EU: DEVICE FINGERPRINTING: Article 29 Working Party on data protection: Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting

See the full text: Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting (pdf) The A29WP report asks whether using ways other than cookies to uniquely identify web users for the purposes of tracking comes within the scope of the e-privacy Directive - the short answer: yes, if such 'device fingerprinting' is used for the purposes of advertising:

"Many websites include third-party web-bugs, pixel tags and JavaScript code to enable advertising services. This results in a number of requests for information elements from the user's device. The requests are transmitted to the third-parties providing the advertising services, and allow them to generate a device fingerprint to follow users across websites and over time, and create an interest profile for targeted advertising, even if the user declines cookies. Such processing can technically be undertaken in a covert manner without the knowledge of the user..... device fingerprinting for the purpose of targeted advertising requires the consent of the user."

See also: Guidelines on implementing CJEU judgment: Google Spain (pdf) "In the terms of the Court, “in the light of the potential seriousness of the impact of this processing on the fundamental rights to privacy and data protection, the rights of the data subject prevail, as a general rule, over the economic interest of the search engine and that of internet users to have access to the personal information through the search engine”."


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error