How This Briefing Works
This dossier opens with key findings, then maps the gap between what FingerprintJS discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 3 sites
vendor fires before consent
2 CRIT · 2 HIGH
Briefing
FingerprintJS is a Chicago-based device fingerprinting platform ($77M Series C) that enables persistent visitor identification across web and mobile applications. While marketed for "fraud detection," the technology fundamentally enables cross-site identity resolution without user consent. Critical finding: FingerprintJS claims SOC2 Type II, GDPR, and CCPA compliance, yet 100% of their detections in our dataset occurred pre-consent, and their own website deploys 59 third-party vendors while disclosing only 4 subprocessors. The 14.75x vendor disclosure gap represents a material misrepresentation of data sharing practices.
What This Means For You
If FingerprintJS identifies devices on your site, their technology generates persistent fingerprints that users cannot clear — unlike cookies, fingerprints survive private browsing, cache clearing, and browser updates. Under ePrivacy Art 5(3), device fingerprinting requires the same consent as cookies, meaning their 100% pre-consent rate creates absolute consent violations on EU traffic. FingerprintJS discloses 4 subprocessors while 59 vendors operate at runtime on fingerprint.com — a 14.75x disclosure gap that makes GDPR Art 28 compliance impossible. While marketed for "fraud detection," the underlying technology fundamentally enables cross-site identity resolution. Their SOC2 certification alongside this extreme disclosure gap requires explanation from your compliance team.
Risk Channel Breakdown
Device fingerprinting creates persistent identifiers that corrupt attribution by linking sessions across consent boundaries. Analytics built on fingerprinted visitors conflate genuine users with identified profiles, poisoning conversion data with pre-consent tracking.
Fingerprint data feeds into identity graphs that competitors and data brokers can access. Every fingerprinted visitor becomes a tradeable asset - their device signature, behavior patterns, and inferred intent flow to undisclosed third parties including Apollo.io, Clearbit, and HubSpot detected on fingerprint.com itself.
Device fingerprinting creates indelible tracking that cannot be cleared by users. Unlike cookies, fingerprints persist across browser resets, private mode, and device changes. This creates permanent attack surface where any breach of fingerprint data enables persistent tracking of affected users.
100% pre-consent tracking rate directly contradicts GDPR/CCPA compliance claims. The 4 disclosed vs 59 detected vendor gap violates GDPR Article 28 subprocessor disclosure requirements. Deploying fingerprinting while claiming privacy compliance creates regulatory liability for customers using FingerprintJS.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Collection exceeds disclosed scope
CMP vendor list vs runtime
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed FingerprintJS's public claims against observed runtime behavior and identified 4 contradictions.
"DPA lists 4 subprocessors (AWS, Rollbar, Postmark, WorkOS)"
59 vendors detected on fingerprint.com including identity resolution platforms
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 4, observed 6
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →