviously, we've been all looking at cookies for a long time, even pre-GDPR. That's what kinda led its way into GDPR. And so that was sort of one of the primary ways that we're starting to understand and try to control this data collection and abuse that was happening, and cross site tracking was powered by cookies or is still powered by cookies. So that was one. But then we all know that with a lot of the work that happens in the privacy technology space where we are able to look at what cookies are, first party cookies, third party cookies, you can audit them. You can try to control them to some extent. But then the newer forms of technologies. So they are looking at what happens beyond technologies. What are the different ways that data is being collected? So pixels, tags is just a business as usual practice in the advertising marketing world. Like, any company you work with, it's given that there's a pixel that brand's website, and it will connect who knows what. So that is sort of, like, the focus that has been shifted. I wouldn't say shift. Shift is not the right word. I would say expansion of focus from cookies to technologies like pixels and tags.

And then now what we're also seeing is even further expansion, especially in the light of changes that are happening in the advertising world where cookie deprecation, when it happens, if it happens, TBD, but cookie deprecation, which has led to a lot more focus on first party data and alternate identifiers. So, that's where hashed emails come into play, which is the backbone of a lot of ID solutions, which is a backbone of a lot of alternate sort of options that are out there for a replacement of cookies. Then, there are other things that I'm starting to see in guidance, in language, in cases that are coming out is I've seen fingerprinting being mentioned. I've seen ID bridging being mentioned, especially in the case of Avast. So these are sort of I think these breadcrumbs sort of tell you a bit more about what is the focus, after cookies and where are some of these things happening. And that's just not in the federal space. Right? That's also the New York AG. Their announcement said that they had done a study for, I think, probably a dozen websites where they saw a lot of pixels and tracking tags happening, and that led to their guidance on, consent on guidance on, proper consumer experience.

**Jonathan:** Yeah. I wanted to ask you about that, Raashee. So, well, we're definitely seeing demand for just, you know, tools that help you understand which infrastructure is collecting data off your website and which vendors are ushering in others. You know? They you may not have a first party relationship or you don't have a first party relationship with. And the FTC wrote a blog a while back, the hidden pages of pixel tracking, I think, was called, which just told me they really understand this space. Like and then I actually want to ask you about the New York AG piece. I didn't know that. So what was the what did they find when they looked at those twelve? What was the point, hey. We just see a lot of this going on, and, it's too much? Or what's the point, hey. I see this, and it doesn't seem like you're enforcing privacy choices?

**Raashee:** What I gleaned from that is they were through their sort of investigation analysis, whatever you wanna call it, they were able to identify presence of tags on various websites. And these tags were still there even if somebody opted out. They were still sort of, like, they were misconfigured or the right controls weren't firing or they were just not, sort of what you expect of so they think of them as, like, they are putting a hat as a consumer, and they are browsing those websites and doing all the things that the website tells them to do. Hey. Opt out here. Here's a privacy notice. Opt in here. Here's a cookie banner. So and behind the scenes, they are measuring those actions or they are analyzing those actions. Like, wait. I did a. Did b happen? I did so it's a lot of sort of, like, that desk research that we all in the industry do or should do or can do. These are the things that they're so accessible. Right? Like and it's funny when we were talking to the data privacy chief in Connecticut, she said, you know I can see your privacy policy. Right? Like, you know it's on the website, and you haven't changed it since twenty seventeen. So that tells me you don't really care. It's not like your business hasn't evolved since twenty seventeen.

**Jonathan:** Exactly. Yeah. Yeah. Yeah. So, and it's, like, it's pretty easy to look at what tags are firing. Right? Tag Explorer or whatever. You could see that.

**Raashee:** I want to ask you that often. Yeah.

**Jonathan:** What about when, you know, walking into a store, data collection practices? Like, how I mean, that feels like a huge gap. Do you think that's the next place for the FTC to go or state AGs to go?

**Raashee:** I mean, I think, I mean, long time ago with I think this was, like, when Starbucks had first started to do a lot of, sort of innovation in store. Right? The whole idea of beacons and RFIDs was prominent, and that was kinda like the shiny object. So I think those things are still out there. Right? So that data is being collected. That, again, goes back to ties with location to some extent. So me, I came into your store. I did this and that, and I sort of spent this much time in your store. So there's a lot of footfall data that companies have access to that they then marry with online data to do their personalization, their upset upselling, cross selling of products. So I wouldn't be surprised that that would be something that this tying the two together as a connection will be an area that we start to see more sort of activity in.

**Jonathan:** Sure. Well, I want to ask you about number three in your framework. And so this idea that if the FTC or others are trying to, you know, Ketch change in an industry, you're gonna go after the big cogs in that machine. And I want to ask you about two of those cogs. One of them is data brokers, which you mentioned. And the other one, which you mentioned in kind of, in the second part of your framework, is the identity, stitching the identities together. So let's talk about data brokers first. I mean, obviously, that's the place. Right? That's this is you see the California Delete Act. We see all sorts of activity around data brokers. Is it that is that obvious? Right? It's anything

**Raashee:** Yes. I think I mean, it goes back to you. Right? So going after a consumer company or a b to b company, they're one in many. How many it's just humanly impossible, to go after every single entity out there who may be doing bad practices.
