Device Fingerprinting: Consent still required

Adam Wright in Advertising

At the end of November, the Article 29 Working Party adopted an Opinion which clarified that the requirement to obtain a user’s consent when accessing or storing information on their device is not limited to cookies and applies to similar tracking technologies, such as device fingerprinting. Under Article 5(3) of Directive 2002/58/EC (the “ePrivacy Directive”), third parties wishing to process device fingerprints which are generated through the gaining of access to, or storing of, information on a user’s device must first obtain the valid consent of that user, save where an exemption applies.

What is Device Fingerprinting?

Device fingerprinting is seen as an alternative to using HTTP cookies. It works by using a set of information fields to identify a specific user, device and/or instance of an application. The information fields can be drawn from device configuration, JavaScript objects, HTTP header information, or the use of external or internal APIs on a device. When this information is combined and used in conjunction with other identifiers (such as the originating IP address), it serves as a unique fingerprint for the device or application instance. This allows third parties to distinguish devices from one another and to track and analyse the user’s activity on that device over time.

Device fingerprinting technology is sometimes preferred over cookies because it is largely platform-agnostic, can identify a broad range of internet-connected devices, and does not need a user to be on a web browser to be effective. Until the Opinion was adopted by the Working Party, companies using device fingerprinting technology had sought to distinguish device fingerprints from cookies so that they would fall outside the consent requirements under the ePrivacy Directive. Following the Opinion, it will be difficult to argue that this is a meaningful distinction.

It is important … to remember that where device fingerprinting requires the storage of, or access to, (a set of) information on the user’s device then consent will be required.

What practical steps do providers of online services need to take?

  • Opt-out mechanisms will need to be updated. Traditionally, opt-out cookies were used, but this does not work on mobile platforms, so online service providers will need to develop alternative opt-out mechanisms, perhaps based on a unique ID system (such as Device IDs).

  • Cookie policies will need to be updated. To the extent they do not already, cookie policies should provide “clear and comprehensive information” on the types of tracking technologies which are being used in addition to cookies and the way in which the technology stores or accesses information on a user’s device.

  • Business practices will need to be assessed. Companies which have previously relied on the legal uncertainty by employing alternative tracking technologies to cookies will need to reassess their business processes and consider whether they comply with the ePrivacy Directive.

Device Fingerprinting: Consent still required was last modified: January 28th, 2015 by Adam Wright