European data watchdog the Article 29 Working Party (WP29) has released guidance recommending that so-called device fingerprinting is bound by the same rules as cookies, and should be done only with explicit consent.
The WP29 device fingerprinting report (PDF) said that the practice presents serious data protection concerns for individuals.
"This [report indicates] to third parties who process device fingerprints which are generated through the gaining of access to or the storing of information on the user's terminal device that they may only do so with the valid consent of the user (unless an exemption applies)," the report adds.
The UK Information Commissioner's Office, which installed the cookie rules locally in 2012, explained that the same rules will apply to device fingerprinting.
"The ICO has always been clear that the law around cookies also applies to similar technologies," said a spokesperson.
"The Article 29 opinion adopted this week, which the ICO played a key role in drafting, confirms that digital fingerprinting can be such a technology.
"Digital fingerprinting can access information stored on a user's machine in a similar way to a cookie, for a range of purposes. With that in mind, it is sensible to consider that the law can apply to some uses of digital fingerprinting in the same way it does to cookies."
The ICO added that digital fingerprinting provides enough information to identify an individual, and that this has data protection as well as privacy implications.
The WP29 report said that firms have used device fingerprinting as a way to avoid the consent conditions of current legislation.
Many web firms use device fingerprinting in order to gather information on a visitor to their site and then present information to them, such as adverts, based on their previous browsing history.
Stewart Room, head of data protection and cyber security at PWC, said that the Article 29 guidelines are a continuation of efforts to shore up local data laws and bring a more 'consent-led' approach to internet monitoring.
"The EU regulators want to move the internet as far as possible to a consent-based system wherever the processing of personal data is concerned," he told V3.
"The tracking and profiling of internet use is a top-level privacy worry for the regulators, so it is not surprising that they have formed the view that device fingerprinting needs cookies-style prior consent where there is access to, or storage of, information on the user's equipment."
The move comes as Europe also looks to enforce its so-called Right to be Forgotten ruling on Google in all parts of the world.