Device fingerprinting is replacing cookies for analytics and tracking purposes, but privacy regulators have now held that its use is subject to privacy consent, unless exemptions apply.

Regulations on cookies were the topic of the first half of the year for data protection and privacy lawyers. The so-called ePrivacy Directive required that their use be subject to the user’s prior consent. European privacy regulators in some countries then issued guidelines on how such consent had to be provided, and the Italian privacy regulator, the Garante, was one of the most forward-looking regulators with its guidelines on the matter.

Now the European privacy regulators, through the European privacy advisory body, the Article 29 Working Party, have issued an opinion on device fingerprinting that takes into account the evolution of the sector, which has shown a shift from HTTP cookies to this type of technology.

What is device fingerprinting?

A fingerprint is defined as

a set of information elements that identifies a device or application instance

that can be used to single out, link or infer a user, user agent or device over time. This is a combination of information able to identify a specific device or application instance, through which it is possible to track (as occurs through cookies) the Internet behavior of users associated with a device. The peculiarity is that the fingerprint is available not only to the website publisher, but also to third parties.

What privacy obligations apply to device fingerprinting?

The position held by the Article 29 Working Party is that the information collected through device fingerprinting is personal data for the purposes of privacy regulations. The use of device fingerprinting is subject to the user’s consent whenever such technology requires either the storage of, or access to, a set of information on the user’s device, regardless of whether or not such information can qualify as personal data.

This applies to the use of device fingerprinting both by website operators and by third parties, with the peculiarity that in the former scenario no consent is required when the processing of data is necessary for the transmission of the communication or the provision of the requested services.

What are the consequences today and in the future?

The opinion from the Article 29 Working Party is not binding, but generally shows the view of European privacy regulators on the matter. In this respect, in countries like Italy, where the Garante issued specific guidelines on the use of cookies, operators, advertisers, affiliates and marketing companies might be required to adapt the principles set forth in the guidelines also in relation to device fingerprinting. The Garante had granted a year to comply with the cookie privacy guidelines, but it is unclear whether the same level of flexibility will be applied to the use of device fingerprinting.

The above is also relevant for Internet of Things devices, which can be tracked through device fingerprinting. Privacy regulators have already given their opinion on IoT devices, but this new opinion risks putting an additional regulatory burden on companies developing Internet of Things technologies. The hope, therefore, is that privacy regulators will decide to take a more flexible approach in the future in order to boost the sector.