Google has announced a change to its advertising Platforms programme policies. The current iteration of the policies includes a prohibition on "using device fingerprints". However, that prohibition has been dropped from the new policy which will apply from 16 February 2025.
Those unfamiliar with device fingerprinting may look no further than draft ICO guidance which, coincidentally, was also announced in December (see our article here). The ICO's guidance explains that device fingerprinting involves the collection of pieces of information about a device's software or hardware (such as about device configuration, clock information, and browser information). These can be combined to uniquely identify a particular device.
Fingerprinting is frequently touted as an alternative to other forms of user tracking, such as cookies or the use of user-resettable device advertising identifiers, which require consent under the Privacy and Electronic Communications Regulations 2003 (PECR) and often under other industry standards.
Google's announcement of its new policies framed the overall update as having "privacy at the core". There is however an ongoing debate about device fingerprinting due to the 'invisible' nature of the data collection and a lack of user control.
Legally, there are unresolved questions about how device fingerprinting will operate as an effective alternative to other forms of user tracking (assuming that the law in this area is complied with). The ICO (and other regulators) regard fingerprinting techniques as 'storing information, or accessing information stored, on a device'; and therefore, technically, fingerprinting engages PECR 'cookie consent' requirements. If user consent is not obtained, theoretically fingerprinting (nor other forms of tracking) cannot be used.
The ICO says that it is engaging with Google on this change, and it will be interesting to see how this story develops. Meanwhile, the ICO has issued the following warning to advertisers that may look to change their approach in the light of Google's new position.
“ "Organisations seeking to deploy fingerprinting techniques for advertising will need to demonstrate how they are complying with the requirements of data protection law. These include providing users with transparency, securing freely-given consent, ensuring fair processing and upholding information rights such as the right to erasure. Based on our understanding of how fingerprinting techniques are currently used for advertising this is a high bar to meet. Businesses should not consider fingerprinting a simple solution to the loss of third-party cookies and other cross-site tracking signals." ”
