Data Protection Risks: Device Fingerprinting
The Opinion does not analyse the provisions of the Data Protection Directive (95/46/EC). However, it does refer to the data protection issues that are relevant in the context of device fingerprinting.
The Opinion considers that:
- When several information elements are combined, especially unique identifiers such as IP addresses, and the purpose of the processing is to identify users over time, across websites, such as with behavioural advertising, the processing must also comply with the rules provided in the Data Protection Directive. This is because device fingerprints also constitute personal data.
- Device fingerprinting also carries data protection risks because of who the fingerprints are available to. The unique set of information elements combined to create a “fingerprint” is available to website publishers and other third parties. As many parties frequently contribute to the content of a web page, each of these parties may have the opportunity to collect the information needed to fingerprint a user’s device.
- In contrast to cookies, device fingerprinting can operate covertly. There is no simple way for users to prevent the activity. There are also limited opportunities available to reset or modify any information elements being used to generate the fingerprint. Consequently, device fingerprints can be used by various parties to “secretly identify or single out users with the potential to target content or otherwise treat them differently”.
This article is a summary of recent developments. It should not be regarded as a substitute for advice in any particular case.