Browser Privacy Test 2026: What Chrome Really Blocks
A browser privacy test in 2026 produces uncomfortable results.Â
Running Chrome in incognito mode and testing it through the Electronic Frontier Foundation’s (EFF) Cover Your Tracks tool returns the same outcome most users would not expect: a unique fingerprint and weak protection against tracking. Private browsing does not change that result. Chrome continues identifying browsers through dozens of small characteristics, screen resolution, installed fonts, Graphic Processing Unit (GPU) behaviour, timezone, and rendering quirks. Combined, these create a stable identifier that persists even after cookies are deleted.
Google settled a $5 billion lawsuit in 2024 over tracking incognito users and agreed to delete collected data. The technical capability behind that tracking, however, remains built into the browser.
To understand how widespread the issue is, the same browser privacy test was run across Firefox, Safari, Edge, Brave, and Tor. The differences were significant.
What users think incognito mode does and what it actually does
A University of Chicago study surveyed 460 internet users about what private browsing protects against. Many believed it prevents Internet Service Provider (ISP) monitoring, employer tracking, malware, and location tracking. None of that is accurate. Private browsing deletes local history after the session ends. That is its core function.
ISPs still see traffic. Employers monitoring corporate networks can still inspect activity. Websites collect the same data. Logging into accounts saves activity regardless of private mode.
Chrome states this directly inside its incognito window: activity may still be visible to websites, employers or schools, and internet service providers. While third-party cookies have been restricted in some contexts since 2020, fingerprinting bypasses cookie controls entirely.
This browser privacy test focused on what browsers technically block versus what users assume they block.
Browser privacy test results: Six browsers compared
PrivacyTests.org provides automated measurements covering state partitioning, tracker blocking, and fingerprint resistance. Running a structured browser privacy test across major browsers revealed major gaps.
Chrome:
Failed most privacy benchmarks. Third-party cookies are not fully blocked by default in normal browsing. Fingerprinting protections are minimal. With approximately 66% market share, Chrome’s configuration sustains the broader tracking ecosystem.Â
Subscribe to our bi-weekly newsletter
Get the latest trends, insights, and strategies delivered straight to your inbox.
Edge:
Built on Chromium,Edge behaves similarly to Chrome. Optional tracking prevention settings exist but are not maximally enabled by default. InPrivate mode still collects non-personal telemetry.Â
Safari:
Blocks third-party cookies and uses Intelligent Tracking Prevention to reduce cross-site tracking. However, stronger protections primarily activate in private browsing. As a closed-source browser, independent auditing remains limited.Â
Firefox:
Passed most state partitioning tests. Blocks third-party cookies by default and isolates cookies through Total Cookie Protection. Open-source development enables external code review. Some fingerprinting exposure remains but is materially reduced.Â
Brave:
Passed all state partitioning tests. Blocks ads and trackers automatically. Uses fingerprint randomisation per session and per site, preventing the creation of stable cross-site profiles.Â
Tor Browser:
Offers the strongest anonymity by routing traffic through multiple relay nodes. Makes users appear uniform to websites. Trade-offs include slower performance and partial site incompatibility.Â
| Browser | Privacy Score | What Gets Blocked | What Still Tracks |
| Chrome | Failed majority | Limited third-party cookie controls | Fingerprinting, first-party cookies, ISP monitoring, login identity |
| Edge | Similar to Chrome | Optional tracking prevention | Similar to Chrome unless manually configured |
| Safari | Moderate | Trackers in private mode | Possible fingerprinting, limited verification |
| Firefox | Passed most | Third-party trackers isolated | Some fingerprinting, ISP/employer visibility |
| Brave | Passed all | Ads, trackers, fingerprint randomisation | ISP/employer monitoring, login tracking |
| Tor | Strongest | Fingerprinting, IP tracking, trackers | Slower speed, site blocking |
What a browser privacy test cannot prevent
Even high-performing browsers cannot solve everything. Network-level monitoring operates below browser controls. ISPs can see domains visited. Employers monitoring enterprise networks can inspect traffic regardless of browser choice. First-party cookies remain active because blocking them would break site functionality. Logging into platforms immediately identifies users, even within privacy-focused browsers.
