The Federal Trade Commission (FTC) recently issued a staff report (available here) on the trend to link consumers’ online behavior across multiple devices. Among other recommendations, the FTC suggests that companies not track sensitive information which may include health, financial, children’s and precise geolocation information without the consumers’ affirmative express consent. The FTC also recommends that all companies engaged in cross-device tracking should truthfully disclose their tracking activities. The FTC reviewed the privacy policies of 100 top websites and only found 3 policies that expressly mentioned enabling third-party cross-device tracking on their websites.
What is cross-device tracking and how is it used?
The FTC report states that “cross-device tracking occurs when platforms, publishers and ad tech companies try to connect a consumer’s activity across [multiple devices]” (e.g. smartphones, tablets, desktop computers, and other connected devices). The goal of cross-device tracking is not only to associate multiple devices with the same person, but ultimately for companies to target consumers more precisely and create a personalized advertising experience. Advertisers use the information obtained through cross-device tracking to target specific consumers, avoid ad redundancy and measure the success of various ad campaigns.
Companies engaged in cross-device tracking use two techniques, deterministic and probabilistic. According to the FTC report, deterministic techniques “track consumers across devices through a consumer identifying characteristic,” usually login credentials. Companies link consumers based on deterministic techniques because consumers actively identify themselves within multiple devices which then allows companies to associate and observe a consumer’s activity on more than one device. The second technique, probabilistic, is an approach which infers which consumer is using a device, usually through an IP address and the placement of cookies or similar mechanisms. For example, an ad platform may place a cookie, which includes the IP address of the device, on the consumer’s browser; the ad platform then can infer that any other device using the same IP address belongs to the same person or household. Similarly, if your smartphone connects to your work’s IP address during the day and then a separate one at home, the ad platform may infer that your work computer, home computer, smartphone and other devices all belong to the same person based on the correlation between the devices and IP addresses.
Benefits and challenges of cross-device tracking
The benefits of cross-device tracking are obvious; cross-device tracking:
- Creates a seamless experience for the consumer as they maneuver from one device to another
- Improves fraud detection and account security
- Allows advertisers to provide consumers with a more relevant and personalized online experience
- Increases competition among those within the advertising industry
But with the creation and growth of cross-device tracking technology comes a greater risk to privacy and data security. One of the biggest challenges for cross-device tracking is transparency. Consumers are often times either not aware of the practice and/or the scope of the practice, or both. This is especially true with respect to probabilistic techniques where the consumer has not actively logged into a platform, and may be most concerning with respect to sensitive information. Consumers may be horrified to find that activities they engage in on their personal devices, such as searching a medical condition, will then prompt ads relating to that condition, or related topics may start popping up on your work computer or other household members’ devices. Consumers may also not be aware of the expansive list of devices that are included in cross-device tracking. Typically we think about our desktops, laptops, smartphones and tablets, but what about the inclusion of smart televisions, wearable devices and data obtained from brick and mortar stores? There is a need for privacy relating to sensitive information which may be obtained from cross-device tracking of a consumer’s online footprint, and may often times contain sensitive information which the consumer is not aware they are sharing.
Not only are consumers not aware of the breadth of this technology but the use of cross-device tracking is often not discussed in companies’ privacy policies. Furthermore, the practice of cross-device tracking and the number of entities which have access to, compile and share customer data is not clear to consumers. The consumer may only be aware of the first-party, such as the login platform, but is unaware of the third-party advertising and analytics companies that have access to this information but are not identified to the consumer.
Another big challenge of cross-device tracking is the consumer’s ability to control this practice. Consumers are becoming more sensitive to the need to control data collection by deleting cookies on a regular basis, using ad blockers or using the “limited ad tracking” setting on smartphones, but it is unclear whether or not these choices apply to cross-device tracking.
The final challenge outlined by the report relates to the sheer amount of information collected and the security of this information. Cross-device tracking includes a large amount of information relating to sites visited and apps used, in conjunction with raw or hashed email addresses. This type of information is a prime target for hackers who are looking for large caches of information. Although the type of information collected is usually not financial information or Social Security numbers, the information may be harmful if posted as it may include health or other sensitive information derived from internet browsing. A breach on this type of information may also make knowledge-based authentication measures less effective, such as the application to the banking sector which uses security questions based on personal information.
Addressing the challenges, the FTC’s recommendations
Transparency – all companies engaged in cross-device tracking should truthfully disclose their tracking activities which will allow consumers to decide what tools they can utilize to limit or expose their data obtained through this technology. Consumer facing and third-party companies, not directly involved with the consumer, should provide truthful disclosures to consumers and to the first-party companies that use their websites and apps. Consumer facing companies should also disclose cross-device tracking and the categories of data being collected, as certain types of information may be personally identifiable information. The FTC went on to state that such non-disclosure and transparency may implicate the FTC Act for third-party and consumer facing companies.
Choice – companies should offer consumers a choice with respect to cross-device tracking, such as opt-out tools and disclosure of a tool’s material limitations. Two FTC cases, ScanScout, Inc.[1] and Turn Inc.[2], have recently sent important messages that if a company provides an opt-out which may contain a limitation, such limitation must be conspicuously disclosed so consumers are not mislead.
Sensitive Data – the FTC recommends that companies engaged in cross-device tracking refrain from tracking sensitive information which may include health, financial, children’s and precise geolocation information without the consumers’ affirmative express consent. This type of data requires a high level of protection.
Security – the FTC requires companies to maintain reasonable security to avoid unexpected and unauthorized use of data. Companies are advised not only to keep data necessary to their business but to properly secure collected data.
Cross-device tracking provides a wealth of benefits, but consumers should be informed about such activities and be able to control the tracking activities. Entities involved in cross-device tracking should review their cross-device tracking practices and implement the recommendations provided by the FTC.
[1] ScanScout, Inc., No. C-43444 (F.T.C. Dec. 14, 2011)
[2] Turn Inc., No. 152 3099 (F.T.C. Dec. 20, 2016)