Stephen Almond is the ICO’s executive director of regulatory risk. |
Yesterday, Google announced to organisations that use its advertising products, that from 16 February 2025, it will no longer prohibit them from employing fingerprinting techniques. Our response is clear: businesses do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act.
Fingerprinting involves the collection of pieces of information about a device’s software or hardware, which, when combined, can uniquely identify a particular device and user.
The ICO’s view is that fingerprinting is not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected. The change to Google’s policy means that fingerprinting could now replace the functions of third-party cookies.
We think this change is irresponsible. Google itself has previously said that fingerprinting does not meet users’ expectations for privacy, as users cannot easily consent to it as they would cookies. This in turn means they cannot control how their information is collected. To quote Google’s own position on fingerprinting from 2019: “We think this subverts user choice and is wrong.”
We are continuing to engage with Google on this U-turn in its position and the departure it represents from our expectation of a privacy-friendly internet. When the new policy comes into force on 16 February 2025, organisations using Google’s advertising technology will be able to deploy fingerprinting without being in breach of Google’s own policies. Given Google’s position and scale in the online advertising ecosystem, this is significant.
In the meantime, there should be no doubt around any business’s obligations when it comes to fingerprinting and privacy. Data protection law, including the Privacy and Electronic Communications Regulations (PECR), applies. Businesses must give users fair choices over whether to be tracked before using fingerprinting technology, including obtaining consent from their users where necessary.
We have taken the step of publishing draft guidance today on how data protection law, including PECR, applies to storage and access technologies such as fingerprinting. We’ll be launching a consultation on the guidance on Friday 20 December to give organisations the opportunity to feed back their thoughts.
Organisations seeking to deploy fingerprinting techniques for advertising will need to demonstrate how they are complying with the requirements of data protection law. These include providing users with transparency, securing freely-given consent, ensuring fair processing and upholding information rights such as the right to erasure.
Based on our understanding of how fingerprinting techniques are currently used for advertising this is a high bar to meet. Businesses should not consider fingerprinting a simple solution to the loss of third-party cookies and other cross-site tracking signals.
Our guidance forms part of the ICO’s upcoming strategy to give people meaningful control over how their information is used to show them personalised adverts. We will set out more details of our plans in the New Year.
Explainer: What does fingerprinting mean for the public?
- Privacy controls are built around existing technologies. When you choose an option on a consent banner or ‘clear all site data’ in your browser, you are generally controlling the use of cookies and other traditional forms of local storage.
- Fingerprinting, however, relies on signals that you cannot easily wipe. So, even if you ‘clear all site data’, the organisation using fingerprinting techniques could immediately identify you again. This is not transparent and cannot easily be controlled.
- Fingerprinting is harder for browsers to block and therefore, even privacy-conscious users will find this difficult to stop.