Clicking into Exposure: Uncovering Privacy Risks of Google Click Identifier in YouTube Ads
Authors: Ha Dao (Max Planck Institute for Informatics), Abhishek Shinde (Saarland University), Sana Athar (Max Planck Institute for Informatics), Devashish Gosain (Indian Institute of Technology Bombay)
Volume: 2026
Issue: 2
Pages: 92–107
DOI: https://doi.org/10.56553/popets-2026-0038
Abstract: YouTube is one of the largest video platforms on the web, with Google Ads deeply integrated into the viewing experience. While users may expect some level of tracking during ad delivery, the extent and mechanics of Google Ads tracking on YouTube, particularly the tracking behaviors triggered by user interactions with ads, remain underexplored. To address this gap, for the first time, we develop YT-AdTrack, a fully automated framework that measures tracking initiated by YouTube ads across 430 top-trending videos, three widely used browsers, and six geographic locations. In our baseline measurement campaign, YT-AdTrack strategically accepts cookie banners on YouTube, interacts with displayed ads, and subsequently accepts cookie banners on advertiser landing pages to capture downstream tracking behavior. Our findings show that every ad click consistently carries a unique Google Click Identifier, gclid, which is propagated through redirection chains and ultimately embedded in the advertiser’s landing page. We further observe that 64 (out of 76) advertisers persist this identifier as a first-party cookie, thereby transforming a short-lived click token into a durable user identifier. In addition, gclid values frequently leak across parties from advertisers, exposing them to both Google-controlled services and external third-party ad networks, which exacerbates the tracking nexus by extending well beyond standard conversion measurement. Strikingly, even when cookie banners are rejected, ad interactions remain consistently tagged: 55.4% of advertisers store gclidas a cookie, and 18.9% enable auto-tagging, which allows Googleto directly persist the identifier. This demonstrates that banner rejection does not safeguard users from gclid-based tracking. We find these behaviors to be consistent across browsers, with advertisers persisting the identifier in 76.4–84.2% of cases and Google directly storing it in over two-thirds of interactions. Similarly, across six geographic locations, gclid-based tracking persists, with advertisers storing it in 72.5–88.5% of cases and Google’s auto-tagging active in all locations. Overall, our analysis reveals that a single ad click can initiate durable cross-site tracking that persists across various banner choices, browser environments, and regional contexts.
Keywords: google click identifier, gclid, tracking cookies, web tracking, cookie banner, navigational tracking, cross-site tracking
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
