What is Browser Fingerprinting? Is it GDPR Compliant? | CHEQ

CHEQ acquires Ensighten

Learn More

As we settle from the initial shock of the “cookie apocalypse,” the marketing and advertising world has turned to explore new technologies to replace third-party cookies. One of them is browser fingerprinting, which differentiates users based on the technical characteristics of the web browser they’re using.

In this article, we’ll look at what browser and device fingerprinting is, how it works, what it’s used for, whether it’s a viable alternative to third-party cookies, if it’s GDPR-compliant, and how to navigate tracking in the post-cookie era.

What Is Browser Fingerprinting?

When consumers browse the internet, their device (e.g., laptop, smartphone) shares specific information with the browser, such as operating system, screen size, and IP address, so it can display a website correctly.

When site owners collect enough information about the software and hardware configurations and parse it correctly, they are able to create a browser or device fingerprint and use that fingerprint to identify and track individuals based on their online behaviors. Factors like screen size, fonts installed on a computer, choice of web browser, browser configurations and extensions, and user behavior can all be combined to create unique IDs that are leveraged to inform audience targeting, marketing personalization, fraud prevention, cybersecurity, and more. And all of this is achieved without using persistent identifiers like cookies.

How Does Browser Fingerprinting Work?

Browser fingerprinting is typically carried out using scripts or APIs that run in the background of the browser browser. These scripts collect various attributes of the user, their device, and their behavior, and complie them into a digital fingerprint, or a “hash.” Below are a few of the most common methods of browser fingerprinting.

Canvas fingerprinting

Most websites build using HTML5, which uses an element called canvas to draw graphics on a webpage. Canvas fingerprinting exploits this element to force the browser to draw an image, invisible to the user, during a site visit. Depending on device or browser configurations, such as the fonts installed, GPU settings, graphics drivers, or graphics car, the way that this image will render varies slightly from device to device, giving the site owner a reliable way to create a unique hash for the user. Canvas fingerprinting is one of the most wide-spread methods for browser fingerprinting and is actively blocked by some privacy-focused browser.

WebGL fingerprinting

WebGL (short for Web Graphics Library) is a JavaScript API which, like HTML Canvas, is used to render 2D and 3D images on a webpage. And just like canvas fingerprinting, WebGL fingerprinting causes the browser to draw an image in the background which is used to record device information and record a hash.

Audio fingerprinting

What Canvas and WebGL do for images, audio fingerprinting does for audio. In an audio fingerprinting use case,  the fingerprinter leverages a web audio API to measure how a device produces sound, and uses information such as audio drivers and hardware to create a unique hash to identify the user.

What Data is Collected for Browser Fingerprinting?

Various methods of browser and device fingerprinting collect a huge range of different data, all of which is combined to create a unique hash to identify the user. Below are some of the most common pieces of data collected in popular fingerprinting techniques.

  • IP address
  • User-agent string
  • Installed fonts
  • Installed hardware
  • Cookie settings
  • Screen resolution
  • OS version
  • HTTP header attributes
  • Language settings
  • Browser extensions
  • Keyboard layout
  • Audio fingerprinting data
  • Browser privacy
  • HTML canvas fingerprinting data

What is Browser Fingerprinting Used For?

While browser fingerprinting may seem nefarious to the untrained eye, there are legitimate use cases for the technology, primarily in the cybersecurity industry.

Browser fingerprinting techniques were first created in order to identify, track, and block devices associated with suspicious or illicit activity, and the technique is still leveraged for that purpose across the web. For example, CHEQ Paradome uses some fingerprinting techniques among the thousands of tests that the platform uses to identify and block bots, bad actors, and invalid traffic from customer websites. These visits could be botnets, web scrapers, hackers using VPNs, or click farms committing ad fraud.

For security purposes, fingerprinting is especially effective because it is often able to bypass evasion measures like VPNs that bad actors may use to disguise their activity. For example, a bot using a headless browser may claim to be a user on a mobile device, but it can be given away by the browser used, the version of the browser, or even the extensions installed.

