This guidance follows Google’s recent announcement that organisations will be permitted to use device fingerprinting techniques, which is a reverse previous position.
The ICO has commented on Google’s announcement with the view that “fingerprinting is not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected”.
Why is device fingerprinting a concern?
This is a technique used to identify and potentially track individuals. It involves the collection of a range of hardware and software information about a device which when combined enables a particular device or user to be identified.
Device fingerprinting is of particular concern because it relies on information and signals that individuals cannot easily erase reducing data subjects’ choice and control over their personal data. For example, where an individual clears all site data, an organisation that has used device fingerprinting may have retained information that would allow that individual to immediately be reidentified.
The ICO’s response
In order to tackle concerns around the deployment of device fingerprinting the ICO has released draft guidance on storage and access technologies. This draft guidance would expand on the detailed cookies guidance.
Amongst the updates the ICO sets out its expectations about how organisations using storage and access technologies such as cookies and device fingerprinting should request and manage consent. The ICO’s position is clear to be compliant with the Privacy and Electronic Communication (EC Directive) Regulations 2003 and data protection legislation in requesting and managing consent organisations must:
- give individuals clear and comprehensive information, so data subjects understand what their consent is requested for, and their choices.
- ensure individuals retain control over all non-essential storage and access technologies.
- inform individuals of any third parties that can access their personal data.
- ensure that its method of consent is not unnecessarily disruptive.
- consent must be indicated by a positive action.
- allow individuals to withdraw consent.
- regularly consider whether consent needs to be refreshed. The ICO’s suggests consent must be refreshed at least every six months although consent may be needed sooner if for example an organisation, changed its purpose for using a storage and access technology, introduced a new storage and access technology or proposes to allow new parties access to the personal data.
Organisations proposing to use device fingerprinting and other storage and access technologies should be aware of the draft guidance and consultation.
A link to the draft guidance can be found at this here, consultation on the guidance remains open until 14 March 2025.
Beverley Flynn