Privacy & Information Security Law Blog

On November 25, 2014, the Article 29 Working Party (the “Working Party”) adopted Opinion 9/2014 (the “Opinion”) on device fingerprinting. The Opinion addresses the applicability of the consent requirement in Article 5.3 of the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) to device fingerprinting. As more and more website providers suggest using device fingerprinting instead of cookies for the purpose of providing analytics or for tracking purposes, the Working Party clarifies how the rules regarding user consent to cookies apply to device fingerprinting. Thus, the Opinion expands on Opinion 04/2012 on the Cookie Consent Exemption.

The Working Party concludes that Article 5.3 of the e-Privacy Directive applies to device fingerprinting, and thus indicates that third parties may process device fingerprints and gain access to or store information on the user’s terminal device only with the valid consent of the user (unless an exemption applies).

According to Article 5.3 of the e-Privacy Directive, EU Member States must ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is allowed only if the subscriber or user has provided consent. In addition, the subscriber or user must have been provided with clear and comprehensive information in accordance with EU Data Protection Directive 95/46/EC. The Opinion defines fingerprint in broad terms, meaning that it includes a set of information that can be used to single out, link or infer a user, user agent or device over time. According to the Article 29 Working Party, this includes, but is not limited to, data derived from (1) the configuration of a user agent or device, or (2) data exposed by the use of network communications protocols. The Opinion also states that due to design choices when the Internet was developed, devices necessarily transmit information elements. And when a number of information elements are combined, the combination may provide a unique fingerprint for the device or application. Because a user may be associated with the device, he or she may be identifiable via the device fingerprint. In addition, the Working Party considers unique identifiers to be personal data. Therefore, if a fingerprint is generated through the storage of or access to information on a user’s terminal device, the e-Privacy Directive applies and user consent is required.

The Opinion also addresses the rules on possible exemptions from the consent requirement under Article 5.3 of the e-Privacy Directive as described in Opinion 04/2012. These rules exempt processing from the consent requirement if the technical storage or access is (1) “for the sole purpose of carrying out the transmission of a communication over an electronic communications network,” or (2) “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” It also provides practical guidance by providing six example scenarios, and indicating in each example whether the processing is exempt from the consent requirement. The six examples are:

• First-party website analytics,
• Tracking for online behavioral advertising,
• Network provision,
• User access and control,
• User-centric security, and
• Adapting the user interface to the device.