Disadvantages of cookie tracking
Digital fingerprinting – how it works
Digital fingerprinting is the common term for a whole range of user tracking techniques that are difficult to prevent via the browser’s default settings and thus work as non-erasable cookie successors. Although browser fingerprints are not quite as unique as an individual’s fingerprint, they offer a high success rate of over 80 percent in the recognition of web users. In the meantime, however, browser manufacturers are also incorporating measures into browsers that at least partially prevent digital fingerprinting.
Digital fingerprinting relies on the fact that the representation of text in canvas elements varies greatly depending on the user’s computer configuration (IP and MAC address, operating system, browser type or version, plug-ins, fonts and other special settings). The result is therefore unique and can be clearly assigned, similar to a human fingerprint.
The technical side of fingerprint tracking
How the user’s specific fingerprint is created at the time a website is visited depends on how the technology of the visited website interacts with the user’s browser.
Basically there are two types of browser fingerprinting:
- Passive fingerprinting: refers to the collection of browser information that is obtained without the use of a special application, i.e. the IP address, the port used or the browser type. All this information is included in the header data of IP packets by default and reaches the web server in any case.
- Active fingerprinting: With active fingerprinting, the browser is specifically queried for information that is not automatically provided when a web page is opened, for example information about the browser, but also about the operating system and the screen (width, height, resolution).
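The difference between the two types can be measured from the defender's side by counting how many visitors in a sample share the same combination of attributes. The following is an added example, not code from the original page; the eight visitors are constructed sample data, and the attribute names and function names are assumptions made for illustration.

```javascript
// Constructed sample of eight visitors (documentation IP ranges, not real data).
// "passive" values reach the server with every request; "active" values only
// become known when a script in the page queries the browser for them.
const visitors = [
  { passive: { ip: "203.0.113.10", browser: "Firefox" }, active: { os: "Windows", screen: "1920x1080", fonts: "Arial,Calibri" } },
  { passive: { ip: "203.0.113.10", browser: "Firefox" }, active: { os: "Windows", screen: "1920x1080", fonts: "Arial,Calibri" } },
  { passive: { ip: "203.0.113.10", browser: "Firefox" }, active: { os: "Linux", screen: "2560x1440", fonts: "DejaVu Sans" } },
  { passive: { ip: "203.0.113.10", browser: "Chrome" }, active: { os: "Windows", screen: "1920x1080", fonts: "Arial,Calibri" } },
  { passive: { ip: "203.0.113.10", browser: "Chrome" }, active: { os: "macOS", screen: "1440x900", fonts: "Helvetica" } },
  { passive: { ip: "198.51.100.7", browser: "Chrome" }, active: { os: "Windows", screen: "1366x768", fonts: "Arial,Calibri" } },
  { passive: { ip: "198.51.100.7", browser: "Chrome" }, active: { os: "Windows", screen: "1920x1080", fonts: "Arial,Segoe UI" } },
  { passive: { ip: "198.51.100.7", browser: "Safari" }, active: { os: "macOS", screen: "1440x900", fonts: "Helvetica" } },
];

// Build a fingerprint string from the chosen attribute groups of one visitor.
function fingerprint(visitor, groups) {
  return groups
    .flatMap((g) => Object.keys(visitor[g]).sort().map((k) => `${g}.${k}=${visitor[g][k]}`))
    .join("|");
}

// Count how many visitors share each fingerprint (the "anonymity set" size).
function anonymitySets(sample, groups) {
  const sets = new Map();
  for (const v of sample) {
    const fp = fingerprint(v, groups);
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  return sets;
}

// Number of visitors whose fingerprint nobody else in the sample shares.
function uniqueVisitors(sample, groups) {
  let n = 0;
  for (const size of anonymitySets(sample, groups).values()) if (size === 1) n += 1;
  return n;
}

// Identifying information of one visitor in bits: log2(sample size / set size).
function surprisalBits(sample, visitor, groups) {
  const size = anonymitySets(sample, groups).get(fingerprint(visitor, groups));
  return Math.log2(sample.length / size);
}

console.log("unique, passive only:    ", uniqueVisitors(visitors, ["passive"]));
console.log("unique, passive + active:", uniqueVisitors(visitors, ["passive", "active"]));
```

In this sample only one visitor stands out on passive data alone, while adding the actively queried values singles out six of eight; the two that remain indistinguishable have identical configurations.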
Fingerprint tracking and the requirements of the GDPR
Fingerprint tracking is a tracking method in which the end device of a user is clearly recognized. The fingerprint can be determined by different providers and makes it possible to track the user across different websites. It is not obvious to the user and often cannot be turned off individually.
Fingerprinting is only permitted if:
- the user has given explicit consent that fingerprinting is required to provide a special service and is used in this context without exception to carry out the data transfer, or
- there is another legal basis, such as legitimate interest (according to GDPR Art. 6(1)(f)), which, however, might no longer be admissible in Germany after the BGH ruling of the end of May. In other EU countries, legitimate interest is already no longer regarded as permissible.
Our data protection experts from ePrivacy are familiar with all requirements relating to this topic. So if you have any questions about the handling of fingerprint tracking in consideration of the requirements of the GDPR, please contact us.