AdTech and Privacy: How Digital Ads Track Indian Users
So you searched for running shoes once, and now every app on your phone is showing you sneaker ads. That's not coincidence. Here's the machinery behind digital ad tracking in India, and whether you can actually escape it.

— and that's the thing nobody tells you when they explain how internet ads work. They make it sound like this clean, simple exchange: websites need money, advertisers need eyeballs, so ads fill the gap. Fair enough. But between you opening a webpage and that ad appearing in the corner, something genuinely unnerving happens, and it takes less time than it took you to read this sentence.
Alright, let me back up. You know how you searched for running shoes on Amazon last Tuesday and then saw sneaker ads on Instagram, on Times of India's website, inside that free game your kid plays, even on a recipe blog? That wasn't coincidence. That was an industry worth over Rs 70,000 crore in India alone doing what it's designed to do. Let's break down the machinery, because once you see how it works, you can't unsee it.
The Millisecond Auction You Never Agreed To
Every time you load a webpage — any webpage with ads — a process called Real-Time Bidding (RTB) kicks off. Your browser sends a bid request to an ad exchange. That request contains information about you: your rough location (often down to your neighbourhood), what kind of phone or laptop you're using, which websites you've visited recently, sometimes your age bracket and gender (inferred from your browsing), and a unique identifier that ties all this together. This packet of personal data gets broadcast — broadcast, not sent to one company, but sprayed out — to potentially hundreds of advertisers, all of whom get a few milliseconds to decide whether you're worth bidding on. The highest bidder wins, their ad loads, and you never knew any of this happened.
A single person in India might trigger 500 to 600 of these auctions per day, depending on how much they browse and which apps they use. Each auction shares their data with dozens of companies. Over a month, that's your personal information being sent to thousands of entities you've never heard of. There's a report from the Irish Council for Civil Liberties that called RTB "the largest data breach ever recorded." That's not hyperbole — it's a description of a system that works exactly as intended.
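To make the contents of a bid request concrete, here is an added example (not part of the original article) that audits a constructed request for the personal fields described above. It assumes the exchange uses OpenRTB 2.x field names; every value is made up.

```python
import json

# Constructed sample bid request using OpenRTB 2.x field names (assumption:
# the exchange speaks OpenRTB). All values are invented for illustration.
SAMPLE_BID_REQUEST = json.dumps({
    "id": "auction-0001",
    "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
    "site": {"domain": "news.example",
             "page": "https://news.example/health/diabetes-diet"},
    "device": {
        "ua": "Mozilla/5.0 (Linux; Android 13) Mobile",
        "ip": "203.0.113.24",
        "ifa": "00000000-1111-2222-3333-444444444444",
        "os": "Android",
        "geo": {"lat": 19.076, "lon": 72.8777, "city": "Mumbai"},
    },
    "user": {"id": "exch-user-42", "yob": 1990, "gender": "F"},
})

# Dotted paths that identify or profile a person, and why they matter.
SENSITIVE_PATHS = {
    "device.ifa": "advertising ID (cross-app identifier)",
    "device.ip": "IP address",
    "device.ua": "user agent (fingerprinting input)",
    "device.geo.lat": "precise location",
    "device.geo.lon": "precise location",
    "user.id": "exchange user ID",
    "user.yob": "year of birth",
    "user.gender": "gender",
    "site.page": "page being read (interest signal)",
}

def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf in nested dicts and lists."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten(item, prefix)
    else:
        yield prefix, obj

def audit_bid_request(raw):
    """Return {path: (value, reason)} for personal data in a bid request."""
    return {path: (value, SENSITIVE_PATHS[path])
            for path, value in flatten(json.loads(raw))
            if path in SENSITIVE_PATHS}

if __name__ == "__main__":
    for path, (value, reason) in audit_bid_request(SAMPLE_BID_REQUEST).items():
        print(f"{path:16} {reason:38} {value}")
```
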
Cookies Were Just the Start
People have heard of cookies. There's been so much noise about cookie consent banners that most Indian internet users just click "Accept All" to make the popup go away — which is, of course, exactly what the banner was designed to achieve. But cookies are almost the least of your problems now. Let me walk you through the other mechanisms, because they're sneakier and harder to block.
Device fingerprinting is the one that bothers me most. Your browser leaks an absurd amount of information just by loading a page: screen resolution, installed fonts, graphics card model, browser version, operating system, time zone, language settings, even the way your hardware renders certain invisible graphics elements. Combine enough of these data points and you get a fingerprint that's unique to your device — maybe unique among millions. No cookies needed. You can clear your browsing data, use incognito mode, even switch browsers, and your fingerprint might still be the same because it's based on your hardware and system configuration, not anything stored locally.
A research group tested fingerprinting on Indian users in mid-2025 and found that over 92% of test subjects had unique fingerprints using just twelve browser attributes. The study wasn't huge — maybe 5,000 participants — but the point stands. Your browser is a nametag you can't take off.
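The combination effect can be measured. This added example (not taken from the study mentioned above) computes, over a constructed set of eight visitors, how the share of unique fingerprints grows as attributes are combined; the attribute names and values are assumptions.

```python
import math
from collections import Counter

# Constructed sample of eight visitors. Columns follow ATTRS, in the order a
# script would combine them. All values are illustrative assumptions.
ATTRS = ("timezone", "language", "screen", "os", "gpu")
VISITORS = [
    ("Asia/Kolkata", "en-IN", "1080x2400", "Android 13", "Adreno 610"),
    ("Asia/Kolkata", "en-IN", "1080x2400", "Android 13", "Mali-G57"),
    ("Asia/Kolkata", "en-IN", "1080x2400", "Android 12", "Adreno 610"),
    ("Asia/Kolkata", "en-IN", "720x1600", "Android 13", "Mali-G57"),
    ("Asia/Kolkata", "hi-IN", "1080x2400", "Android 13", "Adreno 610"),
    ("Asia/Kolkata", "hi-IN", "720x1600", "Android 12", "Mali-G57"),
    ("Asia/Kolkata", "en-IN", "1920x1080", "Windows 11", "Intel UHD"),
    ("Asia/Kolkata", "en-IN", "1920x1080", "Windows 11", "Intel UHD"),
]

def anonymity_sets(rows, n_attrs):
    """Count how many visitors share each combination of the first n_attrs."""
    return Counter(row[:n_attrs] for row in rows)

def unique_fraction(rows, n_attrs):
    """Share of visitors whose combination is shared with nobody else."""
    sets = anonymity_sets(rows, n_attrs)
    return sum(1 for row in rows if sets[row[:n_attrs]] == 1) / len(rows)

def surprisal_bits(rows, row, n_attrs):
    """Identifying information in bits: log2(population / anonymity-set size)."""
    sets = anonymity_sets(rows, n_attrs)
    return math.log2(len(rows) / sets[row[:n_attrs]])

if __name__ == "__main__":
    for n in range(1, len(ATTRS) + 1):
        share = unique_fraction(VISITORS, n)
        bits = surprisal_bits(VISITORS, VISITORS[0], n)
        print(f"{'+'.join(ATTRS[:n]):45} unique={share:.3f} "
              f"visitor0={bits:.2f} bits")
```

A shared time zone identifies nobody, but each added attribute splits the crowd further, which is why a user can shrink their fingerprint by presenting common, default values rather than rare ones.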
Mobile advertising IDs are another beast. On Android — which accounts for roughly 95% of smartphones in India — every device comes with a Google Advertising ID (GAID). It's a unique string that apps use to track you across different applications. You downloaded a game, a news app, and a shopping app, and all three share data with ad networks using your GAID as the common thread. Google lets you reset this ID, and as of Android 12 you can actually delete it entirely (Settings, Privacy, Ads, "Delete advertising ID"). But here's the catch — most apps also collect your device's IMEI, Android ID, MAC address, or other hardware identifiers as backups. Resetting the GAID just forces them to fall back on those. It's a bit like changing your name while keeping the same face.
How Indian Users Get Tracked Differently
There are tracking patterns in India that you won't read about in articles written for American or European audiences. The Indian digital ecosystem has its own quirks, and adtech companies know them well.
UPI apps are a big one. India processes over 14 billion UPI transactions a month as of early 2026. That's an unfathomable amount of financial data. The major UPI apps — PhonePe, Google Pay, Paytm — all have privacy policies that allow them to use transaction data for "improving services" and "personalised experiences," which is marketing language for ad targeting. They might not sell your raw transaction data to third parties (some likely don't), but they use it internally to build profiles. Bought medicine at Apollo Pharmacy via Google Pay? Google now has a data point suggesting you might be interested in health products. Paid a tutor through PhonePe? Edtech ads incoming.
Vernacular content platforms are another Indian-specific vector. Apps like Dailyhunt, Josh, ShareChat, and the dozens of regional news aggregators serving Hindi, Tamil, Telugu, Marathi, and other language audiences tend to be more aggressive with ad SDKs than their English-language counterparts. A 2025 audit of 50 popular Indian vernacular apps found an average of 11 third-party tracking SDKs per app. Some had over 20. The ads served on these platforms are often from lower-quality ad networks with even less transparency about data handling.
Then there's telecom-level tracking. This one's murkier and harder to pin down. Some Indian ISPs have historically injected tracking headers into HTTP traffic — unique identifiers added to your web requests before they leave the ISP's network. Jio, Airtel, and Vi have all faced allegations of this at various points. HTTPS traffic (which is most traffic these days) should be immune to header injection, but DNS queries — which reveal every site you visit — travel in plain text by default. Your ISP sees them all unless you've set up encrypted DNS, which most Indian users haven't. The ISPs can sell aggregated browsing patterns to advertisers, and their privacy policies generally allow it.
What Can You Actually Do About It
I want to be honest here: you can't fully escape adtech tracking without completely changing how you use the internet. You can reduce it, though. Significantly. Here's what works, in roughly descending order of impact.
Switch your browser to Firefox and set Enhanced Tracking Protection to Strict. Firefox blocks third-party cookies, fingerprinting scripts, cryptominers, and known tracking content by default in Strict mode. It won't catch everything, but it blocks more than Chrome, which is built by the world's largest advertising company and behaves accordingly. Install uBlock Origin alongside Firefox. It's not just an ad blocker — it blocks tracking scripts, malicious domains, and a bunch of other junk. The performance difference alone is noticeable; pages load faster when they're not trying to contact 40 ad servers simultaneously.
On your Android phone, delete your advertising ID. Go to Settings, then Privacy, then Ads, and choose "Delete advertising ID." Not all Android skins put this in the same place — Samsung buries it under a different menu — but it's there. On iOS, go to Settings, Privacy, Tracking, and toggle off "Allow Apps to Request to Track." Apple deserves credit for making this easy, even if their motivations are partly competitive.
Set up encrypted DNS on your phone and router. Android makes this easy: Settings, Network, Private DNS, and enter a provider like dns.quad9.net or one.one.one.one. This stops your ISP from seeing your DNS queries. Better yet, use NextDNS, which lets you create custom blocklists that filter out tracking domains at the DNS level. It's free for the first 300,000 queries per month, which is plenty for most people.
Be more careful about which apps you install. Every free app on your phone likely includes ad SDKs from companies like Facebook Audience Network, Google AdMob, InMobi, or MoPub. Each of those SDKs collects data independently. Fewer apps means fewer trackers. If an app is free and ad-supported, you're paying with your data — sometimes more than the paid version would have cost. Where a paid or open-source alternative exists, it's usually worth it. This is especially true for apps in categories where privacy matters most — health apps, period trackers, finance tools, note-taking apps. A free period tracking app with three ad SDKs knows intimate details about your menstrual cycle and is sharing that data with advertising networks. A paid or open-source alternative like Drip keeps the same data on your device and sends it nowhere.
Use a content blocker at the network level if you can. Pi-hole on a Raspberry Pi, or AdGuard Home, filters tracking domains for every device on your home Wi-Fi. This catches stuff that browser extensions miss — smart TV telemetry, app-level tracking, IoT device pings, even some in-app ads. Setup requires some comfort with networking, but there are step-by-step guides in Hindi and English on YouTube that'll walk you through the whole process in an afternoon. The investment is a Raspberry Pi (around Rs 4,000-5,000) and a couple of hours. After that, it runs silently on your network and blocks trackers for every device automatically, including devices that don't support browser extensions like smart TVs and IoT gadgets.
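Both the plaintext-DNS problem described under telecom-level tracking and the network-level filtering described here come down to the same thing: whoever handles an unencrypted DNS query can read the hostname in it. This added example (not code from Pi-hole, AdGuard Home or NextDNS) builds a standard query, recovers the hostname from the raw bytes, and applies a constructed blocklist; matching parent domains on label boundaries is an assumption about how the filter is configured.

```python
import struct

# Constructed blocklist of placeholder domains; real lists name known trackers.
BLOCKLIST = {"tracker.example", "ads.adnetwork.example"}

def build_query(hostname, txid=0x1234):
    """Encode a standard DNS A-record query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_qname(packet):
    """Recover the queried hostname from raw bytes, as any on-path device can."""
    labels, pos = [], 12  # the question section follows the 12-byte header
    while True:
        if pos >= len(packet):
            raise ValueError("truncated DNS question")
        length = packet[pos]
        if length == 0:
            break
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("invalid label in DNS question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower()

def is_blocked(hostname, blocklist=BLOCKLIST):
    """True if the hostname or any parent domain is listed (whole labels only)."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def filter_query(packet):
    """Decide what a DNS-level filter would do with one plaintext query."""
    name = read_qname(packet)
    return name, ("BLOCK" if is_blocked(name) else "ALLOW")

if __name__ == "__main__":
    for host in ("cdn.tracker.example", "nottracker.example", "news.example"):
        print(filter_query(build_query(host)))
```

With encrypted DNS the same query bytes travel inside TLS, so only the chosen resolver can run `read_qname` on them.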
The Consent Banner Problem
India doesn't have a cookie consent regime like Europe's GDPR. The DPDPA 2023 requires informed consent for data processing, but the implementing rules are still being finalised in early 2026, and how they'll apply to adtech specifically is anyone's guess. What we have right now is a patchwork: some Indian websites show consent banners because they serve European users and need GDPR compliance; most don't bother at all.
The banners that do exist are textbook dark patterns. The "Accept All" button is bright and prominent. The "Manage Preferences" link is small, grey, and leads to a maze of toggles that default to "on." Rejecting all tracking often requires 15 clicks and knowledge of what phrases like "legitimate interest" mean. Nobody does this. The system is designed to extract consent, not inform users, and it works beautifully at that job.
Some privacy advocates are hoping that when the DPDPA rules finally land, they'll include specific guidance on consent design that eliminates these manipulative patterns. I'd like to believe that too. I'm genuinely not sure it'll happen, though. The adtech industry has a lot of money and a lot of lobbying power, and "purpose limitation" and "meaningful consent" are concepts that, if enforced strictly, would break most of the digital advertising ecosystem in India. Whether any regulator is willing to pick that fight is an open question — one I don't think anyone can confidently answer right now.
The Scale of What's Being Built About You
Here's something that might make this more concrete. A data broker — one of the companies that aggregates and sells user profiles — typically has between 1,500 and 3,000 data points on each individual in their database. That's not an exaggeration; it comes from FTC investigations into American data brokers, and the Indian market operates with many of the same players. Those data points include things you'd expect (age, location, device type) and things you wouldn't (estimated income bracket, likelihood of having a chronic illness, whether you're a "heavy spender" or "budget conscious," your probable political affiliation based on media consumption, whether you've recently been searching for divorce lawyers or fertility clinics).
In India, the data broker ecosystem is less documented than in the US or Europe, partly because we don't have the equivalent of GDPR's transparency requirements that forced some of this into the open. But the underlying machinery is global. Ad exchanges like Google's and Meta's operate in India exactly as they do elsewhere. The same tracking SDKs embedded in American apps are in Indian apps. InMobi, one of India's largest adtech companies, operates a demand-side platform that serves ads based on behavioural profiles across thousands of apps — it's right here, homegrown, doing exactly what the global adtech giants do.
The aggregation is what makes this so powerful and so invasive. Any single data point — you visited a health website, you bought running shoes, you're in Mumbai — is relatively harmless on its own. But when thousands of data points are combined across your browsing history, app usage, purchase behaviour, and location patterns over months or years, the resulting profile is startlingly intimate. It can predict things about you that you haven't told anyone: a health condition you're researching, a financial difficulty you're experiencing, a relationship that's in trouble. These predictions aren't always accurate — they probably aren't, honestly — but they're accurate enough for advertisers to bid on, and they're stored in databases you can't access, audit, or delete.
Can You Opt Out Entirely?
No. Not without completely changing how you use the internet. And I think being honest about that is better than pretending the tools I've described above make you invisible. They don't. Firefox with uBlock Origin blocks a lot. Encrypted DNS prevents your ISP from logging your queries. Deleting your advertising ID removes one tracking vector. But fingerprinting still works. First-party tracking (where the website itself, not a third party, collects data) isn't blocked by most tools. And if you use any Google or Meta service — Gmail, YouTube, Instagram, WhatsApp — those companies have enough first-party data to build detailed profiles without any third-party tracking at all.
The realistic goal isn't invisibility. It's raising the cost and reducing the accuracy of tracking. Every layer of defence you add makes your profile less complete, less precise, and less valuable to advertisers. Going from "completely exposed" to "partially obscured" is a meaningful improvement, even if it's not perfect. Think of it like locking your front door: a determined burglar can still break in, but the lock stops the opportunists, and most threats are opportunistic.
What I do know is this: the gap between how tracking works and how much Indian users understand about it is enormous. Most people I talk to still think ads are targeted based on what they search for, full stop. They don't know about RTB auctions, fingerprinting, cross-app ID linking, or ISP-level data collection. Closing that knowledge gap won't fix the system, but it might change what people demand from the companies and regulators who could. And honestly, whether that's enough... I can't tell you. The adtech industry has survived every privacy regulation thrown at it so far. GDPR slowed it down in Europe, briefly. It adapted. Apple's App Tracking Transparency hurt Meta's revenue for a quarter. It adapted. The machinery is resilient, well-funded, and deeply embedded in how the internet pays for itself. Whether Indian users and Indian regulators can meaningfully push back against something this entrenched is genuinely uncertain, and I'd be lying if I told you I knew which way it'll go.
Written by
Amit Patel
Tech Security Writer
Amit Patel is a technology journalist and security researcher who covers mobile security, app privacy, and emerging threats targeting Indian users. He previously worked with leading Indian tech publications before joining PrivacyTechIndia.


