Device Fingerprinting Requires Visitor ConsentBy: Richard Beaumont | Friday, November 28, 2014 | Tagged: Cookie Law, Device Fingerprinting | Leave Comment
The use of device fingerprinting techniques, which are increasingly being employed as an alternative to cookies, should be treated by website owners as equivalent to cookies when it comes to the requirements for gaining user consent under the various EU cookie laws.
This position has been confirmed in an Opinion published recently by the influential Article 29 Working Party. Although the body itself does not carry any legal weight, it is made up of representatives of each of the EU Member States Data Protection Authorities (DPAs). As these are the same people that are responsible for enforcing the cookie rules, it can be taken as strong guidelines to follow.
The opinion also makes clear reference to the fact that one reason for the clarification on the legal status of device fingerprinting was some technology providers have begun using the techniques specifically to try and circumvent the consent rules.
The document outlines a number of different technological methods in use, all of which have the goal of uniquely identifying the device and by inference tracking the online behaviour of the user. This is essentially what cookies themselves do, but device fingerprinting allows this to be done in a way which is much harder to detect, or defend against.
This has potentially wide reaching consequences for site owners, particularly in terms of managing their relationships with third party technology providers. These techniques, especially as they are evolving very quickly, can be difficult to identify. It therefore means that owners are going to have to start asking specific questions of their suppliers, particularly in relation to any scripts or tags that are communicating with third party domains – which are a common feature of most websites.
Another reason this is significant is that any approach to cookie compliance that relies solely on telling users to change browser settings can longer be considered a viable solution. Browsers do not provide any mechanism for users to block device fingerprinting. The only way for that to happen is if website owners configure their sites to turn it off if users do not give or withdraw consent, and that requires making changes to functionality, such as is provided by Optanon.