I would like to discuss publicly whether device fingerprinting requires consent.
The legal question refers to Art. 5 (3) EU ePrivacy Directive of 2002 as updated in 2009. In 2014 the Article 29 Working Party published opinion 09/2014. At that time the opinion has been that fingerprinting requires consent. I have not seen any official declarations on the issue since 2014.
The Matomo documentation states that fingerprinting does not require consent. This mismatch troubled me for quite some time.
After reading a new article on Matomo (in German) and the legal requirements of its use I came to a new conclusion. But I am curious to read what other people think is the right legal answer.
My understanding at the moment is: “access to information already stored” in Art. 5 (3) is only a sub-group of “storing of information (…) in the terminal equipment”.
If I am right the Article 29 Working Party has been wrong. And Matomo is right that fingerprinting does not require consent.
My understanding by now is that Art. 5 (3) only refers to information like identifiers which have been stored at some point from the outside into the device. Fingerprinting does not transfer any (initial) data (like a cookie) into the device. Fingerprinting does only look at technical information provided by hardware and software already installed on the device.
As a friend of mine coined it: With fingerprinting I only look at a car’s licence plate but I do not plug a transmitter to the car.
That’s a good question and I don’t think I have heard one definitive answer to this.
In the end the only person that can give you legal advice is your lawyer (and definitely not me).
While I agree that fingerprinting does not store any data on the client, I don’t think this is a good deciding point on whether something needs consent.
In a hypothetical parallel world where there was a Web-API implemented in every mobile that allowed a website to read the IMEI of a visitor, I really don’t believe using it for tracking without consent would be anywhere close to legal, even though it does not store any data on the client.
Two more (mostly subjective) points in this discussion:
noyb.eu is a great NGO working mostly on enforcing GDPR rules and other privacy topics from a legal point of few. (You might know them from Max Schrems’ lawsuit against Facebook).
On their website they seem to be using Matomo without Cookies and without consent (if I see things correctly)
And CNIL (the French data privacy agency) takes a bit more direct approach regarding GDPR-recommendations and explicitly lists tracking software that they consider to be exempt from requiring consent (I think even when using cookies):
You might notice that Matomo in not yet on this list, but this is a work in progress and should soon be the case. So you might want to follow this page in the next months.
I would say your IMEI example compares to my example with a car’s licence plate.
Legally ePrivacy law is telecommunications law which is basically there to protect the integrity of your communications infrastructure. GPDR is the “real” privacy law and less strict than the ePrivacy Directive.
From my understanding fingerprinting in general can be legitimate without consent under ePrivacy law. You still need a legal bases under Art. 6 GDPR. If you access more sensitive data like IMEI it is most likely that you can’t call legitimate interest as your legal bases.
To access data like IMEI consent might not be required by Art. 5 (3) ePrivacy Directive but by GDPR.
I know that is a very legal perspective. But this is what I like to discuss here.
My point of view is if you create a device that reads each car licenses in the street (and store them in your server) to create some statistics, you should ask the consent of drivers, or at least inform them that they are tracked…
In my point of view, fingerprint is a kind of personal data.
I’ve just read how the fingerprinting was implemented in Matomo…
As the fingerprinting of a user changes with time (a user who comes back won’t have the same fingerprint) for me it is not personal data. Then no consent is needed
ePrivacy doesn’t care about personal data. ePrivacy is telecommunications law.
Only GDPR cares about personal data. But at this point I am talking about Art. 5 (3) ePrivacy Directive.
******** Following GDPR logic *******
For the evaluation whether the fingerprint is personal data or not it doesn’t matter whether it is kept for a second, 24 hours (by Matomo) or month or years. Time is no factor to be considered.
As long as the fingerprint enables recognition of returning visitors it looks very much like personal data.
In English it should read: “In general, the CNIL considers that the following measures are strictly necessary for the proper administration of a site.”
CNIL refers to Art. 82 of the French Data Protection Law which turns Art. 5 para 3 EU ePrivacy Directive (2009) into French law. The most relevant term is “strictly necessary”.
As CNIL accepts (basic) website analytics as strictly necessary for the running of a website CNIL provides an incredible support for analytics without consent.
The CNIL judgement stays slightly fragile till it has been challenged in front of a court – most likely the ECJ. Lets see what other national authorities add to this legal development.
