Public concern over web tracking is higher than ever. That concern has been mounting for well over a decade, but we’re no better off now than we were then — pervasive tracking and unbridled data collection is still the lay of the land all these years later. Websites and apps deploy trackers that follow us all over the web and share the information they collect with third parties. Our ISPs collect hordes of data every time we go online, then sell it off to the highest bidder.

As a result, consumers are increasingly turning to virtual private networks to help them evade these tracking practices. But what can you do when it’s the VPNs themselves that are doing the tracking? As with any app or online service, it’s important to do your research and make sure you choose a provider that actually takes your privacy seriously. Just because a VPN company boldly states that it cares about your privacy doesn’t mean it’s true.

VPNs are supposed to protect your privacy online and help you fight back against the machine hell-bent on exploiting your data for its own gain. And gaining privacy from tracking is one of the main reasons you should seek the help of a VPN. But it can be difficult to sort through the various ways VPNs might track you. Here’s what to know about the different trackers VPNs use, and how they separate the best VPNs from the ones you should avoid.

First-party trackers vs. third-party trackers

Not all trackers are the same. For example, there’s a crucial difference between first-party and third-party trackers. There’s a similarly vital distinction between trackers used on a VPN’s website versus the ones inside a VPN’s app. In both cases, the second option will have much greater implications on your privacy than the former.

First-party trackers, also known as cookies, are used and stored by the websites you visit. They’re used for things like remembering your preferences, geographic region, language settings and what you put in your shopping cart. They’re also used by website administrators to collect data as you visit their sites, helping them better understand your behavior and figure out what will keep you on their site longer and buying more of their products and services.

Basically, first-party trackers are there to provide you with a smoother experience as you visit the websites you frequent. It would be annoying to have to set all your preferences each and every time you visit a site and to have to re-add each individual item to your shopping cart every time you click away from your cart.

A VPN company may use first-party trackers on its website to save your settings, display account-specific information after you log in and see what marketing channel brought you to its site.

Third-party trackers are different in that they are created by entities other than the site you’re visiting. After a site puts these trackers on your computer via your browser, they follow you across the websites you visit. They are injected into a website using a tag or a script and are accessible on any site that loads the third-party’s tracking code. But the big difference is that they’re used to track your online behavior and make money from you, rather than improve your online experience.

In simpler terms, third-party trackers exist to help companies bombard you with targeted advertisements based on your online browsing activity. Targeted advertising is big business, and there are mountains of cash to be made at the expense of your digital privacy.

That said, Apple and Google have begun shifting their policies regarding the use of third-party trackers in their respective mobile app marketplaces and have provided users more transparency and a much greater element of control when it comes to restricting how apps are able to track them. Google even proposed a solution to eliminating the use of third-party trackers altogether. That proposal, however, turned out to be a failure after people began pointing out the ways in which Google’s proposed alternative would make it even easier for the company to track and identify you for targeted advertising. Google was forced back to the drawing board and ended up shelving the idea for at least two years. Still, the industry is slowly showing signs of progress.

If a VPN company is using third-party trackers on its website for marketing purposes or to enhance your experience on the site itself, the tracking is easy to block in most cases. But when a VPN tracks you on its app, the alarm bells should start going off. In-app trackers should make you seriously concerned about what that VPN is really up to (Spoiler: It’s to make money from sharing your data) and should ultimately steer you away from that VPN altogether.

Why would VPN companies need to track you through their apps?

Simple answer: They don’t. Their apps would function just as well for you whether they tracked you or not.

But many VPN companies will employ trackers in their apps regardless of how much they say they care about your privacy. Those VPNs put users’ privacy at risk so they can make as much money as possible. And what some of these VPN apps track and share with third parties is actually quite alarming. This is the biggest reason we advise you to avoid using free VPNs.

What data is being collected by these trackers and who is it shared with?

The scope of data collection will vary greatly from one VPN to another, and will differ in terms of whether the trackers are being deployed on the VPN’s website or within the app itself. But let’s focus on trackers embedded within VPN apps themselves.

There are VPN apps out there that will track and share things like your user ID, device or advertising ID, usage data and even your location. They track this information just to sell it on to third parties for targeted advertising purposes, making money at the expense of your digital privacy. Any VPN engaging in such activity should be avoided at all costs.

When we say your data is being shared with third-party entities, we mean entities like data brokers and advertisers that put profits ahead of ethics. That information is also being shared with sites like Google and Facebook, meaning that even if you don’t have a Facebook account and you’re doing your best to stay away from big tech data hogs, your data is still being shared with them.

Unfortunately, far too many VPN apps will track and share your data with all kinds of third parties. That’s why it’s crucial to scrutinize the data sharing practices of any VPN you’re considering. (We do this as part of our review process and thoroughly vet a VPN’s data policies before we recommend it to anyone.)

