A recent Opinion of the Article 29 Working Party (“WP”) (WP 224) has considered the impact of what is termed “device fingerprinting”. This is a method of identifying specific devices or users for purposes including tracking and analytics. In particular, the WP has considered whether the cookies rules under the ePrivacy Directive – which set down information and consent requirements for the use of cookies – could equally apply to device fingerprinting. This Opinion is particularly focused on the perceived circumvention of these cookies rules by online services that use device fingerprinting.

So what is a device fingerprint?

A device fingerprint can be defined as “a set of information elements that identifies a device or application instance”. In other words, it is something that can be used to single out or infer a user or a device over time. This is particularly helpful for providers of tailored advertising or web analytics services.

Data commonly used to create this fingerprint are derived from device settings and data exposed by the device’s use of network communications protocols. The data can include details such as your browser and device information that is ordinarily transferred to return the webpage sought to your particular device and in the correct format and layout.

Device fingerprinting is not limited to a desktop PC-based web browser, and it traverses many device types and protocols, applying to smart TVs, mobile devices and e-book readers. This fact contrasts with ‘traditional’ cookies which were largely limited to desktop web browsers and would not usually identify the same user across different browsers installed on the same computer. Consequently, as the WP notes, device fingerprints are now being used by online services as an alternative to HTTP cookies for analytics, tracking and ad tailoring.

The cookies rules

The Opinion specifically examines device fingerprinting in the context of the ePrivacy Directive, rather than from a data protection angle. One of the well-recognised aspects of the ePrivacy Directive is the regulation of cookies and the associated information and consent requirements. The WP’s primary concern for device fingerprinting appears to be that users are not afforded the same information and consent options as with cookies. By utilising device fingerprinting as a method of identifying users or devices, the WP considers the companies are skirting their information and consent obligations.

Is a device fingerprint personal data?

Although the Opinion does not consider the data protection implications in depth, the WP has stated that device fingerprints can constitute personal data. It views the combination of several information elements, particularly unique identifiers like IP addresses, with the aim of identifying users over time as constituting personal data. As a result, the WP states that service providers must remember to process personal data in line with the provisions of the Data Protection Directive.

This statement reflects the trend of European regulators towards considering any data point to be personal data where it can “single out” an individual. This view, however, does not take into account the fact that device fingerprints often merely single out a device or machine, which may be shared between individuals or relate to a corporate entity.

What next?

One of the main issues arising from this Opinion is how the current cookies rules could apply in practice to device fingerprinting. It is worth remembering that these rules were once highly controversial when first introduced and the current approach taken by websites with respect to cookies, usually identified by a popup or banner, has developed over a number of years.

While the ePrivacy rules have been viewed as mainly applying to cookies, the rules have arguably always been of broader application. This new interpretation of the rules by the WP raises the interesting question of how notice and consent frameworks can be developed in the context of device fingerprinting.