Back to blog

How to Stop Apps and Websites From Tracking You 2026

Apps and websites track you through cookies, fingerprints, ad IDs, and your IP. Here is the layer-by-layer playbook to shut nearly all of it down in an afternoon.

Author
ProxyHorizon Team
Published
July 4, 2026
11 min read
Expert-Verified
How to Stop Apps and Websites From Tracking You [year]

Every app you open and every page you load is quietly reporting on you. Location pings, ad identifiers, cookies, fingerprints, analytics beacons — the average smartphone hosts dozens of trackers, and the average website loads even more before you've read the first paragraph.

The scale is hard to overstate. Studies have found that the average app shares data with multiple third parties, the data broker industry built on this collection is worth over $280 billion, and a single evening of browsing can trigger hundreds of tracking requests. None of it requires your meaningful consent — just your inattention.

The good news: you can shut most of it down in an afternoon. This guide walks through exactly how tracking works and how to stop it, layer by layer — browser, phone, network, and habits — so you keep the services you love while starving the surveillance machine behind them. It's the practical companion to our explainer on why online privacy matters more than ever.

How Apps and Websites Track You in the First Place

You can't block what you don't understand, so start with the mechanics. Tracking today is a stack of overlapping techniques, each designed to survive when another is blocked.

Tracking MethodWhere It LivesWhat It Collects
Third-party cookiesBrowserCross-site browsing history
Browser fingerprintingBrowser/deviceUnique device signature
Mobile ad IDsPhone OSCross-app activity profile
App permissionsPhone OSLocation, contacts, mic, camera
Analytics & pixelsApps and pagesClicks, views, session behavior
IP addressNetworkLocation, identity linkage

Notice the pattern: tracking happens at four layers — browser, device, network, and account. Blocking one layer while ignoring the rest just shifts the collection elsewhere, which is why this guide works through all four.

Concept illustration of a shield blocking tracking signals from a website and a smartphone
Every blocked tracker is data that never reaches a broker — and the blocking starts in your browser.

Step 1: Lock Down Your Browser

The browser is where most web tracking happens, and it's the fastest layer to fix. Start by blocking third-party cookies — the classic cross-site tracker. Every major browser has this setting, and our guide on whether to accept cookies explains which cookie types are safe to keep.

Next, install a reputable content blocker. A strong ad and tracker blocker removes analytics beacons, tracking pixels, and ad-network scripts before they load — the single highest-impact change most people can make in five minutes.

Finally, consider the browser itself. Defaults matter more than settings you'll never change, and browsers differ enormously here — Firefox blocks trackers out of the box while Chrome requires deliberate hardening. Our Chrome vs Firefox privacy comparison breaks down which foundation serves you better.

Step 2: Defeat Browser Fingerprinting

Blocking cookies is not enough, because modern trackers identify you by your device's unique configuration — screen size, fonts, GPU, time zone — a technique called browser fingerprinting. It works in incognito mode and survives every cookie purge.

To resist it, use a browser with built-in fingerprint protection (Firefox's resistFingerprinting, Brave's randomization), keep extensions minimal (each one makes you more unique), and avoid rare fonts or unusual configurations. Techniques like canvas and WebGL fingerprinting are the hardest to beat — for high-stakes anonymity, purpose-built anti-fingerprinting browsers are the only complete answer.

For most people, the goal is not perfect invisibility but blending in: a common browser, common settings, and active anti-fingerprinting features defeat the bulk of commercial tracking.

Step 3: Stop Your Phone's Apps From Tracking You

Apps track more aggressively than websites because the operating system hands them richer data. Three settings changes cut off most of it.

Kill the advertising identifier. On iPhone, enable "Ask App Not to Track" prompts and deny them by default (Settings → Privacy & Security → Tracking). On Android, delete your advertising ID entirely (Settings → Privacy → Ads). This single ID is what links your activity across every app you use.

