People search “can websites track me with a VPN?” because they turned the VPN on and still felt followed. The short answer is yes. A VPN can hide one network clue, but websites can still track through browser fingerprints, cookies, account state, consent memory, and shipping context that make the session look familiar.
EFF’s Cover Your Tracks helps explain the browser side. A site can still read a bundle of characteristics that make a session look distinctive enough to reconnect later. If the browser, fonts, timezone, canvas behavior, language, and other hints keep lining up, then changing the network path does not automatically make the session feel new. The site may not know a street address, but it may still have enough context to treat the visit like it came from the same general person or place as before.
That is one reason VPN users still feel exposed. Another is that some location clues live above the network layer. Timezone, browser language, store locale, shipping ZIP, prior consent state, and account history can all reinforce a rough geographic story. In app contexts, GPS or operating-system permissions can expose even more than a browser-only shopper expects. The VPN did not fail so much as the rest of the session kept telling a coherent story.
Sites can also preserve continuity through boring-looking metadata. Google’s Analytics URL-builder documentation is explicit that campaign parameters exist to collect acquisition context. If a click arrives with source, medium, and campaign tags, the visit starts with a structured breadcrumb trail before the person has typed anything into a form.
MDN’s cookie documentation explains the persistence step. Once page scripts can read and write cookie state, a site can convert what arrived in the URL or session into longer-lived first-party memory. That means a shopper may think “I changed my VPN, so I reset the story,” while the site thinks “the same browser just resumed a known path.”
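The URL-to-cookie step described above can be modelled in a few lines. This is an added example, not code from Google, MDN, or Cloak: the Map-based jar stands in for `document.cookie`, the cookie name `first_touch` is hypothetical, and the URLs and IP addresses are constructed. It also shows the user-side mitigation of stripping campaign tags before the request is made.

```javascript
// Added example. The Map-based jar stands in for document.cookie, and the
// cookie name "first_touch" is hypothetical; URLs and IPs are constructed.
const CAMPAIGN_KEYS = ["utm_source", "utm_medium", "utm_campaign"];

// Site side: copy campaign tags from the landing URL into first-party state.
// The client IP is recorded but never consulted for recognition.
function handleVisit(landingUrl, clientIp, cookieJar) {
  const params = new URL(landingUrl).searchParams;
  const tags = {};
  for (const key of CAMPAIGN_KEYS) {
    if (params.has(key)) tags[key] = params.get(key);
  }
  const known = cookieJar.has("first_touch");
  if (!known && Object.keys(tags).length > 0) {
    cookieJar.set("first_touch", JSON.stringify(tags));
  }
  return {
    clientIp,
    recognised: known,
    remembered: known ? JSON.parse(cookieJar.get("first_touch")) : null,
  };
}

// User side: drop campaign tags before the request is made.
function stripCampaignTags(url) {
  const u = new URL(url);
  for (const key of CAMPAIGN_KEYS) u.searchParams.delete(key);
  return u.toString();
}

// Constructed scenario: a tagged click, then a return visit via a VPN exit.
function runScenario() {
  const tagged =
    "https://shop.example/sale?utm_source=newsletter&utm_medium=email&utm_campaign=spring&sku=42";
  const jar = new Map();
  const first = handleVisit(tagged, "198.51.100.7", jar);
  const viaVpn = handleVisit("https://shop.example/cart", "203.0.113.50", jar);

  // Same click with tags stripped and a fresh jar: nothing to resume later.
  const cleanJar = new Map();
  const strippedUrl = stripCampaignTags(tagged);
  handleVisit(strippedUrl, "198.51.100.7", cleanJar);
  const cleanReturn = handleVisit("https://shop.example/cart", "203.0.113.50", cleanJar);
  return { first, viaVpn, strippedUrl, cleanReturn };
}

console.log(runScenario());
```

The model covers only the campaign-tag path; a site that sets its own identifier cookie on every visit would still recognise the returning browser until cookie state is cleared.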
Account state makes the gap even wider. If the person is signed in, using the same email, or continuing from the same app ecosystem, then changing the network path alone does very little. The recognition stack keeps working because the strongest identifiers live elsewhere.
That is why the right privacy question is not only “did I hide my IP?” but “which clues still make this session look local, familiar, or worth profiling?” A VPN can be worth having. It just should not be mistaken for the full anti-tracking answer.
Cloak’s lane here is practical: reduce cheap continuity signals, shrink repeatable identifiers, and make the session legible enough that users stop having to guess which layer betrayed them this time.