What is device fingerprinting, and how does it work?
Whenever you go online, your device quietly shares small pieces of information about itself: its model, operating system, language, time zone, network type, and even the sensors it uses. On their own, these details don’t seem important. But when combined, they can form a unique digital signature that identifies your device wherever it connects.
In this guide, we’ll explain what device fingerprinting is, how it works behind the scenes, why it’s used, and what it means for your privacy. Plus, we’ll give you a few practical ways to reduce how much your device gives away.
What is device fingerprinting?
Device fingerprinting is the process of collecting different details about your device to create a unique profile. This can include hardware specs (like screen resolution or graphics card), software details (operating system, browser version, installed fonts or plugins), and even behavioral patterns (such as typing speed or mouse movements). Because this takes place silently in the background, most people don’t realize this information is being collected.
By combining these data points, companies and advertisers can reliably recognize your device whenever it connects. Unlike cookies, which can be deleted, a fingerprint cannot be easily removed.
In practice, device fingerprinting is used in a variety of ways: to stop fraud in banking and e-commerce, to track users across websites for targeted advertising, and to personalize online experiences. These applications are what make fingerprinting both powerful and controversial, and why its legality is a subject of debate.
Learn more: Device fingerprinting is a more advanced form of browser fingerprinting. While browser fingerprinting focuses mainly on passive browser attributes, device fingerprinting goes further. It actively uses JavaScript on the client side and collects additional data points to create more stable, unique identifiers.
How does device fingerprinting work?
To understand how fingerprinting works behind the scenes, it helps to break the process down into three main stages.
1. Data collection and identifier creation
A small script embedded in the webpage or app collects attributes, such as:
- Browser type and version
- Operating system and language settings
- Screen resolution and color depth
- Installed fonts and plugins
- Time zone and local time
- Hardware details like GPU or CPU type
- Network information (e.g., IP address, connection type)
Once gathered, they’re processed and combined (often hashed) into a single identifier: a unique device ID. Depending on the implementation, this process may merge browser, hardware, and system details into one distinct fingerprint representing the user’s environment.
2. Comparison and recognition
Once a fingerprint is created, it’s compared against stored identifiers.
- First-time visitors: The fingerprint is saved to the database.
- Returning visitors: The new fingerprint is compared to the saved one to verify whether it matches.
If the fingerprint matches an existing trusted profile, the system might streamline login or checkout. If it differs significantly, some systems use this comparison to decide whether additional authentication is needed, helping reduce fraud risks.
3. Continuous adaptation
Device fingerprints evolve over time: software updates, new networks, or browser changes can alter the collected data. To maintain accuracy, systems use approximate or adaptive matching, allowing for small variations in device attributes when judging whether users are legitimate.
This dynamic approach enables fingerprinting to remain useful for both fraud prevention and security analytics without relying solely on cookies.
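The three stages above, written out as a server-side sketch in Python. This is an added example, not code from the original article or from any fingerprinting product; the attribute names, weights, and the 0.75 threshold are assumptions, and the sample profiles are constructed. It also shows why an exact hash alone stops matching after a routine browser update, which is what the adaptive step compensates for.

```python
import hashlib
import json

# Constructed weights (an assumption): stable hardware traits count more than volatile ones.
WEIGHTS = {"os": 3, "gpu": 3, "screen": 2, "fonts": 2, "timezone": 1,
           "language": 1, "browser": 1, "ip": 1}
STEP_UP_BELOW = 0.75  # hypothetical threshold for requiring extra authentication

def device_id(attrs):
    """Stage 1: hash a canonical (sorted-key) serialization into one identifier."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def similarity(stored, seen):
    """Stage 3: weighted share of attributes that still agree (0.0 to 1.0)."""
    total, agree = sum(WEIGHTS.values()), 0.0
    for key, weight in WEIGHTS.items():
        a, b = stored.get(key), seen.get(key)
        if key == "fonts":  # font sets drift gradually, so score by Jaccard overlap
            a, b = set(a or []), set(b or [])
            agree += weight * (len(a & b) / len(a | b) if a | b else 1.0)
        elif key == "browser":  # tolerate version bumps: compare the family only
            agree += weight * (str(a).split("/")[0] == str(b).split("/")[0])
        else:
            agree += weight * (a == b)
    return agree / total

def assess(profiles, account, seen):
    """Stage 2: enroll first-time visitors, otherwise compare with the saved profile."""
    stored = profiles.get(account)
    if stored is None:
        profiles[account] = seen
        return "enrolled"
    if device_id(stored) == device_id(seen):
        return "trusted"
    if similarity(stored, seen) >= STEP_UP_BELOW:
        profiles[account] = seen  # adapt: remember the drifted profile
        return "trusted"
    return "step_up"  # differs significantly: ask for additional authentication

# Constructed sample data, not real device values.
LAPTOP = {"os": "Windows 11", "gpu": "Example GPU A", "screen": "1920x1080x24",
          "fonts": ["Arial", "Calibri", "Verdana"], "timezone": "Europe/Berlin",
          "language": "de-DE", "browser": "Firefox/128", "ip": "192.0.2.10"}
UPDATED = dict(LAPTOP, browser="Firefox/129", ip="198.51.100.7")
OTHER = {"os": "Linux", "gpu": "Example GPU B", "screen": "1366x768x24",
         "fonts": ["DejaVu Sans"], "timezone": "UTC", "language": "en-US",
         "browser": "Chrome/126", "ip": "203.0.113.5"}
```

Calling `assess` with `LAPTOP`, then `UPDATED`, then `OTHER` for the same account walks through enrollment, a tolerated drift, and a step-up decision.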
Is device fingerprinting legal?
The legality of device fingerprinting depends on the region and the purpose for which it’s used.
Please note: Information in this section is provided for general awareness and does not constitute legal advice.
GDPR implications
Device fingerprinting is not explicitly illegal, but it falls under strict data protection frameworks because it involves collecting information that can identify or single out a user. Under the General Data Protection Regulation (GDPR), data such as IP addresses or cookie identifiers are considered personal data since they can indirectly identify an individual.
Legal basis for processing
Under Article 6 of the GDPR, processing personal data is lawful only if at least one of the following conditions applies:
- The user has given explicit consent for their data to be processed for a specific purpose.
- Processing is necessary for the performance of a contract, compliance with a legal obligation, or the protection of vital interests.
- Processing is necessary for legitimate interests pursued by the controller, provided these interests do not override the user’s fundamental rights and freedoms.
In practice, fingerprinting for fraud detection or network security can rely on legitimate interest, while fingerprinting for marketing, analytics, or behavioral profiling generally requires prior user consent.
Transparency and user control
Under Articles 5 and 7 of the GDPR, personal data must be processed lawfully, fairly, and transparently. Data controllers must inform users about what data is collected and for what purposes.
Consent must be freely given, informed, specific, and revocable. Fingerprinting carried out silently or without user knowledge violates these transparency and consent principles.
The ePrivacy Directive 2002/58/EC, Article 5(3), also requires consent for storing or accessing information on a user’s device for purposes beyond what is strictly necessary to deliver the service. The European Data Protection Board has clarified that device fingerprinting falls under this rule, even if no data is stored on the device.
U.S. jurisdictions
In the U.S., several privacy laws regulate the collection and use of data that can identify or be linked to a consumer or household.
Under the California Civil Code, this includes identifiers like IP addresses, online identifiers, and device-related information, as well as Internet or other electronic network activity information, such as browsing history and interactions with websites or applications.
The Virginia Consumer Data Protection Act (VCDPA) defines personal data as any information “linked or reasonably linkable to an identified or identifiable natural person” and grants consumers the right to opt out of processing for targeted advertising, sale, or profiling.
The Colorado Privacy Act (CPA) defines personal data as information “that is linked or reasonably linkable to an identified or identifiable individual” and grants consumers the right to opt out of the processing of personal data for targeted advertising, sale, or profiling.
Unlike the GDPR’s opt-in model, which requires user consent before any data is collected, most U.S. privacy laws use an opt-out approach. This means companies can process personal or device-related data by default, but they must clearly disclose their practices and provide users with accessible ways to opt out of data sales, sharing, or targeted advertising.
Application and benefits of device fingerprinting

Enhanced security measures
Device fingerprinting plays an important role in fraud prevention across industries like banking, e-commerce, and fintech, where detecting suspicious activity early helps protect user accounts and transactions.
This technique is widely adopted by financial platforms, where risk-based authentication ensures that logins from trusted devices remain frictionless, while unfamiliar or high-risk attempts trigger adaptive security checks. Social and gaming services use similar logic to verify new device logins.
More advanced systems extend fingerprinting into continuous authentication, verifying that the device and its environment remain consistent throughout a user session. If anomalies arise (like a sudden change in location, hardware signature, or browser context), the system can automatically suspend activity or prompt reauthentication.
Marketing and e-commerce applications
Device fingerprinting provides measurable value in marketing and e-commerce by helping businesses understand user behavior, personalize experiences, and measure engagement without relying on cookies. Because fingerprint data is stored server-side, it remains persistent even when users clear cookies or switch browsers, making it a reliable alternative for analytics and campaign tracking.
Use cases in e-commerce
E-commerce platforms use device fingerprinting to recognize returning shoppers, streamline checkout, and deliver personalized recommendations.
For example, when a returning customer uses a familiar device, the system can securely prefill preferences or loyalty details, improving both conversion rates and satisfaction while keeping transactions safe.
Retailers also use fingerprinting to balance personalization with fraud prevention.
Device fingerprinting in adtech
In advertising, fingerprinting enables cross-device tracking, helping brands connect user interactions across desktop, mobile, and smart TV environments. Some advertisers use it to fill the gaps left by cookies.
For instance, if a user clicks an ad on a laptop but completes the purchase on a phone, the system can attribute both actions to the same user journey, providing clearer insight into which channels drive conversions.
Advertising companies can use fingerprinting to maintain coherent audience profiles, avoid repetitive ad exposure, and improve the accuracy of performance data used for targeting and frequency capping.
How to reduce device fingerprinting
You can’t completely block device fingerprinting, since it relies on your hardware and system settings (things your browser or apps need to function). But if you want to limit unwanted or invasive fingerprinting, you can take steps to reduce how much information your device reveals online.
Use privacy-focused browsers and apps
Browsers like Tor, Brave, or Firefox are designed to reduce tracking signals that fingerprinting relies on. Pairing them with privacy-protective apps helps further limit data shared with websites or advertisers.
Limit cross-site and app tracking
When device data is collected, it’s often cross-referenced with cookies or app trackers to build detailed profiles. Disabling cross-site tracking in your browser or mobile settings reduces how much data can be tied to your device.
Connect through a VPN
A VPN can’t block fingerprinting entirely, but it hides your IP address and location, making it harder to connect your device fingerprint to you personally. With trusted providers like ExpressVPN, your traffic is encrypted and mixed with that of many other users, making fingerprinting data far less useful.
Learn more: No single tool can guarantee anonymity, but combining the right ones can help. Read about how privacy and anonymity differ and how to strengthen each.
Device fingerprinting vs. cookies: Key differences
Cookies and device fingerprinting can both be used for analytics, personalization, and ad targeting, but they differ in how signals are collected, where identifiers live, and how much control users have.
| | Device fingerprinting | Web cookies |
| --- | --- | --- |
| Data collected | Details about your browser, operating system, hardware, and even how your device renders graphics (user agent, fonts, canvas/WebGL, etc.). | Key-value data written by a site, such as session IDs, preferences, or analytics and ad identifiers. |
| Where it’s stored | Fingerprints are built and stored on the server side, not on your device. | Cookie data lives on your device, inside the browser. |
| Blocking and prevention | Hard to block completely. Modern browsers try to reduce fingerprinting accuracy, but it can’t be fully eliminated. | Easy to manage: users can block, clear, or delete cookies anytime in their browser settings. |
| Privacy impact | High: users can’t easily view or reset their fingerprint, and it tends to be highly distinctive. | Varies: essential cookies have low impact, while tracking or third-party cookies can have a medium to high impact, but are visible and manageable. |
| Typical uses | Fraud detection and account security; with consent, also analytics, ad tracking, and cross-device measurement. | Session management and logins; with consent, analytics, personalization, and advertising. |
| Uniqueness and persistence | Usually highly distinctive and survives cookie deletion, making it long-lasting. | Persists until it expires or is deleted; much easier to reset. |
FAQ: Common questions about device fingerprinting
Is Google allowing device fingerprinting?
Yes, Google allows organizations using its advertising products to use device fingerprinting techniques, a move criticized by regulators like the U.K.'s Information Commissioner's Office (ICO).
What industries commonly use device fingerprinting?
Device fingerprinting is widely used in finance, e-commerce, and marketing. For advertisers, the main goal is to improve ad campaign analytics and tracking, especially as users move between multiple devices and browsers. Fraud prevention is a large driving force behind the adoption of device fingerprinting in the financial sector, where innovations are constantly being made to protect users and customers.
How accurate is device fingerprinting?
Device fingerprinting is very accurate because it combines many device, browser, and network details into a unique ID. It can usually recognize the same device even after minor changes.