Article 29 Working Party targets device fingerprinting
In a nutshell:
A few days ago, the Article 29 Working Party, a European data protection advisory board composed of national EU regulators, adopted an Opinion on Device Fingerprinting. According to this Opinion, Device Fingerprinting has to follow the same data protection rules as apply to browser cookies. This is the first pan-European guidance on the subject.
Background:
Device Fingerprinting is an increasingly popular method of identifying devices or applications (e.g. web browsers) using a set of parameters and configurations. There are numerous types of information that can be used for this form of identification, e.g. CSS information, HTTP header information, installed fonts or installed plugins. Even the particular charging behaviour of individual users can create a unique profile, i.e. when and how users charge the batteries of their devices. This information can be combined to generate an individual fingerprint of a device or internet browser. This means fingerprinting can be used as a technical alternative to HTTP cookies for e.g. website analytics or user tracking. Whereas HTTP Cookies are technically visible on the client side, fingerprinting may be used to identify users without their knowledge.
According to the Opinion, the e-Privacy Directive 2002/58/EC should be read as applying to device fingerprinting. This Directive contains the “infamous” Art. 5 (3) – by virtue of which it is also known as the “Cookie Directive”. According to Art. 5 (3) of the Directive, “any storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user” is only allowed with the subscriber’s or user’s prior consent (unless one of the narrow exemptions apply).
Taking six different use cases, the Article 29 Working Party has analysed whether (1) the particular use cases do fall into the scope of the Cookie Directive, and (2) one of the narrow exemptions of this provision apply.
The exemptions from the consent requirement apply in exceptional cases only, i.e. if fingerprinting is used (1) “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” or (2) in case it is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” Beyond these exemptions, consent is required under the Cookie Directive. According to the Opinion, the exemptions may apply if fingerprinting is used e.g. for optimizing content to a certain device, the connection of a device to a network or for user-centric security measures.
On this basis, consent will be required if device fingerprinting is used for website analytics, user tracking to serve online behavioural advertising or even for the facilitation of easy user login. Unsurprisingly, the Opinion does not indicate how user consent should be obtained in practice. In particular, the question whether an opt-out approach would suffice or whether prior and affirmative opt-in is required remains open.
What does this mean in practice?
As a general remark, opinions of the Article 29 Working Party are not binding for national data protection regulators or courts across Europe. However, experience shows that national regulators often closely follow the Working Party’s opinions when interpreting and enforcing local laws. The Opinion therefore has a good deal of relevance in practice.
First and foremost, the message that the legal framework for cookies applies equally to device fingerprinting means that very fragmented legal landscape – and the legal uncertainty in some countries – regarding cookie compliance across Europe will extend to device fingerprinting. In particular the question whether and which sort of consent is actually required for the use of cookies and how to obtain such consent is regulated in a very diverse manner across Europe. Whereas some countries require active and affirmative consent (e.g. by checking a box, etc.), implied consent or an opt-out approach is common practice in other countries.
This “unlevel playing field” in the online space is clearly an obstacle for companies doing business across Europe. Many will see it as unhelpful that the Article 29 Working Party, instead of defining uniform rules European rules for device fingerprinting, broadened the scope of the Cookie Directive instead.
A best practice approach for the technical implementation of device fingerprinting in line with the Cookie Directive and at least a certain degree of legal certainty will therefore likely not evolve until the national data protection regulators and courts take a stand on device fingerprinting.