Have you ever searched for something on Amazon, only to notice dozens of ads for that very thing all over Facebook? Or perhaps you started shopping online somewhere, decided to not complete your purchase, then got an email from that site telling you there are still items in your cart. Or maybe you bought something at the grocery store, only to see that item you purchased advertised to you on Facebook that day.

We’re all concerned about our privacy on the web to some extent – some of us more than others. It’s easy to feel like big businesses are invading our personal lives when we can’t even go to the store and buy something without Google or Facebook keeping tabs on it.

With privacy being a big proponent of keeping the web free and open, why do businesses like Facebook want to know what we’re doing when we’re NOT using Facebook? Simple: retargeting and remarketing

What is “retargeting”?

Retargeting is a way to get users of a particular website or app to do something after leaving the app or website. In other words, you browse Amazon for something, leave the website, but then see Amazon ads for that thing you were looking for on Facebook.

The “goal” here is to keep you engaged with Amazon regardless of where you are on the web. In this case, Amazon pays Facebook for its retargeting.

What is “remarketing”?

Remarketing is similar in principle: engage with the users who have left your website or app. However, the goal with remarketing is almost exclusively executed via e-mail; in other words, you’ve already engaged with the company in such a way that you would be willing to share your e-mail address, and have agreed to receive email communications from the company.

These are the scenarios where you’ve joined Amazon, and they send you “Recommended products” via e-mail, or you’ve joined Facebook and they send you friend suggestions and recent posts to your inbox. It could even be that you signed up for an online newsletter.

What is the difference between “retargeting” and “remarketing”?

Aside from the fact that one is via email, and the other is on other websites, the primary difference is how this is all accomplished.

With remarketing, you’ve typically agreed to receive communication from the company, and you’ve provided them your e-mail. Sometimes, you don’t even realize you’ve agreed to it.

You know those “I’ve read and agree to the terms of service” and “I’d like to receive updates and discounts from XYZ company” checkboxes you probably overlook thinking, “Well, I can’t really join if I don’t agree, so…agree.” Yeah, those.

Those boxes are usually automatically checked, and are designed to be somewhat less noticeable than other parts of a registration form. Statistically, fewer people are likely to uncheck something that’s already checked than those who are willing to check a box that’s unchecked. In other words, businesses know that, in the moment, you’re less likely to opt-out in the process of registration.

But at the end of the day, from a purely legal standpoint, you agreed to it.

However, with retargeting, you don’t have a say in the matter. Well, for the most part anyway.

You do not need to agree to be included in retargeting campaigns

From a purely legal standpoint, the websites you visit do not belong to you; they belong to the businesses that run them. They’re there for you to access, but you don’t control or have a say in what that company publishes on their website.

So, a company has the right to place retargeting ads on their site in order to make a profit. The idea behind retargeting is to serve you ads that are relative to your online (and sometimes offline) behavior, making it more likely for you to click on them. And if you do click on them, the website gets a cut of the profits, the retargeting service gets a cut, and the company being advertised is one step closer to getting you to buy.

Now, this is a bit of a generalization, because different countries have different privacy laws and are required to notify you that they use cookies for those specific purposes. However, the sites that do notify you tell you that “buy visiting this website, you agree to our use of cookies”. Meaning, if you don’t want to be served retargeting ads, don’t go to that website.

Sounds scary, right? That someone can track what you do on all these different websites in order to serve you ads?

Don’t get too freaked out; it’s important to understand how it all works.

How does retargeting work?

For this example, let’s pretend you’re a business interested in retargeting, and that you decided to go to Facebook for their retargeting services. (Do note that this is an example and purely hypothetical and based on my own experiences dealing with remarketing and retargeting tools.)

A couple things will happen:

Before you’ve even done anything, Facebook has a cookie on all its users devices. This cookie is basically a random string of numbers and letters used as a unique, anonymous identifier that represents you. It doesn’t contain any actual information about you, but it can be tied to you through Facebook’s backend processes.

You’re going to send user activity to Facebook. Doing this is actually really easy – there’s a simple piece of code you’ll drop on every page of your website, often called a “tracking pixel.” This code points to functionality that is actually hosted by Facebook, on Facebook’s servers. That’s all you need to do (at least, that’s all you need to do to start tracking; there’s all kinds of demographic settings, budget, ad designs, etc., you’ll want to work on, but that’s beside the point).

Facebook’s pixel ties users’ activity to the unique ID. In other words, a when user visits your website, the pixel tells Facebook that “User we7rwe7retw99s8g visited this website”.

Facebook targets ads for your business to the user who matches that unique ID. Hence retargeting.

But this is just one of the several ways people use retargeting. Retargeting can stretch to offline activity – like shopping at your favorite grocery store.

You mean websites can track what I do even when I’m not online?!

You betcha, and it’s quite a complicated process. But I’ll try to simplify it.

You know how Safeway, CVS, and other stores have memberships? These memberships typically get you exclusive discounts, reward you for shopping, etc. However, there is a unique account ID for each one of these memberships, and you can bet that ID and the purchase history is sold to advertisers. Don’t believe me?

Ever hear of Datalogix? It’s a company acquired by Oracle back in 2014 that does just this – it buys purchase histories from grocery stores, then partners with advertisers and retargeting services – like Facebook – to share that purchase history anonymously and serve you ads based on what you’ve purchased. It can also be used to determine the influence of ads by detecting if you saw an item in an ad then decided to go out to the store to buy it.

