Cookie Rules apply to Device Fingerprinting

13 March 2015

Jane Bentham

Website operators, publishers, ad techs and others in the online industry who have been using alternative tracking technologies to cookies in order to avoid the 'cookie rules' regarding consent (see below) may no longer be able to do so. The Article 29 Working Party ('the Working Party') adopted, on 25 November 2014, its first opinion on device fingerprinting (Opinion 9/2014), which states that the 'cookie rules' also apply to other technology used for analytics and tracking purposes ('the Opinion'). The Working Party intends to make clear to organisations which are using device fingerprinting as an alternative to cookies that they must (still) gain the consent of their website users.

What is Device Fingerprinting?

The Opinion defines this broadly as 'a set of information that can be used to single out, link or infer a user, user agent or device over time' from (i) the configuration of a device or (ii) data exposed by the use of network communication protocols.

In other words, device fingerprinting allows the identification of a particular internet-connected device by collecting various information elements (e.g. HTTP header information, JavaScript objects, installed fonts/plug-ins etc.) that are specific to that device, and it applies not only to computers but also to other connected devices (e.g. smart TVs, gaming consoles, internet radios, in-car systems, smart readers etc.).

This information can then be used to track the user of the device over time and across multiple websites to make inferences about that individual based on his or her behaviour (this is known as 'profiling'). Profiling has received greater prominence since Snowden's revelations and also as a result of ad-tech initiatives (e.g. online behavioural targeting).

Accordingly, the Working Party considers the privacy risks associated with device fingerprinting as significant not only because it can be used to single out an individual to treat them differently (e.g. to target ads or other content specifically to them), but also because - unlike cookies - it can be used 'covertly' by third parties (i.e. not solely by the publisher/operator of the website).

What are the Cookie Rules?

These are found in Article 5(3) of the e-Privacy Directive 2002/58/EC (as amended), which provide that the use of cookies (and similar technologies) is only permitted where the individual/website user has:

  • been provided with clear and comprehensive information of the purpose for which the cookie is stored and accessed; and
  • given his or her consent.

Note that 'cookies' are not directly referred to in Article 5(3), but rather a broad description of the type of technology to which these requirements relate is given: 'the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user'. Also, the Opinion makes clear that the storing and accessing of information do not need to occur at the same time or by the same party for it to be caught by the cookie rules. The Working Party gives the example of a mobile phone app which processes the mobile user's contact list: the contact details are entered and stored by the user but access is separately performed by the app operator.
However, Article 5(3) also provides that consent will not be required where the cookie is:

  • strictly necessary to provide an information society service explicitly requested by the user; or
  • for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

In practice, the first ('strictly necessary') exemption is more commonly relied on, and in order to apply there must be a clear link between the strict necessity of the cookie and the delivery of the service as actively requested by the user. Note that if you are using device fingerprinting for multiple purposes, you will only be able to rely on the exemption if each purpose is exempt.

What does this mean for me?

Although opinions issued by the Working Party do not impose any legal obligations as such, and usually reflect the most conservative approach, organisations that want to be seen as following best practice recommendations will take note of this guidance and ensure that, where they are using device fingerprinting, they only do so with the valid consent of the user unless an exemption applies.

When will I need consent?

If you are using device fingerprinting to engage in:

  • Online behavioural advertising - many websites have certain features (e.g. pixel tags) to enable third-party advertising networks to generate a device fingerprint to follow individuals across websites and over time without their knowledge, even if the user declines cookies.
  • First-party website analytics - some websites have started using device fingerprinting as an alternative to 'performance' cookies (e.g. Google Analytics) which collect anonymous information on how individuals interact with a particular website.
  • User access and control (i.e. account verification) - some websites use device fingerprinting to verify that an account is linked to a particular device, so that the device acts as a means of authentication. As well as needing consent, the Working Party suggests that website operators use a range of authentication methods (e.g. a one-off password or secondary email confirmation).

When can I rely on an exemption (i.e. consent not required)?

If you are using device fingerprinting solely for:

  • Network management - or providing the network (e.g. managing a connection between a wireless device and a wired network through a Wi-Fi access point).
  • User-centric security - in other words, to enhance the security of a service explicitly requested by the website user (e.g. to detect failed login attempts).
  • Adapting the user interface to the device - in other words, adapting the content to the device (e.g. changing the screen size or graphics mode for a mobile device).