mrguyorama 2 hours ago

The SOP of this entire industry is "Include this javascript link in your tag manager of choice", and it will run whatever javascript it can to collect whatever they want to collect. You then integrate in the back end to investigate the signals they sell you. America has no GDPR or similar law, so your "privacy" never enters the picture. They do not even think about it.

This includes things like the motion of your mouse pointer, typing events including dwell times, fingerprints. If our providers are scanning the list of extensions you have installed, they aren't sharing that with us. That seems overkill IMO for what they are selling, but their business is spyware so...

On the backend, we generally get the results and some signals. We do not get the massive pack of data they have collected on you. That is the tracking company's prime asset. They sell you conclusions using that data, though most sell you vague signals and you get to make your own conclusions.

Frankly, most of these providers work extremely well.

Sometimes, one of our tracking vendors gets default blackholed by Firefox's anti-tracking policy. I don't know how they manage to "Fix" that but sometimes they do.

Again, to make that clear, I don't care what you think Firefox's incentives are, they objectively are doing things that reduce how tracked you are, and making it harder for these companies to operate and sell their services. Use Firefox.

In terms of "Is there a way to do this while preserving privacy?", it requires very strict regulation about who is allowed to collect what. Lots of data should be collected and forwarded to the payment network, who would have sole legal right to collect and use such data, and would be strictly regulated in how they can use such data, and the way payment networks handle fraud might change. That's the only way to maintain strong credit card fraud prevention in ecommerce, privacy, status quo of use for customers, and generally easy to use ecommerce. It would have the added benefit of essentially banning Google's tracking. It would ban "Fraud prevention as a service" though, except as sold by payment networks.

Is this good? I don't know.

fc417fc802 13 minutes ago

Mandating that tracking for anti-fraud be vertically integrated with the payment network seems unnecessary. Surely the law could instead mandate the acceptable uses of such data? The issue at present appears to be the lack of regulation, not scofflaws.

I'm not convinced tracking is the only or even a very good way to go about this though. Mandating chip use would largely solve the issue as it currently stands (at least AFAIK). The card provider doing 2FA on their end prior to payment approval seems like it works just as well in practice.

At this point my expectation is that I have to do 2FA when first adding a new card to a platform. I'm not clear why they should need to track me at that point.