Browser Fingerprinting: The Invisible Tracker GDPR Wants You to Stop

Quick answer: Browser fingerprinting collects device characteristics (screen size, fonts, WebGL renderer, timezone, etc.) to create a unique identifier — without using cookies. Under GDPR, fingerprinting is considered personal data processing and requires explicit consent, just like cookies. Most website owners don't realize they're doing it through third-party scripts.

What Is Browser Fingerprinting?

Browser fingerprinting is a tracking technique that identifies users by collecting a combination of device and browser attributes. Unlike cookies (which store data on the user's device), fingerprinting works entirely server-side, making it invisible to users and impossible to delete.

A single attribute (like screen resolution) isn't unique. But when you combine 20+ attributes, the resulting fingerprint is unique for over 95% of browsers, according to research by the Electronic Frontier Foundation (EFF).

What Data Does Fingerprinting Collect?

| Category | Data points | Uniqueness |
|---|---|---|
| Browser | User-Agent string, installed plugins, Do Not Track setting, language preferences | Medium |
| Screen | Resolution, color depth, device pixel ratio, viewport size | Medium |
| Graphics | WebGL renderer, GPU vendor, canvas fingerprint (drawing a hidden image) | High |
| Audio | AudioContext fingerprint (processing audio signals) | High |
| System | Timezone, installed fonts, OS version, CPU cores, available memory | High |
| Network | IP address, connection type, WebRTC local IPs | Very High |
| Behavior | Typing patterns, mouse movements, touch gestures, scroll behavior | Very High |

Canvas Fingerprinting: The Most Common Technique

Canvas fingerprinting works by instructing the browser to draw a hidden image using the HTML5 Canvas API. Because different devices render the same drawing instructions slightly differently (due to GPU, drivers, font rendering, and anti-aliasing), the resulting pixel data creates a unique hash.

This technique is used by many popular third-party scripts — often without the website owner's knowledge. Our supply chain audit can help you identify which scripts on your site use canvas fingerprinting.

Who Uses Fingerprinting?

  • Ad networks: To track users across sites without cookies (especially after cookie consent rejections)
  • Fraud prevention: Banks and payment processors use fingerprinting to detect bot attacks and account takeovers
  • Analytics platforms: Some "cookie-free" analytics tools use fingerprinting as a substitute
  • CAPTCHAs: Services like reCAPTCHA collect fingerprint data to distinguish humans from bots
  • DRM systems: Streaming services use fingerprinting to enforce device limits

Is Browser Fingerprinting Legal Under GDPR?

Yes, but only with consent. The legal framework is clear:

  • ePrivacy Directive (Article 5.3): Any access to information stored on a user's device (which fingerprinting does via JavaScript APIs like Canvas, WebGL, AudioContext) requires prior consent, unless strictly necessary for the service
  • GDPR (Article 4): A browser fingerprint that can single out an individual is personal data, even without a name or email. Recital 30 explicitly mentions "online identifiers such as device fingerprints"
  • GDPR (Article 6): Processing requires a legal basis — for fingerprinting used in tracking/advertising, the only viable legal basis is explicit consent

What Regulators Have Said

  • CNIL (France, 2020): Fined a company for using canvas fingerprinting without consent, calling it "equivalent to a cookie"
  • ICO (UK): States that fingerprinting falls under PECR and requires consent, just like cookies
  • EDPB (2024 Guidelines): Confirmed that browser fingerprinting is covered by both the ePrivacy Directive and GDPR
  • Belgian DPA: Has explicitly listed device fingerprinting as a technology requiring prior consent under cookie regulations

Fingerprinting vs Cookies: Why Fingerprinting Is Worse for Privacy

| Feature | Cookies | Browser Fingerprinting |
|---|---|---|
| Visibility to user | Visible in browser settings | Invisible — no user-facing control |
| User can delete | Yes | No — cannot be cleared |
| Blocked by browser | Yes (incognito, settings) | Partially (only advanced browsers resist) |
| Survives cookie clearing | No | Yes — persists across sessions |
| Cross-device | No (device-specific) | No (device-specific but more persistent) |
| Legal status (GDPR) | Regulated — consent required | Regulated — consent required |
| Detection difficulty | Easy to audit | Requires JavaScript analysis |

How PrivacyChecker Detects Fingerprinting

PrivacyChecker's scanner analyzes the JavaScript loaded on your pages and detects common fingerprinting techniques:

  • Canvas fingerprinting: Detects calls to toDataURL(), getImageData(), and hidden canvas elements
  • WebGL fingerprinting: Identifies WebGL renderer and vendor queries via getParameter()
  • AudioContext fingerprinting: Detects AudioContext and OfflineAudioContext abuse patterns
  • Font enumeration: Identifies scripts that probe for installed fonts via width measurement techniques
  • Known fingerprinting libraries: Detects FingerprintJS, ClientJS, and other common libraries
  • Third-party script analysis: Cross-references third-party domains with known fingerprinting providers
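To make the detection list above concrete, here is an added example of a small static scanner that looks for those same API patterns in JavaScript source text and cross-references the serving hostname against a provider list. It is written for this article, not taken from PrivacyChecker's scanner; the rule weights, the threshold, the `.example` hostnames and the four sample scripts are all constructed for the example.

```javascript
'use strict';
// Added example (not PrivacyChecker's code): a static scanner that looks for
// the fingerprinting API patterns listed above in JavaScript source text.
// Rule weights and the suspicion threshold are this example's own heuristic.

const SUSPICION_THRESHOLD = 3;

const RULES = [
  // Reading rendered pixels back out of a canvas is the core of canvas fingerprinting.
  { category: 'canvas-readback', weight: 3, pattern: /\.(?:toDataURL|getImageData)\s*\(/ },
  // A canvas created in script (often never attached to the DOM) is weak evidence on its own.
  { category: 'canvas-created', weight: 1, pattern: /createElement\s*\(\s*['"]canvas['"]\s*\)/ },
  // Querying the GPU vendor/renderer strings through getParameter().
  { category: 'webgl-renderer-query', weight: 3, pattern: /\.getParameter\s*\([^)]*(?:RENDERER|VENDOR)/ },
  // Constructing an (Offline)AudioContext, the basis of audio fingerprinting.
  { category: 'audio-context', weight: 3, pattern: /\bnew\s+(?:webkit)?(?:Offline)?AudioContext\s*\(/ },
  // A width measurement close to a font assignment: the classic installed-font probe.
  { category: 'font-enumeration', weight: 3,
    pattern: /\b(?:measureText|offsetWidth)\b[\s\S]{0,300}?\bfont(?:Family)?\s*=|\bfont(?:Family)?\s*=[\s\S]{0,300}?\b(?:measureText|offsetWidth)\b/ },
  // Library globals named in the article.
  { category: 'known-library', weight: 5, pattern: /\b(?:FingerprintJS|ClientJS)\b/ },
];

// Placeholder hostnames standing in for a known-provider list; these are
// constructed .example names, not real vendors.
const KNOWN_FINGERPRINT_HOSTS = new Set(['fp-vendor.example']);

// Score one script body: which rules fired, the weighted total, and a verdict.
function scanScript(source) {
  const hits = RULES.filter((rule) => rule.pattern.test(source));
  const score = hits.reduce((sum, rule) => sum + rule.weight, 0);
  return { findings: hits.map((rule) => rule.category), score, suspicious: score >= SUSPICION_THRESHOLD };
}

// Score every script on a page and combine the code verdict with the host check.
function scanPage(scripts) {
  return scripts.map(({ url, source }) => {
    const host = new URL(url).hostname;
    const result = scanScript(source);
    const knownProvider = KNOWN_FINGERPRINT_HOSTS.has(host);
    return { url, host, ...result, knownProvider, flag: result.suspicious || knownProvider };
  });
}

// Constructed sample scripts (not real vendor code) to run the scanner over.
const SAMPLES = [
  { // A visible chart: creates a canvas but never reads pixels back.
    url: 'https://www.example.com/js/chart.js',
    source: `const c = document.createElement('canvas');
      document.body.appendChild(c);
      const ctx = c.getContext('2d');
      ctx.fillStyle = '#36c';
      ctx.fillRect(10, 10, 120, 40);` },
  { // Hidden canvas, text drawn, then exported: the canvas fingerprint shape.
    url: 'https://cdn.analytics-placeholder.example/collect.js',
    source: `const c = document.createElement('canvas');
      const ctx = c.getContext('2d');
      ctx.font = '14px Arial';
      ctx.fillText('sample text', 2, 15);
      send(hash(c.toDataURL()));` },
  { // WebGL renderer query, audio context and a known library, from a listed host.
    url: 'https://fp-vendor.example/agent.js',
    source: `const gl = document.createElement('canvas').getContext('webgl');
      const dbg = gl.getExtension('WEBGL_debug_renderer_info');
      const renderer = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
      const ac = new OfflineAudioContext(1, 44100, 44100);
      FingerprintJS.load().then((fp) => fp.get());` },
  { // Installed-font probe by measuring element width per font family.
    url: 'https://www.example.com/js/fonts.js',
    source: `const span = document.createElement('span');
      span.textContent = 'mmmmmmmmmmlli';
      const widths = [];
      for (const f of ['Arial', 'Calibri', 'Menlo']) {
        span.style.fontFamily = f;
        widths.push(span.offsetWidth);
      }` },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanPage(SAMPLES)) {
    console.log(`${r.flag ? 'FLAG' : 'ok  '} ${r.url} score=${r.score} [${r.findings.join(', ')}]`);
  }
}
```

Running the block flags three of the four samples: the chart script only creates a canvas and stays below the threshold, while the hidden-canvas export, the WebGL/audio/library agent and the font probe each score at or above it. A real scanner would also have to unpack minified and dynamically loaded code, which this pattern match does not attempt.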

How to Stop Fingerprinting on Your Website

  1. Audit your third-party scripts: Use PrivacyChecker to scan your site. Many fingerprinting scripts come embedded in analytics, ad, or fraud-detection tools you may have installed unknowingly
  2. Add fingerprinting to your consent banner: If you legitimately use fingerprinting (e.g., for fraud prevention), declare it in your cookie/consent banner and require opt-in consent
  3. Use Content Security Policy: Implement a strict CSP header to control which third-party scripts can execute on your pages
  4. Replace fingerprinting analytics: Switch to privacy-friendly analytics that don't rely on fingerprinting or cookies
  5. Review vendor DPAs: If a vendor uses fingerprinting, ensure they have a Data Processing Agreement that covers this
  6. Add the Permissions-Policy header: Use the Permissions-Policy header to disable browser APIs like camera, microphone, geolocation, and interest-cohort that fingerprinting scripts exploit

The Exception: Fraud Prevention

Fingerprinting for fraud prevention may have a legal basis under GDPR's "legitimate interest" (Article 6(1)(f)) — but only if:

  • The processing is strictly necessary for fraud detection (not marketing)
  • You've conducted a Legitimate Interest Assessment (LIA)
  • You disclose it in your privacy policy
  • The data is not shared with third parties for advertising purposes
  • You implement data minimization — only collect what's needed for fraud detection

Frequently Asked Questions

Does incognito mode prevent fingerprinting?

No. Incognito mode only prevents cookie storage and browsing history recording. Your browser fingerprint remains the same in incognito mode because it's based on device characteristics, not stored data. Only browsers with anti-fingerprinting protections (like Tor, Brave, and Firefox with enhanced protection) actively resist fingerprinting.

Is FingerprintJS legal to use on my website?

FingerprintJS (and similar libraries) are legal tools, but using them for tracking or identification requires GDPR consent. Their "Pro" version is specifically designed for fraud detection and may qualify under legitimate interest — but you must still disclose it and conduct a LIA.

Does PrivacyChecker detect fingerprinting scripts?

Yes. PrivacyChecker scans your website for fingerprinting techniques including canvas, WebGL, AudioContext, and known fingerprinting libraries. It flags them as compliance issues if no consent mechanism is detected.

Can Google Analytics fingerprint users?

Google Analytics 4 does not use traditional fingerprinting, but it collects enough signals (IP address, user agent, screen resolution, language) that some DPAs consider it equivalent to profiling. Check our GA4 legality guide for the latest status by country.
