Companies use a technique called data aggregation to combine information from multiple platforms and sources to build a unified behavioural profile of an individual. This process begins by collecting data points from websites, mobile apps, social media, e-commerce platforms, and search engines. Unique identifiers, such as device IDs, IP addresses, email logins, or social media handles, are used to match a user across these platforms. Even if a user doesn’t log in on every site, tracking mechanisms like cookies and fingerprinting can link the activity. Once linked, data from online purchases, browsing history, and even offline interactions (like loyalty cards or in-store sensors) are compiled. Data brokers then sell or share this enriched profile with advertisers, insurance companies, or political campaigns. This allows them to target users with personalised messages or pricing. Users are often unaware of how deeply connected their digital behaviour is across services, making it difficult to control or understand the full scope of surveillance.

Device fingerprinting is a method used to track users without relying on cookies. It works by collecting unique characteristics of a user’s device and browser settings—such as screen resolution, operating system, installed fonts, time zone, language preferences, and even the way the browser renders pages. These combined features form a "fingerprint" that is statistically unique enough to identify and track a user as they browse the internet, even across different websites and sessions. Unlike cookies, which can be deleted or blocked by users, fingerprinting is much harder to prevent because it does not require storing anything on the user’s device. It operates silently in the background, and users typically have no control over it. This makes fingerprinting more invasive and persistent than cookies, raising serious privacy concerns. It’s particularly problematic in privacy-sensitive contexts, such as health research or political activity, where anonymity is crucial. Many users are unaware that this form of tracking even exists.

Personal behavioural data is considered significantly more valuable than demographic data because it provides real-time insights into a user’s interests, intentions, and actions. While demographic data includes static attributes like age, gender, or occupation, behavioural data tracks dynamic patterns such as the websites visited, time spent on pages, search terms used, interactions with content, purchases, and app usage. This enables companies to predict future behaviour with greater accuracy and personalise experiences more effectively. For instance, knowing a person is 25 years old is less useful than knowing they’ve visited three mortgage comparison sites in the past hour. Behavioural data also allows for continuous refinement of user profiles through machine learning, making targeting more precise over time. As a result, advertisers are willing to pay more for access to behavioural insights, especially when they can influence decisions at the right moment. The immediacy, depth, and predictive power of behavioural data make it a critical asset in the data economy.

While anonymisation is often used as a privacy safeguard, it is not always effective in fully protecting personal behavioural data. Anonymisation involves removing or altering identifiers such as names, email addresses, and user IDs. However, behavioural data often contains patterns that are unique to individuals—such as browsing sequences, location trails, and time-based interactions—that can be used to re-identify them with high accuracy. Studies have shown that combining a small number of data points (like a postcode, birth date, and gender) can re-identify most individuals in a dataset. Even when data is pseudonymised—where identifiers are replaced with fake values—linking the dataset to other sources can undo the protection. In the context of behavioural data, repeated actions and sequences can act like digital fingerprints. As computational methods improve, so does the risk of re-identification. Therefore, while anonymisation reduces risk, it is not a guarantee of privacy, especially when data is shared or sold to third parties.

Smart home devices—such as voice assistants, smart thermostats, security cameras, and connected appliances—constantly collect data to function efficiently and adapt to user preferences. They gather a wide range of behavioural information including voice commands, daily routines, temperature preferences, movement patterns, and even sleep cycles. This data is processed locally or sent to cloud services for analysis and storage. These devices can infer not only when someone is home or away but also what they’re doing and with whom. The risks include unauthorised access (e.g. hacking), data breaches, or misuse of data by the manufacturer. Additionally, always-on microphones and cameras can pick up sensitive conversations or personal activities, sometimes inadvertently. There are also concerns about third-party access, such as law enforcement or advertisers requesting this data. Because smart devices often have limited user interfaces, it’s difficult for users to review or manage their data. This creates a low-visibility, high-risk environment for behavioural surveillance inside private homes.