Data Collection and Profiling: How Companies Build Your Profile

Every website you visit, every app you open, and every search you run generates data. Most of it is collected automatically, processed at scale, and used to build detailed profiles of who you are — without your active participation. Understanding how this works is the first step toward controlling it.

What data is being collected

Data collection happens at multiple layers simultaneously:

• Identifiers: IP address, device ID, advertising ID (GAID on Android, IDFA on iOS), email address, phone number. These anchor your profile to a persistent identity.
• Behavioural data: Which pages you visit, how long you spend on each, what you click, what you search for, what you buy — and what you almost bought but didn't.
• Location data: Precise GPS coordinates, Wi-Fi network names, cell tower data. Accurate enough to identify your home, workplace, gym, place of worship, and medical facilities you visit.
• Device data: Screen resolution, installed fonts, browser version, battery status, hardware sensors. Combined, this data forms a "fingerprint" that identifies your device even without cookies.
• Social graph: Who you communicate with, how often, and in what context. Even if the content of your messages is encrypted, metadata (who, when, how often) reveals a great deal.

How profiling works

Individual data points are not especially revealing. The power is in aggregation. A data broker or advertiser correlating your location history, purchase history, search history, and social graph can infer your income, health conditions, political views, relationship status, and psychological profile with high accuracy — often more accurately than you would describe yourself.

This is done programmatically and at scale. A major data broker holds profiles on hundreds of millions of people, updated continuously from hundreds of data sources. The profile built on you has likely never been seen by a human — but it is bought, sold, and acted upon constantly, influencing the ads you see, the prices you're quoted, the loans you're offered, and the content recommended to you.

Who is doing the collecting

Data collection is not limited to the obvious actors:

• Advertising platforms — Google and Meta operate the two largest tracking networks, present on the majority of websites and apps via embedded trackers, analytics scripts, and social sharing buttons.
• Data brokers — Companies like Acxiom, Experian, and LexisNexis aggregate data from hundreds of sources and sell it. They are largely invisible to consumers but have detailed profiles on most adults in developed countries.
• Apps — Most free mobile apps monetise via advertising SDKs that collect and transmit device data, location, and usage patterns to third-party networks.
• Your ISP — In countries without strong data protection law (including the United States), internet service providers are legally permitted to collect and sell your browsing history. In the EU, this is generally prohibited under GDPR and the ePrivacy Directive — but metadata (connection timing, volumes) may still be retained. Encrypted DNS and a VPN reduce but do not eliminate this.
• Employers and institutions — Corporate devices and networks typically log all traffic. Institutional Wi-Fi may do the same.

Browser fingerprinting: tracking without cookies

Cookies are the most well-known tracking technology, but modern tracking often does not rely on them at all. Browser fingerprinting combines dozens of signals — your screen resolution, installed fonts, timezone, language settings, WebGL rendering output, and more — to generate a unique identifier for your browser that persists even after you clear your cookies or switch to private mode.

The Tor Browser and Brave with its fingerprint randomisation features are the most effective mitigations. Firefox with the right extensions (uBlock Origin, Canvas Blocker) provides partial protection. Chrome provides essentially none by default — fingerprinting is a feature from Google's perspective, since it supports the advertising infrastructure the company depends on.

What you can do

• Use a privacy browser with tracking protection enabled (Brave, Firefox with uBlock Origin).
• Use a private search engine — DuckDuckGo, Brave Search, or Startpage — to break the connection between search queries and your Google account.
• Audit app permissions regularly. Location, contacts, and microphone access granted to apps you barely use are active collection points.
• Use a VPN to prevent your ISP from logging your browsing activity and to mask your IP address from the sites you visit.
• Opt out of advertising IDs — both Android and iOS allow you to reset or disable the advertising identifier. This disrupts cross-app tracking.
• Use a privacy-first phone — GrapheneOS removes the advertising ID entirely and gives you per-app network access controls that prevent apps from transmitting data even if they collect it.

The limits of individual action

Individual privacy measures reduce data collection meaningfully but do not eliminate it. Data brokers often obtain information from offline sources — loyalty card schemes, public records, credit applications — that cannot be blocked by browser extensions. The most effective protection is limiting data generation at the source: using privacy hardware, privacy operating systems, and services that do not collect data in the first place.

The Norypt Pixel Secure runs GrapheneOS, which removes all Google tracking infrastructure at the OS level. Combined with the Norypt Privacy Router — which blocks tracking domains at the network level across every device in your home — it addresses collection at both the device and network layer, not just the application layer where most consumer privacy tools operate.