You Blocked the Cookies. You're Still Being Tracked — Browser Fingerprinting Explained

The cookie consent banner became the defining UI pattern of the modern web after GDPR enforcement began in 2018. Click "Reject All," feel satisfied, move on. What most users don't know is that the advertising and analytics industry had already moved on too — to fingerprinting, a tracking technique that doesn't use cookies, stores nothing on your device, and requires no consent under most current legal frameworks.
What Browser Fingerprinting Actually Is
Every browser reveals an enormous amount of information about itself and the device it's running on — not through any security vulnerability, but through the normal operation of web standards. Your browser reports its user agent string (browser name, version, OS), the fonts installed on your system, your screen resolution and color depth, your timezone, the plugins and extensions installed, how your GPU renders specific graphics operations (canvas fingerprinting), how your audio hardware processes specific waveforms (audio fingerprinting), and dozens of other attributes.
No single attribute uniquely identifies you. But combined, they form a fingerprint that is statistically unique in a large fraction of cases. Research by the Electronic Frontier Foundation's Panopticlick project found that the combination of browser, OS, screen resolution, timezone, and installed plugins made 83.6% of browsers uniquely identifiable. Modern fingerprinting systems use 50-100+ attributes and achieve considerably higher uniqueness rates.
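The arithmetic behind this, as an added example that is not part of the original article: it measures how much each attribute narrows the crowd on its own and in combination. The eight browsers and their attribute values are constructed sample data, and the function names are illustrative.

```javascript
// Constructed sample population (not measurement data): 8 browsers, 3 attributes.
const population = [
  { ua: "Chrome/Windows", screen: "1920x1080", tz: "Europe/Berlin" },
  { ua: "Chrome/Windows", screen: "1920x1080", tz: "America/New_York" },
  { ua: "Chrome/Windows", screen: "2560x1440", tz: "Europe/Berlin" },
  { ua: "Chrome/Windows", screen: "2560x1440", tz: "America/New_York" },
  { ua: "Firefox/Linux", screen: "1920x1080", tz: "Europe/Berlin" },
  { ua: "Firefox/Linux", screen: "1920x1080", tz: "America/New_York" },
  { ua: "Firefox/Linux", screen: "2560x1440", tz: "Europe/Berlin" },
  { ua: "Firefox/Linux", screen: "2560x1440", tz: "Europe/Berlin" },
];

// Join the chosen attributes into one comparable value.
const keyOf = (row, attrs) => attrs.map((a) => row[a]).join("|");

// Count how many browsers share each combined value.
function groupCounts(rows, attrs) {
  const counts = new Map();
  for (const row of rows) {
    const k = keyOf(row, attrs);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Shannon entropy in bits of the chosen attribute combination.
function entropyBits(rows, attrs) {
  let h = 0;
  for (const c of groupCounts(rows, attrs).values()) {
    const p = c / rows.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Fraction of browsers whose combined value nobody else shares.
function uniqueFraction(rows, attrs) {
  const counts = groupCounts(rows, attrs);
  const unique = rows.filter((r) => counts.get(keyOf(r, attrs)) === 1).length;
  return unique / rows.length;
}

// Anonymity set: how many browsers are indistinguishable from `row`.
function anonymitySet(rows, attrs, row) {
  return groupCounts(rows, attrs).get(keyOf(row, attrs)) || 0;
}

const ALL = ["ua", "screen", "tz"];
for (const attrs of [["ua"], ["screen"], ["tz"], ALL]) {
  console.log(attrs.join("+"), entropyBits(population, attrs).toFixed(2),
    "bits,", uniqueFraction(population, attrs) * 100 + "% unique");
}
```

On this sample every single attribute leaves each browser in a group of at least three, while the three attributes together single out six of the eight.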
Canvas and WebGL: The Most Powerful Signals
Canvas fingerprinting exploits the fact that different combinations of GPU, driver, OS, and font rendering produce slightly different pixel outputs when drawing the same shape or text. A fingerprinting script renders invisible text and shapes to an HTML5 canvas element, reads the pixel values back, and hashes the result. This hash is stable across sessions — it doesn't change when you clear cookies, use private browsing, or restart your browser — and is highly unique because GPU rendering pipelines vary at the hardware and driver level.
WebGL fingerprinting extends this to 3D rendering: scripts query the specific GPU renderer string (e.g., "ANGLE (Intel, Intel(R) UHD Graphics 620 Direct3D11 vs_5_0 ps_5_0)"), render WebGL scenes, and read back the resulting framebuffer. The combination of GPU vendor, model, driver version, and rendering output narrows the fingerprint further.
Why It's Legal (For Now)
GDPR and CCPA both define "personal data" as information that can identify a natural person. Fingerprints don't directly identify a person — they identify a device/browser combination. The Article 29 Working Party (now the European Data Protection Board) has stated that fingerprinting likely does constitute personal data processing under GDPR. But enforcement has been limited — regulators have been preoccupied with more obvious violations, and fingerprinting is technically complex to audit in enforcement proceedings.
The emerging legal risk is under GDPR Article 25 (data protection by design) and under national implementations that have begun treating fingerprinting as requiring consent. France's CNIL explicitly ruled in 2020 that fingerprinting requires consent. Germany's data protection authorities have taken similar positions. But implementation and enforcement lag behind the technology.
What Actually Reduces Fingerprinting
This is where the picture is more nuanced than "nothing works." Several approaches have real effect:
The Tor Browser normalizes the fingerprint deliberately — it makes every Tor user's browser report the same attributes, eliminating uniqueness. The cost is significant: JavaScript performance is reduced, many sites break, and the browsing experience is visibly degraded. But it's the only approach that comprehensively addresses fingerprinting at the protocol level.
Firefox's Fingerprinting Protection (enabled in strict mode via Enhanced Tracking Protection) applies fingerprint randomization — it introduces controlled noise into canvas, WebGL, and other high-entropy APIs, making the fingerprint unstable across sessions. This doesn't make you untrackable but breaks the stability that makes fingerprints useful for cross-session tracking.
Brave Browser uses a similar randomization approach, with the added step of blocking known fingerprinting scripts. Independent research has found Brave's fingerprint protection to be among the most effective in mainstream browsers.
Blocking JavaScript eliminates canvas and WebGL fingerprinting but breaks essentially every modern website.
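Why the randomization used by Firefox and Brave breaks cross-session tracking, as an added model that is not code from the article or from either browser: a simulated canvas readback is hashed with and without per-session noise. The pixel buffer, the noise rule (flip the lowest bit of roughly 10% of bytes), the seeds, and the FNV-1a stand-in hash are all assumptions chosen for illustration.

```javascript
// FNV-1a 32-bit: a small stand-in hash for this demo, not what any browser or script uses.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Small seeded PRNG (mulberry32-style) so noise is reproducible for a given seed.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed stand-in for a canvas readback: bytes that depend only on the device.
function renderCanvas(deviceSeed, size = 256) {
  const rand = prng(deviceSeed);
  return Uint8Array.from({ length: size }, () => Math.floor(rand() * 256));
}

// Hypothetical protection: flip the lowest bit of some bytes, keyed by a per-session seed.
function protectedReadback(pixels, sessionSeed) {
  const rand = prng(sessionSeed);
  return pixels.map((v) => (rand() < 0.1 ? v ^ 1 : v));
}

// Largest change to any single byte, i.e. how visible the noise is.
function maxDelta(a, b) {
  return a.reduce((m, v, i) => Math.max(m, Math.abs(v - b[i])), 0);
}

const device = renderCanvas(0xc0ffee);
// Unprotected: two separate sessions on the same device read back identical bytes.
const plain = [fnv1a(renderCanvas(0xc0ffee)), fnv1a(renderCanvas(0xc0ffee))];
// Protected: each session perturbs the readback with its own seed.
const sessionA = fnv1a(protectedReadback(device, 1));
const sessionB = fnv1a(protectedReadback(device, 2));
console.log({ plain, sessionA, sessionB });
```

The unprotected hash repeats across sessions, while the protected hashes differ from it and from each other even though no byte changes by more than 1.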
The realistic position for most users: a mainstream browser with fingerprint protection enabled (Firefox strict mode or Brave) significantly reduces fingerprinting effectiveness without requiring Tor-level friction. It won't make you invisible to determined trackers, but it raises the cost of cross-session correlation enough to matter for advertising-grade tracking.