[0xy]

Chrome sends X-Client-Data headers to DoubleClick and other Google-owned properties, which can be used for tracking purposes. There's no way to disable this behavior.

The header contains a "low entropy" random ID generated by Chrome upon installation. Coupled with other data, this can be used to track users even after clearing cookies and in private mode.

[rossjudson]

There's a rather precise description of X-Client-Data at https://www.google.com/chrome/privacy/whitepaper.html#variat...

Note that you can reset at any time with the “--reset-variation-state” command line flag.

"Coupled with other data", anybody can track anything.

[aspenmayer]

I use the GDPR definition for what “other data” means in an online data collection context. Even then, legal hoop-jumping causes those definitions to be gamed, to the detriment of user privacy, and to the boon of site operators and advertisers.

Damian George, Kento Reutimann, Aurelia Tamò-Larrieux, GDPR bypass by design? Transient processing of data under the GDPR, International Data Privacy Law, Volume 9, Issue 4, November 2019, Pages 285–298, https://doi.org/10.1093/idpl/ipz017

Michael Veale, Reuben Binns, Jef Ausloos, When data protection by design and data subject rights clash, International Data Privacy Law, Volume 8, Issue 2, May 2018, Pages 105–123, https://doi.org/10.1093/idpl/ipy002

Frederik J. Zuiderveen Borgesius, Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new Data Protection Regulation, Computer Law & Security Review, Volume 32, Issue 2, 2016, Pages 256-271, https://doi.org/10.1016/j.clsr.2015.12.013