On November 25, 2014, the Article 29 Working Party (“WP29”) issued an opinion paper on device fingerprinting (the “Opinion”). The Opinion builds on existing guidance on cookies (Opinion 04/2012) and confirms that organizations wishing to generate “device fingerprints” by storing or accessing information on a user’s device must obtain user consent (unless an exemption applies). This is because Article 5(3) of the European e-Privacy Directive 2002/58/EC, known as the “cookie rule”, also applies to device fingerprints. The real-life impact of the new Opinion on technology businesses is difficult to predict at this stage, but the WP29’s motivation is clear — it aims to prevent companies from using device fingerprinting technology for data analytics or tracking purposes as an alternative to cookies and without the need to obtain consent under Article 5(3).
“Device fingerprinting” is defined broadly in the Opinion and refers to the collection (and possibly combination) of different information elements that can be used to single out, link or infer a user or device over time from (i) the configuration of the device, or (ii) data exposed by the use of network communication protocols. WP29 clarifies that device fingerprinting is not limited to a particular type of device, but can be used in relation to a broad range of equipment (e.g., mobile phones, smart TVs, gaming consoles, e-books, internet radio, smart meters, in-car systems, etc.). One example of device fingerprinting is where a mobile app offers access to information about other apps present on a given smart phone, the phone’s hardware configuration, the operating system, and other features. Another example is where a web page records when a user clicks on a certain image or ad, or when they scroll up or down the page.
According to the Opinion, device fingerprints pose significant privacy risks because they can be used to single out individuals for the purpose of targeting or to otherwise treat them differently and, most importantly, because — unlike cookies — device fingerprints can be used covertly (including by third parties). A key concern expressed by the WP29 is that, at present, there is no easy way for users to limit the activity or to control the information that is used to generate digital device fingerprints.
Some legitimate uses of the technology will of course be permitted, and the Article 5(3) exceptions to the consent requirement also apply to device fingerprinting. Notably, no consent is required for device fingerprinting that is (i) used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”, or (ii) “strictly necessary” for the provision of an electronic communications service “explicitly” requested by the user. However, if an organization wishes to use device fingerprinting for multiple purposes, it can rely on an exemption only if all distinct purposes are individually exempted from the consent requirement. Thus, use of fingerprinting data for incompatible, secondary purposes is prohibited.
To help organizations better understand how the rules may be applied in practice, the WP29 has offered a number of examples:
- Consent will generally be requiredwhen device fingerprinting is used for the purpose of:
- First-party website analytics;
- Online behavioral advertising; or
- User access and control (e.g., verifying that an account is linked to a specific device).
- By contrast, device fingerprinting can be used without user consent for the solepurpose of:
- Network management;
- Enhancing the security of a service explicitly requested by the user (e.g., to detect repeated failed login attempts); or
- Adapting the content or user interface to the device (e.g., switching to single column layout for mobiles).
The WP29 recalls that, despite these being two distinct requirements, consent required to store or access information on a user’s device (under Article 5(3)) and consent relating to the collection and processing of the user’s personal data (under the Data Protection Directive 95/46/EC) can be merged in practice, “provided that the user is made unambiguously aware of what he is consenting to.” (Opinion 02/2013 on apps and smart devices) This is a helpful clarification that may ease the compliance burden, at least initially.
It remains to be seen how affected organizations will respond to this development in practice. While WP29 guidance doesn’t have the force of law, it is generally well-respected by industry players wishing to ensure compliance with European data protection laws.