Browser fingerprinting has recently come onto the radar of many internet users as more companies have begun using it as a more covert way of tracking.
Browser fingerprinting allows a site to learn information from your browser that distinguishes you successfully 99% of the time. Using this technology, trackers are able to identify users and track them across websites.
They do so by collecting a variety of information from your computer, including HTTP header information; properties of your browser such as time zone, system fonts, screen resolution, and installed plugins; and, in some cases, details of your hardware configuration.
All this information is combined to reveal a unique combination of properties that is likely linkable only to your computer. This technology was originally designed for security purposes like protecting against fraud and credential hacking, but it is particularly invasive because it is difficult to detect and hard to block. It can be used to re-create cookies on sites after the user has deleted them.
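As an added illustration (not code from the original article), the sketch below measures how each extra attribute shrinks the group of browsers a visitor blends into, which is how a handful of ordinary properties ends up identifying one machine. The population records, attribute names and function names are constructed for the example.

```javascript
// Constructed sample population (not real data): one record per visiting browser.
const population = [
  { timezone: "Europe/Berlin", screen: "1920x1080", fonts: "default", plugins: "pdf" },
  { timezone: "Europe/Berlin", screen: "1920x1080", fonts: "extra",   plugins: "pdf" },
  { timezone: "Europe/Berlin", screen: "1366x768",  fonts: "default", plugins: "pdf" },
  { timezone: "Europe/Berlin", screen: "1366x768",  fonts: "default", plugins: "none" },
  { timezone: "Europe/London", screen: "1920x1080", fonts: "default", plugins: "pdf" },
  { timezone: "Europe/London", screen: "1920x1080", fonts: "default", plugins: "pdf" },
  { timezone: "Europe/London", screen: "1366x768",  fonts: "default", plugins: "none" },
  { timezone: "Europe/London", screen: "1366x768",  fonts: "extra",   plugins: "none" },
];

// Join the chosen attribute values into one comparable key.
function combo(record, attrs) {
  return attrs.map((a) => `${a}=${record[a]}`).join("|");
}

// Anonymity set: how many browsers share the target's values for these attributes.
function anonymitySet(pop, target, attrs) {
  const key = combo(target, attrs);
  return pop.filter((r) => combo(r, attrs) === key).length;
}

// Identifying information in bits; the target must be a member of pop.
function surprisalBits(pop, target, attrs) {
  return -Math.log2(anonymitySet(pop, target, attrs) / pop.length);
}

// Share of the population whose attribute combination occurs exactly once.
function uniqueFraction(pop, attrs) {
  const counts = new Map();
  for (const r of pop) {
    const k = combo(r, attrs);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return pop.filter((r) => counts.get(combo(r, attrs)) === 1).length / pop.length;
}

const target = population[1];
const steps = [["timezone"], ["timezone", "screen"], ["timezone", "screen", "fonts"]];
for (const attrs of steps) {
  console.log(attrs.join("+"), "set size:", anonymitySet(population, target, attrs),
    "bits:", surprisalBits(population, target, attrs));
}
```

No single attribute singles out the target browser here, but three of them together leave it in an anonymity set of one.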
What is the difference between Cookies and Fingerprinting?
Browser fingerprinting is most often used now as an alternative to cookies, which are text files that hold data particular to you and your use of a website. Cookies apply only to the website they were downloaded from and cannot be passed from website to website. Fingerprinting, however, can track you across the web.
Users can also delete cookies easily and implement privacy features that make tracking with cookies more difficult. Limiting fingerprinting is much more difficult: it is much harder to detect when it is being used, and most browsers don’t yet have a good, consistent way to protect against it.
So fingerprinting sounds like an unstoppable technology that will soon have access to you anywhere on the web.
Fortunately, the GDPR was written with the intention of protecting against this kind of covert data collection. The GDPR never explicitly mentions fingerprinting, but fingerprinting does seem to constitute processing of personal data, which the GDPR defines as any information that could be linked to an identifiable individual. While fingerprinting is hardly ever used to link to an identifiable person, it could be used to do so, and that is the important factor.
So, using fingerprinting technology both covertly and legally is not possible in the EU under the GDPR. To fingerprint, most websites would need to ask for consent or prove they have a ‘legitimate interest.’ Asking for consent essentially removes all advantage of using browser fingerprinting over cookies, since it can no longer be used without the user’s detailed knowledge and consent.
Many European companies, however, may be prepared to claim they have a ‘legitimate interest’ in tracking. And some companies within the EU, and especially outside it, may just take their chances and hope no regulations are ever enforced.
There are measures you can take to protect yourself against this type of data collection, but most programs you can use to block this kind of tracking will make most websites next to useless. In addition, while many of these measures are meant to improve security, they can often make your browser more distinct and recognizable, making it easier to fingerprint.
Right now, it still remains to be seen how fingerprinting regulations will be enforced under the GDPR. We promise to let you know as soon as we hear anything!