That’s the way that the EU cookie rules crumble (again… even if it’s not a cookie), says watchdog

The influential, pan-EU Article 29 Data Protection Working Party (DPWP) has released an Opinion (9/2014) on the applicability of the E-Privacy Directive (2002/58/EC) to device fingerprinting, in which it addresses what it believes to be “serious” data protection concerns arising from its use.

Like HTTP cookies (small text files bits of information placed on a user’s computer to record their online movements), device fingerprinting technologies can be used to track online users and analyse their behaviour. Each device connected to the Internet identifies itself in various ways to help websites and services deliver requested information. The gaining of access to, and/or the storing of, a combined set of such information elements as configured on an electronic device generates a ‘fingerprint’, which can potentially distinguish one device from another. In turn, the fingerprint can be used to attempt to identify (described by the DPWP in terms of the potential to single out, link to or infer the identification of, echoing wording the DPWP used in its May 2014 opinion on anonymisation techniques at pp.11-12) a device and/or person using that device, either alone or in conjunction with network communications data, and track their online behaviour over time.

Unlike cookies, the Opinion warns that device fingerprinting technologies operate in a covert fashion. Even if a user were aware that the process is taking place, there are limited opportunities for users to prevent it (such as through browser settings or modifying the information elements being used to generate the fingerprint) unless they use anonymity tools like Tor. Moreover, a device’s fingerprint is available not only to the publisher of websites visited by the device, but also potentially to a variety of other third parties. For example, different software, platforms and Application Programming Interfaces (‘API’) each offer access to different information elements present on a device. Such third parties can use fingerprints derived from such data in an attempt to identify online users through their devices, e.g. to target content towards them or otherwise treat them differently from other users, even if the user has declined the imposition of cookies.

In its legal analysis, the DPWP initially opines that device fingerprints can constitute ‘personal data’ as defined under EU data protection rules as they provide the ability to track online behaviour over time as a result of which an individual may be associated, and therefore either be identified or become identifiable, from them. Although the Opinion does not analyse data protection obligations in this respect, it emphasises that these must be followed where relevant and makes particular reference to situations when “several information elements are combined, especially unique identifiers such as an IP addresses”. The DPWP justifies its argument by reference to scenarios where the purpose of combining several information elements and unique identifiers is done with a view to identifying users over time online and/or to communicate directly with a specific individual (e.g. by delivering personalised content and targeted advertising).

The Opinion also addresses concerns that device fingerprinting is being used as an alternative to cookies for a range of purposes in an effort to avoid the requirement for informed consent under Article 5(3) of the EU Privacy and Electronic Communications (‘E-Privacy’) Directive (2002/58/EC, as amended by Directive 2009/136/EC). Under this requirement, which came into force in 2012, cookies are only permitted to be installed and accessed on users’ computers or mobile devices if they have been provided with clear and comprehensive information about the purposes of the processing and given their consent. Exceptionally, under Article 5(3) consent need not be obtained if the cookie is either planted for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or strictly necessary for the provision of an information-society service explicitly requested by a subscriber or user.

In the Opinion, the DPWP confirms its belief that similar obligations with respect to obtaining users’ valid consent apply to parties “who wish to process device fingerprinting which are generated through the gaining of access to, or the storing of, information on the user’s terminal device”. In other words, consent from the user is required first before such technologies can be imposed upon devices and this remains true even before the information to be gleaned would be deemed personal data. For example, the DPWP confirms that the consent requirement applies to those first or third parties carrying out web analytics and/or creating profiles of users based on their online behaviour to provide personalised content and targeted adverts.

Furthermore, according to the Opinion, the use of the words “stored or accessed” in Article 5(3) of the E-Privacy Directive indicates that storage and access to information on devices do not need to occur within the same communication and do not need to be performed by the same party. For example, information that is stored by one party (including information stored by the user or device manufacturer) and later accessed by another party (e.g. a website operator or an advertising network) is covered by the legal provision. The DPWP gives the example of “a mobile phone app which processes the user’s contact list where the contact details are stored by the user himself but the access is performed by the third-party. It is not correct to interpret this as meaning that the third-party does not require consent to access this information simply because he did not store it”.

Referring to its opinion 04/2012 on cookie consent exemptions (for other relatively recent discussions by the DPWP on consent, see its opinion in general on the topic of consent and its opinion with specific regard to online behaviour advertising), the Working Party nevertheless acknowledges that similar exemptions that apply to the use of online cookies apply to certain types of fingerprinting. It provides some use-case examples detailing scenarios where consent does not need to be obtained. For example, an exemption is deemed to apply:

• where information elements stored on a user’s device (such as a MAC address used to maintain connections and correctly route data packages) are collected and processed solely for the normal functionality of network provisioning (e.g., the management of a connection between a wireless devices and a wired network through a Wi-Fi access point);

• where device fingerprinting is used for the sole purpose of increasing the security of a service explicitly requested by the user;

• where a third party requests access to information stored on a user’s device for the sole purpose of adapting the interface to its characteristics (e.g., by changing the layout of content for a particular type of device); or,

• where device fingerprinting is used to facilitate user access and control as a secondary factor of user authentication (i.e. to provide verification of identity in combination with, say, a username and password), although the Opinion clarifies that using information elements accessed from a device is not strictly necessary to this end and website operators should consider alternative methods.

The Opinion will be unpopular with some website operators for confirming the expansion of the cookie consent requirement to a wider variety of online tracking technologies and, consequently, imposing more costs and administrative burdens on online service providers. Indeed, some website operators and online advertisers have argued that the E-Privacy Directive does not apply to device fingerprinting because of the technical differences between placing a cookie on a user’s device and collecting information that already exists on a device.

Nevertheless, the DPWP’s guidance provides some much needed legal certainty and guidance in this evolving area. In particular, the Opinion is at pains to point out that device fingerprinting for secondary purposes is unlikely to fall within an exemption and technical/organisational safeguards must be taken to prevent secondary uses that are not strictly necessary from occurring. Furthermore, save where a valid exemption applies, if device fingerprinting requires the storage of, or access to, a set of information on the user’s device then valid consent should always be obtained from the user regardless of how, by whom and whether these information elements were stored or accessed by other companies in the first place.

The Opinion lays a foundation for developing new legislation to govern online tracking technologies in protecting online users’ privacy. It will be interesting to see how this topic will be addressed in the context of the upcoming data protection reform package and as part of the revision of the E-Privacy Directive, bearing in mind recent evidence to suggest that the cookie consent requirement has fallen far short of original expectations in stemming the tracking of online users’ behaviour in practice since 2012.

Alison Knight