Imagine this: you walk into a big department store. You pick up a pair of running shoes and take them to the counter to purchase. The store has thousands of visitors every day, so to the sales assistant, you’re just another nameless face in the crowd.
As you’re buying the shoes, the sales assistant hands you a note. On it is written some kind of seemingly meaningless number “Hteushrbt6123987!”. You ask the sales assistant what this means. “Oh,” he says, “it’s just a way for us to remember that you like sports equipment. This number is unique to you, so we make a note of it and record the fact that you like running shoes. Next time you come in, we’ll ask you for the number and look it up on our systems. That’ll tell us that you like running shoes, so we’ll then show you other sports products we think may interest you.”
Slightly bemused, you pocket the paper, leave the store and return home. But, sometime later, you return to the store. As you enter, another shop assistant asks you if the store has ever given you a piece of paper with a number on it. You root around in your pockets, find the note, and hand it over. The shop assistant examines it, and taps away on a little handheld device he’s carrying. “Ah!” he says, “Number Hteushrbt6123987! You like running shoes, don’t you? Maybe you’d like to see some other running gear we have in stock? We have some new running vests in, you know – let me show you!”
If such a thing existed, this is how cookie-based targeted advertising would work in the offline world. The note handed to you by the shop assistant represents, of course, a cookie: a piece of information stored with you that enables you (and so your shopping preferences) to be recognized next time you visit the shop so that the merchant can show you products it thinks will interest you – all without knowing your real name, address or other directly identifying details.
Depending on your personal preferences, you may think this is great (“They showed me stuff I wanted but without needing to know my personal details!”) or creepy (“They may not know my name, but that number is all they need to track and surveil me!”) That’s a debate that fiercely divides opinion in the privacy community.
Imagining fingerprinting in the offline world
But cookies aren’t the only way to identify someone. Imagine if instead of being handed a note, the sales assistant instead jotted down some of your personal characteristics: your age, height, weight and gender; the color of your hair (and whether you have any hair at all!); whether or not you wear glasses; your nationality and so on. We’re all unique, so if the sales assistant recorded enough of these details, the store wouldn’t need your name or to give you a number – they could recognize you simply from the information they’d collected about you: “Ah, yes, you’re the 6 foot, 36 year old dark-haired British male, weighing 180 pounds and wearing glasses, who likes running shoes. Let me show you our latest sportswear items!”
In privacy terms, we call a uniquely defining aggregation of personal characteristics a ‘fingerprint’. Perhaps you have heard the term ‘device fingerprinting’ discussed as an alternative technology to cookies in the online world? In an online context, websites can collect device characteristics about the desktop or mobile based device visiting them – such as its IP address, browser type, screen resolution, installed font pack and so on. Gather enough of these details and you have a ‘device fingerprint’.
Fingerprinting and consent
Over the past few years, some businesses have been swinging away from using cookies and towards using other tracking technologies, like device fingerprinting, because of concerns about EU “cookie consent” requirements. The thinking goes that if website cookies require consent, then a ‘cookieless’ technology like device fingerprinting should avoid the need for consent.
For online businesses, the attractions are obvious: no more ugly cookie banners, no cumbersome user consent experiences, no more paying third party cookie compliance vendors. That logic may seem sound; unfortunately, it’s wrong.
This is because “cookie consent” is a misnomer: it isn’t about cookies at all – it’s about online tracking, in whatever form that takes. This is clear both from the wording of Article 5(3) of the e-Privacy Directive (which creates the consent requirement but never uses the term “cookie”, referring instead to “information”) and from recent guidance on device fingerprinting published by the Article 29 Working Party (here). The long and short of it is that when an online service tracks its visitors by any means – cookies, device fingerprinting, LSOs, pixels, scripts or any other technology – consent requirements will apply.
Choosing a consent strategy
What’s less clear is what form that consent needs to take – namely, whether consent needs to be obtained on an opt-in basis (i.e. the assistant asks you if it’s ok to hand you the piece of paper with the number on it) or whether it can be implied if the visitor doesn’t opt-out (i.e. the assistant hands you the note with the number, and tells you to throw it away if you don’t want it). Because of this complexity, we keep a table of these different opt-in and opt-out standards around the EU, which you can see here.
Deciding on the correct consent strategy for your online operations can be tricky, and depends on a number of factors including the necessity of the tracking you do, the context in which you do it, and the countries across which you operate (do you, for example, want a ‘one size fits all’ consent standard across all website operations or a country-by-country approach to consent based on local legal requirements and risk?)
But, whatever you do, don’t do nothing. That would be like having the shop assistant reach over the till to superglue the number to you while your back was turned.
And none of us would want a world where that would be acceptable.