November 19, 2018

November 16, 2018

Subscribe to Latest Legal News and Analysis

Cross-Device Tracking: An FTC Staff Report

On January 23, the Federal Trade Commission (FTC) released “Cross-Device Tracking: An FTC Staff Report,” which explains how cross-device tracking is used to track consumers across multiple devices, sets out the benefits and challenges of tracking, and discusses industry efforts to manage these challenges, as well as outlines recommended best practices with respect to transparency, choice, and security. The report follows the FTC’s November 2015 Cross-Device Tracking Workshop, an information-gathering event attended by various organizations, academics, industry experts, and consumer advocates.

What Is Cross-Device Tracking?

Cross-device tracking links a single consumer’s activity across multiple devices, such as smartphones, computers, tablets, or other Internet-connected devices. The report outlines how companies may cross-device track consumers via “deterministic” (tracking consumers using an identifying characteristic, such as a login) and “probabilistic” (inferring which consumer is using a device without logging in, such as tracking an IP address) techniques.  

Benefits and Challenges

The report states that although cross-device tracking is primarily used for analytics or advertising purposes, it may also aid in improving fraud detection and account security and create a better online experience for consumers.

While recognizing these benefits, the report notes that consumers typically do not know they are being tracked or understand the scope of such tracking. For example, a consumer may not expect that downloading an app related to a medical condition at home will trigger ads on other platforms related to that condition. Consumers are generally very limited in their ability to control such tracking—the report notes that many companies using cross-device tracking do not explicitly disclose cross-device tracking in their privacy policies.

Best Practices Recommendations

The report outlines some recommended best practices for publishers, companies engaging in cross-device tracking, and self-regulatory organizations:

Transparency:

  • Companies engaging in cross-device tracking at all phases should truthfully disclose their tracking activities, provide meaningful information to consumers regarding opt-out tools, and make truthful claims about the categories of collected data.

  • Cross-device tracking companies should provide truthful disclosures to consumers and first-party companies on whose websites and apps they appear. Consumer-facing companies, publishers and device manufacturers should also practice transparency. Under certain circumstances, failure to provide truthful tracking information could violate the FTC Act.

Choice:

  • Companies should offer choices on how consumers’ cross-device activity is tracked and ensure that consumer choice is respected. When companies offer these choices, the FTC Act requires that the companies respect them.

  • To the extent opt-out tools are provided, any material limitations on how they apply or are implemented with respect to cross-device tracking must be clearly and conspicuously disclosed.

  • Consumer-facing companies that utilize third-party companies for cross-device tracking as well as the cross-device tracking companies should coordinate efforts to ensure that all actors are making truthful claims about the choices afforded to consumers.

Sensitive Data:

  • Companies should refrain from engaging in cross-device tracking relating to sensitive information and topics (e.g., financial, health, and children’s information) and from collecting and sharing precise geolocation information without consumers’ affirmative express consent.

  • The principles and codes of conduct governing the online advertising industry generally recognize the need for explicit consent for sensitive data. The Network Advertising Initiative Code of Conduct and the Digital Advertising Alliance Principles of Transparency and Control to Data Used Across Devices each requires members to obtain prior consumer opt-in consent before using sensitive data or location information for interest-based advertising.

Security:

  • The FTC Act requires companies to maintain reasonable security to avoid unexpected and unauthorized use of data via a data breach.

  • Companies should retain only the data necessary for their business purposes and properly secure the data they do collect and maintain, especially when the information retained is tied to personally identifiable information (e.g., email addresses or usernames).

Copyright © 2018 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Vito Petretti, Morgan Lewis, Technology Lawyer
Partner

Vito Petretti’s practice focus is technology and outsourcing matters. Clients regularly turn to him to draft and negotiate domestic and international outsourcing service agreements for a variety of business processes, such as information technology, finance and accounting, human resources, and procurement. Within the realm of information technology, Vito drafts and negotiates agreements for software licensing, hardware purchases and leases, data licensing and subscriptions, website hosting and development, and other technology-related agreements, including system...

215-963-5001
Valerie A. Gross, Business Technology Attorney, Morgan Lewis
Associate

Valerie A. Gross focuses her practice on business technology transactions, including technology and business process outsourcing; systems integration; commercial agreements, including professional services and consulting agreements; and licensing and other technology-related agreements.

212.309.6953