Cross-site tracking is the practice of following one user's activity across multiple, separate websites to build a behavioral profile. Advertisers and data brokers do it most, mainly through third-party cookies and similar trackers embedded on many sites. It powers the targeted ads that seem to follow you everywhere.
What Is Cross-Site Tracking?
Cross-site tracking is when a company, often an ad network or data broker, identifies the same visitor across two or more unrelated websites. It then links those visits into one profile. The company does this by embedding the same tracking code, cookie, or pixel on every site it wants to monitor.
The everyday experience is familiar. You look at a pair of shoes on one retailer's site. Those same shoes then follow you as an ad on a completely different news site. That is cross-site tracking at work: advertisers and data brokers monitoring your activity across unrelated sites and stitching it into one profile.
This is not limited to end users browsing casually. Any site that embeds a third-party ad tag, analytics script, or social widget participates in cross-site tracking, whether or not the site owner intended it.
How Does Cross-Site Tracking Work?
Cross-site tracking works because the same third-party code runs on many different sites, and that code reads the same identifier everywhere it appears.
- You visit Site A, which embeds a resource (an ad, a pixel, or a script) from a tracking domain.
- The tracking domain sets or reads its own cookie or identifier in your browser, not Site A's cookie.
- You later visit Site B, which embeds the same tracking domain's resource.
- The tracking domain reads the identifier it set on Site A and recognizes you on Site B.
- The tracking company stitches your visits into one profile and uses it to target ads or measure conversions.
Third-party cookies are the classic mechanism, but the identifier does not have to be a cookie. WebKit, the engine behind Safari, draws the boundary by registrable domain. It defines a website as "a registrable domain including all of its subdomains." A subdomain of the site you are visiting counts as first-party. A different registrable domain, embedded on that page, is the third party doing the tracking.
For a deeper technical breakdown of the mechanism, see how cookies track you across the web.
What Methods Are Used for Cross-Site Tracking?
Cookies are only one of several methods used for cross-site tracking. Pixels, fingerprinting, embedded widgets, and URL-based techniques all achieve the same result, and none of them strictly needs a cookie.
| Method | How it tracks | Cookie-dependent? |
|---|---|---|
| Third-party cookies | A cookie set by a domain other than the one in the address bar | Yes |
| Tracking pixels | A tiny invisible image that pings a server when the page loads | Often paired with a cookie |
| Browser fingerprinting | A device/browser signature built from fonts, screen, and settings | No |
| Social widgets | Embedded Like, Share, or login buttons that load third-party code | Often |
| Link decoration and bounce tracking | Tracking IDs appended to URLs or routed through an intermediate domain | No |
Third-Party Cookies
A third-party cookie is set by a domain other than the one shown in your address bar. It is readable anywhere that domain is embedded. This is the mechanism ITP and Enhanced Tracking Protection target directly. See first-party vs third-party cookies for the full distinction.
Tracking Pixels (Web Beacons)
A tracking pixel is a tiny, often invisible, image or code snippet embedded in a page or email. It fires a request to a tracking server the moment it loads, reporting that you viewed that page or opened that email. For the full mechanics, see tracking pixels.
Browser Fingerprinting
Browser fingerprinting builds a near-unique signature from your device and browser settings, fonts, screen size, and configuration, without setting a cookie at all. This means it survives cookie deletion and private browsing. WebKit actively defends against it. It restricts font access to web fonts and OS fonts only. It also freezes user-agent detail to your platform's major version so fewer devices look unique. Some fingerprinting techniques also power trackers that survive deletion.
Social Media Widgets and Share Buttons
Embedded Like, Share, and login widgets load third-party code on every page that hosts them. That code can track your visit even if you never click the button, because loading the widget alone is enough to contact the third-party domain.
Link Decoration and Bounce Tracking
Link decoration appends a tracking identifier to a URL as a parameter, so your identity carries across a click from one site to another. Bounce tracking briefly routes you through an intermediate tracker domain that appears first-party for a moment before redirecting you onward. Both are real, named techniques with dedicated browser countermeasures. WebKit caps the expiry of JavaScript-set landing-page cookies at 24 hours specifically to blunt link decoration. It detects bounce tracking separately, by counting unique top-frame redirects.
Why Do Companies Track You Across Sites?
Companies track you across sites mainly to serve targeted ads, measure whether those ads convert, and build profiles they can sell or share.
- Targeted and behavioral advertising: showing ads based on sites you have already visited.
