EU: Device Fingerprinting should require consent

Nowadays there are several ways to collect personal data from a web user: cookies, device fingerprinting etc.. The Article 29 Working Group tries to protect user privacy online even more and calls for a consent requirement for device fingerprinting to the same extent as for cookies.

Device fingerprinting

A device fingerprint is often also referred to as a browser fingerprint. It collects information about a remote computer device for the purpose of identification. Such fingerprints can be used to identify users or devices even when cookies are turned off. Every time a user opens a webpage certain information is send to the website provider without the user’s consent, such as browser type, plugins, screen size and resolution. Combining all the information collected enables a website provider to almost perfectly identify a user (about 90%) .

The advantage of device fingerprints is seen in the diversity and stability of a fingerprint. Ideally all web client machines have a different “fingerprint” that never changes. Therefore, using such a device fingerprint enables a user to uniquely identify a machine or network.

Application of the Cookie-Directive

The Article 29 Working Group therefore recently called for a consent requirement for device fingerprinting to the same extent as for cookies.

The opinion states that:

“This Opinion expands upon the earlier Opinion 04/2012 on Cookie Consent Exemption and indicates to third-parties who process device fingerprints which are generated through the gaining of access to or the storing of information on the user’s terminal device that they may only do so with the valid consent of the user (unless an exemption applies).”

Because it is often understood that there are no requirements for the use of device fingerprinting, companies have been turning to it as an alternative to cookies . Nowadays device fingerprinting is most commonly used in smartphone apps, smart TVs, e-book readers and in-car systems that for example allow, , for the adoption to a much smaller screen or format automatically without the user’s knowledge. Sometimes fingerprinting devices are also used for advertising.

As the Working Party points out one of the main data protection risks is the fact that the unique set of information elements collected by device fingerprinting is not only available to the website publisher, but also to many other third parties.

“In contrast to HTTP cookies, device fingerprinting can operate covertly. There are no simple means for users to prevent the activity and there are limited opportunities available to reset or modify any information elements being used to generate the fingerprint. As a result, device fingerprints can be used by third-parties to secretly identify or single out users with the potential to target content or otherwise treat them differently.”

This problem was also part of the consideration of the Cookie Directive (E-Privacy Directive 2002/58/EC amended by 2006/24/EC, 2009/136/EC).

Because the possibilities seem almost endless the Article 29 Working Party suggested to introduce a consent requirement without which information on a user’s terminal device cannot be obtained.

Next steps

The Working Party’s suggestion is a point in the right direction to increase data protection online.  However, it must first be approved by the EU Parliament and then be implemented in the data protection laws of all member states.

Future will tell how the internet will influence our lives even more and how our personal data can legally be protected.


Please note that your comments will be published after review and approval by our administrator and not immediately after they have been posted. Please also see our Terms of Service and our Privacy Police.