The Federal Trade Commission yesterday released its report on cross-device tracking. The report, which follows the Commission’s November 2015 Cross-Device Tracking Workshop, describes some of the current approaches to track consumers across multiple connected devices, discusses industry self-regulatory approaches to protect consumer privacy, and offers recommendations for how to apply longstanding FTC principles like transparency, choice, and security to cross-device tracking.  These recommendations are not binding legal rules, but provide insight on what the FTC staff consider best practices and how the FTC might interpret and apply Section 5 of the FTC Act in this space.

At a high level, cross-device tracking allows companies to associate multiple devices with the same person.  This may be achieved, for example, deterministically (e.g., when a user logs in to a service on multiple devices) or probabilistically (i.e., by inferring who is using a device through technological or statistical methods). The report acknowledges that cross-device tracking has numerous consumer benefits, such as creating a seamless consumer experience, improving fraud detection and account security, and receiving more relevant ads.

Recommendations

The report’s recommendations mirror the general principles that the FTC has applied in other contexts, such as the 2009 Self-Regulatory Principles for Online Behavioral Advertising.  Applied to the cross-device tracking context, these recommendations include:

• Transparency. All companies involved in cross-device tracking (including  advertising technology providers, website publishers, and mobile app developers) should truthfully disclose their tracking activities.  The report warns that failure to disclose cross-device tracking could implicate the FTC Act. These disclosures extend not only to stating the fact that companies are engaging in these practices, but also to making truthful claims about the categories of data collected and the scope of any opt-out mechanisms.Notably, the report states that data that is “reasonably linkable to a consumer or a consumer’s device” – including in some cases a hashed email address or username – is “personally identifiable.”  As an example, the FTC pointed out that consumer-facing companies who share plain-text or hashed email addresses or usernames for purposes of cross-device tracking should “refrain from referring to this data as anonymous or aggregate, and should be careful about making blanket statements to consumers stating that they do not share ‘personal information’ with third parties.”  (In a footnote, however, Commissioner Ohlhausen clarifies that “to the extent that an email address is hashed in a manner so that it is not reasonably linkable to a consumer or a consumer’s devices, it would not be personally identifiable information.”)

• Choice. The FTC encourages companies to offer consumers choices with respect to cross-device tracking. The report recognizes that there are valid reasons for an opt-out choice to apply on a device-by-device basis, rather than across the entire graph of connected devices. If, however, an opt-out tool is limited to only certain types of tracking technologies or is otherwise limited in scope, companies should clearly and conspicuously disclose the limits of the opt out to avoid misleading consumers.  In addition, third-party tracking companies must avoid misrepresenting to app developers and website publishers the types of information they collect and use or the scope of their opt-out mechanisms.

• Sensitive Data. The FTC recommends that companies refrain from engaging in cross-device tracking on sensitive topics without consumers’ affirmative express consent.  Such  topics include health, financial, children’s information, and precise geolocation information.

• Security. As in other areas, the FTC Act requires that companies maintain “reasonable security.” The FTC staff noted that cross-device tracking companies may have rich data sets that are often tied to individuals, and which may be an attractive target for malicious actors.  Accordingly, the FTC encourages companies to keep only the data necessary for their business purposes and to properly secure the data they do collect and maintain.

Self-Regulatory Efforts

The FTC also discussed self-regulatory efforts to address cross-device tracking, namely by the Digital Advertising Alliance (DAA) and the Network Advertising Initiative (NAI).  The staff noted that, on February 1, 2017, the DAA will begin enforcing its Cross-Device Guidance. Under this guidance, an opt out for behavioral ads on one device not only stops behavioral advertising on that specific device but also prevents data from that opted-out device from being used for behavioral advertising on a user’s other linked devices.

In general, the staff commended the DAA’s and NAI’s self-regulatory efforts to improve transparency and choice with respect to cross-device tracking. Staff encouraged heightened levels of protection for sensitive information, clear effective dates for the self-regulatory principles and codes, and defined scope of their application.

Although the Commissioner’s voted unanimously to issue the staff report, Commissioner Ohlhausen issued a concurring statement to emphasize that the report “does not alter the FTC’s longstanding privacy principles but simply discusses their application in the context of a new technology.”

Ted Karch is the author of this article.