Back to blog

Device fingerprint tracking in the post-GDPR Era

Analytics GDPR

Written by

Published July 5, 2018 · Updated July 26, 2021

Device fingerprint tracking in the post-GDPR Era

GDPR, which took effect on 25 May 2018, brings many changes to the digital marketing landscape.

Processing and handling customer data is trickier than ever. This is true for all tactics and strategies that marketers employ. Among these, one in particular is affected – device fingerprint tracking, which is a controversial matter.

Device fingerprinting is gaining ground these days, because it overcomes some of the insufficiencies of other customer-tracking methods like cookies.

A study by the Electronic Frontier Foundation (EFF) revealed that, for the majority of browsers, the combination of their various properties is unique and serves as a fingerprint which can help track visitors without the use of cookies.

However, this method stirs a lot of confusion when it comes to privacy regulations and data protection. But what, exactly, is the issue here?

We’ve prepared this post to walk you step-by-step through this minefield and to show you everything you need to know about the hot topic of device fingerprinting. Here we go!

What is device fingerprinting?

As users navigate websites they leave digital traces behind: properties of their computers, smartphones, and tablets. Gathering and stitching them together allows us to identify and then track a particular user.

Though many people can have the same device, each of them has a different configuration. It’s all about types of browsers, plugins, fonts, hardware, and many other aspects. This unique set up and architecture creates what’s known as a device fingerprint.

Device fingerprint tracking – why you should use it

With the recent explosion in the use of mobile devices, tracking users has become more challenging. Marketers who want to reach their customers at an individual level are stumbling over more and more obstacles.

First of all, cookies can’t be transferred from one device to another (for example, from a laptop to a smartphone) or shared between apps.

Second of all, users can easily delete cookies, while in incognito mode they reset every time a user closes their browser.

Finally, the rise of ad-blocking software and new privacy features, such as Apple’s Intelligent Tracking Prevention, are making cookie tracking much harder.

Enter browser fingerprint tracking along with canvas fingerprinting. This method has been developed as an alternative to tracking via cookies. It works where cookies can’t. But digital fingerprint data can be used not only for precise tracking.

This method has proven itself as a good solution for security-related issues. In particular, it is commonly applied to fight fraud or credential hijacking. For instance, it allows you to verify if a user who logs into a particular account or site is the legitimate user in the event of a session hijack. In addition, fingerprint tracking supports anti-bot and anti-scraping services.

Device digital fingerprint tracking inside and out

So, what’s the mechanism underlying the whole process? It all comes down to the technology websites use and how they interact with your browser.

First, when someone visits a website, the HTTP request automatically sends information regarding the user agent, operating system, and browser version/type to the server. You can also find out if the Do Not Track option is active.

What’s more, with special JavaScript code you can query your browser to identify:

  • installed plugins
  • location & time settings
  • audio settings
  • battery status
  • screen resolution
  • fonts (Flash or JavaScript)
  • and many more details
An example of a browser digital fingerprint
An example of a browser fingerprint

The technique allows you to determine many more properties of a user’s browser. For instance, you could even check if it supports VLC media player, Acrobat, Real Media, and so on. What’s more, websites can implement canvas fingerprinting or WebGL (Web Graphics Library) fingerprinting techniques that yield insights into how your hardware is configured.

Canvas fingerprinting

is one of the types of browser fingerprint techniques. It exploits the HTML5 canvas element to extract a digital fingerprint from a user. Specifically, when a user enters a website, their browser follows the instruction to draw a hidden line of text or an image, which could potentially be a unique identifier.

Each browser renders images and fonts differently depending on factors like image processing engine, image compression levels, sub-pixel rendering, algorithms, and installed system fonts. The resulting image is unique and can be used as a fingerprint, or a part of it. In recent years, canvas fingerprinting has gained ground as it’s pretty precise and hard to block.

The data on user browsing behavior is stored on the server side. User actions are tracked without the need to employ persistent identifiers kept on the visitor’s device.

All in all, these properties combined with cookies or some other identifiers significantly increase tracking accuracy and improve attribution.

Device Fingerprinting vs GDPR

GDPR doesn’t explicitly mention digital fingerprinting, as the EU tries to stay neutral in regards to technology. That’s why you won’t find comprehensive lists and examples of specific technologies in the Regulation’s text. Instead, GDPR lays down general rules that should be followed when it comes to tracking users across the Internet, irrespective of methods or techniques used.

>>> Is Google Analytics GDPR-compliant? 10 things to consider

The foundation of the regulation is the definition of personal data. Article 4 defines it as any information relating to an identified or identifiable natural person (‘data subject’). It means that various kinds of online identifiers like:

  • cookie identifier
  • device ID
  • network’s IP address

are personal data. And that’s where the digital fingerprint technique collides with the regulation, as processing such data can only be performed with the user’s consent.

Even less specific information like the combination of browser properties, the foundation of fingerprinting, falls under this data category. The principal is that these bits of information relate to an individual and can be used to identify them, directly or indirectly.

Moreover, in the context of GDPR the user’s identity doesn’t have to be established. It’s enough when an entity that processes data can recognize and identify a user. That can be achieved with personal data, whatever its form.

