CookieLaw Blog November 28, 2014

Device Fingerprinting Requires Visitor Consent

The use of device fingerprinting techniques, which are increasingly being employed as an alternative to cookies, should be treated by website owners as equivalent to cookies when it comes to the requirements for gaining user consent under the various EU cookie laws.

This position has been confirmed in an Opinion published recently by the influential Article 29 Working Party. Although the body itself does not carry any legal weight, it is made up of representatives of each of the EU Member States' Data Protection Authorities (DPAs). As these are the same people who are responsible for enforcing the cookie rules, the Opinion can be taken as strong guidance to follow.

The Opinion also makes clear that one reason for clarifying the legal status of device fingerprinting was that some technology providers have begun using the techniques specifically to try to circumvent the consent rules.

The document outlines a number of different technological methods in use, all of which have the goal of uniquely identifying the device and by inference tracking the online behaviour of the user.  This is essentially what cookies themselves do, but device fingerprinting allows this to be done in a way which is much harder to detect, or defend against.

This has potentially wide-reaching consequences for site owners, particularly in terms of managing their relationships with third-party technology providers. These techniques, especially as they are evolving very quickly, can be difficult to identify. Site owners are therefore going to have to start asking specific questions of their suppliers, particularly in relation to any scripts or tags that communicate with third-party domains – which are a common feature of most websites.

Another reason this is significant is that any approach to cookie compliance that relies solely on telling users to change browser settings can no longer be considered a viable solution. Browsers do not provide any mechanism for users to block device fingerprinting. The only way for that to happen is if website owners configure their sites to turn it off when users do not give, or later withdraw, consent, and that requires making changes to functionality, such as is provided by Optanon.
