You cleared your cookies. You switched to private browsing. You even tried a VPN. And yet the website still knew it was you.
Browser fingerprinting is why - and it works by reading signals from your device that you cannot delete, clear, or turn off.
What Is Browser Fingerprinting?
Browser fingerprinting identifies you by combining technical details about your browser and device into a unique profile. Your GPU model, installed fonts, screen resolution, audio hardware, timezone, and language settings are all read silently - no permission prompt, no cookie banner, no storage on your device.
Each individual signal is not unique. Millions of people have a 1920×1080 screen. Millions use Chrome on Windows. But when you combine 13 or more signals together, the resulting fingerprint is statistically unique for 83–90% of users, according to research from AmIUnique.org and the EFF's Panopticlick project.
Unlike cookies, fingerprinting leaves no trace on your device. There is nothing to clear, nothing to block with standard privacy settings, and nothing that resets when you close your browser.
Cookies vs. Fingerprinting: The Key Difference
| Cookies | Fingerprinting | |
|---|---|---|
| Stored on your device? | Yes | No |
| Can you delete it? | Yes | No |
| Blocked by incognito? | Partially | No |
| Blocked by cookie banners? | Yes (if compliant) | Rarely |
| Requires GDPR consent? | Yes | Yes - but often ignored |
| Survives browser reset? | No | Yes |
The 13 Signals That Make Up Your Fingerprint
Here are the main vectors websites use, ranked by how much identifying information each contributes (measured in entropy bits):
🔖 User Agent String - 10.5 bits (High)
Your browser's identity card. Reports your exact browser name, version, OS, and CPU architecture. A single string that narrows you to a very small group.
🎨 Canvas Fingerprint - 8.5 bits (High)
The website draws invisible shapes on a hidden canvas element and reads back the pixel data. Your GPU and OS render these slightly differently, creating a hash unique to your hardware.
🔤 Installed Fonts - 7.5 bits (High)
The exact set of fonts on your system is surprisingly unique. Design tools, games, and work applications all install custom fonts. The combination is often one-of-a-kind.
🔺 WebGL / GPU Renderer - 7.2 bits (High)
WebGL exposes your exact GPU model and driver version to every website without any permission required. Your graphics card is effectively signing every page you visit.
🔊 Audio Fingerprint - 5.4 bits (High)
A silent tone is processed through your audio hardware using the Web Audio API. The tiny differences in how your chip handles it create a unique signature - completely invisible and inaudible.
📐 Screen Resolution - 4.8 bits (Medium)
Your screen width, height, color depth, and device pixel ratio. Multi-monitor and high-DPI configurations are especially distinctive.
🌍 Browser Language - 4.2 bits (Medium)
The languages your browser is configured to use. Multilingual users with uncommon language pairs can be nearly uniquely identified from this single vector.
⚙️ Hardware Profile - 3.1 bits (Medium)
CPU core count and RAM. Combined with other signals, this narrows your device to a small group.
🕐 Timezone - 3.8 bits (Medium)
Your browser reports your real timezone even behind a VPN. A mismatch between your IP geolocation and timezone is a classic VPN detection signal.
How Websites Actually Use Your Fingerprint
The most common uses are ad tracking, fraud detection, and paywall enforcement.
Ad networks build profiles of your browsing behavior across thousands of sites and use fingerprinting to link those sessions together even when you clear cookies. Banks use fingerprinting as a fraud signal - a sudden change in fingerprint triggers verification challenges.
News sites and streaming platforms use fingerprinting to enforce article limits and free trial periods. Clearing cookies resets the counter; fingerprinting does not.
More troublingly, data brokers purchase fingerprint-linked browsing profiles and combine them with offline data. A 2025 investigation found that some brokers could link anonymous browsing sessions to real names and addresses through fingerprint data alone.
Is Browser Fingerprinting Legal?
Under GDPR, fingerprinting constitutes processing of personal data because it creates a unique identifier. This means it requires a lawful basis - almost always consent - and must be disclosed. In practice, most websites outside the EU fingerprint without consent.
Under CCPA and CPRA, browser fingerprints qualify as unique personal identifiers, giving California residents the right to opt out of their sale. Most US state privacy laws passed since 2023 include similar provisions.
The EU's ePrivacy Directive specifically covers fingerprinting and requires consent, but enforcement has been inconsistent.
How to Reduce Your Browser Fingerprint
→ Switch to Brave Browser (highest impact)
Brave actively randomizes canvas, WebGL, audio, and font fingerprinting vectors on every page load. The only mainstream browser with built-in fingerprint randomization that changes per session.
→ Use the Tor Browser (maximum anonymity)
Tor makes every user appear identical by standardizing all fingerprinting vectors. Trade-off: significantly slower browsing.
→ Firefox with Strict Mode (good balance)
Firefox's Enhanced Tracking Protection in strict mode blocks known fingerprinting scripts and restricts font enumeration.
→ Install CanvasBlocker (partial)
A Firefox extension that randomizes canvas fingerprinting output. Effective against canvas tracking but leaves WebGL and audio untouched.
The Paradox of Anti-Fingerprinting
There is a cruel irony at the heart of fingerprinting defense: some protective measures can make you more distinctive.
Enabling Do Not Track, for example, is set by only about 12% of users - meaning having it on is itself a fingerprinting signal. Using an uncommon browser or heavily customizing privacy settings can make your fingerprint more unique rather than less.
The most effective defense is not customization but standardization - using browsers designed to make all users appear identical, like Tor.
Test Your Own Fingerprint
The best way to understand your exposure is to see it directly.
TrustScan's Browser Fingerprint Analyzer runs 13 tracking vectors against your browser, calculates your entropy score, and shows exactly which signals are most identifying - with specific reduction steps.
It runs entirely in your browser. Nothing is collected or transmitted. Free, no account required.
The Bottom Line
Browser fingerprinting is the tracking technique that works after everything else fails. It does not use cookies. It cannot be cleared by standard browser settings. It is not defeated by a VPN alone. And it is used by thousands of advertising networks and data brokers right now.
Understanding what it is - and testing your own exposure - is the first step to making informed decisions about your browser and your privacy.
Originally published at trustscan.dev. TrustScan is a free privacy and security toolkit - 100% client-side, no data collected.
Top comments (0)