You Turned Off Ad Tracking. They Still Know It's You.
If you've ever gone into your phone settings and switched off "Allow Apps to Request to Track" or reset your Advertising ID, you probably assumed that was the end of it — no more ID, no more tracking. It isn't. There's a second, quieter tracking method running underneath that toggle, and turning off your Ad ID does nothing to stop it. It's called device fingerprinting, and it's the reason your Instagram ads still feel oddly specific even after you've locked everything down.
What actually happens
Every time your phone or browser talks to a website or app, it hands over a small pile of technical details as a matter of routine — details that have nothing to do with your name or number, but everything to do with making websites render correctly. Your screen resolution. Your installed fonts. Your device model and OS version. Your timezone and language setting. Your battery level. Your GPU's rendering signature. Individually, none of these identify you. Combined — 20, 30, sometimes 50 signals stitched together — they form a fingerprint that's often unique enough to single out your exact device among hundreds of thousands of others, no ID required.
Why this exists now
This isn't new technology, but it's become far more prominent recently, for a specific reason: Apple's App Tracking Transparency (ATT) put IDFA behind an opt-in prompt in 2021 — apps have to ask, most users decline, and a decline hands back a zeroed-out ID. Google's GAID hasn't been blocked or deprecated; it's still available by default on Android, though users can reset or opt out of it in settings. The practical effect is the same either way: ID-based tracking has gotten a lot less reliable, and advertisers found a workaround that doesn't need an ID at all. Fingerprinting doesn't ask permission because, technically, none of the individual data points it uses are considered sensitive. Your screen size isn't private. Neither is your timezone. It's the combination that's the problem, and no popup asks you to consent to a combination.
Why there's no toggle for it
Cookie tracking eventually got regulated hard enough that you now see consent banners everywhere. Fingerprinting has no equivalent, because it doesn't store anything on your device the way a cookie does — there's nothing to delete, no permission dialog to decline, because your browser was designed since the 1990s to share these details automatically, before anyone thought about privacy implications.
Where the law stands
India's DPDP Act does apply in principle — a fingerprint that reliably identifies a specific person counts as personal data under the Act's broad definition. But the Act is still in its phased rollout: the Data Protection Board was set up in November 2025, the Consent Manager framework activates in November 2026, and full substantive enforcement doesn't begin until May 2027. Unlike GDPR's ePrivacy rules, which specifically call out tracking technologies including fingerprinting, the DPDP Act doesn't yet have fingerprinting-specific guidance. In practice, that means this tracking method sits in a regulatory gray zone for at least another year.
What actually reduces it — and what doesn't
Resetting your Ad ID: does nothing here, since fingerprinting never used that ID in the first place.
Clearing cookies: does nothing here either — fingerprints aren't stored as cookies.
What helps, partially: browsers built with fingerprint resistance — Firefox's Strict tracking protection, Brave, or Safari's tracking prevention — don't remove your fingerprint, but they add noise or standardize your signals so more devices look identical, making individual identification harder. No solution eliminates fingerprinting entirely on a stock phone; the goal is raising the cost of tracking you, not making it impossible.
The honest takeaway: the privacy controls you were given were designed around the last generation of tracking. This one runs quietly underneath them.