However, because browser fingerprinting is such an effective identifier, and because traditional persistent identifiers like the third-party cookie are slowly-but-surely being phased out, the technique has also garnered attention from the digital advertising industry. While there’s no data on how widespread use of fingerprinting is in digital advertising–Google has banned the technique on its platform–there are stories of ad tech vendors using fingerprinting to get around tracking restrictions, and the technique has been suggested as a replacement for the soon-to-be defunct third-party cookie.

How to Block Browser Fingerprinting

For privacy-conscious users, browser fingerprinting presents a challenge to overcome, and unfortunately, there is no good solution for blocking device fingerprinting.

Because the data collected to create these identifiers is essential to the operation of most websites, users can’t just turn them off in browser settings and move on without fundamentally breaking their browsing experience. And because hashes are not stored on the user device like a tracking cookie, they are much harder to block and delete.

Normal privacy tools like ad blockers and VPNs are able to hide some data, like IP address, location, and sometimes even the browser used,  but there is a plethora of information given in every interaction with a webpage, and there is always the possibility that a hash can be created using other data. To make matters worse, simply using an ad blocker or VPN actually adds another identifier into the mix!

Privacy-focused browsers like Firefox and Brave can also help protect users from fingerprinting by blocking third-party requests to companies and technologies known to participate in fingerprinting.

Is Browser Fingerprinting a Viable Alternative to Third-Party Cookies?

Like third-party cookies, browser fingerprinting is easy to implement, and it’s also surprisingly accurate. For example, having just 18 pieces of information is enough to identify a user from a pool of 246,417 tests conducted over 45 days.

Browser fingerprinting also allows you to correlate a visitor’s activities within and across sessions, track them in a cross-domain context, and identify pseudonymous users by associating browser configurations with email and other identifying data.

You can accomplish many targeting and personalization objectives, such as delivering dynamic content, serving geolocalized web pages, or redirecting visitors to appropriate resources. You can also identify returning customers and offer promotions or discounts to cultivate loyalty.

So for marketers, there’s a lot to like.

But while browser fingerprinting can replace many functions of third-party cookies, it also has some shortcomings. The information has a short shelf life, and you could miss the mark if you use stale data.

More importantly, browser fingerprinting has a similar downside as third-party cookies—people don’t like being tracked. More users have adopted privacy-centered browsers (e.g., Brave or Firefox) that disable JavaScript and frankly, using fingerprinting to track users despite their clear indication that they don’t want to be tracked is not a good look. Furthermore, the practice can easily run afoul of various privacy laws like the GDPR and CPRA.

Is Browser Fingerprinting Compliant with the GDPR and CCPA/CPRA?

Let’s take a step back and consider how the GDPR defines personal data.

Any information that might be linked to an identifiable individual is considered personal data by the GDPR. The definition covers not only the ‘usual suspects’ like IP and email address but also less specific features such as the combination of browser characteristics, which is the basis of fingerprinting techniques that allow advertisers to identify an individual indirectly.

When you use browser fingerprinting for tracking website visitors, it constitutes “personal data processing” and is covered by the GDPR. In fact, the law aims to protect consumers against covert data collection made possible by techniques such as browser fingerprinting—even though the law doesn’t mention specific methods explicitly to remain technologically neutral.

So while GDPR does not ban the use of browser fingerprinting explicitely, it does require companies to be transparent about the data collection process and ask for consent when personal data processing is involved–and that can be very tricky with a technique like fingerprinting.

If you use browser fingerprinting techniques on your website or web app, you should implement a solution that can solicit consent in a manner compliant with the GDPR. For example, allow users to choose whether they permit or reject such tracking.

According to the Commission Nationale de l’Informatique et des Libertés (CNIL), “the development of alternative [sic] to third-party cookies must not be made at the expense of the Internet user’s right to protection of their personal data and privacy.”” As such, tracking must rely on the informed choice of the visitor.

For their part, California regulators have made clear that fingerprinting falls squarely under the definition of Cross-Context Behavioral Advertising, and that the data used to create hashes in considered personal data under the CCPA, and now the CPRA. As such, it is required to let users opt-out of the sale or sharing of that data.