How do websites track me without cookies? Browser fingerprinting explains how

If you are asking how websites track you without cookies, the short answer is that cookies were never the only way to recognize a browser. Fingerprinting builds continuity from the environment itself: screen size, installed fonts, rendering behavior, language, timezone, hardware patterns, and other details that can make one browser look unusually distinctive even when the person never logs in.

EFF’s Cover Your Tracks project has spent years teaching this lesson the hard way. Its earlier Panopticlick research found that 83.6% of browsers were unique from fingerprintable attributes alone, and with additional plugin detail that figure rose even higher. The exact percentages come from an older web, but the durable takeaway still holds: deleting cookies is not the same thing as becoming unrecognizable.

Princeton’s web-measurement work helps explain why the distinction matters operationally. Tracking infrastructure is widespread across ordinary sites, which means merchants and intermediaries do not need a dramatic black-hat exploit to keep continuity. If a browser stays legible and the page is full of analytics, personalization, or marketing code, the system can preserve more context than the shopper expects across visits and comparisons.

That continuity becomes commercially meaningful once it feeds scoring and steering. The FTC’s surveillance-pricing inquiry described systems that can use browsing history, shopping history, demographics, location, and related inputs to shape how people are treated. Fingerprinting does not have to replace those signals to matter. It only has to make the same person easier to recognize often enough that the rest of the behavioral profile can stay coherent.

This is why cookie banners alone do not solve the real recognition problem. A shopper can reject some tracking, clear the obvious state, and still feel like the site remembers them anyway. That feeling is not irrational. Fingerprinting lives in the gap between what users think a privacy reset should do and what the browser still reveals by default.

For Cloak, that is the product opportunity. A browser privacy tool should not pretend a consent click fixed the environment. It should reduce repeatable signals where possible, make the remaining risk legible, and tell the shopper when the page still looks capable of building continuity after the obvious cookies are gone.