In September 2014, we published our updated European guide to cookies which provides an overview of the effects of Article 5(3) of the European E-Privacy Directive (the “Directive”) in relation to the laws and practices surrounding the use of cookies across Europe.  Since then, there have been a number of interesting developments in the cookies sphere, including the Article 29 Working Party’s Opinion 9/2014 on device fingerprinting and their report on the recently conducted cookie sweep as well as recent comments from the English Court of Appeal regarding whether browser generated information should be classified as personal data.  See our summaries of these developments below.

Device fingerprinting

In November 2014 the Article 29 Working Party (“AWP”) released its Opinion 9/2014 on the application of the Directive in relation to device fingerprinting (the “Opinion”).  The primary aim of the Opinion was to address reports that third parties are looking into alternative technologies to cookies for a range of purposes in an effort to circumvent the consent requirement under Article 5(3) of the Directive. 

In particular, the combination of a set of information elements in order to uniquely identify particular devices or application instances, so-called “device-fingerprinting”, was examined.

The information elements commonly used for device fingerprinting comprise: CSS information, JavaScript objects, HTTP header information, clock information, TCP stack variation, installed fonts, installed plugin information (e.g. configuration and version information) and the use of internal/external APIs.

Fingerprinting tools can be deployed for a range of different devices: computers, tablets, smart phones, e-readers, games consoles, TVs, in-car systems and smart meters (among others).

In the Opinion, the AWP highlighted one main concern – that device fingerprinting can operate covertly.  Unlike cookies, there are no simple means for users to prevent the activity and there are limited opportunities available to reset or modify any information elements being used to generate a fingerprint.

Key points to note

The Opinion confirmed the AWP’s view that:

  • where a fingerprint is generated through the storage of or access to information stored in the user’s terminal device, the Directive will apply (i.e. the same consent requirements that apply to the use of cookies); and
  • the fingerprints generated by device fingerprinting technologies may constitute personal data and, where this is the case, data protection legislation will also apply.

You can read the full Opinion by clicking here.

Cookie sweep report

In February of this year, the AWP published a new report detailing its findings following a “cookie sweep” of 478 websites in the e-commerce, media and public sectors across the Czech Republic, Denmark, France, Greece, Netherlands, Slovenia, Spain and the UK.

Although the sweep was not designed as an assessment of cookie compliance, the report has highlighted areas for improvement.  Further, the AWP noted that its analysis is likely to inform the landscape of steps taken towards compliance in the future. 

Key points to note

  • Some cookies were found to have a duration period of over 8000 years in contrast to the average of 1 – 2 years.  In future, regulators may view cookies that have a life span of over 2 years as excessive and/or non-compliant.
  • Whilst the most popular method of informing website users of the use of cookies was via a notification banner in addition to a header or footer linking to further information, there were still a number of sites offering no notification in relation to the use of cookies, offering insufficient notification and/or not seeking consent from the user regarding the implementation of cookies. We recommend that websites that do not currently have a cookie consent mechanism, in addition to a header or footer (as described above), consider implementing one where required.
  • The AWP was encouraged to see that a proportion of websites (16%) offered a high degree of user control regarding cookies.  The AWP clearly sees user control in relation to cookie privacy settings in a positive light.
  • As part of its sweep analysis, the AWP conducted its search first by automated and then by manual analysis. The developing use of automated technologies in this way will enable regulators to become far more efficient in conducting analysis and ‘spot checks’ in their respective jurisdictions. Therefore, businesses with an online presence should ensure that they are compliant with the regulations sooner rather than later.

The full Article 29 Working Party Cookie Sweep Combined Analysis Report can be found here.

Vidal-Hall case

As an aside, at the end of March this year, the English Court of Appeal considered whether Browser Generated Information (“BGI”) is capable of amounting to personal data against the backdrop of the Vidal-Hall case. While this issue was not determined, should the claimants in the case be awarded damages as an outcome of the class action, the implication would be that there is a risk that compensation may be awarded for distress resulting from the unconsented use of BGI in this manner. We suspect that such a potential risk may cause companies to revisit their own practices, particularly as this is an area of regulation that has, so far, had limited financial implications.

So what?

Businesses deploying cookies and similar technologies should be alive to these recent developments, as they do signify that such practices are being subjected to regulatory scrutiny.

However, it should also be noted that the European Commission suggested last year that the Directive would be revisited in 2015.  Therefore, it will be interesting to see whether the consent requirements for cookies and similar technologies (e.g. fingerprinting) are tightened or relaxed if/when this happens.