EU data watchdog calls for rules on device fingerprinting

The EU’s privacy watchdog has warned website companies that device fingerprinting should be in line with similar data protection rules as web cookies in an ongoing effort to enforce privacy regulations.

The pan-European Article 29 Working Group released a guidance report recommending that device fingerprinting should be bound by the same rules as cookies and only deployed after approval by the user.

A device fingerprint is information collected about internet connected devices, such as smartphone apps, e-book readers and smart meters, for the purpose of tracking activity on the device, the same as with cookies.

The data can be used by web firms in order to gather information on a visitor to their site and then track users over time for ad targeting without their control.

"This Opinion expands upon the earlier Opinion 04/2012 on Cookie Consent Exemption and indicates to third-parties who process device fingerprints which are generated through the gaining of access to or the storing of information on the user’s terminal device that they may only do so with the valid consent of the user (unless an exemption applies)," the WP29 device fingerprinting report said.

The report added that device fingerprinting can also "operate covertly", compared to the use of cookies.

"There are no simple means for users to prevent the activity and there are limited opportunities available to reset or modify any information elements being used to generate the fingerprint. As a result, device fingerprints can be used by third-parties to secretly identify or single out users with the potential to target content or otherwise treat them differently."

The UK Information Commissioner’s Office, which installed the cookie rules locally in 2012, also explained that the same rules will apply to device fingerprinting.

"The ICO has always been clear that the law around cookies also applies to similar technologies," said a spokesperson.

"The Article 29 opinion adopted this week, which the ICO played a key role in drafting, confirms that digital fingerprinting can be such a technology.

"Digital fingerprinting can access information stored on a user’s machine in a similar way to a cookie, for a range of purposes. With that in mind, it is sensible to consider that the law can apply to some uses of digital fingerprinting in the same way it does to cookies."