Browser Fingerprinting is on a collision course with GDPR
Nearly all of us have been affected in some way by the new General Data Protection Regulation (GDPR), which took effect in May 2018. The new legislation has brought a multitude of challenges to the digital marketing field. Handling data has become much more difficult, and one area that has been particularly affected is browser fingerprinting.
Browser fingerprinting is becoming the front runner among customer-tracking methods these days because it overcomes the inadequacies of other methods, such as cookies. The EFF (Electronic Frontier Foundation) has published a study
How Does Fingerprinting Work?
When a user browses different websites, digital traces of the properties of their computer, smartphone or other device are left behind. If all of these bits of information are collected and combined, it is possible to track and identify individual users.
Once the pieces are put together, users’ movements can be tracked without using identifiers that are stored on the device, like cookies. Users these days are very much aware of cookies and how they can delete them to avoid tracking, yet fingerprinting subverts this method.
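The effect described above can be measured. The following added example (not part of the original article) groups a constructed set of eight visitors by attributes a browser exposes and shows that no single attribute singles anyone out, while the combination makes every visitor unique. The attribute names and values are assumptions chosen for illustration.

```javascript
// Constructed sample: values a site can read from each visitor's browser
// without storing anything on the device. All data here is made up.
const visitors = [
  { browser: "Firefox", timezone: "Europe/Berlin", screen: "1920x1080", language: "en-GB" },
  { browser: "Firefox", timezone: "Europe/Berlin", screen: "1366x768", language: "en-GB" },
  { browser: "Firefox", timezone: "Europe/Paris", screen: "1920x1080", language: "en-GB" },
  { browser: "Firefox", timezone: "Europe/Paris", screen: "1366x768", language: "en-GB" },
  { browser: "Chrome", timezone: "Europe/Berlin", screen: "1920x1080", language: "en-GB" },
  { browser: "Chrome", timezone: "Europe/Berlin", screen: "1366x768", language: "en-GB" },
  { browser: "Chrome", timezone: "Europe/Paris", screen: "1920x1080", language: "en-GB" },
  { browser: "Chrome", timezone: "Europe/Paris", screen: "1366x768", language: "en-GB" },
];

// Group visitors by their values for the chosen attributes.
// Each group is an anonymity set: visitors the site cannot tell apart.
function anonymitySets(population, attributes) {
  const sets = new Map();
  for (const v of population) {
    const key = attributes.map((a) => String(v[a])).join("\u001f");
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Visitors whose combination of values is shared with nobody else.
function uniqueVisitors(population, attributes) {
  let count = 0;
  for (const size of anonymitySets(population, attributes).values()) {
    if (size === 1) count += 1;
  }
  return count;
}

// Shannon entropy (bits) of the combination across the population.
function entropyBits(population, attributes) {
  let bits = 0;
  for (const size of anonymitySets(population, attributes).values()) {
    const p = size / population.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Report each attribute on its own, then all of them combined.
const all = ["browser", "timezone", "screen", "language"];
for (const attrs of [...all.map((a) => [a]), all]) {
  console.log(attrs.join("+"), entropyBits(visitors, attrs), "bits,",
    uniqueVisitors(visitors, attrs), "unique of", visitors.length);
}
```

Running the same measurement over the attributes a site actually collects shows how small the anonymity sets are, which is what decides whether the data can identify an individual.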
Browser Fingerprinting and the GDPR
This type of tracking is coming head to head with the new privacy regulations. The EFF
Despite this, companies are not above the law. Here in the European Union, the GDPR came into force on 25 May 2018 and, when all is said and done, it cannot be denied that it is a good thing for user privacy. We have all had the cookie pop-ups when visiting new websites for the first time, and that is all thanks to the GDPR. The GDPR does not explicitly mention fingerprinting because it is supposed to remain technologically neutral: it does not name particular types of technology but provides a more general rule of thumb for companies to follow.
The keystone of the new regulations is personal data and its very broad definition. Personal data can be defined as any information which can be linked to a person, and that includes the actual mix of data on which fingerprinting is based. It does not mean that a user’s identity has to be established directly, just that it would be possible. The important factor is that the data could be used to identify an individual, which would be important if there was a data breach. Regardless of a company’s intentions, this type of data should be classed as personal data.
So, can fingerprinting still be legal and comply with the GDPR? The GDPR states that any entity must be able to show that it has legitimate reasons to process personal data. The GDPR gives six possible ways in which data can be processed, and two of those are mostly related to advertising and tracking: user consent and the legitimate interest of those carrying out the tracking. In essence, companies are now forced to explain why they want personal data and how they will use it. In practice, consent works by the user carrying out an unambiguous, informed action. This means that companies have to reveal that they are fingerprinting before they do it and wait for users to consent. This goes against the entire purpose of fingerprinting, which is the covert side of tracking. Therefore, it is more common for companies to cite the second way, having a "legitimate interest" in the data, so that they can avoid asking for consent and publicizing the fact that they are fingerprinting and tracking users. As such, companies are now looking for new ways to build tracking systems based on this legitimate interest.
By default, companies are considered to be not compliant regarding fingerprinting. All companies will have to change their fingerprint-based security systems or they will be penalized. The GDPR tolerates vendors who have a plan of action in place to remove their fingerprinting and find a new way to protect themselves without using users’ personal data. However, there are some companies that are working on solutions that respect the client’s privacy and comply with the GDPR. One of the pioneering companies that is really paving the way with its innovative solutions is F8th Inc., which creates biometric identities with behavioral data. By collaborating with projects such as F8th Inc., companies can make the transition to a system that would be compliant with the GDPR.
Final Thoughts on Fingerprinting and the GDPR
We can’t deny that fingerprinting is an effective strategy for companies. Identifying users and giving them content that is targeted and appropriate is a winning situation for businesses. Yet the GDPR has really thrown a spanner in the works with all the surrounding legalities. Hopefully, there will be more information to come from innovative companies offering solutions for tackling GDPR fingerprinting issues. In the meantime, if a business really is not sure whether it is compliant, the best course is to be open and ask for user consent initially. Likewise, fingerprinting systems are defunct if users can opt out. Luckily, F8th Inc. is here to provide alternatives.
Published: March 7th, 2019