Fingerprinting script fires before consent
Regulation
ePrivacy Directive — Cookie Consent
How common
Less common than analytics or advertising violations, but increasingly prevalent as companies try to track users without cookies. Fingerprinting is harder to detect and harder to block.
What this means
A browser fingerprinting script collected device characteristics (screen resolution, installed fonts, WebGL renderer, etc.) before the visitor interacted with the cookie consent banner. This data was used to create a unique identifier for the visitor without any cookies.
Why this is critical
Fingerprinting is specifically called out by the EDPB (Guidelines 2/2023) as falling under ePrivacy Art. 5(3). The Directive covers “gaining access to information already stored” on the terminal — fingerprinting reads hardware and software characteristics that are stored on the device.
Fingerprinting is considered more invasive than cookies because:
- Users cannot clear their fingerprint the way they can clear cookies
- Fingerprinting works across browser sessions and in incognito mode
- It is designed to be invisible to the user
How to fix
- Identify fingerprinting scripts: look for calls to canvas.toDataURL(), WebGLRenderingContext.getParameter(), AudioContext methods, and font enumeration techniques
- Gate behind consent: fingerprinting scripts must not execute before consent, just like any other tracking technology
- Consider whether fingerprinting is necessary: if you need fraud prevention, server-side approaches may be less invasive than client-side fingerprinting
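An added example (not from the original page or any scanner's code) of one way to check the first two steps during testing: it wraps the APIs named above and records every call made before consent, with the stack trace that identifies the calling script. The `hasConsent` callback, the choice of `createOscillator` as a representative AudioContext method, and the stand-in window built in `demo()` are assumptions.

```javascript
// Audit hook: records fingerprinting-prone API calls made before consent.
// Target list follows the page; createOscillator is an assumed representative
// of "AudioContext methods".
const TARGETS = [
  ["HTMLCanvasElement", "toDataURL"],
  ["WebGLRenderingContext", "getParameter"],
  ["AudioContext", "createOscillator"],
];

// win: a window-like object.
// hasConsent: () => boolean, a hypothetical hook into your consent manager.
function installFingerprintAudit(win, hasConsent) {
  const findings = [];
  for (const [ctor, method] of TARGETS) {
    const proto = win[ctor] && win[ctor].prototype;
    if (!proto || typeof proto[method] !== "function") continue; // API absent here
    const original = proto[method];
    proto[method] = function (...args) {
      if (!hasConsent()) {
        // The stack trace points at the script that made the call.
        findings.push({ api: `${ctor}.${method}`, stack: new Error().stack });
      }
      return original.apply(this, args); // behaviour is unchanged, only observed
    };
  }
  return findings;
}

// Constructed stand-in for a browser window so the audit can be exercised offline.
function demo() {
  class HTMLCanvasElement { toDataURL() { return "data:image/png;base64,"; } }
  class WebGLRenderingContext { getParameter(p) { return `param-${p}`; } }
  const win = { HTMLCanvasElement, WebGLRenderingContext }; // no AudioContext here
  let consent = false;
  const findings = installFingerprintAudit(win, () => consent);

  new win.HTMLCanvasElement().toDataURL();                       // before consent: recorded
  const v = new win.WebGLRenderingContext().getParameter(37446); // UNMASKED_RENDERER_WEBGL: recorded
  consent = true;
  new win.HTMLCanvasElement().toDataURL();                       // after consent: not recorded
  return { apis: findings.map((f) => f.api), passthrough: v };
}
```

In a browser, call `installFingerprintAudit(window, ...)` from the first inline script in the page head so the wrappers are in place before any third-party script runs. An empty findings list at the moment the banner is still unanswered is the result you want.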