FTC / DAA Extend Data Privacy Focus to Cross-Device Tracking
Enforcement of the Digital Advertising Alliance “Application of the Principles of Transparency and Control to Data Used Across Devices” (DAA Cross-Device Principles) officially began on February 1, just a week after the FTC issued a staff report discussing the application of the FTC Online Behavioral Advertising Principles in the context of “Cross Device Tracking” and suggesting that the DAA Cross-Device Principles, while commendable, could be stronger.
The DAA Cross-Device Principles are an extension of existing Self-Regulatory Principles for Online Behavioral Advertising, which require entities collecting data from particular devices over time and across non-affiliate web sites to take certain steps to provide consumers with notice, transparency and control with respect to such practices. The DAA Cross-Device Principles include requirements for providing such transparency and control when data collected from different devices is linked to track user behavior across such devices. Specifically, an entity collecting such data must include cross-device collection practices in its website notice regarding data collection and choice. Additionally, when a consumer opts out of data collection and use on a specific device, data collected from that device can’t be used for purposes on that device or any other device, and data collected from other devices can’t be used for purposes on the opted-out device.
The DAA Self-Regulatory Principles for Online Behavioral Advertising, issued in July 2009, were created to correspond with the FTC Staff Report on Self-Regulatory Principles for Online Behavioral Advertising issued in February of that year. In 2015, the FTC held a Cross-Device Tracking Workshop, which prompted the DAA to issue the Cross-Device Principles, enforceable February 1, 2017. The FTC’s staff report issued last week acknowledged and commended the DAA’s efforts (and efforts from the Network Advertising Initiative issuing guidance regarding use of non-cookie technologies, which is not yet enforced), but made additional recommendations to encourage publishers, cross-device tracking companies, self-regulatory organizations and even device manufacturers to further address issues arising from cross-device tracking. The FTC staff report recommendations include the following for companies engaged in cross-device tracking:
All companies engaged in cross-device tracking should truthfully disclose their tracking activities.
Cross-device tracking companies should provide truthful disclosures to both consumers and the first-party companies on whose websites and apps the cross-device tracking occurs, including the types of information they collect and use.
Developers and manufacturers of devices that track consumers should explain to consumers what information is collected from the device, the entities that are collecting information, and how they use and share the information collected.
Consumer-facing companies that provide raw or hashed email addresses or usernames to cross-device tracking companies should refrain from referring to the data as anonymous or aggregate and should be careful about making blanket statements to consumers stating that they do not share “personal information” with third parties.
Companies should offer consumers choices about how their cross-device activity is tracked and should respect those choices.
Any material limitations on how opt-out tools apply or are implemented with respect to cross-device tracking must be clearly and conspicuously disclosed.
If an opt-out tool is limited to only certain types of tracking technologies, the company must clearly and conspicuously disclose the limits of the opt-out.
Companies should continue to reassess technical limitations and simplify consumer choices wherever possible.
Sensitive Data—companies should refrain from engaging in cross-device tracking on sensitive topics (e.g., health, financial and children’s information), and from collecting and sharing precise geolocation information, without consumer affirmative express consent.
Security—Companies should keep only the data necessary for their business purposes and properly secure the data they do collect and maintain.
Since the FTC staff reports appears to be encouraging a level of consumer protection beyond that provided by the DAA and NAI, Companies should re-evaluate their cross-device tracking procedures in light of both the industry codes and FTC recommendations.