EU Feels Device Fingerprinting Should Require Consent
January 27, 2015
The Pan-European Article 29 Data Protection Working Party (Article 29 Working Party) recently adopted an opinion calling for a consent requirement for device fingerprinting (sometimes also referred to as browser fingerprinting). The technology can be used across a range of devices, including smartphones, smart TVs, e-book readers, internet radio, etc. It is intended to collect information about the device for the purpose of identification and can be used to identify devices, networks, or users; more specifically, it collects information relating to browser type, plugins, etc., and it works whether cookies are turned on or off.
The Article 29 Working Party opinion specifies that since fingerprinting can operate covertly, there are no simple means for users to prevent the activity, and furthermore, there are limited options available to reset or modify the information elements used to generate the fingerprint; as such, user consent should be required. While the Article 29 Working Party opinion is not binding, the rather persuasive consent requirement for device fingerprinting is intended to be applied to the same extent as cookies. It can be seen as an expansion upon the earlier Opinion 04/2012 on Cookie Consent Exemption and the latest target in the EU’s efforts to protect user privacy. How it will be regulated is up to individual EU countries.
Tip: Many vendors in the advertising space use device fingerprinting as an alternative to cookies, especially in the mobile space. If you are launching apps in the EU, work closely with your vendors to understand what tracking technologies they use and what choices are available to consumers.
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.