Skip to main content

Is Fingerprint GDPR compliant?

FingerprintJS, our open-source library, is GDPR compliant because it is stateless and doesn’t store any data. It’s a JavaScript function that generates a hash from only publicly available browser information. However, depending on how you use FingerprintJS data, you may need user consent, which is outside the scope of this guide. Fingerprint Identification (our commercial product) is also GDPR compliant, but it’s important to understand the details behind it.

Data controller vs data processor

Fingerprint Identification is a SaaS product offered as a client-server API system. Under GDPR, there are two roles: “data controllers” and “data processors.” A data controller is a website or app that decides to collect and store user data. A data processor is a third-party service that receives, stores, and processes data from the controller. Examples of data controllers are sites like eBay, Wikipedia, and YouTube. Data processors include services like DigitalOcean, AWS, and Google Cloud. Fingerprint Identification is a data processor, while a website using its API is a data controller. For example, Dropbox uses Fingerprint Identification to prevent account abuse and improve security. Dropbox is the data controller, and Fingerprint is the data processor. As a data controller, Dropbox must follow GDPR rules and collect and use the data correctly according to GDPR guidelines. As a data processor, Fingerprints must also follow GDPR and handle the data it gets from data controllers correctly, according to GDPR guidelines.

What obligations does Fingerprint have as a data processor?

Fingerprint must delete personal information it receives from a data controller when requested. See Data Deletion for more information. It depends on your use case and how you are using Fingerprint:
  • Attribution and personalization: If you use Fingerprint for things like attribution or personalization, you’ll likely need to get user consent, similar to how you handle cookies.
  • Fraud prevention and security: If you use Fingerprint for fraud prevention, this usually falls under “Legitimate interest” according to GDPR, so explicit user consent isn’t needed. You can check the European Commission’s definition of legitimate interest for more details.
Instead of identifying visitors automatically on page load, you can choose to explicitly trigger the Fingerprint identification request only in specific circumstances. For example, only after the visitor grants consent by clicking “Accept” on a cookie consent banner. The Fingerprint JavaScript agent only stores cookies and other metadata in the browser during the identification request. See Identify visitors on demand for more information.

What about CCPA compliance?

When using Fingerprint, you are responsible for CCPA compliance as the business, and Fingerprint acts as a Service Provider, processing Personal Information only as needed to provide the service. We do not sell or share data outside the scope of our agreement. You must inform consumers about data processing and handle consumer rights requests. Fingerprint supports compliance by helping with data deletion and protection. For more details, see our CCPA Data Processing Addendum.

Can you use Fingerprint to track visitors across the internet?

No, Fingerprint is primarily designed for fraud prevention in the same-site context. The visitor ID is scoped to each Fingerprint workspace, not the internet at large. If two Fingerprint customers identify the same browser or device, they will receive different visitor IDs. This intentionally makes Fingerprint unsuitable for creating a global visitor activity graph across unrelated sites as you might do with third-party cookies.

Can you use Fingerprint for marketing attribution?

Yes, you can use Fingerprint for marketing attribution and personalization in the context of your business. It works well for identifying visitors on the same website, or multiple websites you control, even across domains. For example, you can use Fingerprint to link a purchase to an email campaign or observe user interactions across your landing page and web application.

Can you identify visitors across multiple domains you own?

Yes, you can generate the same visitor ID for the same browser or device on multiple domains you control. To do so, configure the JavaScript agent on each website with a public API key from the same Fingerprint workspace. If you need to query the Fingerprint Server API by domain name, you can use linked IDs to associate a domain with each identification event. To ensure maximum accuracy when using proxy integrations, each website needs to proxy requests through its own domain or subdomain.