- Retargeting: the shoe-ad pattern, where an item you viewed follows you to other sites.
- Conversion measurement: confirming an ad you saw on Site A led to a purchase on Site B.
- Profile building for data brokers: aggregating your cross-site activity into a profile that gets shared or sold.
- Content personalization: adjusting what a site shows you based on activity it observed elsewhere.
What Are the Privacy Risks of Cross-Site Tracking?
The main privacy risk of cross-site tracking is that it builds a detailed behavioral profile of you without your active awareness. That profile can end up in places you never agreed to.
- Profiles built without meaningful awareness: most users never see the full picture a tracker assembles from dozens of sites.
- Data shared with data brokers: profiles get aggregated, packaged, and sold to companies you have no relationship with.
- Sensitive inferences: cross-site activity can reveal health concerns, financial stress, or political views, even if you never stated them directly.
- Persistence and re-identification: profiles can outlive a single browsing session and later be matched back to you.
- Aggregated exposure risk: the more data a tracker holds, the more damaging a breach of that data becomes.
What Does "Prevent Cross-Site Tracking" Mean?
"Prevent Cross-Site Tracking" is a browser privacy setting, most associated with Safari and on by default, that blocks third-party trackers. It limits a site to seeing your activity on that site, not across the web. Chrome and Firefox offer equivalent controls under different names.
Apple describes the Safari feature directly. It stops third-party content providers from tracking you across websites for advertising. Unless you visit and interact with that provider directly, their cookies and website data are deleted. The setting also reduces fingerprinting. It presents a simplified version of your system configuration to websites, so fewer devices look unique.
Chrome does not use the phrase "cross-site tracking" for its equivalent control. Instead, it blocks third-party cookies under Settings, and Firefox calls its version Enhanced Tracking Protection. All three achieve the same underlying result: they stop a third party embedded on multiple sites from linking your visits together. Whether this setting satisfies a site's own consent obligations is a separate question, covered below under legality.
Should You Turn Cross-Site Tracking On or Off?
Leave "Prevent Cross-Site Tracking" on. There is rarely a privacy reason to allow cross-site tracking. Turning it off gives advertisers and data brokers a clearer view of your activity across every site you visit.
The one legitimate reason to turn it off temporarily is that some sites break without third-party cookies. The common breakage points are consistent.
- Login and single sign-on widgets: "Log in with Google" or "Log in with Facebook" buttons can depend on a third-party cookie to complete the handoff.
- Payment processors embedded in an iframe: some checkout flows load a payment provider's third-party frame that needs its own cookie to function.
- Cross-account aggregation tools: some finance and education platforms use a third-party cookie to bridge a legacy multi-site view.
If a specific site breaks, turn the setting off only for that task, then turn it back on immediately afterward. Leaving it off permanently trades your privacy for a convenience you only need occasionally.
How to Stop Cross-Site Tracking in Your Browser
Every major browser has a setting for this, and each one lives in a different place.
| Browser | Setting name | Where to find it |
|---|---|---|
| Safari (Mac) | Prevent cross-site tracking | Safari > Settings > Privacy |
| Safari (iPhone/iPad) | Prevent Cross-Site Tracking | Settings > Apps > Safari > Privacy & Security |
| Chrome | Block third-party cookies | Settings > Privacy and security > Third-party cookies |
| Firefox | Enhanced Tracking Protection | Settings > Privacy & Security |
Safari (Mac, iPhone, and iPad)
Safari splits the control across the desktop and mobile apps, so follow the path for your device.
On a Mac, open the Safari privacy settings and enable the toggle.
- Open Safari.
- Choose Safari, then Settings.
- Click Privacy.
- Select "Prevent cross-site tracking."
On an iPhone or iPad, the same control lives inside the system Settings app.
- Open Settings.
- Tap Apps, then Safari.
- Tap Privacy & Security.
- Toggle "Prevent Cross-Site Tracking" on.
This setting is on by default in current Safari versions. Most users never need to touch it unless a site has broken.
Google Chrome
Chrome frames this as third-party cookie control rather than a named "cross-site tracking" toggle.
- Open Chrome and select Settings.
- Click Privacy and security.
- Select Third-party cookies.
- Choose to block third-party cookies.
Menu wording shifts between Chrome versions, so confirm the exact path in your installed version before relying on these steps.
Firefox
Firefox handles this under its Enhanced Tracking Protection panel:
- Open Firefox and select Settings.
- Click Privacy & Security.
