Spanish ISP sanctioned after using browser fingerprinting technology without notice


Movistar, one of the most important Spanish mobile operators and Internet Service Providers (ISPs) has received the first sanction in Spain relating to browser fingerprinting technology.

Header enrichment is a type of browser fingerprinting technology used by mobile operators to include additional information into HTTP traffic. In other words, mobile operators add custom information to HTTP header requests, for instance, to indicate the language of the user so that the webpage that he is accessing to is displayed in his chosen language, or to indicate which browser the user is using. Header enrichment is not a cookie as it is not installed in the end user device. However, the information included through header enrichment is often used to identify a specific user and therefore the use of this technology triggers the application of the Spanish data protection and e-commerce legislation. 

The issue began with a complaint made by a user in Movistar's website forum in November 2015. In his post, the user stated that he had found that the company was using header enrichment without notice and without requesting his consent. After several weeks, the user's suspicions were confirmed when Movistar posted a reply: indeed, Movistar had been using header enrichment for a limited set of services with certain subscribers, such as premium services subscribers, because the provision of said services required the identification of the user. Due to this reply, a complaint was submitted to the Spanish Data Protection Authority (DPA). 

During the investigation proceedings, Movistar submitted that it was using header enrichment exclusively with premium services subscribers only insofar as it was necessary to provide them with the requested services. However, Movistar later confessed to the DPA that it had been using this browser fingerprinting technology with all kind of users, not only premium subscribers, between 2012 and 2015. The confession triggered the enforcement proceedings.

The DPA concluded that:

  • Header enrichment falls under the scope of the Spanish E-commerce Act (the Spanish E-Privacy Directive transposing legislation) due to the fact that it retrieves information from users and said users can be identified through this information.
  • Movistar did not use header enrichment with the sole purpose of facilitating the transmission of a communication over a communications network nor to provide an information society service explicitly requested by the subscriber because it was used with every user, including non-premium users, until September 2015. Thus, further to the E-Privacy Directive (and the Spanish E-commerce Act), Movistar should have informed users about the use of this technology and provided them with the right to refuse. 
  • As Movistar had not informed the users about the use of this type of technology, nor had it provided them with the right to refuse, it infringed the Spanish E-commerce Act and was fined € 20,000.

The sanction has been made public recently and it may be appealed by Movistar.

If you wish to assess whether you are complying with the Spanish cookies legislation in Spain, please contact us and we will be glad to assist you.