What is Browser Fingerprinting? Is it GDPR Compliant?

January 19, 2022 - Jeff Edwards

As we settle from the initial shock of the "cookie apocalypse," the marketing and advertising world has turned to explore new technologies to replace third-party cookies. One of them is browser fingerprinting, which differentiates users based on the technical characteristics of the web browser they're using.

In this article, we'll look at how browser fingerprinting works, whether it's a viable alternative to third-party cookies, if it's GDPR-compliant, and how to navigate tracking in the post-cookie era.

What Is Browser Fingerprinting and How Does It Work?

When consumers browse the internet, their hardware (e.g., laptop, smartphone) shares specific information with the browser, such as operating system, screen size, and IP address, so it can display a website correctly. 

When you collect enough information about the software and hardware configurations and parse it correctly, you can identify and track individuals based on their online behaviors. You can also use log files to identify visitors to a network or website.

Browser fingerprinting leverages a combination of browser configurations and visitor behaviors to create user IDs to inform audience targeting, marketing personalization, fraud prevention, cybersecurity, and more.

GDPR Enforcement Actions are Up 70% Year-over-Year. Get the Report.

There are different methods for browser fingerprinting, such as browser hash, cookie hash, and device hash. You can implement this technique by adding a JavaScript snippet to a website or web app. This code will allow you or a third-party vendor to extract and store the browser data. 

Browser fingerprinting helps advertisers obtain granular information of each parameter within the browser configuration, including the default language, operating system, keyboard layout, navigator properties, web browser extensions, user agent, sensors, audio context analysis, CPU class, touch support, and more.

The combination of these various characteristics can paint a picture of the users—detailed enough to act as an ID for advertisers to track them across the web, analyze their behaviors, and deliver targeted content based on their activities.

By gathering the information and storing it on a server, a website can track visitors' browsing habits without using persistent identifiers stored on their computers, such as cookies. 

Is Browser Fingerprinting a Viable Alternative to Third-party Cookies?

Similar to third-party cookies, browser fingerprinting is easy to implement. It's also surprisingly accurate. For example, having just 18 pieces of information is enough to identify a user from a pool of 246,417 tests conducted over 45 days.

Browser fingerprinting also allows you to correlate a visitor's activities within and across sessions, track them in a cross-domain context, and identify pseudonymous users by associating browser configurations with email and other identifying data.

You can accomplish many targeting and personalization objectives, such as delivering dynamic content, serving geolocalized web pages, or redirecting visitors to appropriate resources. You can also identify returning customers and offer promotions or discounts to cultivate loyalty.

While browser fingerprinting can replace many functions of third-party cookies, it also has some shortcomings. The information has a short shelf life, and you could miss the mark if you use stale data.

Meanwhile, browser fingerprinting has a similar downside as third-party cookies—people don't like being tracked. More users have adopted privacy-centered browsers (e.g., Brave or Firefox) that disable JavaScript and even anti-fingerprinting browsers or browser spoofing tools to evade being fingerprinted. 

Is Browser Fingerprinting GDPR-compliant?

Let's take a step back and consider how the GDPR defines personal data.

Any information that might be linked to an identifiable individual is considered personal data by the GDPR. The definition covers not only the "usual suspects" such as IP and email address but also less specific features such as the combination of browser characteristics, which is the basis of fingerprinting techniques that allow advertisers to identify an individual indirectly.

When you use browser fingerprinting for tracking website visitors, it constitutes “personal data processing” and is covered by the GDPR. In fact, the law aims to protect consumers against covert data collection made possible by techniques such as browser fingerprinting—even though the law doesn't mention specific methods explicitly to remain technologically neutral.

How To Make Browser Fingerprinting GDPR-compliant

While GDPR does not ban the use of browser fingerprinting, it does require companies to be transparent about the data collection process and ask for consent when personal data processing is involved. 

If you use browser fingerprinting techniques on your website or web app, you should implement a solution that can solicit consent in a manner compliant with the GDPR. For example, allow users to choose whether they permit or reject such tracking.

According to the Commission Nationale de l'Informatique et des Libertés (CNIL,) "the development of alternative [sic] to third-party cookies must not be made at the expense of the Internet user’s right to protection of their personal data and privacy." As such, tracking must rely on the informed choice of the visitor. 

Whether you use browser fingerprinting or other third-party cookie alternatives, consent management is the key to ensuring GDPR-compliance. Learn more about our Consent Management Platform to see how we can help you deliver rich and relevant digital experiences in a regulated environment.

Learn more about tracking technologies in our Data Privacy and Compliance Glossary. 

Jeff Edwards

Jeff Edwards

Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.

Learn more about Ensighten and our solution

Online skimming blog

Learn why third-party components on your website could be leaving you vulnerable to online skimming attacks

Read Now

Web skimming webinar

Learn more about how online skimming attacks happen and how you can protect against them

Watch Now

Online demo

See the Ensighten solution in action to learn how we can help protect your website against online skimming

Book Now