EU: Device Fingerprinting Should Be Regulated Like Cookies

Device fingerprinting is the latest target in the EU’s effort to protect user privacy online. The pan-European Article 29 Working Group has adopted an opinion calling for consent requirements for device fingerprinting in line with requirements when cookies are used.

“This Opinion expands upon the earlier Opinion 04/2012 on Cookie Consent Exemption and indicates to third-parties who process device fingerprints which are generated through the gaining of access to or the storing of information on the user’s terminal device that they may only do so with the valid consent of the user (unless an exemption applies),” the opinion states.

Companies have been turning to device fingerprinting as an alternative to cookies, in part because it had been understood that this method of tracking users and providing analytics fell outside the EU’s consent requirements for cookies.

Device fingerprinting can be used across a range of internet connected devices, smartphone apps, smart TVs, gaming consoles, e-book readers, internet radio, in-car systems and smart meters. The data can be used to signal that a website is being viewed on a smartphone so that the content is rendered properly for a smaller screen. It can also be used for advertising — tracking users over time for behavioral ad targeting — without users’ knowledge or control.

“In contrast to HTTP cookies, device fingerprinting can operate covertly,” wrote the Article 29 Working Party. “There are no simple means for users to prevent the activity and there are limited opportunities available to reset or modify any information elements being used to generate the fingerprint. As a result, device fingerprints can be used by third-parties to secretly identify or single out users with the potential to target content or otherwise treat them differently.”

While using this data for temporary UI customizations — making a site look good on a smartphone, for example — does not require consent, the Working Party states that device fingerprinting for targeting ads is covered by the group’s Cookie Consent Exemption opinion and does require user consent.

A spokesperson from the Information commissioners’ office (Ico) told the Guardian, that the Ico “has always been clear that the law around cookies also applies to similar technologies. The Article 29 opinion adopted this week, which the Ico played a key role in drafting, confirms that digital fingerprinting is such a technology.”

How device fingerprinting will be regulated is up to the individual EU countries. In the UK, for example, sites using cookies typically display a notification and request explicit consent.