The present disclosure provides a secure, user-transparent, and highly efficient content provider-specific identifier (“CPSID”), sometimes referred to as a “read-only cookie” (“ROC”). These content provider-specific identifiers may be generated by the client device and encrypted with a public key of the content provider, preventing third parties from indirectly identifying matches, and obviating the need for provider-side cookie matching tables and resource-intensive tracking communications. The generation of content provider-specific identifiers may be controlled by user policies, such that identifiers are only created for content providers with compliant terms of service (ToS), e.g. retrievable from a predetermined address within the domain; content providers that are on a whitelist (e.g. for which the user has explicitly provided consent); and/or content providers that are not on a blacklist (e.g. for which the user has explicitly refused consent).