Have you ever noticed that if you do a Google search and later open the Amazon app, products related to your Google search are suggested?
The journalist and the digital nomad got it right.
Note the original claim: "The information stored in your browser helps the airline determine your demographic, geographical location, income and spending habits, to name a few".
Web browser "cookies" don't contain demographic information. Rather, they contain identifiers that can be matched among each other, matched with records of your activities on multiple Web sites and apps, and matched with identifying data from the accounts you create on Web sites and in apps. It's the matching of myriad small pieces of data, and the storage and sale of the profiles synthesized from them, that makes comprehensive tracking possible.
I'm not claiming that any particular airline definitely makes decisions based on purchased profile data, but as you can see, this degree of tracking and differentiation is completely feasible.
Though clearing cookies and using a VPN can reduce tracking, these measures cannot eliminate it. If you access two or more Web sites or apps from the same IP address, around the same time (note: no other household shares that IP address at that moment), and you have logged in to one of those Web sites or apps, your activities can be matched without interruption.
The vast majority of Web sites and apps rely on a third-party "analytics" service. The analytics service tracks every page you visit and every button you click within a particular site or app, the date and time, your current IP address, and an identifier (whose scope varies). A single analytics service handles many different sites and apps, and can freely match data between them. An individual site or app may sell your account information to the analytics service (or to its partner), contributing identifying information to round out the activity records that the analytics service has accumulated over time.
Another strategy involves sending you an e-mail with a tiny, hidden image. This allows matching your e-mail address (and thus, your identity) with the IP address from which the image is retrieved, around the time you read the message.
In Europe, the General Data Protection Regulation requires consent for tracking and the exchange of profile data. In the US, there are few legal constraints on tracking, the sale of profile data, etc.
Hasbrouck, mentioned in the article, is right to remind us that airline tariffs forbid price differentiation on the basis of profile data — but that there's no enforcement.