“Device fingerprinting” is the combining of various “information elements”, such as IP addresses, JavaScript objects (e.g. document, window, screen, navigator, date and language information), installed fonts and installed plug-in information, in order to identify particular devices and users, even when cookies are disabled.

In other words, by gathering such information, a unique fingerprint for a device or application instance is created. On the one hand this can be useful, as fingerprints can distinguish one device from another. However, it can be problematic, as they can be used as an overt alternative to track internet behaviour over time.

As a result, an individual may be associated, and therefore identified, or made identifiable, by that device fingerprint.

The technology is not limited to the configuration parameters of a traditional web browser on a desktop PC. It can also be used to identify a broad range of internet-connected devices, consumer electronics and applications; these include those running on mobile devices, smart TVs, gaming consoles, e-book readers, internet radio, in-car systems or smart meters.

The Article 29 Data Protection Working Party has published an Opinion on the application of the E-Privacy Directive (2002/58/EC) to “device fingerprinting” (WP224). According to the Working Party, device fingerprinting, which can be used to track internet users’ behaviour online, presents “serious data protection concerns for individuals”. The Working Party’s main concern is the proposal by some online services that device fingerprinting can be used as an alternative to cookies for the purpose of providing analytics or for tracking. This would negate the need for consent under Article 5(3) of the E-Privacy Directive.

The key message of the Opinion is that, in the Working Party’s view, Article 5(3) is applicable to device fingerprinting. Therefore, those who process device fingerprints which are generated by gaining access to, or storing information on, a user’s device may only do so with the valid consent of the user, given after clear and comprehensive information on the purposes of the processing has been provided, unless an exemption applies.

Article 5(3) of the E-Privacy Directive states that Member States shall ensure that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user” is only permitted on the condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information on the purposes of the processing in accordance with the Data Protection Directive (95/46/EC). In Opinion 04/2012 on Cookie Consent Exemption (WP194), the Working Party considered Article 5(3) of the 2002 Directive in relation to the storage of, or access to, information through the use of cookies. That Opinion stated that Article 5(3) does not exclusively apply to cookies, but is also applicable to “similar technologies”.

This latest Opinion addresses reports that online service providers are actively exploring the use of device fingerprinting as an alternative to cookies for a range of purposes in an effort to avoid the consent requirement of Article 5(3).

Data Protection Risks

The Opinion does not analyse the provisions of the Data Protection Directive (95/46/EC). However, it does refer to the data protection issues that are relevant in the context of device fingerprinting.

The Opinion considers that:

  • When several information elements are combined, especially unique identifiers such as IP addresses, and the purpose of the processing is to identify users over time, across websites, such as with behavioural advertising, the processing must also comply with the rules provided in the Data Protection Directive. This is because device fingerprints also constitute personal data.
  • Device fingerprinting also carries data protection risks because of who the fingerprints are available to. The unique set of information elements combined to create a “fingerprint” is available to website publishers and other third parties. As many parties frequently contribute to the content of a web page, each of these parties may have the opportunity to collect the information needed to fingerprint a user’s device.
  • In contrast to cookies, device fingerprinting can operate covertly. There is no simple way for users to prevent the activity. There are also limited opportunities available to reset or modify any information elements being used to generate the fingerprint. Consequently, device fingerprints can be used by various parties to “secretly identify or single out users with the potential to target content or otherwise treat them differently”.

This article is a summary of recent developments. It should not be regarded as a substitute for advice in any particular case. For further advice please contact us.
