What Is Device Fingerprinting and How Does It Work?
When advertising migrated from the offline world to the online one, it brought with it a capability that had never really existed before: individual-level ad targeting. Rather than relying on contextual cues — placing a boat ad in a boating magazine — advertisers could reach users based on their browsing behaviour, location, and a growing portfolio of other signals.
From the mid-2000s onward, that capability rested almost entirely on web cookies. Over time, though, cookies became less reliable. Users delete them regularly, browsers have progressively limited their use, and the rise of ad blockers made cookie-based tracking easier to detect and circumvent.
To keep behavioural targeting viable and give advertising platforms a more durable way to identify users across the web, a different form of web tracking emerged: device fingerprinting.
What Is Device Fingerprinting?
Device fingerprinting — also referred to as canvas fingerprinting, browser fingerprinting, or machine fingerprinting — is a process that identifies a device or browser based on its specific, unique configuration. Unlike web cookies, which are stored client-side (on the user's device), device fingerprints are stored server-side in a database. The user never receives the identifier back; it lives entirely on the collecting party's infrastructure.
What Information Is Collected to Create a Device Fingerprint?
On top of session cookies, device fingerprinting draws on a wide range of data points transmitted with every web request sent to a server. Fingerprinting services typically build identifiers from some combination of the following:
- IP address
- HTTP request headers
- User agent string
- Installed plugins
- Client time zone
- Device characteristics: screen resolution, touch support, operating system, and language
- Flash data provided by a Flash plugin
- List of installed fonts
- Silverlight data
- List of MIME types
- Timestamp
| Browser Characteristic | Bits of identifying information | One in x browsers have this value | Value |
|---|---|---|---|
| Limited supercookie test | 0.37 | 1.3 | DOM Storage: No, IE userData: No |
| Hash of canvas fingerprint | 2.63 | 99.2 | f46922f259a12307f4c07fad3730512b |
| Screen Size and Color Depth | 5.9 | 59.55 | 1280x720x16 |
| Browser Plugin Details | 3.92 | 31.23 | mhjfbmdgcfjbbpaeojofohoefgiehjai; (application/pdf; pdf). Plugin 2: Native Client;. |
| Time Zone | 2.54 | 5.23 | -140 |
| DNT Header Enabled? | 0.31 | 1.56 | True |
| HTTP_ACCEPT Headers | 45.59 | 6161.91 | text/html, */*; q=0.01 gzip, deflate, br en-GB,pl;q=0.9,en-GB;q=0.8,en;q=0.7,en-US;q=0.6 |
| Hash of WebGL fingerprint | 5.92 | 60.57 | 11fffee82a36eea5f6e361557098 |
| Language | 8.74 | 423.69 | en-GB |
| System Fonts | 1.69 | 35.17 | Arial, Arial Black, Arial Narrow, Book Antiqua, Bookman Old Style, Calibri, Cambria, Consolas, Courier, Courier New, Garamond, Georgia, Helvetica, Impact, Lucida Bright, Lucida Calligraphy, Lucida Fax, Lucida Handwriting, Lucida Sans, Lucida Sans Typewriter, Lucida Sans Unicode, Microsoft Sans |
Why Use Device Fingerprinting?
As consumers carry out more and more activities across multiple devices, connecting their behaviour into a coherent picture becomes increasingly difficult. Conventional tracking methods compound the problem:
- Cookies don't track mobile reliably. Cookie-based tracking has never offered a dependable solution for mobile usage.
- Cookies are easily deleted. A user who clears their browser history wipes out the tracking record along with it.
- Cookies are visible to ad blockers. Because cookie-based ad calls follow recognizable patterns, ad blockers can identify and suppress them — a growing concern given that ad blocker adoption has continued to climb year over year.
Device fingerprinting provides a fallback identification mechanism when cookies fail or are absent.
A practical example: A user browses travel sites, clicks a banner ad for an all-inclusive Paris holiday package, then closes the browser without booking — potentially clearing the associated cookies in the process. The next day, they navigate directly to the travel agency's website and complete the booking. Without cookies, the agency has no way to credit the original banner ad with the conversion. With device fingerprinting, however, it's possible to recognize that the same browser configuration was present during both sessions, and correctly attribute the booking to the original ad interaction.
How Does Device Fingerprinting Work?
The process begins when a user visits a website. A device fingerprint tracker — typically a JavaScript snippet — collects relevant device and browser attributes (browser version and type, OS, installed fonts, plugins, and so on).
The approach is conceptually similar to the detective board game Clue: no single data point conclusively identifies a person, but combining enough of them makes it possible to apply statistical analysis and narrow the field to a single individual.
Fingerprinting providers assemble these data points and generate a unique hash — the fingerprint itself. When used alongside cookies or other identifiers, tracking and attribution accuracy improves significantly.
There are real costs to this approach, though. Calculating the hash and storing all associated data is computationally intensive. Because the fingerprint is never distributed back to the browser (unlike a cookie), it must be retained server-side in a database, which demands substantial storage capacity. The upside for the collecting party is that this architecture makes the process almost impossible for end users to detect or block.
