Device fingerprinting is a common way for websites to quickly gather information about a visitor to help customize their experience. The most basic way it is used is to determine what type of device is accessing a site, and then loading the right user interface. For example, it would allow a site to display a mobile version when the user is visiting on their smart phone and the full version while on their PC.
In addition, however, this type of fingerprinting can also gather unique user data and browsing history to help display targeted ads. In effect, it can be used in very similar ways that cookies have been used for years.
Since the EU published “Article 29” regulating how cookies can be used, and what type of consent sites need to get in order to use them, many companies have been looking for ways around using cookies. For quite some time now, device fingerprinting has become that option.
According to a recently published opinion by the pan-European Article 29 Working Group, however, that may be coming to an end. In the opinion, they said, “This Opinion expands upon the earlier Opinion on 4/2012 on Cookie Consent Exemption and indicates to third-parties who process device fingerprints which are generated through the gaining of access to or the storing of information on the user’s terminal device that they may only do so with the valid consent of the user (unless an exemption applies).”
The primarily exemptions currently in place are concerning the temporary use of the fingerprinting to determine what version of a site to display. Storing fingerprinting information and using it for other things, it seems based on this opinion, will not be permitted.
Essentially what this is going to do is require websites in the EU to either continue using cookies (with consent) or begin requesting consent for using the device fingerprinting. Obviously, neither of these options will be liked by website owners.
The specific way that this is to be implemented with vary from country to country in the EU. What, if any, impact this will have on US browsers is not known. THE FCC or other agencies may use this move to inspire a similar policy. You can read the full opinion HERE.
