[tracker1]

For that matter, browser + ip fingerprinting can be server-tracked anyway, if less reliably overall. Especially with JS enabled. There are lots of tricks that can be used for this.

Aside, wonder how good/bad ip+agent fingerprinting could be combined with a url that feeds a small randomly generated string with a VERY long cache expiration, with server/proxy no-cache headers (e-tag per agent/ip). Effectively similar to a cookie, without technically being a cookie.

[medbrane]

But serverside tracking without consent would still be illegal, right? GDPR does not make a difference between cookies and other mechanisms.

[thaumasiotes]

Setting cookies involves you telling all your visitors that you're tracking them. How would the server-side tracking be detected?

[janosdebugs]

Fingerprinting still requires a lot of client-side information. Sending that to the server for no good reason may prompt some questions.

[jefftk]

I expect Microsoft would still disclose it in their privacy policy. Or be vulnerable to a whistleblower.

[tracker1]

It's not "tracking" it's just ensuring a "consistent user experience throughout our ecosystem".

/sarc

[jefftk]

The tracking they were fined for was for ad fraud detection, not personalization.

[tracker1]

Fair enough... didn't know, since I'm in the US and don't deal with EU on a business level.

[jefftk]

Not clear in this case, since while detecting ad fraud doesn't meet the "strictly necessary" requirements of ePrivacy (necessary for storing the cookie on your machine) it is still an open question whether the GDPR requires user consent for it. (Lawyers at advertising companies think that you don't, but that doesn't mean they're right)

[wkat4242]

It is but it's a hell of a lot harder to prove.