In a new opinion it has issued, the Article 29 Working Party confirmed that consent rules in the EU's Privacy and Electronic Communications (e-Privacy) Directive are "applicable to device fingerprinting" (11-page / 560KB PDF). However, it outlined some examples where device fingerprinting could be deployed without users' consent.
The Working Party's position mirrors what the Information Commissioner's Office (ICO) told Out-Law.com it considers to be the legal position on the use of cookie-alternative technologies more than a year ago. The ICO is a member of the Article 29 Working Party, which is a committee made up of national data protection authorities based across the EU.
EU rules require individuals to consent to the placing of cookies on their device by the website operators and advertisers in most circumstances.
The EU's Privacy and Electronic Communications (e-Privacy) Directive permits the storing and accessing of information on users' computers "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".
An exception to the consent requirements exists where the information stored, often in cookies, is "strictly necessary" for the provision of a service "explicitly requested" by the user.
According to the Working Party's opinion, however, some technology companies have been developing alternative technologies to cookies to enable them to track use of devices through "the combination of a set of information elements". This device fingerprinting can be used to identify internet connected devices and applications, from mobile apps to smart TVs, in-car systems and smart meters, and track their use, it said.
Device fingerprints can constitute personal data, meaning that the processing of that information is subject to data protection laws, because the combination of "information elements", which on their own might not be sufficient to identify users, can produce a set of data that is " sufficiently unique (especially when combined with other identifiers such as the originating IP address) to act as a unique fingerprint for the device or application instance", the watchdog said.
The Article 29 Working Party said that there are "data protection risks" associated with the use of device fingerprinting because third parties and not just website operators that use them can get access to that information, and because device fingerprinting information might be revealed through "the combination of data obtained through Application Programming Interfaces (API) present in the software on client devices".
"There are no simple means for users to prevent the activity and there are limited opportunities available to reset or modify any information elements being used to generate the fingerprint," the Working Party said. "As a result, device fingerprints can be used by third-parties to secretly identify or single out users with the potential to target content or otherwise treat them differently."
Businesses using device fingerprints cannot claim that the e-Privacy Directive rules do not apply because the storage and access to information on devices does not "occur within the same communication" and are stored and accessed by different parties, the Working Party said.
"Information that is stored by one party (including information stored by the user or device manufacturer) which is later accessed by another party is therefore within the scope of [the consent rules under the e-Privacy Directive]," the Working Party said. "An example is a mobile phone app which processes the user’s contact list where the contact details are stored by the user himself but the access is performed by the third-party. It is not correct to interpret this as meaning that the third-party does not require consent to access this information simply because he did not store it."
The Working Party said that website operators must obtain device users' consent to use new device fingerprinting technologies for analytics purposes. It said that third parties using device fingerprinting must gain users' consent for the purposes of using the information for targeted advertising.
In addition, the use of device fingerprinting as part of a broader mechanism for verifying the identity of service users to provide them with access to those services would require those users' consent, it said.
However, service operators can use device fingerprinting as a security tool without users' consent so as to prevent unauthorised access to services those users have accessed in the past. This would mean that device fingerprinting could be used to lock down access to services to prevent alternative users of devices, such as criminals, from repeatedly trying to log in to accounts previously accessed on that device, it said.
The Working Party said that third parties can also use device fingerprinting without users' consent for the sole purposes of "adapting the user interface to the device" or for network management.