Fingerprinting… evolution or fad?

Well, if you're Google, then you’re now heavily invested in the former, with a U-turn to introduce fingerprinting into its devices. However, as the ICO was quick to raise, it does not see it as a ‘fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected’. The next steps for fingerprinting seem murky to say the least, but before we get there, let's examine what’s going on. What is fingerprinting, and why is Google introducing it? And why does the ICO object so heavily? 

What is fingerprinting? 

In practice, fingerprinting is a unique ID. But how that ID is generated and where it is stored is what makes it different. Fingerprinting creates a unique identifier for a user based on a combination of their device and browser settings. This can include information such as operating system, browser version, screen resolution, installed plugins, time zone, and even the fonts. 

While seemingly innocuous on their own, these data points, when combined, can create a highly distinctive "fingerprint" that is stored on a user's device and can be used to track a user across different websites.

Why is Google introducing fingerprinting?

To answer this question, as with every conversation about digital advertising and user privacy, it comes back to the cookie and the deprecation (or non-deprecation) of third-party cookies. Initially (before things arguably got out of control), cookies were set on a user's browser. Brands and advertisers could use them to recognise when a user had completed an action online (such as purchasing their product) and, more crucially, track this activity back to a user clicking on an ad. 

This was game-changing at the time for marketers because they could now optimise marketing campaigns at a much more granular level than before, ensuring marketing spend is being used to its full advantage. 

The first disadvantage of cookies for brands and advertisers was that users could delete them relatively easily. 

Further, over the years more and more pressure has been placed on brands and the usage of cookies due to its ability to track users without their knowledge, culminating in the now norm of requiring users to accept or reject various levels of cookie consent whenever they go onto a website depending on what those cookies are then going to be used for (advertising, marketing, functional etc). 

This change was certainly a benefit for the user, as it gave them more control over how their data was being used; however, from an advertising perspective, it led to fragmented user journeys, making it much harder to understand the actual impact of marketing efforts. 

So why is Google introducing fingerprinting? Well, on the surface, it could pave the way back to the granularity of marketing optimisation while complying with the current laws on cookie consent. With fingerprinting on a user's device rather than in a browser, it doesn’t fall into the same limitations of cookies and can allow Google to ‘oversee’ that users' preferences and consent are maintained while taking advantage of a more robust means of tracking.

Why does the ICO object? 

Put simply, it doesn’t give the user a choice over how their data is used. Equally, it is a means of tracking that cannot be amended or deleted by the user to the same extent as cookies. With these two reasons, it’s not hard to think that, from a user privacy and control perspective, this is a significant step in the wrong direction. For example, if a device is going to collect a ‘fingerprint’ of that user, it is more accurate and robust than that of cookies. How can we be sure that a user’s cookie preferences will still be adhered to?

Is a compromise on the horizon?

The introduction of fingerprinting by Google, despite the ICO's strong objections, paints a complex picture for the future of digital advertising and user privacy. While Google positions fingerprinting as a way to potentially regain marketing optimisation granularity within the bounds of current cookie consent regulations, the ICO views it as a direct threat to user choice and control over their data. The fundamental conflict lies in the persistent and less transparent nature of device-based fingerprinting compared to cookies, which users can more easily manage and delete.

Given these opposing viewpoints, the question of whether a compromise is on the horizon remains highly uncertain. For a compromise to emerge, Google would likely need to demonstrate a precise and robust mechanism for ensuring user consent and control over their device "fingerprint." 

This would involve addressing the ICO's concerns regarding the lack of user amendability and deletability of these identifiers, as well as guaranteeing that users' cookie preferences are consistently respected.

Conversely, the ICO might need to acknowledge the industry's need for effective advertising measurement in a privacy-centric landscape. This could potentially involve exploring frameworks that allow for more persistent forms of identification, provided they are built with transparency and user control at their core.

Ultimately, the path forward likely hinges on a delicate balance between innovation in advertising technology and the imperative to uphold user privacy rights. Whether a middle ground can be found that satisfies both the advertising industry's needs and regulatory scrutiny remains to be seen, making the next steps in the evolution (or potential banning) of fingerprinting a closely watched space.