Over the last decade, the internet has become cluttered with layers of intrusive cookie popups. They are a UX disaster, often using dark patterns - for example hiding the ‘reject’ button deep within the navigation or omitting it entirely - to trick the user into approving tracking cookies.
In theory, these popups exist to give users control over how the website uses their data, but in practice they are overly complicated, poorly implemented, and fundamentally flawed. Cookie tracking should be managed at the browser level, not the website level.
Fortunately, the era of the tracking cookie is coming to an end, with most browsers now blocking third-party cookies by default.
However, a more insidious, unavoidable and illegal tracking method is on the rise: browser fingerprinting.
Browser fingerprinting is one of the most persistent and opaque tracking techniques on the internet. Unlike cookies, which can be blocked or deleted, fingerprinting collects subtle details about a user’s browser and device—such as screen resolution, installed fonts, and how graphics are rendered—to create a unique identifier. This allows websites and advertisers to track users across sessions without their knowledge or consent.
Traditionally, fingerprinting has been frowned upon beyond security applications, largely because users cannot control it. This makes it difficult to align with data protection laws requiring transparency and consent. However, Google’s recent policy shift has effectively legitimised its use for advertising, raising concerns about its long-term impact on online privacy.
What’s driving this change? While Google has spent years positioning itself as an advocate for privacy, pushing cookie deprecation and its Privacy Sandbox framework, the reality is more strategic. Google’s dominance in online advertising is being challenged, not just by regulators but by emerging AI-driven search models from OpenAI, Perplexity, and others. In response, Google appears to be tightening its grip on user data while making it harder for competitors to operate within its ecosystem.
How Browser Fingerprinting Works
Each time you visit a website, your browser shares information about your system: your operating system, browser version, screen resolution, installed fonts, and even subtle details like how your device renders graphics or processes audio. When combined, these data points create a fingerprint unique enough to track individual users across sessions.
Common fingerprinting techniques include:
- Canvas Fingerprinting – Uses the HTML5 <canvas> element to detect variations in how different devices render graphics.
- WebGL Fingerprinting – Gathers details from a device’s graphics processing unit (GPU) to create a unique profile.
- Audio Fingerprinting – Analyses how a device processes sound waves, leveraging differences in sound drivers and CPU architectures.
- Behavioural Fingerprinting – Tracks user actions such as mouse movements, typing patterns, and scroll behaviour.
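How much each attribute narrows the crowd can be measured. The following is an added example, not part of the original article: it takes a constructed population of eight browser records (the attribute names and values are made up for illustration) and shows the anonymity set shrinking as attributes are combined.

```javascript
// Constructed population: one record per browser, values are illustrative only.
const POPULATION = [
  { os: "Windows", screen: "1920x1080", fonts: "setA", canvas: "c1" },
  { os: "Windows", screen: "1920x1080", fonts: "setA", canvas: "c2" },
  { os: "Windows", screen: "1920x1080", fonts: "setB", canvas: "c1" },
  { os: "Windows", screen: "1366x768",  fonts: "setB", canvas: "c2" },
  { os: "macOS",   screen: "1920x1080", fonts: "setC", canvas: "c3" },
  { os: "macOS",   screen: "2560x1440", fonts: "setC", canvas: "c3" },
  { os: "Linux",   screen: "2560x1440", fonts: "setD", canvas: "c4" },
  { os: "Linux",   screen: "1366x768",  fonts: "setD", canvas: "c4" },
];

// Number of browsers in the population that are indistinguishable from
// `target` when only the attributes in `keys` are observed.
function anonymitySet(population, target, keys) {
  return population.filter(r => keys.every(k => r[k] === target[k])).length;
}

// Bits of identifying information carried by those attributes:
// log2(population size / anonymity set). log2(N) bits means unique among N.
function identifyingBits(population, target, keys) {
  const matches = anonymitySet(population, target, keys);
  if (matches === 0) throw new Error("target is not in the population");
  return Math.log2(population.length / matches);
}

// Add attributes one at a time and record how the crowd shrinks.
function shrinkage(population, target, keys) {
  return keys.map((_, i) => {
    const used = keys.slice(0, i + 1);
    return {
      used: used.join("+"),
      set: anonymitySet(population, target, used),
      bits: identifyingBits(population, target, used),
    };
  });
}

const TARGET = POPULATION[0];
const ATTRS = ["os", "screen", "fonts", "canvas"];
for (const step of shrinkage(POPULATION, TARGET, ATTRS)) {
  console.log(`${step.used}: ${step.set} of ${POPULATION.length}, ${step.bits.toFixed(2)} bits`);
}
```

No single attribute in this sample carries more than 2 bits, yet the four together reach the 3 bits needed to single out one browser among eight.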
Google’s 2025 Policy Shift
In early 2025, Google made a controversial reversal on browser fingerprinting. After years of advocating against it, the company now permits fingerprinting-based tracking within its Privacy Sandbox framework. While Google argues that this move enhances privacy by providing a more “controlled” environment for advertisers, it also conveniently consolidates Google’s control over online tracking, while limiting competition.
This shift is particularly notable given the rise of AI-powered search engines like OpenAI’s ChatGPT and Perplexity, which are challenging Google’s dominance in search. With users increasingly turning to AI-driven alternatives, Google is under pressure to protect its advertising revenue. Allowing fingerprinting helps Google maintain detailed user profiles, even as traditional tracking methods like cookies fade away.
The Rise of Fingerprinting in Digital Tracking
Originally, browser fingerprinting was used for fraud prevention and bot detection. Banks and security firms still rely on it to verify legitimate users and detect anomalies. However, it has since been adopted by advertisers, analytics firms, and data brokers to track users without consent.
A 2021 study of the Alexa Top 100,000 websites found that nearly 10% of the sites used scripts to generate fingerprints, often without informing users. With growing restrictions on cookies, especially following Google’s phased deprecation of third-party cookies, browser fingerprinting has become an attractive alternative for advertisers looking to maintain cross-site tracking capabilities.
The Broader Privacy and Competition Concerns
Browser fingerprinting raises serious legal and ethical questions, particularly around:
- GDPR Compliance – The EU’s data protection laws require transparency and consent for data collection. Unlike cookies, fingerprinting operates passively, often without explicit permission.
- Anonymity vs. Persistent Tracking – Many companies claim fingerprinting does not identify individuals but only devices. However, research shows that these fingerprints can be linked across sessions and websites, creating persistent user profiles.
- Market Power – By embedding fingerprinting within its own ecosystem, Google creates further barriers for competitors who rely on independent tracking or advertising solutions.
Regulators are increasingly scrutinising Google’s position in the advertising market, and this latest shift could fuel further investigations into its dominance.
Can Users Protect Themselves?
Defending against fingerprinting is difficult, but there are ways to reduce exposure:
- Privacy-Focused Browsers – Firefox (with “resistFingerprinting” enabled), Brave, and Tor offer protection against fingerprinting.
- Script Blockers – Extensions like NoScript or uBlock Origin can limit the execution of fingerprinting scripts.
- Anti-Fingerprinting Tools – The EFF’s Cover Your Tracks tool can reveal how unique your browser fingerprint is.
- VPNs with DNS Filtering – Most modern VPN providers, such as Mullvad or NordVPN, offer settings that block known fingerprinting scripts using a DNS sinkhole, preventing tracking scripts from loading.
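The DNS sinkhole approach in the last item can be modelled in a few lines. This is an added example, not part of the original article and not any VPN provider's implementation; the blocklist entries and `.example` hostnames are constructed placeholders, and answering with `0.0.0.0` is an assumption about how the resolver sinks a query.

```javascript
// Constructed blocklist; ".example" names are placeholders, not real trackers.
const BLOCKLIST = new Set(["tracker.example", "metrics.adnet.example"]);

// Lowercase and drop the trailing root dot so "Tracker.Example." matches too.
function normalise(hostname) {
  return hostname.trim().toLowerCase().replace(/\.$/, "");
}

// Check the full name, then each parent domain. A rule matches only on a
// label boundary, so "nottracker.example" does not match "tracker.example".
function sinkholeDecision(hostname, blocklist = BLOCKLIST) {
  const labels = normalise(hostname).split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (blocklist.has(candidate)) {
      // Assumed sinkhole behaviour: answer with an unroutable address.
      return { blocked: true, rule: candidate, answer: "0.0.0.0" };
    }
  }
  return { blocked: false, rule: null, answer: null };
}

// Given the script URLs a page references, return those that would still load.
function scriptsStillLoading(scriptUrls, blocklist = BLOCKLIST) {
  return scriptUrls.filter(
    u => !sinkholeDecision(new URL(u).hostname, blocklist).blocked
  );
}

// Constructed page: one script on a listed third-party host, one on a
// lookalike host, and one served from the site's own host (shop.example).
const PAGE_SCRIPTS = [
  "https://fp.tracker.example/collect.js",
  "https://nottracker.example/app.js",
  "https://shop.example/assets/fp.js",
];

for (const url of PAGE_SCRIPTS) {
  const d = sinkholeDecision(new URL(url).hostname);
  console.log(url, d.blocked ? `sunk by rule ${d.rule}` : "resolves normally");
}
```

Because the decision is made per hostname, a script served from the site's own host resolves normally; the filter only stops scripts hosted on names that appear in the list.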
What’s Next?
Google’s shift on fingerprinting is another reminder that privacy moves by tech giants are rarely altruistic. As competition in search intensifies, expect Google to push even harder on regulatory fronts - not just in the name of privacy, but to maintain control over how user data flows within its ecosystem.
For businesses and regulators, the challenge is now twofold: ensuring data protection laws keep pace with evolving tracking techniques, while also addressing how dominant players shape the market in ways that restrict competition. Whether fingerprinting becomes the new standard for tracking or faces regulatory pushback remains to be seen - but it’s clear that the battle for control over user data is far from over.