That's true for browsers, but Google controls both the Android OS and Google Play Services, giving them access to hardware identifiers on Android smartphones. Given the broad adoption of Android devices and the potential to correlate data, this is not a case of "making stuff up." Even if your MAC address is spoofed/randomized, the remaining data points are still sufficient to track you.
Depending on your network configuration I could imagine abuse of EDNS(0). This is used for example by NextDNS to identify which device (MAC) on your local network sent the request in order to apply specific filters and log the request. A not-so-friendly DNS could sell such information.
This list manages to be mostly correct while still spreading FUD. These can all be tracked, but the threat actors are very much uncoordinated in exploiting this info, and much of it (especially things like keystroke and mouse fingerprinting) is expensive to track en masse.
Just using Firefox with uBlock, no history, and privacy settings on max, through a somewhat trustworthy VPN like Mullvad will make your data mostly useless. Yeah, "they" could still catch you in a million ways, but if your threat model revolves mostly around surveillance capitalism you'll just be too much of a hassle to matter
To me just posting this long list is spreading FUD.
It mixes voluntary user actions, like submitting forms and “query parameters”, with things like “WebGL fingerprint” which we agree is evil sneaky fingerprinting.
I agree tracking is a serious problem, but this list isn’t contributing to any discussion.
People complain about google logging their search queries when they are in "incognito mode" and logged into their google account - we need a lot more education.
Query parameters are hardly voluntary, just about every linked acquired via "share" button on various platform includes tracking query parameters, including google search results. Combined with the fact that query parameters are has legitimate uses, the distinction complexity becomes indistinguishable from "legitimate WebGL usage" vs "WebGL fingerprint".
It is scary where we are, but you can't solve it by dismissing it as FUD.
IP address, User-Agent string, Referrer URL, Requested URL, Language, Locale, Screen resolution, Time zone, System time, Installed fonts, Installed plugins, Cookie data, Browser fingerprint, Canvas fingerprint, WebGL fingerprint, AudioContext fingerprint, Mouse movements, Click paths, Keyboard input timing, History sniffing, DNS queries, Destination IP addresses, HTTP traffic content, HTTPS metadata (host, SNI, timing), MAC address, Query parameters, Session ID, Login status, User account info, Geolocation (via IP), Geolocation (via browser API), Page interaction data, Time on page, Scroll behavior, Clicks, Form submissions, Browser type, OS type, Network provider, Client ID (\_ga cookie), Session ID, Timestamp, Pages visited, UTM parameters, Interaction events, Google Ad ID, DoubleClick cookie (IDE), Cross-site behavior, Cross-device behavior, Inferred demographics, Mouse tracking, Scroll depth, Video interactions, Audio interactions, Session replay, Keystroke logging, Facebook login status, Pixel events (Meta, LinkedIn, etc)
If you want to avoid that, you need to make a real effort (not just using DuckDuckGo). The Tails operating system might be a good place to start.