The GDPR and Browser Fingerprinting

Katarzyna Szymielewicz and Bill Budington of the Electronic Frontier Foundation:

The concept of legitimate interest in the GDPR has been constructed as a compromise between privacy advocates and business interests. It is much more vague and ambiguous than other legal grounds for processing data. In the coming months, you will see many companies who operate in Europe attempt to build their tracking and data collection of their users on the basis of their “legitimate interest.”

But that path won’t be easy for covert web fingerprinters. To be able to rely on this specific legal ground, every company that considers fingerprinting has to, first, go through a balancing test (that is, verify for itself whether its interest in obscure tracking is not overridden by “the fundamental rights and freedoms of the data subject, including privacy” and whether it is in line with “reasonable expectations of data subjects”) and openly lay out its legitimate interest argument for end-users. Second, and more importantly, the site has to share detailed information with the person that is subjected to fingerprinting, including the scope, purposes, and legal basis of such data processing. Finally, if fingerprinting is done for marketing purposes, all it takes for end-users to stop it (provided they do not agree with the legitimate interest argument that has been made by the fingerprinter) is to say “no.” The GDPR requires no further justification.

Browser fingerprinting is seriously intrusive — and popular. One of the privacy-focused features new to Safari in macOS Mojave is protection against fingerprinting, which Apple says is possible because any given installation of the browser will look more generic. I’m glad to see it being reined in from both regulatory and technological standpoints.