Browser Fingerprinting is on a collision course with GDPR

Browser Fingerprinting is on a collision course with GDPR Nearly all of us have been affected in some way by the new General Data Protection Regulation (GDPR), which took effect May 2018. The new legislation has brought about a multitude of challenges in the digital marketing field. Handling data has become much more difficult and one area that has been particularly affected is browser fingerprinting.

Browser Fingerprinting

Browser fingerprinting is advancing as being the front runner of customer tracking these days as it manages to overcome the inadequacies of other methods, such as cookies. The EFF (Electronic Frontier Foundation) has published a study that shows that most browsers have a combination of properties that are so unique that they act as a digital fingerprint and it is this fingerprint that can track their visitor without having to use cookies. However, we need to question this method’s data and privacy regulations, given the introduction of the new GDPR.

How Does Fingerprinting Work?

When a user browses different websites, digital traces pertaining to their computer’s properties or those from their smartphone or other device, are left behind. If all of these bits of information are collected together and combined, it is possible to track and identify individual users. Of course, many people have the same computer or phone, but each has its own configuration including specific plugins, hardware, fonts, and browsers, to name a few, and it is this inimitable set up that forms the device’s individual fingerprint. By collecting all of this information, trackers can identify users covertly over a period of time, tracking them through their visits to different websites and therefore they can create a targeted advertising profile for them. The information collected includes things like HTTP headers that are a normal component of all web requests as well as properties from JavaScript coding, such as your system fonts, time zone and browser platforms. Some sites can even gain a glimpse into the type of hardware that is being used. Piecing it all together and without using identifiers that are stored on the device, like cookies, users’ movements can be tracked. Users these days are very much aware of cookies and how they can delete them to avoid tracking yet fingerprinting subverts this method.

Browser Fingerprinting and the GDPR

This type of tracking is coming head to head with the new privacy regulations. The EFF has long-since been aware of this type of browser fingerprinting, despite it being less well-known than tracking "cookies". Fingerprinting is harder for users to spot as websites do it without the user being aware and it is also trickier to modify your browser to try and stop it. Because cookies are now famous, companies have turned to browser fingerprinting to be sneakier and make it easier to avoid detection. Despite this, companies are not above the law. Here in the European Union, the GDPR came into force on 25 May 2018 and, when all is said and done, it cannot be denied that it is a good thing for user privacy. We have all had the cookie pop-ups when visiting new websites for the first time, and that is all thanks to the GDPR. The GDPR does not explicitly mention fingerprinting as is supposed to remain neutral (technologically speaking), so it does not name particular types of technology but provides a more general rule of thumb for companies to follow.

Personal Data

The keystone of the new regulations is in personal data and it’s very broad definition. Personal data can be defined as any information which can be linked to a person, that includes the actual mix of data on which fingerprinting is based. However, it does not mean that a user’s identity has to be established directly, just that it would be possible. The important factor is that the data could be used in identifying an individual, which would be important if there was a data breach. Regardless of a company’s intentions, this type of data should be classed as personal data.


So, can fingerprinting still be legal and comply with the GDPR? The GDPR states that any entity must be able to show that they have legitimate reasons to process personal data. There are six possible ways that the GDPR says that data can be processed and two of those are mostly related to advertising and tracking. These two are user consent as well as the legitimate interest of those carrying out the tracking. In essence, companies are now forced to explain why they want personal data and how they will use it. In practice, this works with a user consenting by carrying out an unambiguous, informed action. This means that companies have to reveal that they are fingerprinting before they do it and wait for the users to consent. This goes against the entire purpose of fingerprinting, which is the covert side to tracking. Therefore, it is more common for companies to cite the second way, having a "legitimate interest" in the data, so that they can avoid asking for consent and publicizing the fact that they are fingerprinting and tracking users. As such, companies are now looking for new ways to build tracking systems based on this legitimate interest.

New Compliance

By default, companies are considered to be not compliant regarding fingerprinting. All companies will have to change their fingerprint-based security systems or they will be penalized. The GDPR tolerates vendors who have a plan of action in place to remove their fingerprinting and get a new way to protect themselves without using user personal data. However, there are some companies that are working on solutions to respect the client’s privacy and being compliant to the GDPR. One of the pioneering companies that is really paving the way with its innovative solutions is F8th Inc., which creates biometric identities with behavioral data. In collaborating with project such as F8th Inc., companies can effectuate a transition to a system that would be compliant to the GDPR yet give them what they are looking for in terms of user tracking.

Final Thoughts on Fingerprinting and the GDPR

We can’t deny that fingerprinting is an effective strategy for companies. By identifying users and giving them content that is targeted and appropriate is a winning situation for businesses. Yet, the GDPR has really thrown a spanner in the works with all the surrounding legalities. Hopefully, there will be more information to come from innovative companies offering solutions in tackling their GDPR fingerprinting issues. In the meantime, if a business really is not sure if they are compliant, they are best by being open and asking for user consent initially. Likewise, fingerprinting systems are defunct if users can opt out. Luckily, F8th Inc. is here to provide alternatives.

Published: March 7th, 2019