Cross-Device Tracking: An FTC Staff Report
On January 23, the Federal Trade Commission (FTC) released “Cross-Device Tracking: An FTC Staff Report,” which explains how cross-device tracking is used to track consumers across multiple devices, sets out the benefits and challenges of tracking, discusses industry efforts to manage these challenges, and outlines recommended best practices with respect to transparency, choice, and security. The report follows the FTC’s November 2015 Cross-Device Tracking Workshop, an information-gathering event attended by various organizations, academics, industry experts, and consumer advocates.
What Is Cross-Device Tracking?
Cross-device tracking links a single consumer’s activity across multiple devices, such as smartphones, computers, tablets, or other Internet-connected devices. The report outlines how companies may track consumers across devices using “deterministic” techniques (tracking consumers using an identifying characteristic, such as a login) and “probabilistic” techniques (inferring which consumer is using a device when the consumer has not logged in, for example by tracking an IP address).
Benefits and Challenges
The report states that although cross-device tracking is primarily used for analytics or advertising purposes, it may also aid in improving fraud detection and account security and create a better online experience for consumers.
While recognizing these benefits, the report notes that consumers typically do not know they are being tracked or understand the scope of such tracking. For example, a consumer may not expect that downloading an app related to a medical condition at home will trigger ads on other platforms related to that condition. Consumers are generally very limited in their ability to control such tracking—the report notes that many companies using cross-device tracking do not explicitly disclose cross-device tracking in their privacy policies.
Best Practices Recommendations
The report outlines some recommended best practices for publishers, companies engaging in cross-device tracking, and self-regulatory organizations:
Companies engaging in cross-device tracking at all phases should truthfully disclose their tracking activities, provide meaningful information to consumers regarding opt-out tools, and make truthful claims about the categories of collected data.
Cross-device tracking companies should provide truthful disclosures to consumers and first-party companies on whose websites and apps they appear. Consumer-facing companies, publishers and device manufacturers should also practice transparency. Under certain circumstances, failure to provide truthful tracking information could violate the FTC Act.
Companies should offer choices on how consumers’ cross-device activity is tracked and ensure that consumer choice is respected. When companies offer these choices, the FTC Act requires that the companies respect them.
To the extent opt-out tools are provided, any material limitations on how they apply or are implemented with respect to cross-device tracking must be clearly and conspicuously disclosed.
Consumer-facing companies that utilize third-party companies for cross-device tracking, as well as the cross-device tracking companies themselves, should coordinate efforts to ensure that all actors are making truthful claims about the choices afforded to consumers.
Companies should refrain from engaging in cross-device tracking relating to sensitive information and topics (e.g., financial, health, and children’s information) and from collecting and sharing precise geolocation information without consumers’ affirmative express consent.
The principles and codes of conduct governing the online advertising industry generally recognize the need for explicit consent for sensitive data. The Network Advertising Initiative Code of Conduct and the Digital Advertising Alliance Principles of Transparency and Control to Data Used Across Devices each require members to obtain prior consumer opt-in consent before using sensitive data or location information for interest-based advertising.
The FTC Act requires companies to maintain reasonable security to avoid unexpected and unauthorized use of data via a data breach.
Companies should retain only the data necessary for their business purposes and properly secure the data they do collect and maintain, especially when the information retained is tied to personally identifiable information (e.g., email addresses or usernames).