So it doesn’t matter if advertisers want to identify individuals with this data or not. It’s more important that this data could be used to do so, which is what makes it personal data. A given advertiser might not care about who that person is, but if the data leaks, it would be very easy to do so with all that fingerprinting data. Therefore, such data needs to be classified as personal data, no matter what the company’s intentions are.

That said, processing personal data can be legal under certain circumstances. For instance, if it’s based on legitimate interests. That’s one of the legal bases for that purpose and an important point in GDPR compliance. Some people consider it a get out of jail free card to escape the regulation’s limitations. And it could be a good strategy in some cases, but only in some.

Legitimate interests is not like the other lawful bases. If you go down this path, you can expect more twists and challenges. Although it’s more flexible, at the same time you can’t be sure it will be the most appropriate in every case. So how does it differ?

It’s not focused on a particular purpose (for example, executing a contract with the individual user), and it doesn’t process data that a particular person has agreed to. To process data based on legitimate interests you need to make sure that the rights and freedoms of data subjects are not seriously affected. It means you take more responsibility for respecting and protecting people’s rights and interests.

If you’re interested in some specific examples of legitimate interest grounds, then we recommend reading this document prepared by The Centre for Information Policy Leadership (CIPL).

As you can see, processing based on legitimate interests is a tough path to follow. If you are unsure whether you can process personal data based on legitimate interests, make things simple for your organization and you customers by asking users for consent right away.

It’s a win-win situation – you show respect to your users while making sure the company’s compliance is guaranteed. Show that you’re responsible and take your customers’ rights into consideration by informing them of your intentions and giving them a choice.

When a company wants to process personal data, that is, track users actions, match ads with user profiles, or provide targeted advertising across the site, then it needs to obtain that user’s consent. According to the Article 29 Working Party, device fingerprinting, covered by Article 5(3) of the ePrivacy Directive, can be performed with consent:

Parties who wish to process device fingerprints which are generated through the gaining of access to, or the storing of, information on the user’s terminal device must first obtain the valid consent of the user (unless an exemption applies).

GDPR has introduced some major changes to data processing and a uniform definition of consent. It states that it must be:

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

One of the key elements of the consent collection is that you should clearly state your intentions and let people know what they are agreeing to. Your site’s visitors need to know from the beginning that they are consenting to the processing of their personal data. What’s more, they should be informed of their rights concerning this agreement, that they can withdraw their decision and can correct their data, and so on.

There are a couple of rules that you should follow when asking for consent. The request should be:

  • concise
  • prominent
  • easy to understand
  • written in plain language
  • separate from other terms and conditions

If you want to know more about consent and how you can introduce it into your marketing strategy, then read our post:
How Consent Manager Can Help You Obtain GDPR-Compliant Consents From Your Users

The changes introduced by GDPR have a significant impact on your marketing tools, especially those you use for online analytics. Whatever processing of personal data you do, including browser and canvas fingerprinting, you need to ensure that your technology is aligned with the Regulation.

There’s a lot of responsibility you need to take to fulfill the long list of requirements regarding consent. It sounds like a tough task, but you can find solutions that help you with this job.

>>> 10 new privacy laws around the world and how they’ll affect your analytics

You can use a tool that enables you to respect your visitors’ rights while at the same time remaining in step with your marketing practices. Going by various names, like cookie widget, GDPR consent manager, or cookie consent manager, it’s a piece of software that processes your customers’ consents and passes this information to your analytics system.

Naturally, these tools vary in their functionalities, UI, and other features. Most importantly, find one that lets you meet all GDPR demands. Some vendors offer privacy by design, and respecting their customers’ rights is the pillar of their organization. For instance, software like Piwik PRO Consent Manager was created to help you with the GDPR requirements for user consent. You can easily collect and handle visitors’ consents for particular types of data processing. Additionally, it lets you manage other requests regarding your customers’ rights.

On the whole, with the right tool your marketing tactics become transparent to your visitors and you meet your obligations under the new regulation. It’s really hard to find this kind of support on the market. And the absence of such practices is what worries people when they hear about device fingerprinting.

Users want to know what’s happening with their data, how it’s being handled, and why it’s being gathered. They must have the choice to decide whether they want to share their data or not. Now, it’s all in your hands. You can either quit tracking (ha!) or use quality consent management software to resolve these issues and address your customers’ needs.

Digital fingerprinting combined with tracking is a complex but effective strategy. It lets you identify unique users to provide them with content that matches their preferences. But you must be aware of the privacy issues related to it. Once you gain an understanding of all the changes on the legal landscape, you need to find a vendor whose software performs within the GDPR framework and offers you reliable tools that respect your users’ rights and freedoms.

Read other related articles on our blog:

>>> The CJEU sheds more light on trackers and consent requirements

>>> When design goes awry – How dark patterns conflict with GDPR and CCPA

Author

Karolina Matuszewska

Senior Content Marketer

Writer and content marketer. Transforms technical jargon into engaging and informative articles.

See more posts by this author

Core – a new plan for Piwik PRO Analytics Suite

Privacy-compliant analytics, built-in consent management and EU hosting. For free.

Sign up for free

Categories