Audit app permissions ruthlessly. Location, microphone, camera, and contacts should be granted only to apps that genuinely need them to function — and location should be "while using," never "always." A flashlight app does not need your contact list.

Prune what you don't use. Every installed app is a potential collector, even idle. Delete what you haven't opened in months, and prefer the web version of services whose apps demand excessive permissions.

Step 4: Hide Your Network Identity With a VPN

Everything above still leaves one identifier exposed: your IP address. Every site and app you connect to sees it, your ISP logs every domain you visit — even in incognito mode — and trackers use it to link your activity across devices on the same connection.

A trustworthy no-logs VPN fixes the network layer: it encrypts your traffic so your ISP can't log it, and replaces your IP so websites and apps can't use it as an identifier. Check what you're currently exposing with our free IP address tool, and for maximum-anonymity needs, see how VPNs compare to Tor.

Best VPNs for Blocking Trackers

A VPN only helps if the provider itself doesn't log you — and the best ones now block trackers and malicious domains at the network level, protecting every app on your device at once. These three are independently audited no-logs services. Compare more in our VPN directory.

1NordVPN

Countries:111+
Servers:6,400+
No-Logs:Yes
Devices:10 devices dev
Industry-leading speed with NordLynx protocol
Excellent security with audited no-logs policy
Massive server network across 111 countries
Advanced features like Threat Protection and Meshnet
Supports 10 simultaneous connections
Consistent unblocking of streaming services

Ideal as an all-rounder, NordVPN pairs audited no-logs policies with Threat Protection, which blocks trackers, ads, and malicious domains across your whole device — including inside apps, where browser extensions can't reach.

Fast servers keep the encryption invisible in daily use. For most people who want network-level tracker blocking without fuss, it's the dependable default.

2Proton VPN

Countries:91+
Servers:4,800+
No-Logs:Yes
Devices:10 devices dev
Best free VPN plan available (no data limits)
Fully open-source and independently audited
Swiss-based with strong legal privacy protection
Excellent security with Secure Core routing
No ads or tracking even on free plan
Built-in Tor support for maximum anonymity

Best for privacy purists, Proton VPN is open source, independently audited, and Swiss-based, with NetShield filtering that blocks trackers and malware at the DNS level. Its genuinely usable free tier makes it the easiest zero-risk start.

Secure Core routing adds protection against network surveillance. For users who want maximum trust in the provider itself, it sets the standard.

3Surfshark

Countries:100+
Servers:3,200+
No-Logs:Yes
Devices:Unlimited dev
Unlimited simultaneous connections
Extremely affordable long-term pricing
Feature-rich with CleanWeb, MultiHop, and more
RAM-only server infrastructure
Great streaming and torrenting performance
Independently audited no-logs policy

Best value for households, Surfshark allows unlimited simultaneous connections, so every phone, laptop, and tablet in the house gets CleanWeb tracker and ad blocking on one plan.

Audited no-logs policies and solid speeds despite the low price. For covering many devices affordably, it's the standout pick.

Step 5: Clean Up Your Accounts and Habits

The final layer is behavioral, because logged-in tracking defeats every technical control. When you browse while signed into a Google or social account, your activity ties directly to your real identity regardless of cookies or IP.

Turn off ad personalization in your Google, Meta, and other major accounts — the toggles exist, they're just buried. Review and delete stored activity history where offered. Sign out of accounts you don't actively need, or contain them in a separate browser profile so their tracking can't follow your general browsing.

Finally, share less on purpose. Every form field you skip, every optional permission you deny, and every account you don't create is data that never needs protecting.

How to See What Is Already Tracking You

Before and after you lock things down, it helps to measure. Both major phone platforms now ship a built-in audit trail that shows exactly which apps are collecting what — most people have simply never opened it.

On iPhone, enable the App Privacy Report (Settings → Privacy & Security → App Privacy Report). It logs every sensor access and every domain each app contacts, so you can see precisely which apps phone home to ad networks and how often. On Android, the Privacy Dashboard (Settings → Privacy) shows a timeline of which apps used your location, camera, and microphone in the last 24 hours — sudden accesses from apps you were not using are your cue to revoke.

