Google's Fingerprinting U-Turn Draws ICO Fire

Digital fingerprinting is a powerful tool with significant implications for both security and privacy. While it offers substantial benefits in fraud prevention, it also raises important data protection concerns, particularly in the area of digital advertising. 

 

Last month, Google announced a significant policy reversal, stating that from February 16, 2025, it will allow the use of fingerprinting techniques in its advertising products. This decision has drawn sharp criticism from the Information Commissioner's Office (ICO), which has labelled the move as irresponsible, not least because, in 2019, Google stated that it thinks fingerprinting “subverts user choice and is wrong”.

What is fingerprinting?

Every time a device (laptop, phone, tablet) connects to the Internet, it broadcasts information about its properties and settings so that it can work smoothly with websites and other devices.  Trackers then collect this information to build a profile or “fingerprint”.

This fingerprint can identify the individual device and track the user across different sessions and websites. Even if the user clears their cookies, or uses private browsing methods, the fingerprint can still be used.

 

And, as always, the more information available (for example, combining fingerprinting with cookies or other identifiers), the closer you can get to narrowing down an individual device or even user. 

What is fingerprinting used for?

While fingerprinting may now seem an intrusive and potentially unfair process, its original beneficial purpose was to prevent software piracy and credit card fraud.  Now it’s becoming a powerful tool for online marketers.

 

Fraud Prevention

Fingerprinting helps detect and prevent fraud.  For example, it helps banks and financial services companies identify unusual or even unauthorised access attempts so they can take appropriate steps to verify the user.  It can also be used as an additional layer of MFA security. 

 

Digital Advertising

Fingerprinting supports digital advertising in a number of areas, specifically to improve targeting and ROI. For example:

  • Tracking:  fingerprinting can be used to track user behaviour across different websites and sessions.  For example, an organisation could use device fingerprinting to provide web analytics such as unique returning visitors.  In addition, advertisers can deliver highly targeted, personalised ads based on the user’s browsing habits, device information and preferences.
  • Cross-Device tracking:  fingerprinting can help identify individual users across multiple devices, so advertisers can tailor their ads and marketing material accordingly.
  • Performance analytics:  fingerprinting can track how users interact with ads, and provide analytics around individual devices’ / users’ ad impressions and clicks. Advertisers can use this information to measure and evaluate both overall campaign and individual ad testing, and increase advertising efficiency.

What are the data protection considerations?

The ICO is very clear in its statement:

 

“Businesses do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed—and if it is not, the ICO will act.”

 

The key considerations are:

 

Transparency:  Digital fingerprinting often occurs without users' knowledge, let alone consent, and this “invisible processing” of significant amounts of data flies in the face of data protection laws. Users must be made aware that fingerprinting is taking place. That information should be clear and transparent at all times.  Individuals must know when and how they are being tracked. And there must be a means of ensuring that individuals can choose not to be tracked in this way. 

 

Legal Basis - Consent: While fingerprinting for the prevention of fraud or identity theft may fall under the legal basis of legitimate interests, for advertising, consent is required. Although device fingerprinting only collects data about a user’s device (and not, for example, contact information like their name or email address), it still, like cookies, falls under the category of personal data. This is because all these pieces of information relate to an individual and can be used to identify them – either directly or indirectly. So the GDPR and PECR both come into play.

 

If a company wishes to use device fingerprinting for advertising and marketing purposes, then it will have to obtain consent from the user to do so, and will need to ensure that such consent is logged. Under GDPR, consent may be withdrawn at any time and the withdrawal process has to be as simple as the consent process, so a mechanism for withdrawing consent must also be provided.

 

Data Breaches: If data held in fingerprinting databases is breached, the risks include fraud, identity theft and a variety of other dishonest activity. The additional difficulty is that, in the event of a breach, digital fingerprint characteristics cannot easily be changed.

 

Purpose: While the original purpose of collecting and processing the "fingerprinting" data elements may be clearly defined and explained, and consent obtained, there is a risk that the data could very easily be repurposed, for example for surveillance or additional profiling, without the knowledge of the individuals concerned and without their consent to do so.

 

 

Can individuals avoid fingerprinting?

One of the core reasons the ICO has been so clear in its condemnation of Google's u-turn is that it is incredibly challenging to avoid fingerprinting. Unlike cookies, fingerprinting data cannot be deleted. You may be able to hide your IP address by using a VPN or searching anonymously. But it’s hard to know whether device or browser fingerprinting is being used because the actual information used to “fingerprint” your device is processed every time you use your browser to view a website. In addition, using privacy add-ons tends to make you more identifiable rather than less, simply because your setup becomes increasingly unique. This inability to manage your “fingerprint” risks the persistent tracking of individuals’ activity across websites and sessions. This information may then be used to create very detailed user profiles.
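The narrowing effect described under “What is fingerprinting?” and the add-on paradox above can both be measured, which is how a privacy review would quantify the exposure. The following is an added example, not part of the original article; the visitor data, the attribute names and the `addons` field (a stand-in for the observable side effects of privacy extensions) are constructed assumptions.

```python
import hashlib
import math

# Constructed sample: what eight hypothetical browsers expose to a website.
ATTRS = ["ua", "tz", "screen", "addons"]
_ROWS = [
    ("Chrome/Windows", "Europe/London", "1920x1080", "none"),
    ("Chrome/Windows", "Europe/London", "1920x1080", "none"),
    ("Chrome/Windows", "Europe/London", "1366x768", "none"),
    ("Chrome/Windows", "Europe/Paris", "1920x1080", "none"),
    ("Safari/macOS", "Europe/London", "1440x900", "none"),
    ("Safari/macOS", "Europe/London", "1440x900", "none"),
    ("Firefox/Linux", "Europe/London", "1920x1080", "none"),
    ("Chrome/Windows", "Europe/London", "1920x1080", "canvas-blocker"),
]
# Each visitor also holds a cookie, which is NOT part of the fingerprint.
VISITORS = [dict(zip(ATTRS, row), cookie=f"id-{i}") for i, row in enumerate(_ROWS)]


def fingerprint(visitor, attrs=ATTRS):
    """Hash only the device attributes; the cookie plays no part."""
    joined = "|".join(visitor[a] for a in attrs)
    return hashlib.sha256(joined.encode()).hexdigest()[:16]


def anonymity_set(visitors, target, attrs=ATTRS):
    """How many visitors are indistinguishable from target on these attributes."""
    fp = fingerprint(target, attrs)
    return sum(1 for v in visitors if fingerprint(v, attrs) == fp)


def narrowing(visitors, target, attrs=ATTRS):
    """Anonymity-set size as each further attribute is combined in."""
    return [anonymity_set(visitors, target, attrs[:n])
            for n in range(1, len(attrs) + 1)]


def identifying_bits(visitors, target, attrs=ATTRS):
    """Surprisal in bits: log2(population / anonymity set)."""
    return math.log2(len(visitors) / anonymity_set(visitors, target, attrs))


if __name__ == "__main__":
    typical, with_addon = VISITORS[0], VISITORS[7]
    print("typical browser :", narrowing(VISITORS, typical))
    print("with privacy add-on:", narrowing(VISITORS, with_addon))
    cleared = dict(typical, cookie="id-new")  # user clears cookies
    print("same fingerprint after clearing cookies:",
          fingerprint(cleared) == fingerprint(typical))
```

An anonymity set of 1 means the browser is unique in the sample, so the transparency and consent obligations apply even though no name or email address was collected.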

Conclusion

Be wary when using fingerprinting for advertising purposes. The ICO has made its position very clear, and any use of fingerprinting must ensure transparency. You will also need consent from users. If you do not take the appropriate data protection steps and (to quote the ICO) it is not "lawfully and transparently deployed", then "the ICO will act".

 

January 16th 2025

 

 

If you would like help or assistance with any of your data protection obligations, please email dc@datacompliant.co.uk or call 01787 277742.

 
