You visit an organic skincare brand’s website. You leave without buying anything. Within hours, ads for that brand follow you around the internet — on Instagram, on news sites, in your Gmail sidebar. You assume that’s just how the web works now.
It is. It didn’t have to be. And it shouldn’t be — least of all on a website that sells sustainability and care for the planet.
This post looks at how the surveillance economy actually works, audits four real ethical brands, explains why the EU is furious about it, and shows — practically — how to walk your website out of the machine. At the end, we’ll show exactly how The Green Directory is built differently.
Before you read on: see exactly what your browser is leaking to every website you visit right now — screen fingerprint, GPU, fonts, canvas hash, behavioural mouse trail, and a composite uniqueness score. Runs entirely in your browser, nothing sent to our server.
The quiet economy most people can’t see
Loading a typical commercial website doesn’t just fetch a page from that company’s server. Silently, your browser is instructed to contact dozens of other servers you didn’t ask for and didn’t agree to: Google, Meta, TikTok, session recorders like Hotjar or Microsoft Clarity, email trackers like Klaviyo, retargeters like Criteo, “social proof” widgets like Yotpo.
Each of those requests hands the third party your IP address, your browser fingerprint, the page you were on, and the time. Combined across thousands of sites, those fragments become a behavioural profile — interests, habits, purchasing intent, location, sometimes even health concerns — sold in real time to the highest bidder.
Real-Time Bidding (RTB) auctions run hundreds of billions of impressions a day through ad exchanges and data brokers most people have never heard of — Xandr, PubMatic, OpenX, The Trade Desk, LiveRamp. Your browsing history, stitched together from thousands of sites, is their raw material. Google and Meta capture roughly half of global digital ad spend, but the ecosystem around them is enormous: one Google Tag Manager snippet is a door through which any script, from any vendor, can be loaded at any time — an entire surveillance stack behind a single tag.
We audited four ethical brands. Here’s what we found.
We ran a tracker audit on four well-known brands that market themselves on ethics and sustainability. We’ve anonymised them — the point isn’t to shame any one company; it’s that this is the norm.
Brand A — a century-old US soap and personal-care company, widely regarded as one of the most ethical brands on the planet. Their homepage contacts 20 separate third-party hosts: Google Tag Manager, Meta, TikTok, LinkedIn, Pinterest, YouTube, Klaviyo (17 script references), Attentive, Yotpo, Bazaarvoice, and several personalisation and A/B-testing vendors.
Brand B — a European ethical electronics manufacturer whose whole proposition is digital dignity. Their homepage loads from 25 domains: Google Tag Manager, Microsoft Clarity (session recording), TikTok, LinkedIn, VWO, Exponea, Zendesk, Trustpilot, Yotpo, Hotjar.
Brand C is the most ironic: a privacy-positioned search engine and browser, marketed heavily on environmental grounds. Their own homepage contacts Google Tag Manager, Google DoubleClick, Facebook, TikTok, YouTube, LinkedIn, and Instagram — the exact infrastructure their product claims to insulate users from.
Brand D — a European fair-trade chocolate company built on transparency — loads Klaviyo (10 references), Shopify Analytics, TikTok, and embeds from Facebook, Instagram, LinkedIn, YouTube, and Twitter/X. Fair-trade cocoa, unfair data practices.
We didn’t pick unusual cases. Every single one was routing visitor data through the exact surveillance networks their customers likely think they’re avoiding by shopping ethically in the first place.
Where does the data actually go?
- Google (Analytics, Tag Manager, DoubleClick, YouTube) — aggregates visits into behavioural profiles sold across the Google Display Network’s ~2 million sites.
- Meta (Facebook Pixel, Instagram embeds) — adds visitors to “custom audiences” any Meta advertiser can target.
- TikTok (ttq pixel) — feeds ByteDance’s ad targeting; a live foreign-intelligence concern for EU and US lawmakers.
- Klaviyo, Attentive, Listrak — cross-site identity graphs matching browsing behaviour to emails and phone numbers.
- Yotpo, Bazaarvoice — review networks that track users across every site using their widget.
- Criteo, AdRoll, Taboola, Outbrain — retargeting specialists that follow you around the web after you leave.
- Microsoft Clarity, Hotjar, FullStory, Mouseflow — session recorders that literally replay your mouse movements, clicks, scrolls, and (depending on config) form inputs.
One visit is never just one visit
Tracking pixels aren’t per-site. The Meta Pixel on an organic skincare site is the same Meta Pixel on a news site, a recipe blog, a symptom-checker, and a political newsletter. Google’s trackers are on roughly 80% of the top million websites; Meta’s on somewhere north of 30%. Each hit is tagged to the same identifier — you — built from overlapping signals the tracker fuses together:
- Third-party cookies, set on first contact and read back on every other site in the network.
- First-party cookies repurposed for tracking — GA4, Facebook’s Conversions API, Unified ID 2.0 — reconciled server-side via hashed emails.
- Logged-in identity. Logged into Google once and every tab, every search, every YouTube view, every Maps trip is attached to your account. Meta does the same with Facebook/Instagram.
- Email and phone hashing. Enter an email into a newsletter form — on any site using Klaviyo, Mailchimp, HubSpot, or “enhanced conversions” — and the SHA-256 hash becomes a cross-site join key.
- Browser fingerprinting. Screen, fonts, timezone, GPU, audio quirks, battery. Enough to identify most browsers uniquely, even with cookies fully disabled.
- Device and IP triangulation. Phone advertising ID (IDFA/GAID) + home IP + “probabilistic matching” stitch devices together.
The result is a cross-site identity graph: one timeline, one persistent ID. The skincare homepage, the pregnancy article, the symptom check at 2am, the flight you priced to Lisbon, the job listing, the political commentary — same file, thousands of events long.
Try it: see what your browser is giving up, right now
We built a live demo page that shows — in your own browser, zero data sent to our server — exactly what a tracker sees the moment you load a site: screen fingerprint, GPU, timezone, canvas hash, font list, behavioural mouse trail, and a composite uniqueness score.
Your searches, tied in
Search queries are the most intimate data on the web — what people type when they think no one’s listening — and they’re wired straight into the same profile.
- Google & YouTube — every logged-in search, video and Gmail-linked interest feeds one profile sold across the Google Display Network, directly or as “Customer Match” / lookalike audiences.
- Microsoft / Bing & retail search — Microsoft Advertising pipes Bing and Edge data into Xandr and LinkedIn targeting; Amazon (third-largest ad network in the world) is built almost entirely on its search bar.
- Chrome & on-site search — characters typed into Chrome’s address bar reach Google before you press Enter. On-site search on brand sites is routinely forwarded to GA or Klaviyo and reused to retarget you elsewhere the next day.
The ad-tech plumbing
A single page view can, in under 300 milliseconds, be broadcast to 50–200 separate ad-tech companies via RTB:
- The auction layer — exchanges (Google AdX, Xandr, PubMatic, Magnite, Index Exchange), SSPs on the publisher side and DSPs (The Trade Desk, DV360, Amazon DSP) on the advertiser side. Winners and losers alike keep the data.
- The identity layer — DMPs/CDPs (LiveRamp, Oracle BlueKai, Salesforce, Adobe, Segment) and identity graphs (RampID, Unified ID 2.0, ID5) that outlive third-party cookies.
- The broker layer — enrichment brokers (Acxiom, Experian, Equifax, Epsilon) selling income, household, political, and medical inferences; location brokers (X-Mode/Outlogic, Veraset, SafeGraph, Gravy) selling GPS histories — clinics, places of worship, protests. US agencies have repeatedly been caught buying this to sidestep warrants.
- The follow-you-around layer — retargeters (Taboola, Outbrain, Criteo, AdRoll) and “brand-safety” vendors (IAS, DoubleVerify, MOAT) — another set of third parties copied into every impression.
Irish regulators investigating RTB under GDPR have called it “the biggest data breach ever recorded” — not because of a hack, but because normal operation leaks personal data to hundreds of unvetted third parties per page view, with no meaningful consent.
Who ultimately buys the data?
- Insurance companies — refining risk-pricing models, sometimes in ways that amount to de-facto discrimination.
- Employers and background-check services — buying “people data” from Acxiom, Experian, Equifax to supplement hiring.
- Political campaigns — the post-Cambridge-Analytica ecosystem didn’t disappear; it fragmented.
- Debt collectors and fraud scorers — pricing “risk” from device fingerprints and behaviour.
- Law enforcement and intelligence agencies — buying commercial data (especially mobile location) to acquire information that would otherwise require a warrant. Repeatedly documented for DHS, the IRS, the FBI, and military intelligence.
- Foreign state actors — via intermediaries. Flagged as a national-security concern in US Congressional hearings and EU policy papers.
- Hedge funds — “alternative data” is now a standard quant input.
- Private investigators, stalkers, abusers — where consumer-data markets exist, malicious buyers use them. Journalists have bought surveillance-grade datasets for a few hundred dollars.
Profiles flowing through this system are routinely cross-referenced with offline records — credit scores, loyalty-card purchases, voter files, property records, fitness-app signals — producing inference packages that are sold and resold. A 2019 Nature Communications paper estimated 99.98% of Americans could be re-identified in any dataset using just 15 demographic attributes. “Anonymous” is a marketing word, not a technical one.
Data residency: the part most people miss
Google, Meta, TikTok, Microsoft and most of the tracking stack are US or Chinese companies. When a European, South African, or Australian visitor loads a site with those trackers embedded, their personal data leaves their jurisdiction and enters the infrastructure of companies legally compelled to cooperate with their home governments’ intelligence services.
For US companies that means the CLOUD Act and FISA §702 — statutes under which US authorities can demand data held by US firms wherever it physically sits. The EU Court of Justice has ruled twice (Schrems I and Schrems II) that transferring EU personal data to the US violates EU fundamental-rights law. Each replacement framework has been cobbled together and criticised as failing to meaningfully fix the problem.
The Austrian, French, Italian, Danish, and Finnish data protection authorities have all ruled that Google Analytics, as typically implemented, is illegal under GDPR. In 2022 a German court ruled a site using Google Fonts without consent had violated a user’s rights. EU-facing green businesses running Google Analytics are arguably in breach of EU law today; South African and Australian visitors’ data is still routed into US jurisdiction they never agreed to. “Where does the data physically go, and under whose laws is it held?” is a question every sustainability-minded business should be able to answer — and embarrassingly few can.
The ethical dissonance
A customer visits a B-Corp-certified organic clothing brand because they care about supply-chain justice and environmental impact. They are, by definition, a values-led consumer. The brand welcomes them — and simultaneously hands their visit to Meta, whose business model has been credibly linked to teenage mental-health crises and political manipulation; to TikTok, whose algorithm has been the subject of child-safety hearings in multiple countries; to Google, fined repeatedly by the European Commission for anticompetitive practice.
The customer paid a premium to avoid sweatshops. They did not consent to having their browsing funnelled into the Big Tech monopolies whose business models are widely recognised as corrosive to democratic and ecological stability. You can’t advertise yourself as an alternative to extractive industry while running your shop on the extractive-industry tech stack.
How to de-Google and de-Meta your website
Removing third-party surveillance from a website is much more achievable than most owners assume. For most small and mid-sized sites it’s a weekend’s work. Here’s the checklist we followed — biggest wins first.
1. Replace Google Analytics with self-hosted Matomo
Matomo is a mature open-source analytics platform that runs on your own server — visitors, pages, referrers, conversions, no data sent to Google. GDPR-compliant by default and widely used across the EU public sector. Plausible and Fathom are solid lightweight European alternatives.
2. Self-host your web fonts
Every hit to fonts.googleapis.com sends your visitor’s IP and browser to Google. Most Google Fonts are open-licence — download and host them from your own domain. Tools like google-webfonts-helper make this trivial. This is what triggered the German Google Fonts court ruling.
3. Replace Google Maps with OpenStreetMap
For almost every “show a location” use case, OpenStreetMap with Leaflet is a drop-in replacement: free, community-maintained, and it doesn’t phone Google on every map view. We switched our entire mapping backend — the UX is identical, the privacy profile is dramatically better.
4. Remove the Meta Pixel and every social pixel
Meta, TikTok, LinkedIn Insight Tag, Pinterest, Twitter, Snap — all do the same thing. If you’re not running paid campaigns on a platform, there’s no reason for its pixel to exist on your site. If you are, consider whether the targeting is worth the ethical cost, and look at server-side conversion APIs that send specific events rather than ambient browsing data.
5. Remove session recording
Hotjar, Microsoft Clarity, FullStory, Mouseflow record visitor sessions by design. Unless you’re actively using recordings for product research, remove them — they carry the highest privacy cost of anything on this list.
6. Self-host icon fonts and JS libraries
Font Awesome, jQuery, Bootstrap — if they load from a CDN, they’re a third party. File sizes are tiny and HTTP/2/3 makes the performance impact negligible. This is what makes “every asset loads from our own domain” actually true.
7. Audit what’s left
Open your site, open devtools’ Network tab, reload. Every request that isn’t to your own domain is a third party. For each: what is it, why is it here, does our privacy claim still hold with it loaded? Most sites find a long tail of forgotten embeds — old Twitter widgets, removed review services whose JS is still injected, a chat tool from a marketing experiment two years ago.
8. Publish a real privacy promise
Not boilerplate — a specific, verifiable statement of what your site does and does not do. Name what you’ve removed. Invite readers to open the network tab and check. The point of going privacy-first is to let it become part of the brand, not to bury it in legalese.
How The Green Directory does it
We run the site you’re reading under exactly the rules above.
- No Google Analytics, Tag Manager, or gtag. Traffic is handled by a self-hosted Matomo instance on our own server.
- No Google Fonts. Lato and Playfair Display are self-hosted from our domain.
- No Google Maps. Every map — homepage, listing pages, country pages — uses OpenStreetMap via Leaflet.
- No Meta, TikTok, Pinterest, Twitter/X, LinkedIn, or Snapchat pixels.
- No session recording. Your mouse movements are your own.
- No CDN dependencies. Font Awesome, jQuery, JavaScript — everything loads from thegreendirectory.net.
- No advertising networks, retargeting, or data brokers. There is no exit door through which your data leaves this site to be sold.
That’s not a slogan — it’s a measurable technical claim. Open devtools, watch the Network tab, and see where every request goes. They all go to us.
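The check described in step 7 of the checklist and in the claim just above (every request goes to our own domain), as an added example that is not part of the original post or The Green Directory's own site: a small script that sorts a list of request URLs into first-party and third-party and names the tracking vendors this article mentions. The site origin, the sample URL list and the TRACKER_HOSTS catalogue are constructed assumptions, not captured data or an authoritative blocklist.

```javascript
// Added example (not the post's or The Green Directory's code). In a browser the
// URL list can be taken from performance.getEntriesByType('resource').map(e => e.name);
// here a constructed sample is used. TRACKER_HOSTS is a hand-built, illustrative
// catalogue of hosts used by vendors named in the article, not a complete blocklist.
const TRACKER_HOSTS = {
  'googletagmanager.com': 'Google Tag Manager',
  'google-analytics.com': 'Google Analytics',
  'doubleclick.net': 'Google DoubleClick',
  'fonts.googleapis.com': 'Google Fonts',
  'fonts.gstatic.com': 'Google Fonts',
  'connect.facebook.net': 'Meta Pixel',
  'analytics.tiktok.com': 'TikTok pixel',
  'klaviyo.com': 'Klaviyo',
  'hotjar.com': 'Hotjar',
  'clarity.ms': 'Microsoft Clarity',
};
// True when host equals base or is a subdomain of it (static.klaviyo.com under klaviyo.com).
const underDomain = (host, base) => host === base || host.endsWith('.' + base);
function vendorFor(host) {
  const hit = Object.keys(TRACKER_HOSTS).find((base) => underDomain(host, base));
  return hit ? TRACKER_HOSTS[hit] : 'unknown third party';
}
// Hosts under the site's apex domain count as first-party. The apex defaults to the last
// two labels of the page host (wrong under registries like .co.uk, so pass it explicitly).
function auditRequests(siteOrigin, urls, apex) {
  const siteHost = new URL(siteOrigin).hostname;
  const siteApex = apex || siteHost.split('.').slice(-2).join('.');
  const report = { firstParty: [], thirdParty: [], skipped: [] };
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch { report.skipped.push(raw); continue; }
    if (!u.hostname) { report.skipped.push(raw); continue; } // data:, blob:, about:
    if (underDomain(u.hostname, siteApex)) report.firstParty.push(u.hostname);
    else report.thirdParty.push({ host: u.hostname, vendor: vendorFor(u.hostname) });
  }
  report.vendors = [...new Set(report.thirdParty.map((t) => t.vendor))].sort();
  return report;
}
// Constructed sample of what a typical brand homepage requests (not a real capture).
const SAMPLE_REQUESTS = [
  'https://www.example-shop.org/', 'https://www.example-shop.org/css/site.css',
  'https://cdn.example-shop.org/fonts/lato.woff2',
  'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE',
  'https://connect.facebook.net/en_US/fbevents.js', 'https://analytics.tiktok.com/i18n/pixel/events.js',
  'https://static.klaviyo.com/onsite/js/klaviyo.js', 'https://www.clarity.ms/tag/example',
  'https://fonts.googleapis.com/css2?family=Lato', 'https://unpkg.com/leaflet/dist/leaflet.js',
  'data:image/png;base64,iVBORw0KGgo=',
];
```

Anything reported as "unknown third party" is exactly the long tail step 7 warns about: an embed nobody remembers adding, which still deserves the same "why is it here?" question.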
The green web is possible. It exists where people build it. If you run a sustainability-focused business, the invitation is simple: run the audit on your own site — you may be surprised at what you find — and then fix it. Your customers will notice, regulators will notice, and most importantly, it will be true when you say your values are reflected in every part of how your business operates, including the parts they can’t see.
We also offer this as a service. If you’d like help auditing your own website, removing trackers, migrating to ethical analytics (Matomo / Plausible), or replacing Google Fonts and Google Maps with self-hosted and OpenStreetMap alternatives, visit our Privacy Audit & Consulting page — including a free 30-minute network scan of your site. If you run a green business and want a listing, get in touch.