In November 2014 the Article 29 Working Party (“AWP”) released its Opinion 9/2014 on the application of the Directive in relation to device fingerprinting (the “Opinion”). The primary aim of the Opinion was to address reports that third parties are looking into alternative technologies to cookies for a range of purposes in an effort to circumvent the consent requirement under Article 5(3) of the Directive.
In particular, the combination of a set of information elements in order to uniquely identify particular devices or application instances, so-called “device-fingerprinting”, was examined.
Fingerprinting tools can be deployed for a range of different devices: computers, tablets, smart phones, e-readers, games consoles, TVs, in-car systems and smart meters (among others).
In the Opinion, the AWP highlighted one main concern – that device fingerprinting can operate covertly. Unlike cookies, there are no simple means for users to prevent the activity and there are limited opportunities available to reset or modify any information elements being used to generate a fingerprint.
Key points to note
The Opinion confirmed the AWP’s view that:
- device fingerprinting technologies may constitute personal data and where this is the case, data protection legislation will also apply.
You can read the full Opinion by clicking here.
Cookie sweep report
In February of this year, the AWP published a new report detailing its findings following a “cookie sweep” of 478 websites in the e-commerce, media and public sectors across the Czech Republic, Denmark, France, Greece, Netherlands, Slovenia, Spain and the UK.
Although the sweep was not designed as an assessment of cookie compliance, the report has highlighted areas for improvement. Further, the AWP noted that its analysis is likely to inform the landscape of steps taken towards compliance in the future.
Key points to note
- Some cookies were found to have a duration period of over 8000 years in contrast to the average of 1 – 2 years. In future, regulators may view cookies that have a life span of over 2 years as excessive and/or non-compliant.
- The AWP was encouraged to see that a proportion of websites (16%) offered a high degree of user control regarding cookies. The AWP clearly sees user control in relation to cookie privacy settings in a positive light.
- As part of their sweep analysis, the AWP conducted their search, firstly by automated and secondly by manual analysis. The developing use of automated technologies in this way will enable regulators to become far more efficient in conducting analysis and ‘spot checks’ in their respective jurisdictions. Therefore, businesses with an online presence should ensure that they are compliant with the regulations sooner rather than later.
The full Article 29 Working Party Cookie Sweep Combined Analysis Report can be found here.
As an aside, at the end of March this year, the English Court of Appeal considered whether Browser Generated Information (“BGI”) is capable of amounting to personal data against the backdrop of the Vidal-Hall case. While this issue was not determined, should the claimants in the case be awarded damages as an outcome of the class action, the implication would be that there is a risk compensation may be awarded for distress, resulting from the unconsented use of BGI in this manner. We suspect that such a potential risk may cause companies to revisit their own practices, particularly as this is an area of regulation that has, so far, had limited financial implications.
Businesses deploying cookies and similar technologies should be alive to these recent developments, as they do signify that such practices are being subjected to regulatory scrutiny.
However, it should also be noted that the European Commission suggested last year that the Directive would be revisited in 2015. Therefore, it will be interesting to see whether the consent requirements for cookies and similar technologies (e.g. fingerprinting) are tightened or relaxed if/when this happens.