Now, this isn’t a situation where Datalogix could outright tell someone what you’re buying. In fact, Datalogix claims to keep all the activity information anonymous. In fact, Facebook anonymizes your personal information (i.e, name and email) when communicating with Datalogix’s infrastructure.

At the end of the day, though, Facebook – and all other companies that partner with Datalogix – can theoretically see your offline purchase history. Realistically, in order to do that, it would take a ton of work and resources simply due to the vast number of Facebook users that exist, but it’s technically possible for Facebook to see what you buy offline.

And it doesn’t stop there.

Retargeting by IP

There are countless services that utilize IP for marketing. Demandbase is a tool used by businesses to determine what businesses visit a website. It ties public IP addresses to registered businesses by collecting data submitted to businesses that use their services. That’s just one example.

Sometimes, IP addresses are simply tied to user databases, or “customer relations management” systems. For example, if you use Facebook at home and at work, those public IP addresses from both locations can be tied to your account.

Many people fear that Facebook can use voice recognition to target specific ads to you, and as often as people think that’s happening, it’s probably not.

Recently, someone on Facebook mentioned they were having a conversation with someone in person, and they were talking about a specific website this person had never heard of. Several minutes later an ad for that website was on that persons Facebook feed. Creepy right? Well let’s put it into perspective.

Two people are talking in person – both have phones, both have Facebook, both are connected to the same Wifi network, and therefor share the same public IP address. One person in the conversation visits the website frequenty, the other does not. However, due to the activity being associated with the IP address – not just the user – just about anyone on that wifi connection could potentially see an ad for that website. Especially if their interests are generally similar.

Make sense?

Well, I don’t want anyone tracking my information like that!

Don’t worry – you have a way out…sort of. Datalogix allows you to opt out of being tracked by their service at all, while Facebook has its own opt out instructions.

But that’s just two out of millions of online services.

How do I keep my information private?

You’ll need to understand that when you access the web, it’s impossible to keep EVERYTHING entirely anonymous. Your activity is tracked, period. However, it’s possible minimize if not completely block the amount of information collected that can be used to identify you online.

1. Opt out of everything.

This will take some work. Go to the privacy policy of every website you frequently visit, and find the “opt out” section. If they don’t have one, but have an email or phone number, call and ask how you can opt out. If they offer no options, consider not visiting that website anymore.

Yes, this can take a long time, but most major businesses offer this kind of thing, so consider using it.

2. Get an Adblocker.

Most major browsers offer the use of extensions, and one extension you can download and use for free is an ad blocker. Most of them will not only block ads, but they’ll block tracking pixels, social sharing icons, and other marketing tactics that could be used to collect information about you. Note that usually not everything is blocked like this, so you’ll need to check the settings of your adblocker and enable the settings that best suit the level of privacy you require.

3. Join a VPN

There are many virtual private networks that can anonymize all your data. Believe it or not, your internet service provider (I’m talking the Comcasts and AT&T’s of the world) can track everything you do and see online. VPNs can anonymize your activity from them. However, they don’t block cookies, they don’t prevent you from willingly sharing your email with companies, and they don’t stop remarketing or retargeting entirely. They’re just one tool used to help keep personally identifiable information away from the Big Brother.

HideMyAss is a great one, but there are many out there. Do your research and find one that best suits your needs.

4. Be careful what you do and what you share

Read everything in every form you fill out, uncheck boxes you’re not comfortable with, and research alternatives that don’t guarantee a level of privacy you deserve. Snopes is one website I rarely visit because they refuse to let users read their content unless they allow ads and retargeting pixels to fire.

At the end of the day, the line is where you draw it.

Let’s step back for a moment and take a look at what this all really means.

When you shop at Safeway, do you permit them to know what you buy from them? What about where you parked your car? Or perhaps the different aisles you walked through and how much time you spent at the store? What about your credit card information?!?!

Well, in order for a grocer to run their business, they need to keep track of items you purchased. In order to issue refunds, they need to know your credit card number to verify the refund and add funds back to the card. Security cameras are all over the parking lot and throughout the store, so they know where you’ve walked, where you parked your car, and how much time you spent in the store. Oh, they also know your name, because it’s written on your card and kept with your receipt. Oh and God forbid you pay with a check, now they have your bank account and routing numbers. You have the option to opt-out of some of this by walking to the store, wearing a mask, and only paying with cash, but who’s really gonna do that?

All of this is “normal” stuff. We are just so used to it, we don’t pay attention. We allow big businesses to collect our information so we can automate parts of our lives we’d rather not pay attention to, so we can live our lives more conveniently. It’s frustrating not having enough cash to buy the things you need, so we use a debit or credit card.

Every transaction includes the transmission of data that can potentially be tied back to you. It’s up to you to participate in those transactions – on or offline.

In summary

We all need to be cautious; it’s unethical for a business to share personally identifiable information with a third party without my consent or knowledge. I do believe larger businesses like Facebook, Google, Datalogix, and the like should be more public and vocal about how they use our information, and be clear about what’s kept private.

It’s also up to me to set my own boundaries and take the necessary steps to ensure my data is kept private, and that the I choose to only interact with businesses who meet that standard.