Fingerprints can also be enriched over time. By identifying patterns of similar fingerprints originating from similar sources, it becomes possible to link a single user's identity across multiple devices — enabling cross-device attribution even without a shared login.
There is ongoing industry debate about the use of device fingerprinting in combination with cookies to construct what some call a "supercookie" or "evercookie" — a persistent identifier that survives ordinary privacy-clearing measures.
What Is My Device Fingerprint?
A device fingerprint is the collected set of attributes that identifies a particular device or browser. Determining whether fingerprinting is active on a given website is generally difficult for ordinary users.
Several tools exist for those who want to inspect or limit their own fingerprint exposure:
- Panopticlick (EFF) and AmIUnique audit browsers and generate reports on how identifiable a device fingerprint is.
- Privacy Badger, Do Not Track Me, and Ghostery offer browser-level protections against non-consensual tracking.
- The Tor Browser provides more robust protection against fingerprint-based tracking.
There is an irony worth noting here: the more privacy-focused browser extensions a user installs, the more unique their browser configuration becomes — and the more identifiable they are through fingerprinting. Privacy Badger, Do Not Track Me, Ghostery, and similar tools paradoxically increase the distinctiveness of the browser's configuration, making that particular combination of settings stand out.
Possible Use Cases of Device Fingerprinting
Even when many users share the same device model, their individual configurations diverge quickly — different browsers, plugin sets, system fonts, and hardware variations mean the number of identical fingerprints in the wild is vanishingly small. Two users with the same laptop model are very unlikely to produce the same fingerprint.
Device fingerprinting is most commonly associated with advertising, but it has several legitimate applications that have nothing to do with marketing:
Analytics and Ad Tracking
The most common application is analytics. In a web analytics context, device fingerprinting provides an accurate way to identify and count unique (returning) visitors. AdTech vendors also use it to build user profiles for personalized ad targeting across the web.
Preventing Credit Card and Bank Fraud
Financial institutions use device fingerprinting to detect anomalies in online banking sessions — for example, identifying whether a session has been hijacked mid-flow. It also helps flag credit card fraud: even if a fraudulent request comes through a proxy, uses a different card number or cardholder name, or spoofs an IP address, the underlying device fingerprint may still match previous fraudulent activity, making the request stand out.
Combating eCommerce Fraud
In eCommerce, device fingerprinting helps determine whether an order originates from a known fraudster. Legitimate customers tend to have consistent, predictable fingerprints. Orders that deviate significantly from established patterns, or that match fingerprints already associated with fraud, can be flagged for review or cancellation.
The Impact of GDPR on Device Fingerprinting
GDPR's treatment of personal data creates real complexity for fingerprinting. Even though a device fingerprint doesn't capture obviously personal information like a name or email address, it still falls within the regulation's definition of personal data. The underlying principle is that fingerprint data relates to an individual and can be used to identify them — directly or indirectly.
Under GDPR, personal data encompasses any information that could be used to identify an individual — not necessarily to establish their full identity, but simply to recognize them as a returning or distinct person. That framing brings both cookies and device fingerprints into scope.
GDPR Article 4 defines personal data as any information relating to an identified or identifiable natural person, including identification via online identifiers such as cookies, device IDs, and IP addresses. Device fingerprints qualify under that definition in most practical scenarios.
It is worth noting that GDPR is technology-agnostic. It doesn't single out device fingerprinting specifically; rather, it sets general rules for tracking users online, regardless of the technical method employed.
Can Device Fingerprinting Be Legal Under GDPR?
Processing personal data under GDPR is permissible when it satisfies one of six lawful bases. For device fingerprinting, the two most relevant are legitimate interest and consent.
To rely on legitimate interest, an organization must demonstrate that the processing doesn't override the rights and freedoms of the individuals whose data is being processed. In practice, that test is most easily met in specific, bounded contexts — fraud prevention and identity theft protection being the clearest examples. Relying on legitimate interest to justify fingerprinting for advertising or marketing is unlikely to hold up under scrutiny.
If the intended use is advertising or marketing, explicit user consent is required.
The ePrivacy Directive — which accompanies and complements GDPR — reinforces this position. According to the Article 29 Working Party, fingerprinting is covered by the ePrivacy Directive and requires user consent in most cases, even where the fingerprint data does not constitute personal data per se.
For organizations deploying device fingerprinting, the practical compliance path is straightforward in principle: assess whether a legitimate interest genuinely applies (and document that assessment), or obtain informed user consent before collecting and processing fingerprint data.
Summary
Cookies are losing their grip on web tracking due to deletion, browser restrictions, and ad blocker interference. Device fingerprinting — which collects a combination of browser, device, and network attributes and stores a unique hash server-side — offers a more durable identification method precisely because it is invisible to end users and nearly impossible to block.
That durability comes with regulatory weight. Under GDPR and the ePrivacy Directive, fingerprint data is personal data in most real-world contexts, and processing it for advertising requires explicit consent. For fraud prevention and identity protection, legitimate interest may apply — but only with a documented and defensible rationale.
For any organization considering device fingerprinting, the starting point should always be legal basis, not technical capability.