GDPR, which took effect on May 25th, brings many changes to the digital marketing landscape. Processing and handling customer data is trickier than ever. This is true for all tactics and strategies that marketers employ. Among these, one in particular is affected – device fingerprint tracking, which is a controversial matter. Device fingerprinting is gaining ground these days, because it overcomes some of the insufficiencies of other customer-tracking methods like cookies.
However, this method stirs a lot of confusion when it comes to privacy regulations and data protection. But what, exactly, is the issue here?
What is device fingerprinting?
As users navigate websites they leave digital traces behind: properties of their computers, smartphones, and tablets. Gathering and stitching them together allows us to identify and then track a particular user.
Though many people can have the same device, each of them has a different configuration. It’s all about types of browsers, plugins, fonts, hardware, and many other aspects. This unique setup and architecture creates what’s known as a device fingerprint.
Why employ device fingerprint tracking?
With the recent explosion in the use of mobile devices, tracking users has become more challenging. Marketers who want to reach their customers at an individual level are stumbling over more and more obstacles. First of all, cookies can’t be transferred from one device to another (for example, from a laptop to a smartphone) or shared between apps. Second of all, users can easily delete cookies, while in incognito mode they reset every time a user closes their browser. Finally, the rise of ad-blocking software and new privacy features, such as Apple’s Intelligent Tracking Prevention, are making cookie tracking much harder.
Enter browser fingerprint tracking along with canvas fingerprinting. This method has been developed as an alternative to tracking via cookies. It works where cookies can’t. But digital fingerprint data can be used not only for precise tracking.
This method has proven itself as a good solution for security-related issues. In particular, it is commonly applied to fight fraud or credential hijacking. For instance, it allows you to verify if a user who logs into a particular account or site is the legitimate user in the event of a session hijack. In addition, fingerprint tracking supports anti-bot and anti-scraping services.
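The session check described above can be sketched as follows. This is an added example, not code from the original article: the attribute field names, the tolerance of one changed attribute, and the sample values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Attribute kinds the page lists (browser, plugins, fonts, hardware).
// The field names are assumptions made for this example.
const FIELDS = ['userAgent', 'plugins', 'fonts', 'screen', 'timezone'];

// Keyed hash per attribute: the session store then holds no raw browser
// properties, and digests are useless without the server-side key.
function digestAttributes(attrs, key) {
  const out = {};
  for (const f of FIELDS) {
    const value = JSON.stringify(attrs[f] ?? null);
    out[f] = crypto.createHmac('sha256', key).update(`${f}=${value}`).digest('hex');
  }
  return out;
}

// Compare the digests stored at login with those of the current request.
// One changed attribute (e.g. a browser update) is tolerated by default;
// more than that marks the session for re-authentication.
function checkSession(stored, current, maxChanged = 1) {
  const changed = FIELDS.filter((f) => !crypto.timingSafeEqual(
    Buffer.from(stored[f], 'hex'), Buffer.from(current[f], 'hex')));
  return { changed, suspicious: changed.length > maxChanged };
}

// Constructed sample data, not taken from any real device.
const key = crypto.randomBytes(32);
const atLogin = { userAgent: 'ExampleBrowser/101', plugins: ['pdf'],
  fonts: ['Arial', 'Helvetica'], screen: '1920x1080x24', timezone: 'Europe/Warsaw' };
const afterUpdate = { ...atLogin, userAgent: 'ExampleBrowser/102' };
const otherDevice = { userAgent: 'OtherBrowser/55', plugins: [],
  fonts: ['Roboto'], screen: '1080x2340x24', timezone: 'America/Chicago' };

const stored = digestAttributes(atLogin, key);
console.log(checkSession(stored, digestAttributes(afterUpdate, key)));
console.log(checkSession(stored, digestAttributes(otherDevice, key)));
```

A flagged session would normally trigger step-up authentication rather than an outright block, since a legitimate user can also change several attributes at once.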
Device Fingerprinting vs GDPR
GDPR doesn’t explicitly mention fingerprinting, as the EU tries to stay neutral with regard to technology. That’s why you won’t find comprehensive lists and examples of specific technologies in the Regulation’s text. Instead, GDPR lays down general rules that should be followed when it comes to tracking users across the Internet, irrespective of methods or techniques used.
The foundation of the regulation is the definition of personal data. Article 4 defines it as any information relating to an identified or identifiable natural person (‘data subject’). It means that various kinds of online identifiers like:
- cookie identifier
- device ID
- network’s IP address
are personal data. And that’s where the digital fingerprint technique collides with the regulation, as processing such data can only be performed with the user’s consent. Even less specific information like the combination of browser properties, the foundation of fingerprinting, falls under this data category. The principle is that these bits of information relate to an individual and can be used to identify them, directly or indirectly.
Moreover, in the context of GDPR the user’s identity doesn’t have to be established. It’s enough when an entity that processes data can recognize and identify a user. That can be achieved with personal data, whatever its form.
So it doesn’t matter if advertisers want to identify individuals with this data or not. It’s more important that this data could be used to do so, which is what makes it personal data. A given advertiser might not care about who that person is, but if the data leaks, it would be very easy to identify them with all that fingerprinting data. Therefore, such data needs to be classified as personal data, no matter what the company’s intentions are.
That said, processing personal data can be legal under certain circumstances, for instance if it’s based on legitimate interests. That’s one of the legal bases for processing and an important point in GDPR compliance. Some people consider it a get-out-of-jail-free card to escape the regulation’s limitations. And it could be a good strategy in some cases, but only in some.
Legitimate interests is not like the other lawful bases. If you go down this path, you can expect more twists and challenges. Although it’s more flexible, at the same time you can’t be sure it will be the most appropriate in every case. So how does it differ?
It’s not focused on a particular purpose (for example, executing a contract with the individual user), and it doesn’t process data that a particular person has agreed to. To process data based on legitimate interests you need to make sure that the rights and freedoms of data subjects are not seriously affected. It means you take more responsibility for respecting and protecting people’s rights and interests.
Consent to solve the compliance issue
As you can see, processing based on legitimate interests is a tough path to follow. If you are unsure whether you can process personal data based on legitimate interests, make things simple for your organization and your customers by asking users for consent right away. It’s a win-win situation – you show respect to your users while making sure the company’s compliance is guaranteed. Show that you’re responsible and take your customers’ rights into consideration by informing them of your intentions and giving them a choice.
When a company wants to process personal data, that is, track users’ actions, match ads with user profiles, or provide targeted advertising across the site, then it needs to obtain that user’s consent. According to the Article 29 Working Party, device fingerprinting, covered by Article 5(3) of the ePrivacy Directive, can be performed with consent:
Parties who wish to process device fingerprints which are generated through the gaining of access to, or the storing of, information on the user’s terminal device must first obtain the valid consent of the user (unless an exemption applies).
GDPR has introduced some major changes to data processing and a uniform definition of consent. It states that it must be:
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
One of the key elements of the concept is that you should clearly state your intentions and let people know what they are agreeing to. Your site’s visitors need to know from the beginning that they are consenting to the processing of their personal data. What’s more, they should be informed of their rights concerning this agreement, that they can withdraw their decision and can correct their data, and so on.
There are a couple of rules that you should follow when asking for consent. The request should be:
- easy to understand
- written in plain language
- separate from other terms and conditions
Apply technology for managing consents
The changes introduced by GDPR have a significant impact on your marketing tools, especially those you use for online analytics. Whatever processing of personal data you do, including browser and canvas fingerprinting, you need to ensure that your technology is aligned with the Regulation.
There’s a lot of responsibility you need to take to fulfill the long list of requirements regarding consent. It sounds like a tough task, but you can find solutions that help you with this job.
You can use a tool that enables you to respect your visitors’ rights while at the same time remaining in step with your marketing practices. Going by various names, like Cookie Widget, GDPR Consent Manager, or Cookie Consent Manager, it’s a piece of software that processes your customers’ consents and passes this information to your analytics system.
Naturally, these tools vary in their functionalities, UI, and other features. Most importantly, find one that lets you meet all GDPR demands. Some vendors offer privacy by design, and respecting their customers’ rights is the pillar of their organization.
On the whole, with the right tool your marketing tactics become transparent to your visitors and you meet your obligations under the new regulation. It’s really hard to find this kind of support on the market. And the absence of such practices is what worries people when they hear about device fingerprinting.
Users want to know what’s happening with their data, how it’s being handled, and why it’s being gathered. They must have the choice to decide whether they want to share their data or not. Now, it’s all in your hands. You can either quit tracking or use quality consent management software to resolve these issues and address your customers’ needs.
Device fingerprinting combined with tracking is a complex but effective strategy. It lets you identify unique users to provide them with content that matches their preferences. But you must be aware of the privacy issues related to it. Once you gain an understanding of all the changes on the legal landscape, you need to find a vendor whose software performs within the GDPR framework and offers you reliable tools that respect your users’ rights and freedoms.