The UK Information Commissioner's Office (ICO) has issued a stern warning following Google's announcement regarding device fingerprinting practices. The tech giant revealed it will lift its ban on fingerprinting techniques for organizations using its advertising products, effective February 16, 2025.
Stephen Almond, ICO's Executive Director of Regulatory Risk, called the policy change "irresponsible" and emphasized that companies must still comply with data protection laws when implementing such tracking methods.
Device fingerprinting involves collecting various pieces of information about a device's hardware and software to create a unique identifier for tracking users across websites. Unlike cookies, which users can easily delete, fingerprinting creates persistent identifiers that are harder to remove or control.
The ICO highlighted that Google's new stance contradicts its own 2019 position, when the company stated fingerprinting "subverts user choice and is wrong." The privacy regulator expressed concerns about the technology's impact on user consent and control over personal data collection.
In response to this development, the ICO has published draft guidance outlining how data protection laws, including the Privacy and Electronic Communications Regulations (PECR), apply to fingerprinting and similar technologies. A public consultation on these guidelines will begin December 20, 2023.
The ICO warned that organizations must obtain explicit user consent before implementing fingerprinting techniques and demonstrate compliance with data protection requirements. The regulator plans to release a comprehensive strategy in 2024 focusing on giving users meaningful control over personalized advertising.
For consumers, the implications are notable. Traditional privacy controls allow users to clear cookies and site data, but fingerprinting techniques can immediately re-identify users after they have done so, making it challenging even for privacy-conscious individuals to maintain their online anonymity.
The ICO maintains its position that fingerprinting should not be viewed as a simple replacement for third-party cookies, setting a high compliance bar for organizations considering its implementation.