Breaking The Cookie Jar? A Look At The Trend Of ‘Device Fingerprinting’

Author:Mr Philip Nolan, Jeanne Kelly, Oisin Tobin and Peter Bolger
Profession:Mason Hayes & Curran

A recent Opinion of the Article 29 Working Party ("WP") (WP 224) has considered the impact of what is termed "device fingerprinting". This is a method of identifying specific devices or users for purposes including tracking and analytics. In particular, the WP has considered whether the cookies rules under the ePrivacy Directive - which set down information and consent requirements for the use of cookies - could equally apply to device fingerprinting. This Opinion is particularly focused on the perceived circumvention of these cookies rules by online services that use device fingerprinting.

So what is a device fingerprint?

A device fingerprint can be defined as "a set of information elements that identifies a device or application instance". In other words, it is something that can be used to single out or infer a user or a device over time. This is particularly helpful for providers of tailored advertising or web analytics services.

Data commonly used to create this fingerprint are derived from device settings and data exposed by the device's use of network communications protocols. The data can include details such as your browser and device information that is ordinarily transferred to return the webpage sought to your particular device and in the correct format and layout.

Device fingerprinting is not limited to a desktop PC-based web browser, and it traverses many device types and protocols, applying to smart TVs, mobile devices and e-book readers. This fact contrasts with 'traditional' cookies which were largely limited to desktop web browsers and would not usually identify the same user across different browsers installed on the same computer. Consequently, as the WP notes, device fingerprints are now being used by online services as an alternative to HTTP cookies for analytics, tracking and ad tailoring.

The cookies rules

The Opinion specifically examines device fingerprinting in the context of the ePrivacy Directive, rather than from a data protection angle. One of the well-recognised aspects of the ePrivacy Directive is the regulation of cookies and the associated information and consent requirements. The WP's primary concern for device fingerprinting appears to be that users are not afforded the same information and consent options as with cookies. By utilising...

To continue reading