The concern is real

VPNs are often quick to claim that the data they’re tracking and sharing with third parties is anonymized and not identifiable or tied to your personal information. That sounds great, but something like a device ID can still be used to identify you personally when other data points tied to your online behavior and interactions with the app are matched to that ID. It doesn’t actually take that much to connect the dots and identify you online.

Researchers have shown that 99.98% of users could be re-identified in any anonymized dataset using only 15 data points. The more data points an app is collecting about you, the easier it is for others to identify you online, even if the data being collected isn’t necessarily personally identifiable information.

Find out what data they’re collecting and tracking

Luckily, it’s becoming easier and easier to see what VPN companies are collecting and tracking when you use their apps. For one, reputable VPNs are getting increasingly transparent about what data they collect and what kinds of trackers they may or may not be implementing on their sites and apps. VPNs know that their reputations rely on actually walking the walk when it comes to protecting user privacy. So transparency is key.

On top of that, since Apple introduced its App Tracking Transparency functionality in its App Store, you now have a much clearer picture of any application’s tracking practices. You can now see if any app you’re looking to download wants to track you and share your data with third parties and you can easily deny those permissions. Google introduced similar functionality with its recent Android 12 release.

In addition to scrutinizing a VPN app’s tracking practices, you’ll want to scour its privacy policy to see what kinds of trackers it uses, what data it collects and who it shares that data with. If you notice that a provider you’re looking at is sharing user data with an abundance of third parties, or if the provider isn’t up front or totally transparent about its practices, then it’s best to move along and find something else.

When you do your research, you’ll see that the best VPNs don’t resort to such unscrupulous tracking practices. Part of our review process includes vetting the data collection practices of each provider. Though the VPNs we recommend, like Surfshark, NordVPN and ExpressVPN, may collect certain types of connection data when you use their apps, they don’t deploy in-app trackers.

While these VPNs may deploy cookies on their websites, they’re transparent about exactly what those cookies are there for and how they help improve website functionality and aid in advertising their services across the web. Their third-party trackers can also be blocked via your browser settings.

Always check a VPN’s privacy policies, and their apps in the App Store and the Play Store to learn more about the trackers they deploy on their websites and apps. The important thing to keep in mind here is that the apps of our recommended VPNs will not track you like the apps of some other less-than-trustworthy VPNs.

How to fight back against tracking

If you don’t want your VPN app to track you, you’ll want to take a few precautions.

With Apple’s App Tracking Transparency in place, iOS apps have to get your explicit permission before they are able to track you. If you deny that permission, the app developer won’t have access to your device’s advertising ID and won’t be able to track you or share that ID with third parties.

You can even deny any and all apps on your iOS device from even asking you if they can track you in the first place. All you’d need to do is head over to your settings menu and disable tracking. Similarly, if you’re an Android user, you can manage your app permissions to limit tracking on an app-by-app basis by navigating to your Privacy Dashboard.

Keep in mind that even if you deny an app access to your advertising ID, that doesn’t necessarily prevent it from sharing other data with third parties. A new bit of investigative research from Top10VPN showed that 85% of the top free VPNs in Apple’s US App Store will still share your data with third-party advertisers even after you’ve explicitly denied their requests to track you. Even if they don’t have access to your advertising ID — according to Top10VPN’s research — these free VPN apps still track and share information like your IP address, device name, language, device model and iOS version with advertisers without your consent. This is all information that can be used to identify you, and the research is a pointed reminder of why we recommend staying away from free VPNs.

If you’re concerned about VPN companies using trackers on their websites and sharing data with third parties, then you can use a privacy-focused browser like Brave or Firefox, or use a tool like the Duck Duck Go’s browser extension to your current browser. Options like these will help you to easily prevent websites from tracking you as you browse the web. If you’re not willing to part ways with your existing browser or install an extension, there are various settings you should change to protect your privacy and limit tracking.

Next steps

Websites and apps will routinely do whatever they can to track your activity across the internet to churn as much money out of the targeted ad machine as possible. But the tide is finally turning as people have begun to realize exactly how invasive the practice is and how detrimental it can be to our digital privacy.

More and more options are available to defend against tracking practices, and VPN companies are becoming increasingly transparent with consumers with regards to how they approach the subject and many are ditching tracking altogether. Unfortunately, many VPN companies still continue the practice and are sharing all kinds of tracking data with third parties. If you’re an iOS user, just take a look through the VPNs available in the App Store and take a peek at their «nutrition label» and you’ll see what we mean.

If you already have a VPN app installed on your device, check to see if it’s tracking you and sharing your data with third parties. If it is, it’s time to wipe it from your device for good and never look back, because it’s compromising your privacy rather than protecting it — which is the opposite of what a VPN should be doing.