
Device Fingerprinting: what, how, why... and the law

Concerns have been raised that a digital technique known as ‘device fingerprinting’ is increasingly being adopted as an alternative to cookies, offering a means to digitally analyse and track internet users, often without the users’ knowledge or consent. The Article 29 Data Protection Working Party[i] has recently adopted an opinion (WP224) stating that Article 5(3) of the E-Privacy Directive (aka the legislation regulating usage of cookies) is also applicable to device fingerprinting (as a “similar technology”), so that consent would be required to use this technique.[ii]

Definition

Device fingerprinting refers to the generation of a unique combination of data related to the use of a specific internet-connected device, which in turn can be used to identify and track the behaviour of a specific device and thus in many cases its user, across the internet.

A device “fingerprint” is defined as “a set of information elements that identifies a device or application instance.”[iii] The working party acknowledge that they have adopted a broad interpretation of this term, to include “a set of information that can be used to single out[iv], link[v] or infer[vi] a user, user agent or device over time”[vii], including data derived from the “configuration of a user agent/device”, and “data exposed by the use of network communication protocols.”[viii]

Data Protection Impact?

The Article 29 Working Party expressly do not consider the requirements of the Data Protection Directive in the Opinion. However, they do say that device fingerprints may constitute personal data. As such, the data protection principles must be complied with, including fair and lawful processing, and people's right to refuse direct marketing must be respected.

Device fingerprints can be personal data because a user may be associated, and therefore identified, or made identifiable, by the fingerprint generated by their device. Individually, non-unique information elements, such as the model of smartphone being used, browser settings, fonts or APIs, do not necessarily present a significant risk from a data protection perspective, e.g. there may be many users with the same configuration. However, when a number of these information elements are merged together, the resulting derived data can be sufficiently accurate and unique to enable the precise pinpointing of a specific device or application instance across the internet. This process effectively allows the online behaviour of individual users to be tracked over time.
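The merging effect described above, shown as an added example that is not part of the original article: over a small constructed population, no single information element singles out any device, yet the combination of all four singles out most of them. The field names and every value are made up for illustration.

```python
import math
from collections import Counter

# Constructed sample population: (device model, browser, timezone, font-set label).
# Every value here is invented for illustration.
DEVICES = [
    ("phone-A", "browser-1", "UTC+0", "fonts-x"),
    ("phone-A", "browser-1", "UTC+1", "fonts-y"),
    ("phone-A", "browser-2", "UTC+0", "fonts-y"),
    ("phone-A", "browser-2", "UTC+1", "fonts-x"),
    ("phone-B", "browser-1", "UTC+0", "fonts-y"),
    ("phone-B", "browser-1", "UTC+1", "fonts-x"),
    ("phone-B", "browser-2", "UTC+0", "fonts-x"),
    ("phone-B", "browser-2", "UTC+0", "fonts-x"),
]
FIELDS = ("model", "browser", "timezone", "fonts")

def anonymity_sets(devices, columns):
    """Group devices by the chosen columns; return {value tuple: device count}."""
    return Counter(tuple(d[c] for c in columns) for d in devices)

def unique_fraction(devices, columns):
    """Share of devices whose combination of values is shared with nobody else."""
    sets = anonymity_sets(devices, columns)
    singled_out = sum(n for n in sets.values() if n == 1)
    return singled_out / len(devices)

def surprisal_bits(devices, columns, device):
    """Identifying information, in bits, that the chosen columns reveal about one device."""
    sets = anonymity_sets(devices, columns)
    key = tuple(device[c] for c in columns)
    return math.log2(len(devices) / sets[key])

def report(devices):
    """Unique-device share for each element alone, then for all elements merged."""
    rows = [(name, unique_fraction(devices, [i])) for i, name in enumerate(FIELDS)]
    rows.append(("all combined", unique_fraction(devices, range(len(FIELDS)))))
    return rows

if __name__ == "__main__":
    for name, frac in report(DEVICES):
        print(f"{name:13s} unique devices: {frac:.0%}")
```

The same measurement run over real collected attributes gives a practical indication of whether a data set singles out devices, which is the test the Working Party's broad definition of a fingerprint turns on.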

Risks?

Unlike cookies, device fingerprint information can be accessed by numerous third parties, who are able to collect such data and recognise a particular user. Another issue, and a significant difference between device fingerprinting and cookies, is that “device fingerprinting can operate covertly”[ix]. With cookies, a user has the option to wipe the cookie files, or select a ‘do-not-track’ browser setting (although these setting requests are not always complied with in practice). In contrast, there are no simple, user-friendly solutions to prevent device fingerprinting from occurring, and some of the information elements collected, such as a device serial number or an IP address, are simply not practical to change regularly, e.g. by switching internet service provider, or buying a new phone every few weeks. This would quickly become an expensive, and perhaps somewhat paranoid, ritual to avoid being tracked.

Advertising companies have attempted to argue that the use of this fingerprint information does not involve the processing of personal information. However, the Article 29 Working Party argues that these unique strings of data should in fact qualify as personal data, since the very purpose of processing the data is to serve personalised content and advertisements to the individual user.

E-Privacy Compliance?

Concern has been raised that a growing number of parties are using device fingerprinting as a convenient technique to sidestep the regulations which cover the use of cookies.[x] Internet users and site operators will be familiar with the consent pop-up boxes and banners which appear on most websites relating to cookies. These are the result of Article 5(3) of the E-Privacy Directive, which requires that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user” is only permitted if, (1) the user has given consent, and, (2) the consent is based on being presented with comprehensive information regarding the purposes of the data processing.

Note that Article 5(3) does set out two clear exemptions to the requirement for user consent when attempting to process information on a device: The first exemption applies when information is stored or accessed on a device “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”. The second exemption is when information is stored or accessed, which is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”. Thus, if a cookie falls within the scope of these exemptions, user consent will not be required.

Moving back to device fingerprinting, in adopting Opinion WP224, the Article 29 Working Party has stated that when a device fingerprint is generated, the E-Privacy Directive will apply, even if the information collected does not yet constitute personal data. Consequently, where the process of device fingerprinting requires either the storage of, or access to, information on a user’s device (note both storage and access are not required), then “consent will be required”, unless one of the above valid exemption criteria applies.

Additionally, the opinion of the Working Party provides various “use case scenarios”[xi], detailing examples of different types of device fingerprinting, and examining whether in each instance the consent requirement will, in general, apply, or be exempt. In particular, they conclude that where device fingerprinting is used for tracking for online behavioural advertising, this must be with the consent of the user.

Conclusions

The use of device fingerprinting should, like cookies, be interpreted as falling under the user consent requirements of Article 5(3), even if certain individual information elements which constitute the overall device fingerprint do not themselves require the storage of, or access to, information on the user’s device. This means that third parties and online data analytics stakeholders should be aware that the “cookie rules” do not only apply to cookies, and going forward, a more careful approach to device fingerprinting should be adopted.

Please contact Nicola Fulford, Head of Data Protection and Privacy, with any queries.


[i] The Working Party on the Protection of Individuals with regard to the Processing of Personal Data

[ii] Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting.

[iii] Cooper, 2013. Privacy Considerations and Internet Protocols http://tools.ietf.org/html/rfc6973

[iv] Opinion 05/2014 on Anonymisation Techniques, pp 11-12.

[v] Opinion 05/2014 on Anonymisation Techniques, pp 11-12.

[vi] Opinion 05/2014 on Anonymisation Techniques, pp 11-12.

[ix] http://www.w3.org/TR/geolocation-API/#privacy_for_uas. 

[x] Wall Street Journal, 2013. Web Giants Threaten End to Cookie Tracking. http://online.wsj.com/news/articles/SB10001424052702304682504579157780178992984

[xi] Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting.