UK regulation

UK GDPR + PECR and fingerprinting

How the post-Brexit UK GDPR and the Privacy and Electronic Communications Regulations treat device fingerprinting, with the ICO's enforcement posture and the open question of the Data Protection and Digital Information Bill.

Region: United Kingdom (England, Scotland, Wales, Northern Ireland)
Regulator: Information Commissioner's Office (ICO)
Effective: 1 January 2021 (post-Brexit UK GDPR); PECR in force since 11 December 2003
Max penalty: £17.5M or 4% of global annual turnover, whichever is higher (UK GDPR); £500,000 (PECR, pre-DPDI Bill)
Status: in force

Two laws, one country

Fingerprinting compliance in the UK sits at the intersection of two statutes, both inherited from EU law but now domesticated. The UK General Data Protection Regulation is the retained EU GDPR, amended with effect from 1 January 2021 by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and read alongside the Data Protection Act 2018. Its text is substantively identical to EU GDPR, with UK-specific references and a UK regulator.

Sitting alongside it, and predating Brexit by nearly two decades, is the Privacy and Electronic Communications Regulations 2003 (PECR). PECR implements the EU ePrivacy Directive, the same instrument that governs cookies and 'similar technologies' under EU law, and Regulation 6 is the operative provision for fingerprinting. As in the EU, the consent rule comes from the ePrivacy layer (PECR Reg 6), and what you do with the resulting personal data is governed by UK GDPR.

PECR Regulation 6: the storage and access rule

Reg 6 of PECR states that a person shall not store information, or gain access to information stored, in the terminal equipment of a subscriber or user unless that subscriber or user has been given clear and comprehensive information about the purposes of the storage or access and has given their consent. The drafting closely follows Article 5(3) of the EU ePrivacy Directive, with one notable feature: the consent definition in PECR was rewritten in 2019 to align with UK GDPR Article 4(11), so consent under PECR now requires the full UK GDPR standard: freely given, specific, informed, unambiguous, and signified by clear affirmative action.

The exception in Reg 6(4) tracks the EU 'strictly necessary' carve-out: consent is not required where the access is strictly necessary for the provision of an information society service explicitly requested by the user, or for the sole purpose of carrying out a communication. The ICO has read this narrowly and the practical effect is the same as in the EU.

UK GDPR Article 6 lawful bases

Once you have a fingerprint, processing it requires a lawful basis under UK GDPR Article 6. The six bases are identical to EU GDPR's: consent, contract, legal obligation, vital interests, public task, and legitimate interest. The ICO's online guidance has historically been more pragmatic about legitimate interest than the CNIL or Garante, particularly for fraud prevention and network security purposes, but the basis still requires a documented Legitimate Interests Assessment (LIA) and does not exempt you from the separate PECR Reg 6 consent obligation.

When you can rely on legitimate interest for fingerprinting

  • Preventing fraud and abuse: explicitly mentioned in the ICO's Legitimate Interests guidance as a recognised business interest.
  • Securing the network and the service: Recital 49 of UK GDPR, carried over from EU GDPR, names this as a legitimate interest.
  • Direct marketing to existing customers: possible but tightly bounded; PECR Reg 22 still requires opt-in for electronic marketing in most cases.
  • Internal record-keeping: when proportionate.
  • Conducting a legitimate-interest assessment is mandatory if you wish to rely on this basis; the ICO can demand to see the LIA.

Consent: what the ICO expects

The ICO's 2019 cookie guidance laid out a now-canonical position on consent UX which has shaped UK consent banners since. Implied consent is dead. Pre-ticked boxes are non-compliant. Continued use of the site cannot be treated as consent. A 'reject' option must be as easy and prominent as 'accept'. And consent must be granular at the purpose level: a single 'accept all' button that bundles fingerprinting with strictly-necessary cookies does not meet the standard.

These positions were stress-tested by the ICO's joint statement with the CMA in November 2023, which warned of imminent action against the top UK websites still relying on dark-pattern consent banners. The follow-up enforcement notices in early 2024 named-and-shamed several major publishers.

UK fingerprinting purposes and consent

Purpose | PECR consent? | UK GDPR basis
Fraud detection on a payment or login flow | Often not required (strictly necessary) | Legitimate interest (LIA documented)
Bot mitigation on a public form | Often not required | Legitimate interest
Account takeover detection | Usually not required | Legitimate interest
Cross-device measurement for marketing | Required | Consent (Article 6(1)(a))
First-party product analytics | Required | Consent
Personalisation / recommendation | Required | Consent
Frequency capping or audience building for ads | Required | Consent

Enforcement under PECR and UK GDPR

The ICO has split fining powers: up to £17.5M or 4% of global annual turnover, whichever is higher, for UK GDPR breaches, and (currently) up to £500,000 per PECR Reg 6 breach. The proposed Data Protection and Digital Information Bill would raise PECR maxima to align with UK GDPR; it was withdrawn before the July 2024 General Election, reintroduced in modified form thereafter, and as of mid-2026 is still in committee.

ICO enforcement has historically been less prolific than CNIL or Garante in absolute fines but more prolific in formal warnings and reprimands. The ICO publishes a public enforcement tracker, a useful source for anyone benchmarking risk.

Notable UK enforcement actions

  • ICO v. Clearview AI (May 2022): £7.5M plus an enforcement notice. Although the underlying tech is facial recognition, the ICO's decision turned on processing a unique identifier of UK residents without a lawful basis or transparency; the framework is directly applicable to fingerprinting.
  • ICO joint statement with CMA on harmful design (November 2023): not a fine, but signalled a coordinated review of UK consent banners.
  • ICO enforcement notice to LinkedIn (October 2024): targeted advertising practices; reaffirmed that legitimate interest cannot displace the PECR consent requirement for behavioural ads.
  • ICO v. Snap (November 2023): not a fine but an enforcement notice on profiling minors, with reasoning that applies to any fingerprint-class identifier used to recognise under-18 users.
  • ICO Action Plan on Online Tracking (December 2024): committed the regulator to publishing fresh guidance on 'consent or pay' and 'pay or okay' models, both of which directly affect fingerprinting deployments behind paywalls.

Children's data: the Age Appropriate Design Code

The UK has a children-specific obligation that the EU does not match in equivalent form. The Age Appropriate Design Code (in force since September 2021, sometimes called the 'Children's Code') sets 15 standards for online services likely to be accessed by children under 18. Standard 12 (profiling) requires profiling to be switched off by default for users assessed to be children, Standard 7 requires high-privacy default settings, and Standard 5 covers detrimental use of personal data.

For a fingerprinting deployment, this means that age-assurance, even probabilistic, must be considered before fingerprinting is enabled, and that fingerprints used for behavioural advertising to users who are or may be children require explicit opt-in plus parental consent for under-13s.

Where UK and EU rules diverge

The UK GDPR and EU GDPR remain substantially equivalent (the Commission's June 2021 adequacy decision rests on that equivalence), but pressure to diverge has grown. The Data Protection and Digital Information Bill, in its various drafts, has proposed loosening PECR Reg 6 to permit certain low-risk cookies and similar technologies without consent. As of mid-2026, those proposals are not yet law. Until they pass, treat UK and EU consent rules as functionally equivalent.

Where the rules already diverge is at the regulator level. The ICO has been markedly more receptive to legitimate-interest reliance for fraud and security than the CNIL, and more willing to publish concrete operational guidance. For a deployment that serves both UK and EU users, defaulting to the stricter EU-style consent UX remains the safe path.

How Benny the Doorman fits into a UK-compliant deployment

A UK-compliant Benny deployment is operationally close to a GDPR-compliant one. The fingerprint API call sits behind the user's consent decision in the CMP. Lawful basis is documented in the record of processing activities. Where the use case is anti-fraud or security, a Legitimate Interests Assessment is filed, and the data flow is kept separate from analytics or marketing purposes.

Our standard DPA includes the ICO's International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs, as the UK transfer mechanism alongside the EU SCCs, given that Benny's processing infrastructure sits in Chennai, India. India is not currently subject to a UK adequacy decision, so a transfer mechanism is required.

Frequently asked questions

Is browser fingerprinting legal in the UK?

Yes, when done with valid consent under PECR Regulation 6 or under a recognised exception. Fingerprinting itself is not banned, but unconsented fingerprinting for non-strictly-necessary purposes is non-compliant and subject to ICO enforcement.

Do I need consent for fingerprinting under UK GDPR?

The consent requirement comes from PECR Reg 6, not UK GDPR Article 6. You need PECR consent before reading device characteristics, and a separate UK GDPR lawful basis for processing the resulting personal data. For most non-security use cases, both need to be consent.

Is fingerprinting for fraud prevention exempt from UK consent rules?

Narrowly, yes. The 'strictly necessary' exception in PECR Reg 6(4) can cover fraud and security uses, and UK GDPR Article 6(1)(f) legitimate interest can support the processing, provided a documented LIA is in place and the fraud signal is kept separate from analytics or marketing.

Are UK and EU GDPR fingerprinting rules the same?

Substantively the same today. The text of UK GDPR mirrors EU GDPR, and PECR mirrors the ePrivacy Directive. The ICO has been more pragmatic about legitimate interest than several EU member-state regulators. Pending divergence under the Data Protection and Digital Information Bill could change this.

What are PECR fines for non-compliant fingerprinting?

Up to £500,000 per breach under current PECR rules. The proposed Data Protection and Digital Information Bill would lift this to UK GDPR levels (£17.5M or 4% of global turnover). UK GDPR penalties for the downstream processing breach are already at those levels.

Does the ICO accept Global Privacy Control or similar signals?

The ICO has not made GPC a binding signal in the way California has, but it has stated that signals which clearly express a user's choice should be respected as a matter of good practice. Treat GPC and similar signals as opt-out instructions for safety.
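The deployment section above says the fingerprint call sits behind the CMP consent decision and that security flows stay separate from marketing, and this answer says GPC should be treated as an opt-out. The following is an added example, not Benny the Doorman's code or API: a purpose-level gate that applies the purpose table on this page, honours GPC as an opt-out, applies the Children's Code profiling default, and only then invokes the fingerprinting function. The consent object shape, the `fingerprintFn` callback and the purpose names are assumptions for the example.

```javascript
// Added example (not Benny the Doorman's code): a consent gate that decides,
// per purpose, whether a fingerprint call may run at all. The shape of the
// CMP consent object ({ analytics: true, ads: false, ... }) and the injected
// fingerprintFn are assumptions, not part of any real CMP or library API.

// Purposes the page treats as strictly necessary under PECR Reg 6(4).
// They still need a documented LIA, and their output must stay in the
// security sink, never flowing into analytics or marketing.
const STRICTLY_NECESSARY = new Set(['fraud', 'bot-mitigation', 'account-takeover']);

// Purposes that need PECR consent plus a UK GDPR Art 6(1)(a) consent basis.
const CONSENT_REQUIRED = new Set(['analytics', 'personalisation', 'marketing', 'ads']);

// Purposes that amount to profiling for Children's Code purposes.
const PROFILING = new Set(['personalisation', 'marketing', 'ads']);

function decide({ purpose, consent = {}, gpc = false, likelyChild = false, parentalConsent = false }) {
  if (STRICTLY_NECESSARY.has(purpose)) {
    return { allowed: true, basis: 'legitimate-interest', sink: 'security' };
  }
  if (!CONSENT_REQUIRED.has(purpose)) {
    // Fail closed: an unclassified purpose has no lawful basis recorded.
    return { allowed: false, reason: 'unclassified-purpose' };
  }
  if (gpc) {
    // GPC is not binding in the UK; this example treats it as an opt-out anyway.
    return { allowed: false, reason: 'gpc-opt-out' };
  }
  if (consent[purpose] !== true) {
    // Consent must be granular at the purpose level; a bundled 'accept all'
    // flag is not consulted here.
    return { allowed: false, reason: 'no-purpose-consent' };
  }
  if (likelyChild && PROFILING.has(purpose) && !parentalConsent) {
    // Children's Code: profiling is off by default for likely-child users.
    // Conservative simplification: parental consent is demanded for any
    // likely-child user; the page states it is mandatory for under-13s.
    return { allowed: false, reason: 'children-code-profiling-off' };
  }
  return { allowed: true, basis: 'consent', sink: purpose };
}

// Run fingerprintFn only when the gate allows it, and tag the result with the
// sink it may be delivered to, so security and marketing flows stay separate.
async function fingerprintIfPermitted(ctx, fingerprintFn) {
  const decision = decide(ctx);
  if (!decision.allowed) return { ran: false, decision };
  const id = await fingerprintFn();
  return { ran: true, decision, id };
}

// Stand-alone demo with a stub fingerprint function (constructed, not a real library).
if (typeof require !== 'undefined' && require.main === module) {
  const stub = async () => 'fp-demo';
  const cases = [
    { purpose: 'fraud' },
    { purpose: 'analytics', consent: { analytics: true } },
    { purpose: 'analytics', consent: { analytics: true }, gpc: true },
    { purpose: 'ads', consent: { ads: true }, likelyChild: true },
  ];
  Promise.all(cases.map((c) => fingerprintIfPermitted(c, stub)))
    .then((results) => results.forEach((r, i) => console.log(cases[i].purpose, r)));
}
```

In a real page the `gpc` input would come from `navigator.globalPrivacyControl` and `consent` from the CMP's purpose-level callback; the gate itself stays pure so the decision can be unit-tested and logged into the record of processing activities.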

Does the Age Appropriate Design Code affect fingerprinting?

Yes. If a child is likely to access your service, the Code's profiling-by-default-off rule applies. Fingerprints used to recognise users for behavioural targeting fall within the profiling concept, and you must apply age-appropriate restrictions before enabling them.

Does the UK GDPR apply to non-UK companies?

Yes, in two situations. UK GDPR Article 3(2) extends to controllers and processors outside the UK that offer goods or services to UK data subjects, or monitor their behaviour in the UK. Fingerprinting UK visitors counts as monitoring.

Tooling

Benny the Doorman is built for this compliance posture.

Free, cookieless fingerprinting that defers to your consent management platform, runs on Indian infrastructure, and ships with a DPA addendum sized for the jurisdiction above.

Last reviewed 2026-06-06