EU Data Rules Now Require Consent for Device Fingerprinting
New data protection guidance in Europe now explicitly requires user consent for device fingerprinting, a technique used for cross-device tracking and personalization. The updated interpretation sets a precedent that products using granular device-level data for analytics or recommendations must implement robust consent workflows. This move increases regulatory scrutiny on ambiguous consent flows or "dark patterns" for data collection.
- This requirement stems from the long-standing interpretation of Article 5(3) of the ePrivacy Directive, first formally applied to device fingerprinting in a 2014 opinion by the Article 29 Working Party, the predecessor to the European Data Protection Board (EDPB).
- Device fingerprinting creates a unique identifier for a device by combining a set of its specific attributes, such as operating system, browser version, installed fonts, and plugins. This technique can track users even when cookies are disabled, often without their knowledge.
- The EDPB has reinforced and expanded upon this guidance, most recently in its 2024 guidelines, to address emerging tracking technologies that go beyond traditional cookies, including URL and pixel tracking.
- Unlike cookies, which users can often easily delete, a device fingerprint is much harder for an individual to change or remove, making the tracking more persistent.
- Consent is not required if the fingerprinting is strictly necessary for transmitting a communication or for providing a service explicitly requested by the user, such as adapting content to the device's interface. However, fingerprinting for analytics or targeted advertising requires prior user consent.
- While the ePrivacy Directive governs the act of accessing a user's device, the General Data Protection Regulation (GDPR) applies to the subsequent processing of any personal data collected through fingerprinting.
- Privacy advocacy groups, such as noyb, actively file complaints against companies for alleged breaches of these tracking rules, demonstrating ongoing enforcement efforts across the EU.
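The following is an added example, not code from the guidance or from any product: a consent gate placed in front of fingerprint collection, so device attributes are not read at all for analytics or advertising unless consent for that purpose is recorded. The purpose names, attribute names, the FNV-1a hash choice and the sample device are assumptions made for illustration.

```javascript
// Purposes treated as exempt from consent (assumed labels for the two cases the page names:
// transmitting a communication, and a service explicitly requested by the user).
const EXEMPT_PURPOSES = new Set(["transmission", "requested_service"]);

// Stable serialization: sort keys and list values so attribute order does not alter the result.
function canonicalize(attrs) {
  return Object.keys(attrs).sort().map((key) => {
    const value = attrs[key];
    const text = Array.isArray(value) ? [...value].sort().join(",") : String(value);
    return `${key}=${text}`;
  }).join("|");
}

// FNV-1a (32-bit) over UTF-16 code units: a simple non-cryptographic hash,
// used here only to keep the example free of imports.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// The identifier is derived from the attributes alone, so clearing cookies does not change it.
function fingerprint(attrs) {
  return fnv1a(canonicalize(attrs));
}

// Gate: readAttrs (the access to the device) runs only when the purpose is exempt
// or the user has given consent for that specific purpose.
function collectFingerprint(purpose, consent, readAttrs) {
  const allowed = EXEMPT_PURPOSES.has(purpose) || consent[purpose] === true;
  if (!allowed) return { allowed: false, id: null };
  return { allowed: true, id: fingerprint(readAttrs()) };
}

// Constructed sample device, not real data.
const sampleDevice = {
  os: "ExampleOS 12",
  browser: "ExampleBrowser 120.0",
  fonts: ["Arial", "Courier New", "Verdana"],
  plugins: ["pdf-viewer"],
};

console.log(collectFingerprint("analytics", {}, () => sampleDevice));
console.log(collectFingerprint("analytics", { analytics: true }, () => sampleDevice));
```

Placing the check before `readAttrs` is called matters because the ePrivacy rule described above concerns the access to the device itself, not only the later processing.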