There is a particular kind of irony buried in the early web. The people who built it were, by and large, academics and engineers who believed deeply in openness, in the free flow of information, in a kind of digital commons where anyone could read and share without gatekeepers. And yet, almost from the very beginning, the tools to watch what you were doing were quietly being assembled in the background. The history of online privacy is not really a story about villains and victims. It is a story about infrastructure, commerce, and the slow realisation that attention itself had become a commodity.
If you want to understand how we got from anonymous web browsing to a world where your every click is timestamped, categorised, and sold to a data broker in Dublin, you have to go back to the server logs.

Server Logs: The Earliest Form of Web Tracking
Long before cookies existed, every web server kept a log. It recorded who visited, when, from which IP address, and which pages they requested. This was not sinister in origin; it was practical. If your server crashed, the logs told you why. If a particular page was throwing errors, the logs were where you looked first. But administrators quickly noticed something else: the logs were a remarkably detailed portrait of user behaviour.
By the mid-1990s, early web analytics were born out of these raw text files. Tools like Analog and Webalizer crunched through server logs and produced rudimentary traffic reports. How many people visited today? Which pages were most popular? Where did they come from? These questions, seemingly innocent, were the embryonic form of the audience measurement industry that would eventually grow into something worth hundreds of billions of pounds globally.
The limitation was that IP addresses are shared. A university might have hundreds of students appearing under a single IP. A dial-up user gets a different one every time they connect. The logs could tell you that someone visited, not that the same someone had been back seventeen times. That problem needed a different solution.
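The limitation described above can be measured on a small scale. This is an added example, not taken from Analog, Webalizer or any other tool named here; the log lines are constructed, and each carries a ground-truth label that a real server log never contains, included only so the error of counting visitors by IP address can be shown.

```python
import re
from collections import defaultdict

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample. The first field of each pair is ground truth that a real
# log never contains; it is here only so the counting error can be measured.
SAMPLE = [
    ("student_a", '203.0.113.10 - - [12/Mar/1996:09:00:01 +0000] "GET /index.html HTTP/1.0" 200 2326'),
    ("student_b", '203.0.113.10 - - [12/Mar/1996:09:00:05 +0000] "GET /courses.html HTTP/1.0" 200 5120'),
    ("student_c", '203.0.113.10 - - [12/Mar/1996:09:00:07 +0000] "GET /index.html HTTP/1.0" 200 2326'),
    ("dialup_user", '198.51.100.7 - - [12/Mar/1996:20:15:00 +0000] "GET /index.html HTTP/1.0" 200 2326'),
    ("dialup_user", '198.51.100.93 - - [13/Mar/1996:20:40:00 +0000] "GET /index.html HTTP/1.0" 304 -'),
    ("nobody", 'corrupted line written during a crash'),
]

def analyse(sample):
    people_by_ip = defaultdict(set)   # ip -> real people seen behind it
    ips_by_person = defaultdict(set)  # person -> IPs they appeared under
    skipped = 0
    for person, line in sample:
        m = CLF.match(line)
        if m is None:                 # malformed entries are counted, not guessed at
            skipped += 1
            continue
        ip = m.group("host")
        people_by_ip[ip].add(person)
        ips_by_person[person].add(ip)
    return {
        "visitors_reported": len(people_by_ip),   # what an IP-based report shows
        "visitors_actual": len(ips_by_person),    # knowable only from the labels
        "shared_ips": sorted(ip for ip, p in people_by_ip.items() if len(p) > 1),
        "split_people": sorted(p for p, i in ips_by_person.items() if len(i) > 1),
        "skipped_lines": skipped,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The campus address hides three people behind one "visitor", while the returning dial-up user is counted as two.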
The Cookie: A Small File That Changed Everything
In 1994, a Netscape engineer named Lou Montulli invented the HTTP cookie, originally to solve a shopping basket problem. If a user added items to a cart on one page, the server had no way to remember that on the next page; the web was stateless by design. A small file stored on the user’s machine, passed back and forth with each request, solved this elegantly. We have a whole separate piece on how cookies were invented, but the critical point here is what happened next.
Advertisers noticed the cookie almost immediately. If a single advertising network served banners on multiple websites, it could drop one cookie and read it across every site it appeared on. Suddenly you could track a user from a news site to a sports site to a shopping site, building a profile of their interests without them ever knowing. By 1996, DoubleClick had turned this insight into a business model. Third-party tracking cookies had arrived, and the web would never be the same.
The first public outcry came in 1996, when a Financial Times journalist revealed that websites were storing information on users’ machines without consent. Most people had no idea. The browser makers added cookie warnings, then cookie controls, then options to block third-party cookies. None of it stuck in any meaningful way. The defaults always favoured the trackers.

The Rise of Data Brokers and Behavioural Profiling
Through the late 1990s and into the 2000s, the tracking ecosystem grew more elaborate. Web beacons appeared: tiny invisible images, often a single pixel, embedded in pages and emails. When your mail client loaded that pixel, the sender’s server logged that you had opened the message, noted your IP address, and recorded the time. Email marketers adopted this almost universally. Many still use it today.
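From the recipient's side, beacons of this kind can be spotted before a message is rendered. The following is an added example, not code from any mail client or vendor: a heuristic scanner that flags remote images too small or too hidden to be content. The message body and host names are constructed, and the size and CSS rules are assumptions about what counts as "invisible".

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)   # width/height attribute of 0 or 1
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_CSS = re.compile(r"(?:^|;)\s*(?:width|height)\s*:\s*[01]px", re.I)

class BeaconFinder(HTMLParser):
    """Collects remote <img> tags that are too small or too hidden to be content."""
    def __init__(self):
        super().__init__()
        self.findings = []   # list of (host, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return           # cid: and data: images never contact a server
        style = a.get("style", "")
        if TINY.match(a.get("width", "")) and TINY.match(a.get("height", "")):
            reason = "1x1 or smaller"
        elif HIDDEN_CSS.search(style):
            reason = "hidden by CSS"
        elif TINY_CSS.search(style):
            reason = "tiny via CSS"
        else:
            return           # ordinary visible image
        self.findings.append((url.hostname, reason))

def find_beacons(html):
    finder = BeaconFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed message body; the hosts are reserved example domains.
SAMPLE_EMAIL = """
<p>Spring offers inside!</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://track.mailer.example/o.gif?u=PLACEHOLDER" width="1" height="1">
<img src="http://stats.mailer.example/p" style="display:none">
<img src="cid:logo@shop.example" width="1" height="1">
"""
```

A normally sized image can log an open just as well, so a scanner like this only catches the obvious cases; not fetching remote images at all is the reliable control.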
Alongside this, an entire industry of data brokers quietly emerged. These companies collected information from loyalty card schemes, electoral rolls, public records, magazine subscriptions, and, increasingly, online behaviour. Acxiom, Experian, and Equifax were among the largest; all three have had significant operations in the UK. By the mid-2000s, a single data broker might hold hundreds of data points on millions of British consumers: their rough income, home ownership status, family composition, purchasing habits, political leanings. None of this had been explicitly consented to. It had simply been inferred, compiled, and sold.
The social media era accelerated everything. When Facebook launched its social plugins in 2010, the Like button appeared on millions of external websites. If you were logged into Facebook and visited any of those sites, Facebook knew. You had not clicked anything. You had not agreed to anything. Your browsing history was simply being harvested as a side effect of a button designed to make sharing feel frictionless.
Fingerprinting: Tracking Without Cookies
As browsers slowly improved their cookie controls and users grew (marginally) more privacy-aware, the tracking industry adapted. Browser fingerprinting emerged as a remarkably effective alternative. By querying dozens of browser properties simultaneously, including screen resolution, installed fonts, time zone, graphics card details, and browser version, a tracker can generate a near-unique identifier for your device without storing anything at all. No cookie is set. Nothing is written to your machine. You cannot clear it, because there is nothing to clear.
Research published by the Electronic Frontier Foundation found that over 80% of browsers could be uniquely identified through fingerprinting alone. Techniques like canvas fingerprinting, which renders an invisible image and reads the minute hardware-dependent variations in how your browser draws it, refined this further. The history of online privacy is, in many ways, the history of this cat-and-mouse game: users and regulators close one door, and the tracking industry quietly opens another.
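Why a handful of individually common properties adds up to a near-unique identifier is easier to see with numbers. This added example is not the EFF's methodology or code: it takes a constructed population of eight browsers with invented attribute values, computes the entropy of each attribute alone, and then the share of browsers that become unique as attributes are combined.

```python
import math
from collections import Counter

# Constructed population of eight browsers; every value here is invented.
ATTRS = ("screen", "timezone", "fonts", "gpu")
POPULATION = [
    ("1920x1080", "Europe/London", "fontset-A", "gpu-1"),
    ("1920x1080", "Europe/London", "fontset-A", "gpu-2"),
    ("1920x1080", "Europe/London", "fontset-B", "gpu-1"),
    ("1920x1080", "Europe/Paris",  "fontset-A", "gpu-1"),
    ("1366x768",  "Europe/London", "fontset-A", "gpu-1"),
    ("1366x768",  "Europe/London", "fontset-B", "gpu-2"),
    ("1366x768",  "Europe/Paris",  "fontset-B", "gpu-1"),
    ("1920x1080", "Europe/London", "fontset-A", "gpu-1"),
]

def entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def unique_fraction(population, columns):
    """Share of browsers whose combination of the given columns is seen once."""
    keys = [tuple(row[i] for i in columns) for row in population]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys)

def report(population=POPULATION):
    # Entropy of each attribute taken on its own.
    per_attr = {name: round(entropy_bits([r[i] for r in population]), 3)
                for i, name in enumerate(ATTRS)}
    # Unique share using the first 1, 2, 3, then all 4 attributes together.
    growth = [unique_fraction(population, range(k + 1)) for k in range(len(ATTRS))]
    return per_attr, growth

if __name__ == "__main__":
    per_attr, growth = report()
    print(per_attr)
    print(growth)
```

No single attribute carries even one bit here, yet three quarters of the sample is unique once all four are combined. Reducing the variation a browser exposes in these attributes is what shrinks that share.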
GDPR and the Regulatory Backlash
The regulatory response was slow to arrive, but when it did, it arrived with considerable force. The General Data Protection Regulation, which came into effect across the EU and, at that point, the UK on 25 May 2018, was the most significant overhaul of data protection law in a generation. It established explicit consent as the legal basis for processing personal data, granted individuals the right to access and delete their data, and introduced fines of up to 4% of global annual turnover for serious breaches.
In the UK, the GDPR was absorbed into domestic law through the Data Protection Act 2018 and is now administered by the Information Commissioner’s Office (ICO). Since Brexit, the UK operates under what is effectively a tailored version of the regulation, though substantial alignment with EU standards has been maintained. The cookie consent banners that now carpet every website you visit are a direct consequence of this legislation: a blunt, often poorly implemented, but legally required acknowledgement that tracking requires permission.
Enforcement has been uneven. Google was fined 150 million euros by French regulators in 2022 for making cookie rejection deliberately difficult. British regulators have issued their own notices and investigations. The advertising industry has lobbied extensively, argued that privacy and personalisation are incompatible, and proposed various technical alternatives, including Google’s ill-fated Privacy Sandbox initiative, which drew scepticism from regulators and publishers alike.
Where We Are Now
The history of online privacy traces a line from a university engineer’s server log to a global regulatory and commercial battleground. What began as a technical necessity became a surveillance architecture, then a business model worth more than many national economies, and finally a political question about who owns the record of your daily life.
The tools have changed beyond recognition. The underlying tension has not. Every advance in tracking has eventually met resistance, from the first cookie warnings in 1996 to the GDPR consent banners of today. Whether the next generation of privacy-preserving technologies will genuinely shift power back to users, or simply relocate the data collection to somewhere less visible, remains one of the more important unresolved questions of our digital age.
Frequently Asked Questions
When did online tracking first begin?
Online tracking in its simplest form began with server log files in the early 1990s, which recorded IP addresses and page requests. Third-party tracking cookies, which could follow users across multiple websites, emerged from around 1996 onwards when advertising networks like DoubleClick began exploiting the technology.
What is browser fingerprinting and how does it work?
Browser fingerprinting identifies your device by querying dozens of technical properties simultaneously, such as screen resolution, installed fonts, and graphics card details, to generate a near-unique identifier. Because nothing is stored on your machine, it cannot be cleared like a cookie and is considerably harder for users to block.
What did GDPR actually change about online privacy in the UK?
The GDPR, absorbed into UK law through the Data Protection Act 2018, requires explicit user consent before personal data can be collected for tracking purposes, and gives individuals rights to access or delete their data. It is enforced in the UK by the Information Commissioner’s Office, which can issue fines for serious breaches.
What are data brokers and are they legal in the UK?
Data brokers are companies that collect, compile, and sell detailed profiles on individuals, drawing on public records, loyalty schemes, online behaviour, and other sources. They are legal in the UK but must comply with data protection law; individuals have the right to request what data is held about them and to ask for it to be deleted.
Why do websites still track you even after you reject cookie consent?
Some websites use non-cookie tracking methods such as browser fingerprinting, which do not require consent under current interpretations of the law, while others implement consent banners that are deliberately designed to make rejection difficult. Regulators including the ICO have acknowledged this problem and have issued enforcement action against the most egregious examples.
