Your Phone Knows Where You've Been — and So Does the Store

Every device has identifiers that follow it everywhere. Here's what they are, who's reading them, and the one you can actually turn off.

The Problem

You walked into a store. You didn't sign in to anything. You didn't connect to their Wi-Fi. You didn't use their app. You paid cash.

They still tracked you.

Not by name. Not by face. By the device in your pocket — which has been broadcasting a unique identifier since the moment you walked through the door. By the time you left, they knew which departments you visited, how long you lingered in each one, and which displays you walked past twice.

They don't know you. But they know you.

What You'll Understand After This

This article covers the identifiers built into every phone — what they are, who reads them, and how they get attached to a data broker profile that follows you for years. It ends with one setting you can change today that removes the most useful tool advertisers have.

Why It Matters to You

Your phone is a sensor array in a glass rectangle. GPS, accelerometer, gyroscope, Bluetooth, Wi-Fi radio, cell radio — all of them generating data, all of the time. Most of that data never leaves your device. But the identifiers those radios broadcast? Those leave constantly, whether you want them to or not.

The uncomfortable part is that "they don't know your name" is not the protection most people think it is. A profile that knows your device's unique ID, your home location, your work location, your gym, your doctor's office, your political donation destinations, and your shopping habits — that profile is you. The name is just a label. The data is the person.

Data brokers figured this out fifteen years ago. The identifiers are how they stitch together everything they collect into a single profile that follows your device across every context.

How to Recognize It

The IMEI — your phone's serial number

Every phone has an IMEI: International Mobile Equipment Identity. It's a 15-digit number burned into the hardware at the factory. It never changes. It cannot be changed. It identifies your specific device globally and uniquely.

Your carrier knows your IMEI. When you make a call, send a text, or use mobile data, your IMEI is part of the transaction. This is how carriers can block stolen phones — the IMEI gets flagged and the device stops working on any network.

The problem is that your IMEI doesn't stay between you and your carrier. Cell site simulators — sometimes called stingrays — are devices that impersonate cell towers and capture IMEIs from every phone in range. Law enforcement uses them. So do others. And when you connect to any network that logs device identifiers, your IMEI can end up in that log.

The advertising ID — the one you can turn off

Your phone also generates an advertising ID: a string of letters and numbers that advertisers use to track you across apps. On Android it's called the GAID (Google Advertising ID). On iPhone it's called the IDFA (Identifier for Advertisers).

Unlike the IMEI, the advertising ID is designed to be resettable. Apple and Google both added this as a concession to privacy concerns — you can reset it, which breaks the link to your existing profile and starts a fresh one. Or on iPhone, you can deny apps permission to read it entirely.

The catch is that the default setting on most phones is to allow it. And most people never change the default.

When an app reads your advertising ID, it can share that ID with data brokers and ad networks. Those networks compare it against their existing records. If they've seen that ID before — and they almost certainly have — they attach everything from this session to everything they already know.

The MAC address and store Wi-Fi

Here's the one that surprises most people.

Every Wi-Fi radio in your phone broadcasts a MAC address — a hardware identifier used to communicate on networks. Even when you're not connected to Wi-Fi, your phone periodically broadcasts probe requests: small signals that say "is my known network here?" Those signals include your MAC address.

Any Wi-Fi receiver in range can log that broadcast. Stores, malls, airports, and stadiums use networks of Wi-Fi sensors to track exactly this — not to give you internet access, but to map foot traffic. They know how many unique devices entered, which path each one took, and how long each spent in different zones.

Modern phones use MAC address randomization to limit this — your phone generates a fake MAC address for probe requests. But the moment you connect to a network, your real MAC address is used for that connection. When you join the store's "free" Wi-Fi, you hand them your real MAC address, your advertising ID if apps have permission to share it, and confirmation that your device is physically present at that location at that time.

That data point goes to a broker. The broker adds it to your profile. Later, ads for products you browsed in that store follow you online. This is not a coincidence.

Note

"Free Wi-Fi" is not a courtesy. It is a data collection mechanism. The store is not paying for your internet access out of generosity — they are trading bandwidth for behavioral data.
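To check the MAC address randomization described above on your own phone, you can classify the addresses it has used: a randomized address has the "locally administered" bit (0x02) set in its first byte, while a factory-assigned one does not. The script below is an added example, not part of the original article; the sample log, the function names and the idea of copying addresses from your own router's log are assumptions, and the bit only shows that an address was chosen in software, which on a phone means randomization.

```python
import re

# Constructed sample: source addresses from Wi-Fi frames sent by your own phone,
# e.g. copied from your router's log. 00:00:5e:00:53:xx is the RFC 7042
# documentation range, standing in here for a real factory-assigned address.
SAMPLE_LOG = [
    "da:a1:19:3c:4f:10",
    "72-6B-1F-00-AA-02",
    "e2f4.9a10.77c3",
    "00:00:5e:00:53:01",
    "DA:A1:19:3C:4F:10",   # same address as the first entry, different case
    "not-a-mac",
]

def parse_mac(text):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff notation; return 6 bytes."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(text):
    """Return 'group', 'randomized' or 'factory' from the first octet's flag bits."""
    first = parse_mac(text)[0]
    if first & 0x01:
        return "group"        # multicast/broadcast, never a device's own address
    if first & 0x02:
        return "randomized"   # locally administered: chosen in software
    return "factory"          # universally administered: assigned at manufacture

def audit(observations):
    """Group distinct addresses by kind; unparseable entries are kept aside."""
    report = {"factory": set(), "randomized": set(), "group": set(), "invalid": []}
    for seen in observations:
        try:
            kind = classify(seen)
        except ValueError:
            report["invalid"].append(seen)
            continue
        report[kind].add(parse_mac(seen).hex(":"))
    return report

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("randomized addresses:", sorted(result["randomized"]))
    print("factory addresses exposed:", sorted(result["factory"]))
    print("skipped:", result["invalid"])
```

An empty "factory" set means every frame in the log used a software-chosen address; any entry there is an address that stays the same wherever the phone goes.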

The sensor layer

Beyond identifiers, your phone's sensors generate data that apps can request access to:

Location is the obvious one. But location at GPS precision — not just city, but which aisle of which store at which time — is enormously valuable and routinely sold.

The accelerometer and gyroscope track how you're moving and holding your phone. Combined with location data, they can tell whether you're walking, driving, or standing still — and roughly what you're doing.

Bluetooth works like Wi-Fi for tracking purposes. Retail beacons broadcast Bluetooth signals, and your phone logs which ones it detects. Stores use this for precision indoor positioning that GPS can't achieve.

Important

App permissions are how the sensor layer gets unlocked. Every time you grant an app access to your location, contacts, microphone, or camera, you're opening a data pipeline. "Allow once" is always safer than "always allow." And apps you haven't opened in six months don't need any permissions at all.

What You Can Do

There's one thing on this list you can actually eliminate today: your advertising ID.

On iPhone: Settings → Privacy & Security → Tracking → turn off "Allow Apps to Request to Track." This prevents apps from accessing your IDFA entirely.

On Android: Settings → Privacy → Ads → "Delete advertising ID." On newer Android versions this removes it completely. On older versions, choose "Opt out of Ads Personalization."

That's it. One setting. The IMEI stays — it's hardware. The MAC address randomization is already on by default on modern phones, so leave that alone. But the advertising ID is the thread that ties your cross-app behavior together into a profile, and you can cut it right now.

As for store Wi-Fi: don't use it unless you need it. Your carrier's data costs a few cents. Your behavioral profile, handed to a broker who will hold it for years, costs considerably more.