Fingerprinting defeats opt-outs

- Researchers demonstrated that browser fingerprinting can bypass GDPR and CCPA opt-outs, continuing to track opted-out users.
- Tests reportedly reached users who had explicitly declined cookies or other consent mechanisms.
- Privacy commentators warned this bypass undermines consent models and complicates enforcement across jurisdictions. (x.com)

Browser fingerprinting lets websites recognize a device from traits like screen size, time zone, and fonts, and new research says that identifier can keep working after a user opts out. (cs.jhu.edu)

Researchers from Johns Hopkins University and Texas A&M University said in 2025 that they found “strong evidence” fingerprinting was being used for ad tracking and targeting across browser sessions and sites. Their paper was first posted to arXiv on September 24, 2024, revised on February 19, 2025, and later presented at the ACM Web Conference in Sydney from April 28 to May 2, 2025. (arxiv.org) (spies.engr.tamu.edu)

The team built a system called FPTrace that changed browser fingerprints and then watched for shifts in ad bids and HTTP traffic, the records exchanged between a browser and a server. The researchers said those changes let them test whether fingerprinting was being used for identification rather than only for fraud checks or login security. (cs.jhu.edu) (eurekalert.org) (arxiv.org)

The paper said fingerprinting could bypass opt-outs under the European Union’s General Data Protection Regulation and California’s Consumer Privacy Act, allowing tracking to continue after a user declined consent. A separate 2024 study by some of the same researchers found that, in many cases, user data was still being collected, processed, and shared even when users opted out through consent tools such as OneTrust, Quantcast, Didomi, and CookieBot. (arxiv.org) (petsymposium.org)

That finding lands as regulators are still trying to make opt-out signals work in practice. A 2025 USENIX Security paper found that only about a third of sites with evidence of selling or sharing personal information implemented at least one recognized privacy string, and 45% of those sites opted users out through all implemented strings in April 2024. (usenix.org)

California’s rules require covered businesses to honor a user-enabled Global Privacy Control signal as a valid opt-out request. The Wesleyan-Princeton study said low compliance rates showed “widespread disregard” for California residents’ opt-out rights. (usenix.org)

The fingerprinting paper also draws a line between cookies and fingerprints that privacy tools treat differently. Cookies are files a user can delete or block, while a fingerprint is inferred from browser behavior and device settings, which the Johns Hopkins and Texas A&M researchers said is harder for users to detect or prevent. (stories.tamu.edu) (cs.jhu.edu)

The researchers did not argue that every use of fingerprinting is illegal or ad-related. Their paper notes that the same techniques can be used for bot detection, fraud prevention, and user authentication, which is why they focused on measuring ad-market behavior rather than just spotting fingerprinting code on a page. (arxiv.org) (spies.engr.tamu.edu)

What the studies add is evidence that consent banners and opt-out toggles do not reliably stop data collection once tracking shifts from stored files to device-level signals. The result is a privacy regime where the button says no, but the browser can still be recognized. (arxiv.org) (petsymposium.org)
