Out with the tracking cookie, but back in with device fingerprinting. Google’s long-running project to eliminate cookies from Chrome is about to wind up, but it has come with a reversal of course that now allows global fingerprinting. The Google rules also allow this across all user devices, tying Chrome activity together with all manner of smart devices and entertainment options.
A reversal of policy established in 2019, the new Google rules were quietly announced in December of last year but seemed to slip beneath the radar. Now that the terms are in force, they appear to have caught the attention of regulators.
Google rules take one step forward, one step back
Chrome is in the midst of implementing a new “global prompt” upgrade that allows users to opt out of tracking cookies entirely, similar to the system that Apple has been using for several years now. While that move delivers on the company’s long-simmering promise to eliminate this form of tracking from its flagship browser, the return of device fingerprinting along with it was not expected.
Google seemed to formally trash device fingerprinting as an option in an August 2019 blog post, touting its Privacy Sandbox as an alternative to both it and invasive tracking cookies. That position seems to have gone the way of “Don’t Be Evil” at this point. A February 16 update to the Google rules governing data privacy on all devices enabled device fingerprinting across its television services, gaming, fitness monitors and seemingly everything else in its ecosystem along with the Chrome browser.
The play for Google seems to be shifting targeted ads primarily to smart devices, rather than focusing heavily on showing them to Chrome users. It is also centered on a digital ad market that is hungrier for personal data than ever now that AI promises to allow automatic and dynamic identification and tracking of users across their full assortment of devices. The process will also center on IP addresses, making it tougher for even privacy-conscious users to keep targeted ads out of their lives.
Green light on device fingerprinting creates new privacy concerns
A fairly strong case can be made that device fingerprinting is worse for privacy than tracking cookies, as there is essentially zero transparency or control at the user end. Cookies could at least be found and deleted, with most modern browsers making privacy clear-outs a simple matter.
Regulators have been a bit slow to react to the new Google rules, but appear to be waking up to the issue now that the February 16 implementation date has passed. One agency that was onto the issue from the initial announcement in December is the UK’s Information Commissioner’s Office (ICO), which responded to Google’s blog post by calling the change “irresponsible” and indicating that the regulator may be looking at whether the device fingerprinting techniques in use violate regional data and privacy laws. The agency has also issued new guidance on the issue which it is soliciting public comment on until March 14. French data regulator CNIL also recently issued a warning reiterating that EU regulations require user consent for personalized ad tracking, and that consent requirement cannot be legally sidestepped with opaque device fingerprinting.
That requirement would seem to put the new Google rules at odds with the requirements of the whole of the EU, not to mention other countries with laws based on the terms of the GDPR such as Canada, South Korea and Brazil. Device fingerprinting can draw from hundreds of device details to work, but most of the key elements remain forms of personal data that are covered by applicable privacy regulations and consent and transparency requirements. While the GDPR itself does not explicitly forbid device fingerprinting, rulings have consistently determined that end users must be clearly informed of what is happening and presented with a choice in the matter. And while the US does not have a comparable federal-level law, California has already indicated that device fingerprinting is considered a form of Cross-Context Behavioral Advertising under its regulations and that the new Google rules will likely have to provide users with a way to opt out of sharing and sale of data collected in this way to ensure compliance.
Advertising companies like device fingerprinting as it now takes relatively few data points to accurately identify someone, possibly as few as 20 depending on what is collected. But this is also offset by privacy-focused browsers such as Brave and Firefox automatically blocking many of these metrics as well as the companies known to collect and process them. Google Chrome’s “Manifest V3” changes seem to have specifically targeted ad blocking extensions that would similarly bolster the browser, with the popular uBlock Origin officially delisted from the browser and other extensions reduced in their effectiveness by having their API access limited.