In the browser, your content blocker’s counter tells the story per site: open a few pages you visit daily and note how many trackers it stops. Store privacy labels — Apple’s App Store privacy cards and Google Play’s data-safety section — also reveal what an app declares it collects before you install it, which makes them a useful pre-install filter rather than an afterthought.

These tools turn tracking from an invisible abstraction into a concrete list you can act on. Run the audit once before applying this guide and once after, and the difference — hundreds of contacts dropping to a handful — is the clearest proof your defenses are working.

Mind-map of the four anti-tracking layers: browser, phone, network, and accounts
The four layers of anti-tracking defense — each stops what the others miss.

Which Protection Stops Which Tracking?

Here's the full defense map — match each layer you've secured against what it actually stops.

ProtectionStopsDoes NOT Stop
Third-party cookie blockingCross-site cookie trackingFingerprinting, IP tracking
Content/tracker blockerPixels, beacons, ad scriptsIn-app tracking, IP exposure
Anti-fingerprinting browserDevice-signature trackingLogged-in tracking
Ad-ID reset / ATT denialCross-app profilingPermissions you granted
No-logs VPNIP tracking, ISP loggingCookies, fingerprints, logins
Signed-out browsingAccount-linked trackingNetwork-level collection

No single tool covers everything — that's by design on the trackers' side. But the layers above overlap enough that together they block the overwhelming majority of commercial surveillance.

Common Mistakes That Keep You Trackable

Most people who "did everything" and still see eerily targeted ads made one of these five errors.

1Trusting Incognito Mode to Stop Tracking

Private browsing only prevents your own browser from saving history — websites still see your IP, your fingerprint still identifies your device, and your ISP still logs every domain. Treat incognito as a clean local slate, never as anti-tracking. The network and fingerprint layers need their own tools.

2Blocking Cookies but Staying Logged In

If you're signed into a platform while browsing, it doesn't need cookies to track you — your account is the tracker. Blocking third-party cookies while staying logged into Google or Meta everywhere is fighting with one hand tied. Sign out or isolate those accounts in a separate browser profile.

3Granting "Always" Location to Convenience Apps

Weather, shopping, and delivery apps routinely request always-on location they don't need. Each grant is a continuous location diary sold onward to brokers. Set location to "while using" at most, and deny it entirely to apps whose core function doesn't require it.

4Using a Free VPN That Sells Your Data

A VPN routes all your traffic through its provider, so an untrustworthy one is a tracker with root access. Many free VPNs monetize by logging and selling exactly the browsing data you're trying to hide. Use only independently audited no-logs providers — a legitimate free tier from an audited provider is fine; a mystery free VPN is not.

5Doing It Once and Never Again

Apps re-request permissions after updates, new accounts default to personalization on, and trackers evolve around blocks. Privacy is maintenance, not a one-time setup. Re-audit permissions and settings every few months, and treat each new app install as a fresh decision.

Best Practices for Staying Untracked

  • Layer your defenses — cookie blocking + tracker blocker + anti-fingerprinting + VPN together cover what each misses alone.
  • Deny by default — reject tracking prompts, skip optional fields, and grant permissions only when a feature actually breaks without them.
  • Isolate your identities — keep logged-in accounts in one browser profile and general browsing in another.
  • Prefer private-by-default tools — a privacy browser and audited VPN protect you even when you forget to think about it.
  • Verify, don't assume — check your exposure with our IP tool, and compare protection options in our side-by-side comparison tool.

