The evidence
Browser fingerprinting has been measured, peer-reviewed, and found in the wild for over fifteen years. These are the studies the field is built on. All are free to read.
The founding study. Collected 470,161 fingerprints through the Panopticlick site and found 83.6% were unique — 94.2% when Flash or Java was present. The fingerprint carried about 18.1 bits of entropy: pick a browser at random, and roughly 1 in 286,777 others share its fingerprint. This is where "your configuration is identifying, like a cookie you can't delete" was first shown at scale.
The first proof that canvas fingerprinting — the same technique the mirror on the front page demos — was already deployed in the wild: over 5% of the top 100,000 websites were running it, mostly through a handful of third-party scripts. The paper also documented "evercookies," trackers that respawn after you delete them.
Princeton crawled the top one million sites and measured tracking as it actually exists — including the first documentation of audio fingerprinting (hashing how your hardware processes a silent tone). The takeaway: fingerprinting isn't hypothetical, it's infrastructure, concentrated in a small number of third-party companies embedded across the web.
Re-ran the uniqueness question six years after Eckersley with 118,934 fingerprints: 89.4% unique. The attributes had shifted — plugins died, canvas and WebGL rose — but the conclusion held. Their site still runs, so you can test yourself against a live dataset.
Science means including what doesn't fit. When researchers measured fingerprints on a general-audience French website — 2 million visitors, not privacy nerds who seek out test sites — only 33.6% were unique. Uniqueness depends on the crowd. But commercial fingerprinters don't rely on one snapshot: they combine fingerprints with IP, behavior, and time, and follow-up studies with more attributes pushed uniqueness back up. Fingerprinting is weaker than the scariest headline and stronger than the most comfortable one.
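An added example, not taken from any of the studies above: a short Python calculation of the two figures these papers report, the share of unique fingerprints and the entropy in bits, run over two crowds. The visitor records, attribute names and canvas labels are constructed for illustration.

```python
import math
from collections import Counter

def fingerprint_stats(records, attributes):
    """Return (fraction_unique, shannon_entropy_bits) for the chosen attributes."""
    counts = Counter(tuple(r[a] for a in attributes) for r in records)
    n = len(records)
    unique = sum(1 for c in counts.values() if c == 1)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return unique / n, entropy

def anonymity_set(records, attributes, target):
    """Number of visitors in this crowd sharing target's fingerprint (target included)."""
    key = tuple(target[a] for a in attributes)
    return sum(1 for r in records if tuple(r[a] for a in attributes) == key)

def visitor(ua, screen, tz, canvas):
    return {"ua": ua, "screen": screen, "tz": tz, "canvas": canvas}

# Constructed sample data. General-audience crowd: many people on the same
# mainstream setup; the canvas label differs where GPU or driver would differ.
GENERAL = [visitor(*v) for v in [
    ("Chrome", "1920x1080", "Europe/Paris", "c1"), ("Chrome", "1920x1080", "Europe/Paris", "c1"),
    ("Chrome", "1920x1080", "Europe/Paris", "c4"), ("Chrome", "1920x1080", "Europe/Paris", "c5"),
    ("Safari", "390x844", "Europe/Paris", "c2"), ("Safari", "390x844", "Europe/Paris", "c2"),
    ("Firefox", "1920x1080", "Europe/Paris", "c3"), ("Chrome", "1366x768", "Europe/Paris", "c1"),
]]
# Constructed sample data. Test-site crowd: self-selected visitors, varied setups.
ENTHUSIAST = [visitor(*v) for v in [
    ("Firefox", "2560x1440", "Europe/Berlin", "e1"), ("Chrome", "3440x1440", "America/Denver", "e2"),
    ("Brave", "1920x1200", "Asia/Tokyo", "e3"), ("Firefox", "1680x1050", "Europe/Oslo", "e4"),
    ("Chromium", "2560x1600", "UTC", "e5"), ("Safari", "1512x982", "America/Chicago", "e6"),
    ("Edge", "1920x1080", "Europe/Paris", "e7"), ("Chrome", "1366x768", "Asia/Kolkata", "e8"),
]]

BASIC = ("ua", "screen", "tz")
EXTENDED = BASIC + ("canvas",)

if __name__ == "__main__":
    for name, crowd in (("general", GENERAL), ("enthusiast", ENTHUSIAST)):
        for attrs in (BASIC, EXTENDED):
            frac, bits = fingerprint_stats(crowd, attrs)
            print(f"{name:10} {len(attrs)} attributes: {frac:.0%} unique, {bits:.2f} bits")
```

With the three basic attributes the general crowd is 25% unique at 1.75 bits; adding the canvas value raises it to 50% and 2.5 bits, while the varied crowd is 100% unique either way.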
What the law says
Last updated: July 2026 · reviewed manually, not auto-generated
There is no US federal privacy law. The American Privacy Rights Act died in Congress without a vote and hasn't been reintroduced. What exists is a patchwork:
As of 2026, twenty states have comprehensive privacy laws in effect. Twelve require businesses to honor Global Privacy Control — a browser signal that opts you out of data sales automatically. Maryland's law is the strictest on paper, banning the sale of sensitive personal data outright. None of them meaningfully stop fingerprinting itself; they regulate what companies do with the data after collecting it.
Unusually broad: no revenue threshold, so it covers nearly any non-small business touching Texans' data. Requires opt-in consent for sensitive data like precise location and biometrics, and has honored GPC signals since January 2025. Enforcement is real — Texas won a $1.4 billion settlement from Meta and $1.375 billion from Google over data practices, and filed the first-ever lawsuit under a state privacy law against Allstate for harvesting location data from 45 million people through SDKs hidden in everyday apps. Catch: no private right of action. You can't sue; only the state AG can.
The reason cookie banners exist. Under GDPR, a fingerprint that can single you out is personal data, and processing it requires a legal basis — consent banners technically cover fingerprinting too. In practice, enforcement has focused on cookies, which is why fingerprinting persists as the quieter workaround.
The pattern across all of it: the law regulates the visible tracking. Cookies get banners, sales get opt-outs. The passive layer this site demonstrates — the data your browser volunteers before any consent question is asked — is largely still the wild west.
What actually works
In rough order of effect: Tor Browser makes everyone's fingerprint look identical, which is the strongest defense and the least convenient. Brave randomizes fingerprint values per-site. Firefox with resistFingerprinting reports uniform values at some usability cost. Blocking third-party scripts (uBlock Origin) stops most fingerprinting code from ever loading. And enabling Global Privacy Control gives you the legal opt-out in the twelve states that must honor it. A VPN, on its own, changes your IP and nothing else on this page.