On November 25th, the Article 29 Working Party – an entity within the European Commission focused on data protection initiatives for the EU – issued an opinion in which it declared that device fingerprinting techniques should be subject to the same user consent guidelines as cookies are.
The EU “cookie law”, or Article 5(3) of the European Commission’s ePrivacy Directive, went into effect on May 26th, 2012 and requires that any site operated from within the EU or targeted to EU citizens must get consent from a user before storing persistent information about them in a cookie (the law doesn’t only apply to cookies — it also covers the use of Flash and HTML5 local storage). Cookie “disclaimers” are usually put at the top of a website, such as the BBC’s:
Device fingerprinting is the practice of forming a profile for a specific device from a number of characteristics about that device – enough that it would be unlikely for another device’s profile to look the same. While device fingerprinting doesn’t create data artifacts that store persistent information about users, it can be used to achieve the same effect as cookies: to uniquely identify users.
Mobile user attribution, or the act of matching the device that clicks on a mobile app install ad to the device that ultimately installs an app, relies on device fingerprinting. Although both Apple and Google allow developers to identify mobile users through advertising identifiers – iOS’ IDFA and Android’s Advertising ID – those identifiers aren’t always helpful or practical:
- Advertising identifiers aren’t available from users’ browsers, only from within apps, meaning that mobile web app install ads aren’t trackable via platform advertising identifiers;
- Users can opt out of and change their platform advertising identifiers;
- Platform developers do not want their advertising identifiers used for tracking users. In February, Apple began rejecting submitted apps that collected users’ IDFAs but did not serve ads (using the IDFA only for identification purposes). Apple explicitly states in section 3.3.12 of its developer license that the IDFA is only to be used for serving ads:
“You and Your Applications (and any third party with whom you have contracted to serve advertising) may use the Advertising Identifier, and any information obtained through the use of the Advertising Identifier, only for the purpose of serving advertising. If a user resets the Advertising Identifier, then You agree not to combine, correlate, link or otherwise associate, either directly or indirectly, the prior Advertising Identifier and any derived information with the reset Advertising Identifier.”
It’s unclear whether the EU’s e-Privacy directive will exempt app install ad tracking from its consent guidelines, although none of the currently stated exceptions (authentication, user interface customization, load balancing, etc.) fit the mobile attribution model. The Article 29 Working Party’s opinion seems directed at device fingerprinting for the purposes of user tracking, at least to the extent that the tracking is utilized in “behavioral advertising”:
Device fingerprints can also constitute personal data… For example, when several information elements are combined, especially unique identifiers such as an IP addresses, and the purpose of the processing is to identify users over time, across websites, such as with behavioural advertising. In such cases, processing must also comply with the rules provided in the Data Protection Directive.
The technology of device fingerprinting is not limited to the configuration parameters of a traditional web browser on a desktop PC. Device fingerprinting is not tied to a particular protocol either, but can be used to fingerprint a broad range of internet connected devices, consumer electronics and applications, including those running on mobile devices, smart TVs, gaming consoles, e-book readers, internet radio, in-car systems or smart meters.