The Article 29 Data Protection Working Party (the independent European advisory and consultative body on data protection and privacy) recently issued an Opinion on device fingerprinting, in response to market reports that this technique, or rather set of technologies, is being used to circumvent the legislation of the ePrivacy Directive 2002/58/EC, as amended by Directive 2009/136/EC (the ‘Cookie Directive’). In the Working Party’s view, device fingerprinting is also governed by the provisions of the Cookie Directive and, unless an exemption applies, its use requires prior consent.
The very first question to ask is what device fingerprinting actually is. The Article 29 Working Party defines a fingerprint as ‘a set of information elements that identifies a device or application instance’. In other words, it comprises the characteristics of a device (e.g. a smartphone or tablet) by which that device can be distinguished from other devices. The information elements retrieved include, for example, JavaScript objects (e.g. document, window, screen, navigator, date and language), HTTP header information and the results of calls to external APIs. These data are read out without the use of cookies.
Does this method of collecting data come under the Cookie Act? The answer is simple: yes, it does. Section 11.7a of the Telecommunications Act (implementing Article 5.3 of the Cookie Directive) stipulates that it applies to anyone who ‘(…) seeks to gain access to data stored in the peripheral equipment of a user or to store data in the user’s peripheral equipment’.
As there is no reference to the term ‘cookies’ here, the title ‘Cookie Act’ is misleading and does not cover the full content of the Act. This should come as no surprise in the Netherlands, where this debate was held as long as eighteen months ago. The first version of a list of FAQs published by the Dutch Authority for Consumers & Markets (ACM) in July 2013 already provided clarity about the applicability of the rules to similar technologies:
Do the rules also apply to similar technologies?
The legal provision extends beyond the placement of cookies. It also applies to other technologies, including the use of JavaScripts, Flash cookies, HTML5 local storage and other techniques involving placing or reading out data. Section 11.7a of the Telecommunications Act applies unless no data whatsoever are stored and no access whatsoever is gained to data stored in the user’s peripheral equipment. Consequently, the information in this document on cookies also covers similar technologies.
In an earlier Opinion issued in June 2012, the Article 29 Working Party pointed out that the scope of the Cookie Directive extends beyond “real” cookies: ‘As such, this opinion explains how the revised Article 5.3 impacts on the usage of cookies but the term should not be regarded as excluding similar technologies.’
In spite of this, the technology of device fingerprinting is obviously widely used without due observance of the rules of the Cookie Act.
The information elements collected through device fingerprinting can together constitute a set that creates a unique fingerprint for a certain device (especially in combination with an IP address). This allows devices to be distinguished from one another and device fingerprinting to be used as an alternative to cookies for tracking internet behaviour over time. That way, individuals may be associated with, and therefore identified by, their device fingerprint. Moreover, device fingerprinting is difficult to prevent, and there are limited opportunities to reset or modify the information elements used to generate the fingerprint.
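To make concrete why the Working Party treats these elements as identifying, the following script (an added example written for this article, not code from the Opinion or from any fingerprinting product) takes a small constructed set of client records of the kind a website could log from HTTP headers and JavaScript objects (user agent, screen, language, time zone) plus the client IP, combines the elements into a fingerprint, and measures in bits how much each element and the combination separate the sample. The record values, the attribute names and the FNV-1a hash are all assumptions made for the example; they illustrate the mechanism, not any real deployment.

```javascript
// Attribute keys in a fixed order; the order must be stable, or the same
// device would hash differently between visits. Names are assumed for the example.
const DEVICE_KEYS = ['ua', 'screen', 'lang', 'tz'];
const DEVICE_PLUS_IP_KEYS = [...DEVICE_KEYS, 'ip'];

// Constructed sample of client records (all values made up for this example).
const FF_WIN = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0';
const SAMPLE_CLIENTS = [
  { ua: FF_WIN, screen: '1920x1080x24', lang: 'nl-NL', tz: 'Europe/Amsterdam', ip: '203.0.113.10' },
  { ua: FF_WIN, screen: '1920x1080x24', lang: 'nl-NL', tz: 'Europe/Amsterdam', ip: '203.0.113.10' }, // same device, second visit
  { ua: FF_WIN, screen: '1920x1080x24', lang: 'nl-NL', tz: 'Europe/Amsterdam', ip: '203.0.113.11' }, // same device, new IP
  { ua: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) Safari/605.1.15', screen: '2560x1600x30', lang: 'en-GB', tz: 'Europe/London', ip: '198.51.100.7' },
  { ua: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0', screen: '1920x1080x24', lang: 'nl-NL', tz: 'Europe/Amsterdam', ip: '203.0.113.20' },
  { ua: 'Mozilla/5.0 (Linux; Android 14) Chrome/120.0 Mobile', screen: '412x915x24', lang: 'nl-NL', tz: 'Europe/Amsterdam', ip: '192.0.2.5' },
  { ua: FF_WIN, screen: '1366x768x24', lang: 'nl-NL', tz: 'Europe/Amsterdam', ip: '203.0.113.30' }, // same browser as above, other laptop
  { ua: 'Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0', screen: '1920x1080x24', lang: 'en-US', tz: 'America/New_York', ip: '192.0.2.9' },
];

// Join the selected attribute values in fixed order with a separator that
// cannot occur in the values, so different splits of the same text do not collide.
function canonicalize(attrs, keys) {
  return keys.map((k) => `${k}=${attrs[k] ?? ''}`).join('\u001f');
}

// 32-bit FNV-1a over the string's UTF-16 code units. Sufficient to illustrate
// the idea; this is not a cryptographic hash.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// The fingerprint is simply the hash of the chosen elements in canonical form.
function fingerprint(attrs, keys = DEVICE_KEYS) {
  return fnv1a32(canonicalize(attrs, keys));
}

// Shannon entropy (bits) of the distribution of a label across the records:
// how many bits of identifying information the label carries in this sample.
function entropyBits(records, labelFn) {
  const counts = new Map();
  for (const r of records) {
    const label = labelFn(r);
    counts.set(label, (counts.get(label) || 0) + 1);
  }
  let h = 0;
  for (const c of counts.values()) {
    const p = c / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function attributeEntropy(records, key) {
  return entropyBits(records, (r) => String(r[key]));
}

function fingerprintEntropy(records, keys = DEVICE_KEYS) {
  return entropyBits(records, (r) => fingerprint(r, keys));
}

function distinctFingerprints(records, keys = DEVICE_KEYS) {
  return new Set(records.map((r) => fingerprint(r, keys))).size;
}

// Summary a privacy reviewer would look at: contribution of each element,
// and how many devices the combination separates with and without the IP.
function report(records) {
  const perElement = {};
  for (const k of DEVICE_PLUS_IP_KEYS) perElement[k] = attributeEntropy(records, k);
  return {
    records: records.length,
    perElementBits: perElement,
    deviceOnly: { distinct: distinctFingerprints(records), bits: fingerprintEntropy(records) },
    deviceWithIp: {
      distinct: distinctFingerprints(records, DEVICE_PLUS_IP_KEYS),
      bits: fingerprintEntropy(records, DEVICE_PLUS_IP_KEYS),
    },
  };
}

console.log(JSON.stringify(report(SAMPLE_CLIENTS), null, 2));
```

In the sample, the first three records produce the same device fingerprint even though the third arrives from a different IP address, which is the point the Opinion makes about tracking over time without cookies; adding the IP to the combination raises the number of distinguishable devices further. The entropy figures show why no single element needs to be unique: the user agent alone contributes 2 bits here, the combination of elements more, and none of those elements can be cleared the way a cookie can.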
In its Opinion, the Article 29 Working Party sets out six use case scenarios, providing examples of how device fingerprinting is used. These scenarios link up with the cases discussed earlier in the June 2012 Opinion. I have picked out four below.
1. First-party website analytics
The Article 29 Working Party basically believes that no consent requirement should apply to the use of device fingerprinting for the sole purpose of providing first-party website analytics. However, its Opinion states that currently there is no such exemption in the Cookie Directive. Remarkably, the legislative proposal to amend the Cookie Act does provide for such an exemption. If the bill is adopted, device fingerprinting for the purpose of providing first-party website analytics will be permitted in the Netherlands without the need for prior consent.
2. Tracking for online behavioural advertising
The Article 29 Working Party states that web-bugs, pixel tags and JavaScript code are used to display relevant advertising and to follow users across websites and over time. Consequently, users can be targeted this way even if they have objected to the use of “real” cookies. Using device fingerprinting for this purpose without the user’s consent is prohibited.
3. User access and control
A party providing a music subscription service may permit users to access the service from a limited number of specific devices only. If a subscriber has previously accessed the service from a certain device, the provider can choose to use device fingerprinting instead of other verification or authentication methods.
Such use falls within the scope of Article 5(3) of the Cookie Directive (and, hence, Section 11.7a of the Telecommunications Act). No exemption applies, given that this purpose cannot be regarded as “strictly necessary” to provide a functionality explicitly requested by the user. The user’s prior consent is therefore required.
4. Adapting the user interface to the device
Where device fingerprinting is used to adapt content to the characteristics of the device used, the user’s prior consent is not required. In other words, no consent requirement applies to short-term user interface customisation.
The full text of the Opinion is available here.