Use of device fingerprinting for marketing purposes requires the user’s explicit consent in order to comply with European Union data protection rules.

Internet user tracking and profiling

Tracking and profiling online user activity has long been the bread and butter of e-commerce and online advertising. They are commonly used for targeted marketing, market research and analytics. Cookies were the state-of-the-art tool for tracking until regulators started acting on the associated privacy concerns in the late 2000s. In 2009, changes to the European Union ePrivacy Directive 2002/58/EC unambiguously brought cookies within the scope of European data protection rules and made the user’s prior, explicit consent necessary before cookies can be installed on his/her machine. Since then, an increasing number of users have become aware of the role cookies play in the online world and have been turning them off or attempting to block their functioning.

In recent years, a new user tracking technique called “device fingerprinting” has been gaining ground. In essence, device fingerprinting is a method for identifying a user’s device (PC, tablet, smartphone) by reference to various pieces of information routinely transmitted by or stored on the individual machine (device configuration, browser customisation, type and order of fonts, JavaScript objects, etc.). Device fingerprinting is used by website operators and online merchants for various reasons. The majority of these relate to security issues, for example to detect and prevent malicious misuse of personal and financial data online. However, device fingerprinting is also used for behavioural marketing purposes.

The widespread use of device fingerprinting has led the data protection authorities of the 28 European Union Member States — as part of the Article 29 Working Party[1] — to adopt the following position toward its regulation within the EU.

Device fingerprinting, like cookies, is subject to EU data protection requirements

According to the EU data protection authorities, device fingerprinting should be regulated in the same manner as digital cookies. This means that website operators using device fingerprinting technologies must obtain the user’s explicit prior consent when a device is fingerprinted for the purposes of targeted advertising, website analytics or market research. When seeking such consent, the operators involved in device fingerprinting must provide users with clear and comprehensive information about the purpose, essence and scope of fingerprinting.

There are some exceptions. For example, user consent is not required when device fingerprinting must be carried out in order for an electronic communication to be transmitted. Such would be the case when, for example, data from a device is gathered and transmitted in order for the device to access an electronic communications network. Equally, consent is not required when device fingerprinting is necessary to provide functionality relating to a service explicitly requested by the user. Under this banner comes, for example, tracking carried out in order to adapt online content (text, video, layout, etc.) to the interface of the user’s device. However, identifying a device in order to facilitate user access and control over accounts cannot be considered as an “essential” functionality and would require the user’s consent.

What’s next?

Although this stance of the Article 29 Working Party is not binding for regulators and businesses, it is likely to raise the compliance bar for gathering identification data in Europe. The Party’s opinions are generally taken into account by the data protection agencies in the Member States, including by the Bulgarian authorities and their counterparts in other Central and Eastern European jurisdictions. Since those authorities can be expected to approach the issue in the same way as the Party if and when confronted with it, website operators, content providers, online merchants and advertisers should pay particular attention to the type of tracking they carry out, the manner in which it is done, and whether or not it meets the standards described above.