Fingerprinting: definition and use cases
5min • Jun 24, 2024 • Last updated on Sep 23, 2024
Alexandra Augusti
Strategy & Operations Manager
Fingerprinting is a technique used to identify a user based on the specific characteristics of their browser and device. With evolving regulations on data privacy and confidentiality, fingerprinting is becoming a top method for marketers looking to track people, especially with the increasing restrictions on third-party cookies.
👉🏼 This article aims to explain what fingerprinting is, how it works, and whether there are ways for users to escape it.
Definition
Browser fingerprinting is a probabilistic method used to uniquely identify a user on a website or a mobile application based on the unique characteristics of their browser and device.
It is important to note that, for accuracy, fingerprinting actually identifies a specific browser on a device. A consumer using multiple browsers / devices will have multiple fingerprints. Yet, as with cookies, it is possible to try and match these different user profiles to track users on different devices and offer an omnichannel experience.
This method collects data transmitted by the browser to a web server during visits to a website or use of an application. Shared information includes the operating system, browser version, time zone, browser identifier (known as user agent) or device information such as screen size or fonts installed. Some information comes from browser plugins, while other information is generally accessible through APIs provided by the browser's JavaScript engine.
Source: TMS Outsource
Combining this basic data generally creates a unique fingerprint for each user, distinguishing them from other web users.
Indeed, a study by the Electronic Frontier Foundation reveals that fingerprinting can uniquely identify over 90% of web users. This technique is not limited to computer use but also applies to smartphones and tablets, which also have distinctive attributes.
Fingerprinting is a method of tracking internet users that occurs without their consent and without easily allowing them to avoid it, raising significant issues related to privacy protection and data security.
Why is Fingerprinting Used?
Fingerprinting for Marketing
The digital fingerprint is mainly used by companies to recognize a user on a website or application in an almost infallible way, without requiring their consent or offering them an easy way to refuse. This method captures and analyzes the user's browsing behavior, preferences, and online habits.
This data collection is subsequently used in various cases, including personalized advertising campaigns, content adaptation, fraud prevention and statistical analysis.
By almost certainly identifying the person behind the device, advertising actions are much more personalized and therefore more effective.
💡 Dynamic pricing illustrates the use of fingerprinting by companies well. This strategy adjusts product or service prices based on demand, supply, and especially the buyer's profile. For example, a person noticing an increase in train ticket prices with each new visit, despite rejecting cookies, is likely experiencing browser fingerprinting. The website uses their digital fingerprint to identify them and displays higher prices, aiming to stimulate an impulsive purchase.
⚠️ It should be noted that browser fingerprinting can also be used for security reasons by companies. Therefore, completely eliminating it might not be advisable. For instance, a website may need a digital fingerprint to authorize a banking transaction.
Unfortunately, the line between legitimate and illegitimate use remains somewhat blurry. If a user detects a script retrieving information about their device resolution, they cannot determine whether the website aims to adjust page content to the device's size or if it is part of a broader fingerprint collected for tracking purposes.
Fingerprinting for Ensuring Persistent Tracking
By default, a cookie - either first-party or third-party - expires at the end of a session. The expiration date can be controlled, but increasing legal restrictions are limiting this duration. In any case, a user can still delete their cookies.
Third-party cookies are used to track online behavior and retarget customers
Compared to cookies, fingerprinting offers a more durable identification solution for companies. It is unlikely that a user will change their browser characteristics, operating system, or IP address, so the fingerprint stays unchanged. Cookies, on the other hand, can be easily deleted or blocked by the user or their browser. This is why the popularity of fingerprinting is growing among marketers, especially with the deprecation of third-party cookies on Mozilla and Safari and the new Privacy Sandbox experience on Google Chrome.
Can Fingerprinting be Limited?
Individual Actions
Unfortunately, there is no miracle method or technology to protect oneself from fingerprinting on the websites or applications you visit!
Fingerprinting is considered more invasive than third-party cookies, mainly because it does not require the user's consent to be implemented. This method relies on data communicated by the browser to a website or application, without the user having the option to refuse or even be informed in advance.
Unlike third-party cookies, which can be easily deleted, blocked, or controlled by the user or their browser, defending against fingerprinting is much more complex.
However, there are tricks to decrease the uniqueness of your digital fingerprint to make your identification less straightforward. For example, using a popular browser such as Chrome or Firefox (always with an up-to-date version) can help standardize your digital signature with that of other internet users.
Disabling features such as JavaScript, Flash, or HTML5 Canvas can also limit information collection. Adding extensions or using software dedicated to obscuring or modifying information transmitted by the browser - such as the 'user agent,' installed font types, or screen resolution - contributes to better control over what is shared online.
⚠️ However, be cautious... the more you try to combat fingerprinting, the more likely you are to be identifiable if you have a unique combination of settings and extensions.
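The combination effect described in the Definition section and the caveat above can both be measured as anonymity-set size: how many visitors share the same attribute values. The following is an added example, not code from the original article; the population is constructed sample data and the function names are illustrative.

```javascript
// Constructed sample population: one row per browser, holding the kind of
// attributes the article lists (user agent, time zone, screen size, fonts).
const population = [
  { ua: "Chrome/126 Win10",  tz: "Europe/Paris",  screen: "1920x1080", fonts: "default" },
  { ua: "Chrome/126 Win10",  tz: "Europe/Paris",  screen: "1920x1080", fonts: "default" },
  { ua: "Chrome/126 Win10",  tz: "Europe/Paris",  screen: "1366x768",  fonts: "default" },
  { ua: "Chrome/126 Win10",  tz: "Europe/Berlin", screen: "1920x1080", fonts: "default+office" },
  { ua: "Firefox/127 Win10", tz: "Europe/Paris",  screen: "1920x1080", fonts: "default" },
  { ua: "Firefox/127 Win10", tz: "Europe/Berlin", screen: "2560x1440", fonts: "default+dev" },
  { ua: "Safari/17 macOS",   tz: "Europe/Paris",  screen: "1440x900",  fonts: "default" },
  // Row 7: a visitor whose extension rewrites every value to something rare.
  { ua: "Spoofed/1.0",       tz: "UTC",           screen: "1000x1000", fonts: "none" },
];
const ALL = ["ua", "tz", "screen", "fonts"];

// Fingerprint key: the selected attribute values joined together.
const keyOf = (visitor, attrs) => attrs.map((a) => visitor[a]).join("|");

// For each visitor, how many visitors share the same key (the anonymity set).
function anonymitySetSizes(pop, attrs) {
  const counts = new Map();
  for (const v of pop) {
    const k = keyOf(v, attrs);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return pop.map((v) => counts.get(keyOf(v, attrs)));
}

// Share of visitors whose key is held by nobody else.
function uniqueFraction(pop, attrs) {
  return anonymitySetSizes(pop, attrs).filter((n) => n === 1).length / pop.length;
}

// Identifying information, in bits, that the chosen attributes reveal about one visitor.
function surprisalBits(pop, index, attrs) {
  return -Math.log2(anonymitySetSizes(pop, attrs)[index] / pop.length);
}

for (const attrs of [["ua"], ["tz"], ["screen"], ALL]) {
  console.log(attrs.join("+"), "unique:", uniqueFraction(population, attrs));
}
console.log("ua bits, common Chrome:", surprisalBits(population, 0, ["ua"]));
console.log("ua bits, spoofed UA:   ", surprisalBits(population, 7, ["ua"]));
```

In this sample no single attribute singles out more than half of the visitors, while the four attributes together single out three quarters of them; the spoofed user agent is unique on its own.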
Privacy Regulations
Personal data corresponds to any information that might be linked to an identifiable individual. It does not only cover IP or email address, but also less specific information (browser version, screen resolution, etc.), which is the basis of fingerprints.
Therefore, when fingerprinting is used by companies to track internet users, it constitutes “personal data processing” and is covered by both the GDPR and the CCPA. These data privacy regulations require companies to be transparent about data collection and data processing.
To be GDPR compliant, companies need to find a way to solicit user consent for such tracking. To be CCPA compliant, they must let users opt out of the sale or sharing of their personal data.
Browser Responses
Mainstream browser vendors such as Apple, Mozilla, and Google are also developing solutions to restrict fingerprinting:
For example, Apple obscures the information sent to make identification more complex.
Mozilla's Firefox integrates Enhanced Tracking Protection, blocking fingerprinting and crypto-mining scripts.
Google is exploring a Privacy Sandbox approach, aiming to offer solutions to replace third-party cookies. Among them, the “Privacy Budget” would limit the amount of data accessible to a company at a given time.
These efforts demonstrate that fingerprinting is a major issue in terms of online privacy and security. It is essential to educate oneself on this technique, how it works, and effective protection methods.
Conclusion
Fingerprinting, or digital fingerprinting on the internet, is a method used to identify a user based on the browser and equipment's specific characteristics. Its use is increasing among marketers to optimize their marketing performance, especially with the restrictions on third-party cookies.
Fingerprinting, especially when combined with other cookieless methods, can enhance user tracking effectiveness and help work around the restrictions on cookies.
However, fingerprinting remains highly controversial considering its impact on users' security and privacy. Therefore, it does not appear to be a sustainable solution to mitigate the impact of the end of these well-known cookies. We recommend leveraging your first-party data as much as possible in your marketing tools, particularly through the use of conversion APIs.
If you have questions or comments about the restrictions on third-party cookies and its solutions (including fingerprinting), please do not hesitate to contact us.