Article excerpts from a forthcoming book – 99 Articles on the GDPR
Summary: Browser fingerprinting is an accurate method of identifying unique browsers and tracking online activity. The GDPR aims to create a more transparency on how data controllers and processors utilize fingerprinting.
- Browser fingerprinting collects pseudonomysous data to create a user profile.
- GDPR aims to control data collection.
- Organizations may not be able to enable fingerprinting without a legitimate interest.
There are incredible ways of acquiring information in today’s world. It wasn’t too long ago that to identify the ownership of a device, you would have to take an actual fingerprint from the device and match it against a database. Nowadays, data collection methods on a device and/or browser can be used to understand the ownership or user. One such method that has come under the scrutiny of the GDPR is browser fingerprinting.
What is browser fingerprinting?
A simple way to look at this is that organizations are trying to bridge a user’s online identity with their offline identity. The assertion is that there is information on a device along with the actions of the user that identifies the user. Similar to how an IP address can glean information on a user, the data can be used to create a user profile.
Every time you go to a website using a browser, data is taken about system configurations that, in aggregate, create a virtual fingerprint of the device and the user. It is also a powerful tracking tool that works even if you’ve taken steps to cover your tracks, like deleting your cookies or using a private browsing window. That’s helpful for everyone from banks to advertisers to help identify the user.
The GDPR doesn’t explicitly mention the legality of browser fingerprinting as it would mean that there may be an expectation, going forward, that the regulation would need to call out specific technologies. Being technologically neutral and flexible is a position, thus far, that the EU has gotten right. The expectation is that case law, and non-binding recitals (like Recital 30) will help the framework keep pace with technology.
An EU citizen’s data is meant to be controlled by that person. Identifiers such as browser characteristics and other configurations don’t expose who you are, per se. However, such tiny bits of data, from such things as cookies, can offer a generalized version of who you are so that organizations that reap benefits from understanding a user and its and their behavior can create a potentially lucrative enterprise. User “identification” does not require establishing a user’s identity but indirect methods of identifying the user is enough for the GDPR. The forcing function in this conversation is if the organization can obtain user consent and the “legitimate interest” of whoever is doing the tracking.
In its current form, the internet is used as a portal to give and take information for both good and bad. With technology such as fingerprinting, organizations that can utilize and process indirect personal data have a significant advantage in their industry. Fingerprinting is most pronounced in advertising. Thus, when several information elements are combined (especially unique identifiers such as your set of system fonts) across websites (e.g. for the purposes of behavioral advertising), fingerprinting constitutes the processing of personal data and must comply with GDPR. However, the goal of the GDPR is to create a framework of how personal data is controlled and processed in which case. Organizations will inevitably claim a “legitimate interest” in tracking, and may be prepared to defend this argument. It will be up to regulators and courts to increase transparency in the process yet that will become an increasingly tougher task as machine learning and technologies, such as “ping” tracking, become standardized into user experiences.