I like to transfer a discussion from GitHub Issues to the forum.
I would like to discuss publicly whether device fingerprinting requires consent.
The legal question refers to Art. 5 (3) EU ePrivacy Directive of 2002 as updated in 2009. In 2014 the Article 29 Working Party published opinion 09/2014. At that time the opinion has been that fingerprinting requires consent. I have not seen any official declarations on the issue since 2014.
The Matomo documentation states that fingerprinting does not require consent. This mismatch troubled me for quite some time.
After reading a new article on Matomo (in German) and the legal requirements of its use I came to a new conclusion. But I am curious to read what other people think is the right legal answer.
My understanding at the moment is: “access to information already stored” in Art. 5 (3) is only a sub-group of “storing of information (…) in the terminal equipment”.
If I am right the Article 29 Working Party has been wrong. And Matomo is right that fingerprinting does not require consent.
My understanding by now is that Art. 5 (3) only refers to information like identifiers which have been stored at some point from the outside into the device. Fingerprinting does not transfer any (initial) data (like a cookie) into the device. Fingerprinting does only look at technical information provided by hardware and software already installed on the device.
As a friend of mine coined it: With fingerprinting I only look at a car’s licence plate but I do not plug a transmitter to the car.
Any thoughts on this?