(Credit: Vectorpouch/Shutterstock)

As we look back on the state of digital privacy in 2018, one could argue that the stage was actually set during the 2016 presidential election, when an academic researcher at Cambridge University collected Facebook user data en masse and used it to build psychological profiles for a UK client who may have influenced who won and who lost.

In the time since, the public has heard a lot about how much they are tracked online, and how this data can be used to follow you around online and learn perhaps more about you than you know about yourself. And to hear The New York Times tell it, the anonymity of this portrait is not a high priority in this marketplace.

SEE: Best apps for securing Android and managing privacy settings

Without clear laws like the European Union's General Data Protection Regulation, or GDPR, the owners of these profiles exist in a gray area where they can keep this data as long as they want, sell it or trade to whomever they want, and never notify you that any of this is going on.

The digital privacy company Ghostery, maker of an ad-blocking mobile browser (Android, iOS) based on Firefox, reports that many major retail websites ranging from Walmart to Nordstrom are packed with third-party advertising trackers, right when millions of Americans are shopping for holiday gifts.

We spoke with the company director Jeremy Tillman about the report, and what you can do to reduce your exposure.

While third-party cookies and trackers can abuse their collection abilities, he says that they're not all necessarily bad. "There's some weird scenarios where you may want some third-party cookies. For logging in particular, like if a website was using LinkedIn Connector or something like that. You may not want to block all third-party cookies off the bat, unless you know what you're doing. But by blocking the trackers, it prevents them from placing [cookies], and the kind of trackers that we have in our database are the ones that are trying to profile users."

What kind of personal data can a cookie contain?

Ghostery's report says that these trackers can store unsettlingly specific data about individual users, including their estimated income, sexual orientation, physical health, politics, and religious affiliation.

We asked Tillman how this sort of thing can happen in your web browser, and he identified Facebook as an important piece of the puzzle. "One of the most direct ways that third-party cookies can be used in this way would be something like the Facebook cookie. The Facebook cookie is really effective. It's actually their Facebook Custom Audience tracker that can place the cookie. And what it does really well -- and this is one reason why Facebook is so effective in this -- is that it can reference your specific Facebook profile in the cookie itself.

"So it basically places the unique profile identifier for you. And the advertiser on the back end ...They can then leverage all the information that's inside your profile that would include gender, political affiliation, sexual orientation, and everything else that you have in your social footprint."

Tillman has a general example as well: "Let's just imagine a 'tracker.com' cookie that places a cookie in your browser -- if that same tracker is on, say, a political candidate's website or if it's on, say, a medical website or a health.org website. They can then write to that cookie all of the behavioral actions that you're taking. In particular, that you're going to these websites and perhaps what you're doing on those websites.

"That tracker -- if they've got a unique identifier tied to you -- can then link that up and consolidate information to a user profile that you have. And there's actually quite a lot of trackers that are in this 'data brokerage' space where they exist almost purely to Hoover up this information and build these profiles on you."

(Credit: Golden Sikorka/Shutterstock)

Other tracking companies you should we be aware of

But while Google and Facebook are the dominant facilitators between advertisers and shoppers, smaller companies are still carving out their own spaces that you may want to be aware of. "Once you get outside the big players like Facebook and Google, then you get into, say, Quantcast, which is really good at building these really detailed profiles.

"They're able to convince a lot websites to put their trackers on their website because the owners get insight from it -- but it really allows [Quantcast] to create a blanket ecosystem where they're able to really connect a lot of dots between different websites that you visit.

"Let's say somebody's using Quantcast, and Quantcast has dropped a cookie in your browser, and then there's an ad tech partner of theirs that is on a website. They can pull up that profile from Quantcast and determine -- based on any number of parameters -- what kind of person you are. And that could include not just shopping behavior but those sort of demographic or psychographic data points that we talked about.

"And then through the [ad] bidding platform, they can say, 'OK, this is the ad that wants to pitch to you.' And maybe that's a political campaign that's looking to target somebody with your somewhat narrow demographic.

"And not everything works that way -- a lot e-commerce sites that we analyze are doing a simpler kind of retargeting where the cookies they're writing are more concerned about what products you have got. So for them, if they dropped a cookie, that cookie could have product names and a product ID number.

"It's not a political campaign trying to target 18 to 34 year olds who like sports, it's more like 'Hey, this guy looked at shoes -- this exact pair of shoes, in fact. Let's try to get him to convert when he goes to whatever news site he goes to in the morning.'"

Reconciling the privacy status of Google Chrome on mobile devices

So if the mobile version of Google Chrome (Android, iOS) doesn't let users control cookies, and its tracker management is only the Do Not Track feature that websites are free to ignore, what does Ghostery think of the app?

Tillman says, "[With] Chrome for your desktop -- you have all these extensions and tools. Privacy tools, ad blockers. You do not have that same option on mobile Chrome. Which means that there's absolutely no way to defend against a lot of these [trackers]. There's nothing you can do. The trackers are loading the page, the cookies will be written on the page.

"And to a lesser extent, Safari for iOS does allow some custom blocker apps that you can install. There's a few in the App Store. So you have a little bit more freedom, I think, with Safari on iOS to take some corrective measures. If you're at all concerned about your own privacy, Chrome for Android or iOS is as bad as it gets, knowing that it has no real defenses."

He also adds, "Your Android device itself has a unique identifying ID. I think the iPhone has something similar that can be used to precisely target you. And that can be tied back to a lot of the location services, especially if it's a Google-tied network.

"And they're able to, through their other apps, very precisely determine that a person is in that store, or in the state, or that time -- that's all tied back to your Android device ID, which can then be tied to your sort of Google advertising profile, which -- if it's a Google ad network -- can be used to target you inside the Chrome browser with stereo precision."

Fortunately, iOS does have one setting to reduce how much tracking happens on your iPhone or iPad.

(Credit: BigMouse/Shutterstock)

One thing you can do to protect yourself

According to Tillman, "The best thing for you to do there was a concern about this is to use a privacy browser like Ghostery or some other third-party browser, and then set that as your default browser, and then go into some of these applications and make sure that the links in these applications open in an external browser.

"Because if you're searching 'I'm looking to buy a new couch' in Google, and you click on a link there, it's going to open in the built-in browser inside the Google Search [app]. It won't necessarily even direct you to Chrome. So there's a lot of default settings on mobile devices that make it really hard to proactively protect yourself, but there are distinct steps that users can take."

Where Microsoft and its Edge browser fit into this picture

Meanwhile, Microsoft recently announced that it's switching the programming code of its Edge web browser to basically be Google Chrome under the hood. As you might expect, Tillman is not enthusiastic: "I think users suffer when there's less competition between different browsing stacks. Edge completely migrating to a Chromium browser make sense for them, because they're trying to gain market share ...The essential downside is that it just sort of cements who is dominant as the only viable browser for for most of the population."

Looking ahead to the future of online privacy

Where does Tillman think this ad tracker industry will go next? "Overall, I think 2018 was definitely a year where we saw a lot of the big companies -- Facebook in particular, and increasingly, Google -- kind of take a couple hits to the face when it comes to the data-driven business model.

"And so I think, through a combination of growing consumer awareness and also a harsher regulatory environment -- both in the EU as well as potentially in the US, given the momentum for privacy laws -- that in 2019, it'll be interesting to see the increasing market demand for privacy solutions."

As we head into 2019, Tillman says, "Something that someone like you could keep on the radar is, 'How does the ecosystem take that next step forward?' Because I think you're going to see a lot of interesting stuff coming from not just us but from other companies and other players in this space, too."

Also see

Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.