This work exposes the systematic misuse of browser fingerprinting in online advertising to circumvent GDPR/CCPA compliance mechanisms—extending beyond legitimate defensive uses such as fraud prevention or authentication. We introduce FPTrace, the first empirical framework that isolates fingerprinting’s causal impact on ad targeting by applying controlled perturbations to fingerprint features, measuring consequent changes in ad bid values, and quantifying HTTP traffic decay. Unlike prior studies relying solely on script detection, FPTrace provides direct, measurement-based evidence that fingerprinting actively drives behavioral targeting. Large-scale measurements across real websites reveal statistically significant bid inflation (up to +37%) and reduced HTTP request volumes (average −22%), demonstrating its privacy-invasive role in tracking. Our findings challenge prevailing qualitative assumptions about fingerprinting’s purpose and deliver the first quantitative, empirically grounded evidence to inform regulatory policy and privacy-enhancing technology design.

While advertising has become commonplace in today's online interactions, there is a notable dearth of research investigating the extent to which browser fingerprinting is harnessed for user tracking and targeted advertising. Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. It is imperative to address the mounting concerns regarding the utilization of browser fingerprinting in the realm of online advertising. This paper introduces ``FPTrace'' (fingerprinting-based tracking assessment and comprehensive evaluation framework), a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments. Using FPTrace, we emulate user interactions, capture ad bid data, and monitor HTTP traffic. Our large-scale study reveals strong evidence of browser fingerprinting for ad tracking and targeting, shown by bid value disparities and reduced HTTP records after fingerprinting changes. We also show fingerprinting can bypass GDPR/CCPA opt-outs, enabling privacy-invasive tracking. In conclusion, our research unveils the widespread employment of browser fingerprinting in online advertising, prompting critical considerations regarding user privacy and data security within the digital advertising landscape.