Fingerprinting was designed to bypass cookie restrictions. Research from Texas A&M found that fingerprinting is used for real-time ad targeting even after cookies are cleared. Under the GDPR and the California Consumer Privacy Act (CCPA), cookie consent mechanisms exist. Fingerprinting, however, often operates passively and without the same consent prompts.
Historical examples, such as the National Security Agency’s (NSA) Evercookie, demonstrate that persistent tracking methods evolved long before advertisers popularised fingerprinting techniques.
Google’s reversal on third-party cookies
Chrome initially announced plans to phase out third-party cookies. In April 2025, that plan was reversed. Third-party tracking continues to be the norm for most web users. Google introduced Privacy Sandbox as an alternative framework, describing it as privacy-conscious. Critics argue it consolidates tracking mechanisms within Google’s ecosystem rather than eliminating them.
Firefox, backed by a non-profit foundation, adopted a different strategy by blocking trackers by default. Total Cookie Protection launched in 2022. HTTPS enforcement in private mode has been active since 2021. Brave adopted fingerprint randomisation. Rather than blending all users into identical profiles, it prevents the creation of consistent tracking identifiers.
Safari’s ecosystem strategy relies partly on hardware uniformity across Apple devices, reducing fingerprint uniqueness. Safari 26 is expected to expand default fingerprint protections.
Can websites detect private browsing?
Yes. Private browsing is not invisible to websites.
Certain browser APIs behave differently in incognito mode. The FileSystem API, storage quotas, and IndexedDB behaviour can signal whether a session is private. These technical differences allow websites to infer browsing mode even without cookies.
Publishers such as The New York Times have used detection methods to restrict access from private sessions. Subscription platforms often require standard browsing mode to limit circumvention of article limits.
Browser vendors have attempted to reduce the detectability of incognito mode. Chrome implemented changes to limit detection through storage APIs. However, detection methods typically re-emerge. The technical gap between private and normal sessions is difficult to eliminate entirely without redesigning browser architecture.
This means private browsing protects local history, but not anonymity from website-level inspection. Now it earns its space.
How to run a browser privacy test in your organisation
Before relying on browser marketing claims, organisations should conduct a structured browser privacy test across deployed configurations.
- Run EFF’s Cover Your Tracks to measure fingerprint uniqueness.
- Use PrivacyTests.org to verify tracker blocking.
- Inspect network traffic during incognito sessions to understand ISP visibility.
- Validate default privacy settings rather than assuming features are enabled.
- Test enterprise applications against stricter privacy browsers before deployment.
Uniform corporate browser images may unintentionally create distinctive fingerprint patterns. Standardised fonts, plugins, and extensions can increase trackability.
Switching browsers should only occur if:
- Current deployments fail required protections,
- Alternatives do not break critical applications,
- Compliance requirements justify migration.
Privacy requires layers
No single browser guarantees complete anonymity. Domain Name System (DNS) queries can leak metadata. Transport Layer Security (TLS) handshakes reveal domains. Hypertext Transfer Protocol (HTTP) headers expose configuration details. Effective privacy requires layered controls: privacy-focused browsers, encrypted DNS, Virtual Private Networks (VPN), and careful authentication practices.
Each layer introduces friction. VPNs require subscriptions. DNS encryption needs configuration. Script blockers can break sites. Most users prioritise convenience. Many organisations do the same. Chrome dominates because it is pre-installed, compatible, and requires minimal configuration. Privacy alternatives demand effort and policy decisions.
The browser privacy test results are clear: browser choice affects exposure levels. It does not eliminate tracking entirely.
Distilled
Chrome underperforms in structured browser privacy tests. Firefox and Brave provide stronger protections, though neither eliminates network-level visibility. Tor offers maximum anonymity at the cost of usability. Safari sits between ecosystems, stronger in private mode but limited by closed-source verification.
Browser privacy tests are freely available and take minutes to run. Organisations standardising on browsers without testing their real-world behaviour risk privacy gaps. The broader pattern suggests that convenience often outweighs privacy unless incentives change. Until then, tracking persists. Browser choice matters. Not absolutely — but materially.
