Compliance reference
Fingerprinting laws by jurisdiction.
A plain-English reference to how the world's privacy regulators treat browser and device fingerprinting. 4 jurisdictions live, 15 planned. Not legal advice.
What you'll find here
Each jurisdiction page covers the operative statute, what counts as fingerprinting under it, when consent is required, what enforcement has looked like, and an FAQ. Pages are written for product and engineering teams shipping fingerprinting into production, not lawyers drafting a memo. We cite the statute and the regulator on every claim.
Live jurisdictions
Tier 14 of 4 jurisdictions
Europe
| Region | Regulator | Consent posture | Max penalty | How the law treats fingerprinting | Updated |
|---|---|---|---|---|---|
| European Union (all member states) | European Data Protection Board (EDPB) + national DPAs | €20M or 4% of global annual turnover (whichever is higher) | Prior, freely given, specific, informed, unambiguous consent is required before reading fingerprinting signals, with narrow strictly-necessary carve-outs. | 2026-06-06 | |
| United Kingdom (England, Scotland, Wales, Northern Ireland) | Information Commissioner's Office (ICO) | £17.5M or 4% of global annual turnover (UK GDPR); £500,000 (PECR, pre-DPDI Bill) | Same consent requirement as EU GDPR for now; ICO has been clearer than most DPAs that fingerprinting is treated as 'similar to a cookie'. | 2026-06-06 |
United States
| Region | Regulator | Consent posture | Max penalty | How the law treats fingerprinting | Updated |
|---|---|---|---|---|---|
| California, United States | California Privacy Protection Agency (CPPA) + California Attorney General | $2,500 per violation; $7,500 per intentional violation or violation involving a minor's data | Notice + the ability to opt out of 'sale' and 'sharing' of fingerprints; opt-in only for sensitive data and minors under 16. | 2026-06-06 |
Asia-Pacific
| Region | Regulator | Consent posture | Max penalty | How the law treats fingerprinting | Updated |
|---|---|---|---|---|---|
| India (national) | Data Protection Board of India (yet to be fully constituted as of mid-2026) | Up to INR 250 crore per breach category (Section 33) | Consent is the default basis; Section 7 legitimate uses cover fraud and security with notice, without separate consent. | 2026-06-06 |
Coming soon
Tiers 2 – 4We're publishing jurisdictions in priority order: head-of-funnel regulators first, US states and global long-tail next. Want a jurisdiction prioritised? Drop us a line.
| Jurisdiction | Acronym | Tier | Status |
|---|---|---|---|
| South Africa (Protection of Personal Information Act) | POPIA | Tier 4 | Planned |
| Australia (Privacy Act 1988) | AU PA | Tier 4 | Planned |
| New Zealand (Privacy Act 2020) | NZ PA | Tier 4 | Planned |
| Singapore (Personal Data Protection Act) | SG PDPA | Tier 4 | Planned |
| Thailand (Personal Data Protection Act) | TH PDPA | Tier 4 | Planned |
| UAE (Personal Data Protection Law) | UAE PDPL | Tier 4 | Planned |
| Saudi Arabia (Personal Data Protection Law) | KSA PDPL | Tier 4 | Planned |
| Nigeria (Nigeria Data Protection Act 2023) | NDPA | Tier 4 | Planned |
| Switzerland (Federal Act on Data Protection, revised) | nFADP | Tier 4 | Planned |
| Türkiye (Personal Data Protection Law) | KVKK | Tier 4 | Planned |
| Israel (Privacy Protection Law) | IL PPL | Tier 4 | Planned |
Tooling
Pick a regime; ship fingerprinting that fits it.
Benny the Doorman is free fingerprinting that defers to your consent management platform, runs on Indian infrastructure, and ships with a DPA addendum sized for the jurisdiction you're serving.
