When browsers cracked down on cookies, some assumed fingerprinting was a clever way around the rules. Privacy regulators have made clear it is not. Fingerprinting is treated as a tracking technology like any other.
Why people thought it was a loophole
Cookie rules are well known: in many regions, a site must ask consent before using cookies for tracking. Cookies are stored on your device, so the rule is often described in terms of "storing or accessing information." Fingerprinting stores nothing — it reads traits your browser already exposes — so it looked, to some, like it sat outside the rule.
What the law actually says
Regulators closed that reasoning off directly. The relevant principle is not really about cookies as objects; it is about tracking people. Guidance from European data-protection authorities has stated plainly that fingerprinting used to identify or track a user falls under the same consent requirements as cookies. The test is the purpose — tracking a person — not the specific technical method.
Fingerprints can be personal data
There is a second layer. Under broad privacy laws like the GDPR, information that can single out an individual is personal data, and a fingerprint distinctive enough to recognise someone across visits can qualify. That brings obligations: a lawful basis to process it, transparency about doing so, and respect for individuals' rights over their data.
Why it matters
The practical effect is that "switch from cookies to fingerprinting" is not a compliance strategy. A site tracking users by fingerprint generally needs the same consent and the same transparency it would need for cookies. Enforcement and guidance continue to develop, but the direction is settled: the method does not change the obligation.
The takeaway
Device fingerprinting is not a legal blind spot. Privacy regulators treat it as tracking, judged by purpose rather than technique, and a distinctive fingerprint can itself be personal data. The rules follow what is being done to people — not which technology does it.