FingerprintJS is a browser and device identification library that generates a stable visitor identifier without relying on cookies. It is widely used for fraud prevention, account takeover protection, and bot detection. Because it processes a combination of browser, device, and network signals to single out individual users, it is treated as a high risk identification technology under the GDPR and the ePrivacy Directive and requires informed consent in the European Union.
FingerprintJS is a commercial browser identification platform offered by FingerprintJS, Inc. (Chicago, United States). It exposes a JavaScript SDK that collects a wide set of browser and device signals to produce a stable visitorId. The open source FingerprintJS library returns a fingerprint hash computed entirely in the browser, while the FingerprintJS Pro service uses server side processing to deliver higher accuracy and to deduplicate identifiers across sessions, devices and incognito windows. FingerprintJS is mainly used for fraud detection, account takeover prevention, payment risk scoring, bot mitigation and anti scraping.
FingerprintJS reads a combination of stable browser signals: User Agent, installed fonts, canvas and WebGL rendering, audio context, screen resolution and color depth, time zone, language headers, platform, hardware concurrency, device memory, plugins, touch support, math and DOM features. FingerprintJS Pro also processes the visitor IP address, behavioural signals and persistence vectors (localStorage, IndexedDB, Service Worker storage) to maintain identity across cookie wipes. The resulting visitorId is a probabilistic identifier that is treated as personal data under the GDPR because it can single out a specific natural person.
Even though FingerprintJS does not strictly need cookies, it falls within the scope of Article 5(3) of the ePrivacy Directive: reading information from a user terminal for the purpose of identification requires prior informed consent, unless the access is strictly necessary to deliver a service explicitly requested by the user. EDPB Guidelines 2/2023 confirm that fingerprinting techniques are treated like cookies for consent purposes. Anti fraud use cases can sometimes rely on the strict necessity exemption, but the threshold is narrow: the identification must be limited to security, proportionate to the risk, and not used for marketing, analytics or profiling.
For most commercial deployments, the lawful basis is consent (Art. 6(1)(a) GDPR) combined with the ePrivacy consent requirement. For pure security use cases (fraud prevention on a login or checkout flow that the user has explicitly initiated), some controllers rely on legitimate interest (Art. 6(1)(f) GDPR) backed by a documented Legitimate Interest Assessment. Even in that scenario, transparency is mandatory: users must be informed in the privacy notice about device fingerprinting, the data collected, the retention period and their right to object.
By default, FingerprintJS Pro processes data in the United States. Customers based in the European Union should configure the EU region endpoint to keep visitor identification data within the EEA. Transfers to the United States are covered by Standard Contractual Clauses under Article 46(2)(c) GDPR and require a Transfer Impact Assessment that takes into account FISA 702 and Executive Order 14086. The Data Processing Addendum offered by FingerprintJS sets out the controller and processor obligations and references the SCCs.
To deploy FingerprintJS in a GDPR friendly way: gate the SDK behind your consent management platform so the script only loads after consent is granted (or only on security sensitive flows when relying on legitimate interest); enable the EU region for FingerprintJS Pro; document the processing in your Record of Processing Activities; carry out a DPIA when fingerprinting is combined with automated decisions or large scale profiling; sign the FingerprintJS Data Processing Addendum and retain a copy of the SCCs; update your privacy policy with a clear description of the device fingerprinting technology, the retention period of the visitorId, and the user rights including the right to object and the right to erasure.
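The consent gate described above can be enforced in code rather than left to script ordering. The sketch below is an added example, not code from FingerprintJS or from this page; `cmp`, `loadAgent`, `createGatedIdentifier` and `makeDemoCmp` are hypothetical names, and the `region` option passed to the loader is an assumption to check against the SDK version you deploy.

```javascript
// Added example. `cmp` and `loadAgent` are hypothetical caller-supplied interfaces:
//   cmp.hasConsent(purpose) -> boolean, cmp.onChange(fn) registers a listener
//   loadAgent(options) -> Promise of an agent exposing get() -> { visitorId }
// In a real page, loadAgent would wrap the vendor SDK loader (assumption: it
// accepts a region option; check the SDK version you deploy).
function createGatedIdentifier({ cmp, loadAgent, purpose = 'device-fingerprinting' }) {
  let agentPromise = null; // nothing is fetched or executed until consent exists

  function ensureAgent() {
    if (!cmp.hasConsent(purpose)) return null;
    if (!agentPromise) agentPromise = loadAgent({ region: 'eu' });
    return agentPromise;
  }

  // On withdrawal, drop the agent reference so later calls cannot reuse it.
  cmp.onChange(() => {
    if (!cmp.hasConsent(purpose)) agentPromise = null;
  });

  return {
    // Resolves to the visitorId, or null when consent is absent or withdrawn.
    async identify() {
      const pending = ensureAgent();
      if (pending === null) return null;
      const agent = await pending;
      // Consent may have been withdrawn while the script was loading.
      if (!cmp.hasConsent(purpose)) return null;
      const { visitorId } = await agent.get();
      return visitorId;
    },
  };
}

// Constructed in-memory CMP used only to exercise the gate offline.
function makeDemoCmp() {
  let granted = false;
  const listeners = [];
  return {
    hasConsent: () => granted,
    onChange: (fn) => listeners.push(fn),
    set(value) { granted = value; listeners.forEach((fn) => fn()); },
  };
}
```

Callers must treat a `null` result as "no identifier available" and fall back to a flow that does not depend on the visitorId.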
Websites using FingerprintJS must obtain user consent under GDPR regulations.
DPIA considerations
FingerprintJS combines dozens of browser and device signals (canvas, audio, WebGL, fonts, screen, plugins, network) to derive a persistent visitorId that re-identifies users even after cookie deletion or in private browsing. Key DPIA points: (1) device fingerprinting is explicitly covered by Article 5(3) of the ePrivacy Directive and by EDPB Guidelines 2/2023, so prior informed consent is required before any signal is read; (2) the visitorId qualifies as personal data under Recital 30 GDPR because it singles out a natural person across sessions; (3) Pro plans transfer data to the United States by default, which requires SCCs and a Transfer Impact Assessment, or selection of the EU region; (4) the technology may defeat user expectations about cookie deletion and private browsing, raising fairness and transparency obligations under Art. 5(1)(a) GDPR; (5) high risk to rights and freedoms typically triggers a mandatory DPIA under Art. 35 GDPR, especially when fingerprinting is combined with profiling or automated decision making for fraud scoring.
Sample consent text
We use FingerprintJS to detect fraudulent activity and protect your account. FingerprintJS reads technical signals from your browser and device (such as screen size, fonts, audio context and graphics fingerprint) to generate a unique visitor identifier. This identifier and the related signals are transferred to FingerprintJS, Inc. in the United States or in the European Union depending on configuration. You can withdraw your consent at any time through our cookie settings.
Third-party domains contacted
api.fpjs.io, fpnpmcdn.net, eu.api.fpjs.io, metrics.fpjs.io, cdn.fpjs.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _iidt | localStorage / first party persistence | Up to 1 year | Stores the FingerprintJS Pro visitor identifier on the client to maintain identity across sessions and reduce reliance on cookies. |
| visitorId (cached) | IndexedDB | Up to 1 year | Caches the latest FingerprintJS visitorId returned by the API to limit unnecessary calls on subsequent page loads. |
| fpjs_* | Local Storage | Persistent | Internal configuration and cache values used by the FingerprintJS Pro Agent (region selection, integration version, last identification timestamp). |
FingerprintJS uses cookies for user preferences — inform visitors with a consent banner.
No standard cookies are set by the open source library, which computes a fingerprint hash in the browser. FingerprintJS Pro may write to localStorage, IndexedDB and Service Worker storage to maintain the visitorId across sessions. Even without cookies, these persistence mechanisms fall under Article 5(3) ePrivacy and require consent.
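Because the persistence happens outside cookies, a cookie scanner will not show whether the agent ran before consent. The check below is an added example, not part of FingerprintJS or of this page: it flags requests to the third-party domains and storage names listed above when consent has not been granted. `auditPreConsent` and the sample data are constructed for illustration, and the lists cover only what this page names.

```javascript
// Hosts and storage names copied from this page's domain list and storage table.
const FP_HOSTS = ['api.fpjs.io', 'eu.api.fpjs.io', 'metrics.fpjs.io', 'cdn.fpjs.io', 'fpnpmcdn.net'];
const FP_STORAGE_KEYS = [/^_iidt$/, /^fpjs_/];

// Returns the lowercase hostname, or null for strings that are not absolute URLs.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Exact host or subdomain match, so "notfpjs.io.example" is not a false positive.
function isFingerprintHost(host) {
  return host !== null && FP_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// In a browser, requestedUrls can come from
//   performance.getEntriesByType('resource').map((e) => e.name)
// and storageKeys from Object.keys(localStorage); both are passed in here so
// the same check also runs over a HAR export or a test crawl.
function auditPreConsent({ consentGranted, requestedUrls, storageKeys }) {
  if (consentGranted) return [];
  const findings = [];
  for (const url of requestedUrls) {
    const host = hostOf(url);
    if (isFingerprintHost(host)) findings.push({ kind: 'request', detail: host });
  }
  for (const key of storageKeys) {
    if (FP_STORAGE_KEYS.some((re) => re.test(key))) findings.push({ kind: 'storage', detail: key });
  }
  return findings;
}

// Constructed sample: a page load captured before the banner was answered.
const SAMPLE_PAGE_LOAD = {
  consentGranted: false,
  requestedUrls: [
    'https://eu.api.fpjs.io/x',
    'https://example.com/app.js',
    'https://notfpjs.io.example/x.js',
    'not a url',
    'https://fpnpmcdn.net/x.js',
  ],
  storageKeys: ['_iidt', 'fpjs_region', 'theme', 'my_iidt'],
};
console.log(auditPreConsent(SAMPLE_PAGE_LOAD));
```

An empty result only means none of the listed hosts or keys were seen; IndexedDB and Service Worker storage need a separate inspection.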
Yes, in the European Union prior informed consent is required in most cases because reading device signals to single out a user is covered by Article 5(3) ePrivacy. EDPB Guidelines 2/2023 confirm that fingerprinting techniques are treated like cookies for consent purposes. A narrow strict necessity exemption may apply to security only use cases.
For marketing, analytics or general identification, the legal basis is consent (Art. 6(1)(a) GDPR). For pure fraud prevention on flows that the user has explicitly initiated, controllers may rely on legitimate interest (Art. 6(1)(f) GDPR) supported by a documented Legitimate Interest Assessment and a clear privacy notice.
By default, yes. FingerprintJS Pro processes data in the United States unless the EU region endpoint is selected. International transfers are governed by Standard Contractual Clauses under Art. 46(2)(c) GDPR. EU customers should activate the EU region and complete a Transfer Impact Assessment for any remaining transfers.
A DPIA under Art. 35 GDPR is strongly recommended and often mandatory: device fingerprinting is on most supervisory authorities' lists of operations requiring a DPIA, especially when combined with profiling, automated decision making, or large scale processing for fraud scoring.
Gate the SDK behind your consent management platform, select the EU region for FingerprintJS Pro, sign the Data Processing Addendum and the SCCs, document the processing in your RoPA, run a DPIA, and update your privacy notice with a dedicated section on device fingerprinting, the visitorId retention period and user rights.
Privacy preserving alternatives include first party session cookies for authenticated flows, hCaptcha or Cloudflare Turnstile for bot protection, and risk based authentication relying on server side signals only. Other commercial fingerprinting vendors (SEON, Sift, ThreatMetrix) raise the same legal questions and require the same compliance steps.
Add a dedicated entry listing FingerprintJS as a fingerprinting technology, the categories of signals collected, the controller and processor relationship with FingerprintJS Inc., the retention period of the visitorId, the data transfer mechanism, and a direct link to withdraw consent through your consent management platform.