Frequently Asked Questions

Complete invisibility is unrealistic for anyone using normal apps and services, but you can block the overwhelming majority of commercial tracking. Layered defenses — third-party cookie blocking, a tracker-blocking extension, anti-fingerprinting settings, a reset or denied mobile ad ID, tight app permissions, and a no-logs VPN — each close a different channel. What remains is mostly first-party analytics on services you deliberately use while logged in. For most people, that trade-off is the practical definition of stopping tracking.
Yes, meaningfully. Denying the App Tracking Transparency prompt blocks the app’s access to your device’s advertising identifier and, by policy, forbids linking your data with third-party sources for advertising. It is not absolute — apps can still fingerprint devices or track you within their own service — but studies showed ad-tracking data flows dropped sharply after Apple introduced it. Deny the prompt by default, and pair it with tight permissions for the strongest effect on iOS.
If you only do one thing, install a reputable tracker-blocking extension in a browser with third-party cookies disabled — it removes the pixels, beacons, and ad scripts responsible for most everyday web tracking in one stroke. The close second is denying app tracking prompts and deleting your mobile advertising ID, which breaks cross-app profiling on your phone. Both take minutes. From there, a no-logs VPN closes the network layer, which nothing browser-side can reach.
They can, through browser fingerprinting — combining your screen size, fonts, GPU, time zone, and dozens of other signals into a unique device signature that needs no cookie at all. Fingerprinting survives incognito mode and cookie purges, which is why cookie blocking alone is insufficient. To resist it, use a browser with built-in fingerprint protection, keep your configuration common rather than exotic, and minimize extensions. Sites can also track you by IP address unless you mask it with a VPN.
A VPN stops network-level tracking: it hides your IP address so it can’t be used as an identifier, and it encrypts traffic so your ISP can’t log the services you use. Several VPNs also block known tracker domains device-wide, which reaches inside apps where browser extensions can’t. What a VPN cannot do is stop an app you’re logged into from recording your in-app activity, or override permissions you granted. Think of it as one essential layer — the network one — not a complete shield.
Usually one of three reasons. First, logged-in tracking: platforms you sign into track you through your account, no cookies needed. Second, fingerprinting: your device signature may still identify you if your browser doesn’t resist it. Third, historical data: ad systems keep profiles built before you locked things down, and it takes time for their signals to decay. Sign out or isolate accounts, enable anti-fingerprinting, turn off ad personalization inside your Google and Meta settings, and the targeting fades over weeks.
They overlap heavily but aren’t identical. Ad blockers focus on removing visible advertisements; tracker blockers focus on stopping the invisible analytics scripts, pixels, and beacons that report your behavior — many of which load with no visible ad at all. The best modern blockers do both from shared filter lists. For privacy purposes, make sure whatever you install explicitly blocks trackers, not just ads, and prefer well-audited, open-source options over unknown extensions that could themselves collect data.
Yes. The advertising ID is the single identifier that lets different apps link their data about you into one cross-app profile, and Android lets you delete it outright under Settings, then Privacy, then Ads. Once deleted, apps see only a string of zeros. This is stronger than merely resetting it, which just starts a fresh profile. Combined with denying unnecessary permissions and pruning unused apps, it removes the backbone of mobile ad tracking with no loss of functionality.
Tracking isn’t just about secrets — the profiles built from your data are used to set prices you see, decide which offers and information reach you, and can surface in contexts you never agreed to, from insurance to employment screening. Breaches also leak broker databases regularly, turning harmless data into fraud material. The setup in this guide takes an afternoon, costs little or nothing, and doesn’t degrade daily browsing — inexpensive insurance for control over your own information.

Conclusion: Privacy Is a Stack, Not a Switch

Stopping apps and websites from tracking you isn't one setting — it's four layers working together. Lock down the browser, cut off your phone's ad identity, mask your network with a trustworthy VPN, and keep your logged-in accounts contained. Each layer stops what the others can't.

Start with the five-minute wins: block third-party cookies, install a tracker blocker, and deny app tracking prompts. Then work through permissions, fingerprinting, and the network layer as time allows. An afternoon of setup starves years of collection.

Ready to close the network layer? Pick an audited no-logs provider from our VPN directory, and keep building your defenses with our guides on handling cookie banners and understanding browser fingerprinting.