What Is Browser Fingerprinting? How Websites Track You Without Cookies (2026)
You cleared your cookies. You switched to private browsing. You even tried a VPN. And yet the website still knew it was you. Browser fingerprinting is why - and it works by reading signals from your device that you cannot delete, clear, or turn off.
What Is Browser Fingerprinting?
Browser fingerprinting is a tracking technique that identifies you by combining technical details about your browser and device into a unique profile. Your GPU model, installed fonts, screen resolution, audio hardware, timezone, and language settings are all read silently by websites - no permission prompt, no cookie banner, no storage on your device.
Each individual signal is not unique. Millions of people have a 1920ร1080 screen. Millions use Chrome on Windows. But when you combine 13 or more signals together, the resulting fingerprint is statistically unique for 83โ90% of users, according to research from AmIUnique.org and the EFF's Panopticlick project.
Unlike cookies, fingerprinting leaves no trace on your device. There is nothing to clear, nothing to block with standard privacy settings, and nothing that resets when you close your browser.
Cookies vs. Fingerprinting: The Key Difference
| Cookies | Fingerprinting | |
|---|---|---|
| Stored on your device? | Yes | No |
| Can you delete it? | Yes | No |
| Blocked by incognito mode? | Partially | No |
| Blocked by cookie banners? | Yes (if compliant) | Rarely |
| Requires consent under GDPR? | Yes | Yes - but often ignored |
| Survives browser reset? | No | Yes |
The 13 Signals That Make Up Your Fingerprint
Here are the main vectors websites use to fingerprint your browser, ranked by how much identifying information each one contributes - measured in entropy bits.
Your browser's identity card. It reports your exact browser name, version number, operating system, and CPU architecture. A single string that narrows you to a very small group.
The website draws invisible shapes on a hidden canvas element and reads back the pixel data. Your GPU and OS render these slightly differently, creating a hash unique to your hardware. You see nothing happening.
The exact set of fonts installed on your system is surprisingly unique. Design tools, games, and work applications all install custom fonts. The combination is often one-of-a-kind.
WebGL exposes your exact GPU model and driver version to every website. No permission is required. Your graphics card is effectively signing every page you visit.
A silent tone is processed through your audio hardware using the Web Audio API. The tiny numerical differences in how your chip handles it create a unique signature - completely invisible and inaudible.
Your screen width, height, color depth, and device pixel ratio profile your monitor setup. Multi-monitor and high-DPI configurations are especially distinctive.
The languages your browser is configured to use. Multilingual users with uncommon language pairs can be nearly uniquely identified from this single vector alone.
Your browser reports your real timezone even behind a VPN. A mismatch between your IP geolocation and timezone is a classic VPN detection signal.
Your OS family (Windows, macOS, Linux). Mismatches with the user agent string reveal browser spoofing attempts.
The number of CPU cores and amount of RAM your device exposes. Combined with other signals, this narrows your device to a small group.
Test Your Browser Fingerprint
See your actual exposure score, entropy breakdown, and the exact signals that make your browser unique. Runs entirely in your browser - no data collected.
Scan My Browser โHow Websites Actually Use Your Fingerprint
The most common uses are ad tracking, fraud detection, and paywall enforcement. Ad networks build profiles of your browsing behavior across thousands of sites and use fingerprinting to link those sessions together even when you clear cookies. Banks and payment processors use fingerprinting as a fraud signal - a sudden change in fingerprint can trigger a verification challenge.
News sites and streaming platforms use fingerprinting to enforce article limits and free trial periods. Clearing cookies resets the counter; fingerprinting does not.
More troublingly, data brokers purchase fingerprint-linked browsing profiles and combine them with offline data to build comprehensive personal dossiers. A 2025 investigation found that some brokers could link anonymous browsing sessions to real names and addresses through fingerprint data alone.
Is Browser Fingerprinting Legal?
Under GDPR, fingerprinting constitutes processing of personal data because it creates a unique identifier. This means it requires a lawful basis - almost always consent - and must be disclosed in the privacy policy. In practice, most websites outside the EU fingerprint without consent or disclosure.
Under CCPA and CPRA in California, browser fingerprints qualify as unique personal identifiers, giving California residents the right to opt out of their sale. Most other US state privacy laws passed since 2023 include similar provisions.
The EU's ePrivacy Directive specifically covers browser fingerprinting and requires consent, but enforcement has been inconsistent. The upcoming ePrivacy Regulation, still in progress as of 2026, is expected to tighten this significantly.
How to Reduce Your Browser Fingerprint
The Paradox of Anti-Fingerprinting
There is a cruel irony at the heart of fingerprinting defense: some measures designed to protect your privacy can make you more distinctive. Enabling Do Not Track, for example, is set by only about 12% of users - meaning having it on is itself a fingerprinting signal.
Similarly, using an uncommon browser or heavily customizing your privacy settings can make your fingerprint more unique rather than less. The most effective defense is not to customize your way to uniqueness but to blend in by using browsers specifically designed to standardize all users' fingerprints - like Tor.
How to Test Your Own Fingerprint
The best way to understand your exposure is to see it directly. TrustScan's Browser Fingerprint Analyzer runs 13 tracking vectors against your browser, calculates your entropy score, and shows you exactly which signals are most identifying - along with specific steps to reduce them.
It runs entirely in your browser. Nothing is collected or transmitted. You can re-scan after changing browsers or settings to compare your exposure.
See your fingerprint exposure score, entropy breakdown, and the exact signals tracking you โ
Test My Browser Fingerprint โThe Bottom Line
Browser fingerprinting is the tracking technique that works after everything else fails. It does not use cookies. It does not require your email address. It cannot be cleared, blocked by standard browser settings, or defeated by a VPN alone. And it is used by thousands of advertising networks, analytics platforms, and data brokers right now.
Understanding what it is - and testing your own exposure - is the first step to making informed decisions about which browser you use and what you do in it.
Cybersecurity professionals building free privacy tools for the 2026 compliance landscape.