The SDPA has published the study "Fingerprinting or digital stamp in devices," which analyzes the technique of identifying and tracking users through their devices. The agency analyzed more than 14,000 web pages, aimed at the Spanish public, describing the techniques most commonly used to carry out this profiling. The study also includes the measures that users can implement to try to avoid this type of monitoring and a series of recommendations to the industry, including manufacturers, developers, and companies that exploit data obtained from the footprint of devices.

The study states, among other conclusions, that these techniques are often used to collect data from the user's computer without offering him/her information and without asking for his/her consent, and that the data collected can be so extensive, or enriched in such a way, that it can even include special categories of data. The document adds that, in most cases, the user is not provided with tools to effectively prevent data collection and is not offered the means to exercise the rights established in the GDPR when this information is collected.

Recommendations for the user include using the Do Not Track option in a browser, and the possibility of installing blockers, disabling the use of JavaScript, switching between different browsers or running internet access on virtual machines. The SDPA study reminds us that private or incognito browsing is not effective in preventing tracking and states that it projects a false sense of security.

In the case of manufacturers or developers, the study states that they should include in their products the necessary options so that the user has the capacity to deny or accept, totally or partially, the use of these tracking technologies. In addition, they should provide the consumer with equipment with the maximum privacy options activated by default and allow the user to reduce these options as they prefer.

For entities that want to exploit data obtained from a fingerprint resident on the device, the study indicates that the data controller must refrain from collecting and processing the fingerprint, and any other data associated with it, if the user has not given his/her explicit consent. In addition, any fingerprinting application should check the status of the Do Not Track option.