GDPR Compliance

With the decline of third-party cookies, regulators and privacy teams have increased scrutiny of alternative identification techniques, including fingerprinting, under GDPR. HockeyStack’s fingerprinting is designed to operate within GDPR requirements when implemented correctly, and it is built around consent, data minimization, and the avoidance of direct personal data processing. This document explains the technical and organizational measures that support HockeyStack’s GDPR-compliant approach.

Opt-in Banners

HockeyStack supports explicit, informed consent mechanisms consistent with GDPR Articles 6 and 7 by allowing its tracking script to be conditionally loaded only after user consent is obtained.

Most European companies already have an opt-in or a classic cookie banner when a visitor enters their website for the first time. When a visitor gives their consent, the necessary scripts that were mentioned in the banner are fired automatically. HockeyStack’s tracking script can be loaded conditionally based on user consent, ensuring that tracking occurs only after explicit opt-in.

The HockeyStack snippet that you should use for this purpose is:

<script>
  var script = document.createElement("script");
  script.id = "fphs";
  script.src = "https://cdn.jsdelivr.net/npm/hockeystack@latest/hockeystack.min.js";
  script.async = 1;
  script.dataset.apikey = "YOUR_API_KEY";
  script.dataset.cookieless = 1;
  document.getElementsByTagName('head')[0].appendChild(script);
</script>

Don’t forget to change YOUR_API_KEY with your own API key that you see from your dashboard.

If you don’t already have a banner like this, there are services that offer a free banner like GlowCookies so that you wouldn’t need to create one from scratch.

Not Collecting PII

As you can see the list from here, HockeyStack does not directly collect or store personal data such as names, email addresses, or raw IP addresses. Instead, identification relies on a combination of non-PII device and contextual signals that are processed transiently to generate an irreversible, pseudonymous identifier. The underlying signals are not retained after hashing, and the resulting identifier cannot be reverse-engineered to identify an individual.

Relation to Third Parties

HockeyStack does not share, sell, or license fingerprinting data to third parties. All processing occurs solely to provide the contracted service, and data is not reused for unrelated purposes. This ensures HockeyStack is not involved in downstream processing activities that could introduce GDPR compliance risk.

Here is a link to our Privacy Policy for more details.

Conclusion

HockeyStack’s fingerprinting approach aligns with GDPR principles of lawfulness, transparency, purpose limitation, and data minimization, and is intended to be deployed as part of a compliant consent and privacy framework.