- Under Enhanced Tracking Protection, choose Standard for default blocking, or Custom for granular control over cookies specifically.
Firefox blocks known cross-site tracking cookies by default under Standard protection.
Is Cross-Site Tracking Legal? What Website Owners Must Know
Cross-site tracking is legal but regulated. In the EU and UK, the GDPR and the ePrivacy Directive require prior, informed consent before non-essential trackers fire. In the US, laws like the CCPA and CPRA give consumers opt-out rights, and pixel-based tracking has driven a wave of wiretap-style lawsuits.
If your site embeds a third-party tracker, ad tag, analytics script, or social widget, you are responsible for getting consent before it fires. You are also responsible for proving that consent later if challenged. This obligation sits with the site owner, not the tracking vendor. Getting cookie consent before non-essential trackers load is the core compliance step. Pixel-based tracking specifically has driven laws like CIPA lawsuits in the US.
Cross-Site Tracking vs Cross-App Tracking
Cross-site tracking follows you across websites in a browser, mainly through third-party cookies and pixels. Cross-app tracking follows you across mobile apps using a device advertising identifier. Apple's App Tracking Transparency prompt ("Ask App Not to Track" or "Allow") governs the app side.
Both serve the same goal: building a cross-context profile for advertising. But they run on different surfaces with different controls. A browser's tracking-prevention setting has no effect on an app's advertising identifier. Disabling App Tracking Transparency for one app has no effect on browser cookies either. If you manage both a website and a mobile app, address each surface separately.
Is Cross-Site Tracking Going Away?
Cross-site tracking is shrinking but not gone. Safari's ITP and Firefox's Enhanced Tracking Protection already block third-party cookies by default. Google has also been curtailing them in Chrome through the Privacy Sandbox initiative, though its timeline has shifted more than once.
Google states plainly that "some Privacy Sandbox technologies are being phased out," without committing to one universal date for removing third-party cookies from Chrome. Advertisers are responding by shifting investment toward first-party data and privacy-preserving measurement that does not depend on a shared cross-site identifier. The full third-party cookie phase-out timeline lives on the first-party vs third-party cookies page linked above.
How Consently Helps You Manage Third-Party Trackers
Consently helps you find and control the exact cross-site trackers running on your own site, then proves you got consent before they fired.
The trackers discussed throughout this page are not just something you toggle off as a visitor. If your site embeds a third-party ad tag, analytics script, or social widget, you have to disclose it and get consent for it. Auto Scanning crawls your site on install and detects every cookie and tracker present, updating your banner categories automatically so nothing slips through unlisted. Cookie auto-blocking, plus script and iframe blocking, stop non-essential third-party trackers from firing until a visitor consents. Consent logs record every choice as proof for an audit.
This maps directly to the GDPR and CCPA consent duties covered above: you cannot prove consent you never recorded.
Try Consently Free and scan your site for the third-party trackers running on it right now.
FAQs
What is cross-site tracking in simple terms?
Cross-site tracking is when a company follows the same visitor across different websites by using the same cookie, pixel, or script on each one. It links your separate visits into one profile, usually to target ads.
Is it good to prevent cross-site tracking?
Yes. Preventing cross-site tracking limits how much advertisers and data brokers can learn about you across the web. It carries no real downside for most everyday browsing.
Is it safe to turn off "Prevent Cross-Site Tracking"?
It is safe but it lowers your privacy while it is off. Turn it off only temporarily for a specific site that has broken, then turn it back on right after.
Does preventing cross-site tracking stop all tracking?
No. It blocks third-party cookies specifically, but fingerprinting and the current site's own first-party analytics can still track you. Browsers keep tightening these gaps, but no single setting closes all of them.
How do I turn off cross-site tracking on my iPhone?
Go to Settings, tap Apps, then Safari, then Privacy & Security, and toggle "Prevent Cross-Site Tracking" off. Full steps, including how to turn it back on, are above.
Is cross-site tracking the same as third-party cookies?
No. Third-party cookies are one method used for cross-site tracking. Tracking pixels, browser fingerprinting, and link decoration achieve the same result without a cookie.
Does cross-site tracking need consent under GDPR?
Yes. Non-essential third-party trackers require prior, informed consent under the GDPR and the ePrivacy Directive before they load.
Why does turning off cross-site tracking break some logins?
Some login, single sign-on, and payment features rely on a third-party cookie to hand off your session between domains. The privacy setting blocks that cookie along with every other cross-site tracker, so the handoff can fail.

