Privacy and compliance

Overview of Fingerprint's regulatory compliance and how we ensure secure and responsible visitor identification.

Is Fingerprint GDPR compliant?

FingerprintJS (our source-available library) is stateless and GDPR compliant because it does not store or transmit anything: it is a JavaScript function that runs in the browser and computes a hash from attributes any web page can already read. Whether your use of that hash requires user consent depends on what you do with it afterwards, which is outside the scope of this guide.

Fingerprint Identification (our commercial product) is also GDPR compliant, but it’s important to understand the details behind it.

Data controller vs data processor

Fingerprint Identification is a SaaS product offered as a client-server API system. GDPR distinguishes two roles: “data controllers” and “data processors.” A data controller is the website or app that decides why and how personal data is collected and used. A data processor is a third-party service that receives, stores, and processes that data on the controller’s behalf and only on the controller’s instructions.

Examples of data controllers are sites like eBay, Wikipedia, and YouTube. Data processors include services like DigitalOcean, AWS, and Google Cloud.

Fingerprint Identification is a data processor, while a website using its API is a data controller. For example, Dropbox uses Fingerprint Identification to prevent account abuse and improve security. Dropbox is the data controller, and Fingerprint is the data processor.

As the data controller, Dropbox must collect and use the data in line with GDPR: a lawful basis for the processing, transparency towards users, and handling of data subject requests.

As the data processor, Fingerprint must also follow GDPR and handle the data it receives from controllers correctly: processing it only as instructed, protecting it, and supporting the controller’s obligations.

What obligations does Fingerprint have as a data processor?

Among other processor obligations, Fingerprint must assist the controller with data subject requests and delete the personal information it has received from a data controller when asked. Fingerprint meets this requirement and supports both automatic and manual data deletion requests.

Do I need to have a GDPR consent management banner if using Fingerprint?

It depends on your use case and how you are using Fingerprint:

  • Attribution and personalization: If you use Fingerprint for attribution or personalization, you will most likely need user consent, just as you would for cookies used for the same purpose.
  • Fraud prevention and security: If you use Fingerprint for fraud prevention, this usually falls under “legitimate interest”; GDPR Recital 47 names processing strictly necessary for preventing fraud as a legitimate interest, so explicit consent is normally not needed. Relying on legitimate interest still requires you to document the balancing test and disclose the processing in your privacy notice. See the European Commission’s definition of legitimate interest for more details.

What about CCPA compliance?

When using Fingerprint, you are responsible for CCPA compliance as the business, and Fingerprint acts as a Service Provider, processing Personal Information only as needed to provide the service. We do not sell or share data outside the scope of our agreement. You must inform consumers about data processing and handle consumer rights requests. Fingerprint supports compliance by helping with data deletion and protection. For more details, see our CCPA Data Processing Addendum.

Can you use Fingerprint for cross-site tracking?

No, Fingerprint cannot be used for cross-site tracking. Visitor IDs are scoped to a Fingerprint application (identified by its API key), not shared globally. If the same person visits two unrelated sites run by different Fingerprint customers, each site receives a different visitor ID, and the two IDs cannot be correlated. This design choice was made early in our development so that cross-site tracking is not possible.

Fingerprint is focused on same-site identification, which is what prevents fraud and abuse on a single site. Accurate identification within the same-site context gives strong security without enabling cross-site tracking.

Can you use Fingerprint for attribution?

You can use Fingerprint for same-site marketing attribution and personalization. It works well for identifying devices and visitor activity on the same website. For example, you can use it to link a purchase to an email campaign or see how users interact with different parts of your site.

However, Fingerprint is not made for cross-site tracking or building a user activity graph across multiple sites. This means it should not be used for personalized ads that rely on cross-site data.

Can you identify visitors across multiple domains you own?

Yes. Because visitor IDs are scoped to a Fingerprint application, loading the JavaScript agent on every domain with the public API key of one application gives the same browser or device the same visitor ID across all of your sites.

If you need to query the Fingerprint Server API by domain, tag each identification event with the originating domain using the linkedId feature; you can then filter on that value across your domains. If you use a custom subdomain (a first-party endpoint) for your domains, make sure the endpoint property in your agent configuration points at a subdomain of the same site as the page that loads the agent, on every domain.
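The following JavaScript is an added example, not Fingerprint’s own code, showing how a multi-domain deployment can derive the agent options per domain from one shared application: one public API key for every domain, the custom endpoint for that domain, a same-site check on that endpoint before it is used, and the registrable domain as linkedId. The API key and the endpoint mapping are constructed placeholders, and the registrable-domain helper is a simplification (a production deployment should use the Public Suffix List). That apiKey and endpoint belong to the load call and linkedId to the get call is an assumption about the Pro JS agent API, not something this page states.

```javascript
// Added example: per-domain agent options for one Fingerprint application
// shared across several domains. Not Fingerprint's own code.

const PUBLIC_API_KEY = 'pk_example_public_key'; // placeholder, not a real key

// Constructed sample: custom (first-party) subdomains, one per registrable domain.
const CUSTOM_ENDPOINTS = {
  'example.com': 'https://metrics.example.com',
  'example.co.uk': 'https://metrics.example.co.uk',
};

// Simplified registrable-domain extraction: last two labels, or last three when the
// second-level label is a common public suffix ("co", "com", ...). Assumption: a real
// deployment replaces this with a Public Suffix List lookup.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  if (labels.length <= 2) return labels.join('.');
  const secondLevel = labels[labels.length - 2];
  const publicSecondLevels = ['co', 'com', 'org', 'net', 'ac', 'gov'];
  const take = publicSecondLevels.includes(secondLevel) ? 3 : 2;
  return labels.slice(-take).join('.');
}

// The check the page asks for: the agent endpoint must be same-site with the page
// origin (same registrable domain) and served over HTTPS.
function endpointMatchesOrigin(endpoint, pageOrigin) {
  let e;
  let p;
  try {
    e = new URL(endpoint);
    p = new URL(pageOrigin);
  } catch (err) {
    return false; // unparseable URL never passes
  }
  if (e.protocol !== 'https:') return false;
  return registrableDomain(e.hostname) === registrableDomain(p.hostname);
}

// Build the options for the agent on a given page origin.
// - apiKey: the same public key on every domain, so one browser gets one visitorId.
// - endpoint: the custom subdomain for this domain, only if it passes the same-site check.
// - linkedId: the registrable domain, so Server API queries can be filtered by domain.
// Assumption: apiKey/endpoint go to FingerprintJS.load(), linkedId to fp.get().
function buildAgentOptions(pageOrigin, endpoints = CUSTOM_ENDPOINTS) {
  const site = registrableDomain(new URL(pageOrigin).hostname);
  const loadOptions = { apiKey: PUBLIC_API_KEY };
  const endpoint = endpoints[site];
  if (endpoint !== undefined) {
    if (!endpointMatchesOrigin(endpoint, pageOrigin)) {
      // Misconfiguration: a cross-site endpoint would break first-party delivery.
      throw new Error(`endpoint ${endpoint} is not same-site with ${pageOrigin}`);
    }
    loadOptions.endpoint = endpoint;
  }
  const getOptions = { linkedId: site };
  return { loadOptions, getOptions };
}

// Usage sketch (not executed here): on a page served from https://shop.example.com
//   const { loadOptions, getOptions } = buildAgentOptions(window.location.origin);
//   const fp = await FingerprintJS.load(loadOptions);
//   const result = await fp.get(getOptions); // result.visitorId is shared across your domains
```

Domains without a custom subdomain simply fall back to the default endpoint, and the same-site check fails closed: an endpoint on another registrable domain or over plain HTTP throws before the agent is loaded, which is the error you want to see in staging rather than discover as silently missing identification events in production.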