What Browser Fingerprinting Actually Does

Every time a browser loads a page, it exposes a collection of technical details: screen resolution, installed fonts, GPU model, operating system version, language settings, and time zone. Individually, none of these data points identifies a person. Combined, they create a statistical profile so distinctive that it can single out a device among millions.

This is browser fingerprinting. Unlike HTTP cookies, fingerprinting does not store a file on the visitor's device. The identification happens server-side, by collecting and hashing together enough signals to produce a stable identifier.

That distinction matters for compliance. Many website owners assume that avoiding cookies means avoiding consent obligations. It does not.

Common Fingerprinting Techniques

Fingerprinting scripts probe a range of browser APIs. The most common techniques fall into several categories, each exploiting subtle hardware and software differences between devices.

Canvas Fingerprinting

A script draws a hidden image using the HTML5 Canvas API, then reads the pixel data back. The way the browser renders that image varies depending on the GPU, graphics driver, operating system, and font rendering engine. Two devices with different hardware will produce slightly different pixel values, even when drawing the same shape. The resulting hash acts as a device identifier.

WebGL Fingerprinting

WebGL fingerprinting takes a similar approach but targets 3D rendering. By asking the GPU to render a hidden 3D scene, the script captures differences in shader precision, texture handling, and rendering pipeline behaviour. The technique also reads the WEBGL_debug_renderer_info extension, which exposes the exact GPU model and driver version.

Font Enumeration

Every operating system ships with a default set of fonts, but users and applications add more over time. A fingerprinting script measures how the browser renders text in hundreds of font families. If a font is installed, the rendered width differs from the fallback. The resulting list of installed fonts is highly distinctive.

Audio Fingerprinting

The AudioContext API processes a short audio signal through the device's audio stack. Tiny differences in how the hardware and software handle floating-point arithmetic produce a unique waveform. The technique requires no microphone access and runs silently in the background.

| Technique | API Used | What It Reveals | Entropy Level |
|---|---|---|---|
| Canvas | Canvas 2D | GPU, driver, OS rendering | High |
| WebGL | WebGL / WebGL2 | GPU model, shader precision | High |
| Font enumeration | CSS measurement | Installed font list | Medium-High |
| Audio | AudioContext | Audio stack processing | Medium |
| Navigator properties | Navigator object | User agent, plugins, languages | Medium |
| Screen metrics | Screen API | Resolution, colour depth, pixel ratio | Low-Medium |

Why Fingerprinting Is a Privacy Risk

Cookies can be deleted. Browser storage can be cleared. A visitor who resets their browser gets a fresh start, at least in theory. Fingerprinting undermines that reset because the identifier is derived from the device itself, not from stored data.

This creates several problems. Visitors cannot inspect or remove a fingerprint the way they can delete a _ga or _fbp cookie. There is no browser setting labelled "clear my fingerprint." The tracking is invisible, and that opacity conflicts with the transparency requirements built into GDPR and the ePrivacy Directive.

The persistence of fingerprints also raises concerns about cross-site tracking. A fingerprinting service embedded on multiple websites can follow a visitor across those sites without any cookie synchronisation, building behavioural profiles that the visitor never agreed to.

What the ePrivacy Directive Says About Fingerprinting

Article 5(3) of the ePrivacy Directive does not mention cookies by name. It covers "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user." Fingerprinting reads information already present on the device: GPU characteristics, font lists, screen properties. European regulators consistently interpret Article 5(3) as covering fingerprinting alongside cookies, local storage, and session storage.

The consent requirement applies unless the information is strictly necessary for a service the user has requested. Fraud detection may qualify for an exemption in some circumstances. Advertising and analytics fingerprinting do not.

GDPR Treatment of Fingerprints as Personal Data

Under GDPR, personal data means any information relating to an identified or identifiable natural person. Recital 30 explicitly references "cookie identifiers, internet protocol addresses and other identifiers such as radio frequency identification tags" as examples. A browser fingerprint that singles out a device, and by extension its user, meets this threshold.

Processing a fingerprint for tracking purposes therefore requires a lawful basis under Article 6. Consent is the only realistic option for advertising or analytics fingerprinting, since legitimate interest is difficult to argue when the processing is invisible to the data subject and no opt-out mechanism exists.

The CNIL has been particularly active on this point. The French regulator's guidelines on trackers explicitly treat device fingerprints alongside cookies, requiring the same level of informed, specific consent. CNIL considers that consent expressed through browser settings does not meet the GDPR standard because it is neither specific nor informed enough to cover fingerprinting.

Enforcement Actions Involving Fingerprinting

Regulators have moved beyond guidance into active enforcement. In 2023, the CNIL fined an ad-tech firm for fingerprinting users without obtaining valid consent, ruling that the practice constituted personal data processing under GDPR. The UK's ICO labelled Google's December 2024 decision to allow advertisers to use fingerprinting as "irresponsible," warning that the reversal would harm consumers.

Enforcement remains harder than with cookies. A regulator auditing cookie compliance can open browser developer tools and see every cookie a site sets. Fingerprinting scripts are more difficult to detect and prove, which partly explains why enforcement actions have focused more heavily on cookie violations to date.

That gap is narrowing. The EDPB's coordinated enforcement framework and tools like the EFF's Panopticlick (now Cover Your Tracks) make fingerprinting detection more accessible, and regulators are investing in technical audit capabilities.

How Browsers Are Fighting Back

Browser vendors have taken different approaches to fingerprinting protection, ranging from outright blocking to statistical noise injection.

Safari

Apple's Intelligent Tracking Prevention (ITP) has evolved to include anti-fingerprinting measures. Safari restricts access to high-entropy data points and injects noise into values returned by APIs like Canvas, making the fingerprint unstable across sessions. Safari 26 enables Advanced Fingerprinting Protection by default across all browsing modes.

Firefox

Firefox ships with Enhanced Tracking Protection enabled by default. In strict mode, it blocks known fingerprinting scripts identified through the Disconnect list. Firefox also restricts certain APIs and standardises values that would otherwise leak identifying information.

Chrome

Chrome has historically offered the weakest fingerprinting protections among major browsers. Google initially condemned fingerprinting in 2019 but reversed course in December 2024, announcing that advertisers could use fingerprinting for tracking. The Privacy Sandbox framework does not directly address fingerprinting. Chrome's approach remains permissive compared to Safari and Firefox.

Brave and Tor

Brave randomises fingerprinting values by default, generating different canvas and WebGL hashes on each session. Tor Browser takes the most aggressive stance: it blocks canvas reads entirely, disables WebGL by default, limits available fonts, and standardises screen dimensions through letterboxing.

| Browser | Default Fingerprinting Protection | Approach |
|---|---|---|
| Safari 26 | Yes | Noise injection, API restriction |
| Firefox (strict) | Yes | Script blocking, API standardisation |
| Brave | Yes | Value randomisation per session |
| Tor | Yes | API blocking, value standardisation, letterboxing |
| Chrome | No | Minimal protections |

What This Means for Your Website

If your site uses a fingerprinting service, or if a third-party script embedded on your site performs fingerprinting, you carry compliance obligations. The fact that fingerprinting does not use cookies does not exempt it from consent requirements under Article 5(3) of the ePrivacy Directive or from GDPR's rules on personal data processing.

Running a cookie scan is a useful first step, but a standard scan detects cookies and storage objects, not fingerprinting scripts. You should also audit your third-party scripts for canvas, WebGL, and AudioContext calls that have no visible purpose on the page. Ad-tech tags, fraud prevention tools, and some analytics libraries include fingerprinting components that may not be obvious.
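One way to run the script audit described above is to hook the canvas, WebGL and audio read-back APIs before third-party tags load and record which script calls them. This is an added example, not code from the original page or from any scanning product; the function names, the `__fpAudit` global and the choice of watched methods are assumptions made for illustration.

```javascript
// Added audit hook (not from the original page). Load it before third-party tags.
const WATCHED = [ // [constructor, method, technique] - all standard web APIs
  ['HTMLCanvasElement', 'toDataURL', 'canvas'],
  ['HTMLCanvasElement', 'toBlob', 'canvas'],
  ['CanvasRenderingContext2D', 'getImageData', 'canvas'],
  ['WebGLRenderingContext', 'getExtension', 'webgl'],
  ['WebGLRenderingContext', 'getParameter', 'webgl'],
  ['WebGLRenderingContext', 'readPixels', 'webgl'],
  ['OfflineAudioContext', 'startRendering', 'audio'],
  ['AudioBuffer', 'getChannelData', 'audio'],
];

// Extract the script URL of the frame that called the wrapped API.
function callerOf(stack) {
  const frames = String(stack).split('\n').filter((l) => /:\d+:\d+\)?$/.test(l.trim()));
  const m = frames[1] && frames[1].trim().match(/([^\s(@]+):\d+:\d+\)?$/);
  return m ? m[1] : 'unknown'; // frames[0] is the wrapper itself
}

// Wrap each watched method on `root` (normally `window`) and return the live log.
function installFingerprintAudit(root, watched = WATCHED) {
  const log = [];
  for (const [ctor, method, technique] of watched) {
    const proto = root[ctor] && root[ctor].prototype;
    if (!proto || typeof proto[method] !== 'function') continue; // API not present
    const original = proto[method];
    proto[method] = function (...args) {
      const arg = typeof args[0] === 'string' ? args[0] : undefined;
      log.push({ technique, api: `${ctor}.${method}`, arg, caller: callerOf(new Error().stack) });
      return original.apply(this, args); // behaviour of the page is unchanged
    };
  }
  return log;
}

// Group by calling script; one script touching several techniques deserves review.
function summarise(log) {
  const byScript = {};
  for (const { caller, technique } of log) {
    byScript[caller] = byScript[caller] || new Set();
    byScript[caller].add(technique);
  }
  return Object.entries(byScript)
    .map(([script, set]) => ({ script, techniques: [...set].sort() }));
}

if (typeof window !== 'undefined') window.__fpAudit = installFingerprintAudit(window);
```

After the page has loaded, `summarise(window.__fpAudit)` lists each calling script with the techniques it touched, and a `getExtension` entry whose `arg` is `WEBGL_debug_renderer_info` marks a read of the GPU model. Font enumeration relies on ordinary text measurement and has no single API to hook, so it is not covered here.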

Your cookie policy should disclose any fingerprinting activity alongside cookie usage. The consent mechanism must cover fingerprinting if it is used for non-essential purposes. A cookie banner that only mentions cookies but relies on fingerprinting in the background fails the transparency test.

Frequently Asked Questions

Is browser fingerprinting legal under GDPR?

Fingerprinting is not prohibited outright, but when used for tracking or advertising, it constitutes personal data processing that requires a lawful basis. Consent is the most appropriate basis for non-essential fingerprinting under both GDPR Article 6 and ePrivacy Article 5(3).

Does browser fingerprinting require cookie consent?

Yes. The ePrivacy Directive covers access to information stored on a user's device, which includes the hardware and software characteristics read during fingerprinting. The same consent standards that apply to non-essential cookies apply to fingerprinting.

Can users block browser fingerprinting?

Partially. Browsers like Safari, Firefox (strict mode), Brave, and Tor offer built-in protections that inject noise or block fingerprinting APIs. No browser eliminates fingerprinting entirely, but these measures reduce the accuracy and persistence of fingerprints.

How is fingerprinting different from cookies?

Cookies store a file on the user's device that can be viewed and deleted. Fingerprinting reads existing device characteristics without storing anything, making it invisible to the user and impossible to "clear" through browser settings.

What did the CNIL say about browser fingerprinting?

The CNIL treats fingerprinting identically to cookies in its tracker guidelines. The French regulator requires informed, specific consent before any fingerprinting for analytics or advertising, and has taken enforcement action against companies that fingerprinted without consent.

Does Google Chrome protect against fingerprinting?

Chrome offers minimal fingerprinting protection compared to other major browsers. Google reversed its anti-fingerprinting position in December 2024, allowing advertisers to use fingerprinting techniques. Safari, Firefox, and Brave provide stronger default protections.
