AlexandrB 2 days ago

How would you ever find out/enforce this though? With cookies, you can examine the local cookie storage but with fingerprinting everything happens server-side (as I understand).

bryanrasmussen 2 days ago | parent | next [-]

>How would you ever find out/enforce this though?

Programmers really have a hard time understanding the law. How does any violation of the law ever get found out, or any law enforced? Generally someone says "hey, this company is doing X", and then the government gets a warrant to say "let us look through your stuff to find out if you are doing X".

As a normal rule most companies work something like:

"excuse me, we have reports you are doing X"

"Not exactly, this is what we are doing - we call it X1, which is why we are totally ok under the rules governing X. Our legal dept. can totally explain"

Court case instantiates.

If the company is doing something that they will actually say "no we are doing nothing of the sort!" then it is likely someone in the company will at some time say "hey they are really doing X" and then the warrant thing I discussed first happens.

At any rate, finding out and enforcing things can happen without perfect technical access to everything; that's how justice systems have managed to work for centuries.

Sanzig 2 days ago | parent | prev | next [-]

The fingerprint collection happens mostly using client-side JS (a bit of server side with HTTP headers, but the really high entropy stuff is client side).

Conceivably you could develop some sort of heuristic that detects when a script is simultaneously poking at a whole bunch of APIs associated with common fingerprinting techniques (canvas capabilities, WebGL, screen size, installed fonts, etc.) and then kill it. But it is certainly much harder than blocking cookies.
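
The heuristic described in the comment above, sketched as an added example that is not part of the thread: it counts how many distinct fingerprinting-related API categories one script touches within a short window and blocks the script once a threshold is crossed. The category list, threshold, window and the injected `caller`/`clock` hooks are assumptions, and the browser APIs are replaced by constructed stand-ins so the logic runs outside a browser.

```javascript
// Added example. Category names, threshold and window are illustrative assumptions.
const FP_CATEGORIES = new Set(["canvas", "webgl", "screen", "fonts"]);

function createMonitor({ threshold = 4, windowMs = 1000 } = {}) {
  const seen = new Map();    // script URL -> Map(category -> last access time)
  const flagged = new Set(); // scripts that crossed the threshold
  // Record one access; returns true when `script` is (or just became) flagged.
  return function record(script, category, now) {
    if (!FP_CATEGORIES.has(category)) return flagged.has(script);
    if (!seen.has(script)) seen.set(script, new Map());
    const hits = seen.get(script);
    hits.set(category, now);
    let recent = 0; // distinct categories touched inside the sliding window
    for (const t of hits.values()) if (now - t <= windowMs) recent++;
    if (recent >= threshold) flagged.add(script);
    return flagged.has(script);
  };
}

// Wrap target[method] so each call is scored first; `caller` and `clock` are
// hypothetical injected hooks standing in for script attribution and time.
function instrument(target, method, category, record, caller, clock) {
  const original = target[method];
  target[method] = function (...args) {
    if (record(caller(), category, clock())) {
      throw new Error(`blocked ${category} access by ${caller()}`);
    }
    return original.apply(this, args);
  };
}

// Constructed stand-ins for browser APIs, and two constructed call patterns.
function demo() {
  let now = 0, script = "";
  const record = createMonitor();
  const categories = { toDataURL: "canvas", getParameter: "webgl",
                       screenSize: "screen", measureText: "fonts" };
  const api = {};
  for (const [m, c] of Object.entries(categories)) {
    api[m] = () => `${m} result`; // stand-in for the real browser API
    instrument(api, m, c, record, () => script, () => now);
  }
  const run = (name, stepMs) => {
    script = name; now = 0;
    for (const m of Object.keys(categories)) {
      try { api[m](); } catch (e) { return categories[m]; }
      now += stepMs;
    }
    return null; // no call was blocked
  };
  return { widget: run("widget.js", 5000), tracker: run("tracker.js", 10) };
}
```

`demo()` shows why the window matters: a script that touches all four categories five seconds apart is left alone, while one that touches them within 30 ms is blocked on the fourth.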

mhitza 2 days ago | parent | prev [-]

> with fingerprinting everything happens server-side (as I understand).

It happens client-side. Browser headers sent through for requests aren't enough for fingerprinting.

bryanrasmussen 2 days ago | parent [-]

Sure, but anyway the data collection is not that important; it is actually the data storage and data deletion parts that are going to make or break a GDPR case.

On edit: better clarify, I mean if you are fingerprinting but not storing in such a way that you can actually identify someone (although not sure why you would use fingerprinting then), then I don't think there is a case.