Spanish DPA publishes survey on device fingerprinting

On February 2, 2019, the Spanish Data Protection Agency (AEPD) published a Survey on Device Fingerprinting. (“Survey“)

Device fingerprinting is the systematic gathering of information on a specific remote device with the aim of identifying, singling out and, thus being able to monitor its user’s activity for the purpose of profiling.” The data set extracted from the user’s terminal device allows that device to be unequivocally uniquely identified.

The APD estimates that there are around 4 billion computers, smartphones and other terminal devices in the world, and all of them could be identified with digital fingerprinting.

“The impact of the use of these techniques on the rights and freedoms of users has never been analysed by the data controllers of device fingerprinting models, nor have they provided information on the measures established to minimise the risk and to prevent any breach in security.” Survey at 21.

The processing of data using device fingerprinting techniques is subject to Regulation 2016/679/EU (the General Data Protection Regulation, GDPR) when the scope of Article 3 is met.

The ADP describes several of these digital fingerprinting techniques. Survey at 6-8. There are a number of particularly advanced techniques that may be used to obtain digital fingerprinting of a device, such as canvas fingerprint, canvas font fingerprint, webRTC fingerprint or audio fingerprint which allow for very precise profiles to be obtained.

The Survey gives users some recommendations on how to protect their privacy (Survey at 16-19), such as:

  • use of the browser’s Do Not Track (DNT) option;
  • installation of blockers (browser extensions , allowing the user to elude advertising and user tracking);
  • disabling use of Javascript;
  • alternating browser;
  • execution of access to internet in virtual machines.

Finally, the ADP provides some recommendations for the industry. Survey at 19-20

Under the GDPR perspective, the ADP notes how “it is common to find privacy clauses on websites and applications that allow the user to consent to the use of cookies but it is not so common to find information for the user on the use of tracking techniques based on digital fingerprinting to build user profiles.” Considering that said techniques are generally used for user profiling and analyzing internet activity, consent under the GDPR is required. “Where the user has not consented to processing, the data controller must refrain from compiling and processing the fingerprint and any other data associated with same. …The company must compile a register of processing activities, including processes that use fingerprinting. They must also evaluate whether they comply with the criteria for a Data Protection Officer and contract one in accordance with the criterial set by the GDPR.” Survey at 19.

The ADPT notes how digital fingerprinting tecniques might be  may be legitimate. For example, being part of multiple factor authentication mechanisms. However, they may also be used to monitor users during their web browsing and compile information on their habits and interests without the user being conscious of it.

The Survey on Device Fingerprinting is available at…

More on cookies is available at…

For more information on how EU privacy may impact your business, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli