On January 23, 2017, the FTC released a Staff Report (the Report) on cross-device tracking, a commonly used practice that allows companies to associate multiple internet-based devices with the same consumer in order to track behavior across devices.

The Report follows the FTC’s Workshop on cross-device tracking, and alerts companies engaged in cross-device tracking of certain best practices for avoiding potential violations of applicable law and regulations.

Specifically, the Report recommends that companies engaged in cross-device tracking: (1) be transparent about their data collection and use practices; (2) provide choice mechanisms that give consumers control over their data; (3) provide heightened protections for sensitive information, including health, financial, and children’s information; and (4) maintain reasonable security of collected data.

Overview of Cross-Device Tracking

Tracking allows companies to track a consumer’s activity across smartphones, tablets, desktop computers, and other connected devices. This provides advertisers with a much stronger understanding of the consumer, which has valuable implications for advertising. For example, retailers that use tracking technology would be able to see that a customer made a purchase on her smartphone after seeing an ad on her work computer. It can also help advertisers tailor ads to consumers, for example, to send advertisements about a belt to match a pair of shoes she previously bought from the retailer.

To engage in cross-device tracking, companies use both “deterministic” and “probabilistic” techniques. Deterministic techniques are used to track consumer behavior based on the affirmative use of a consumer-identifying characteristic, such as the consumer’s login credentials. For example, when a consumer logs in to an online platform on a number of devices, the consumer’s behavior on one device can be used to inform targeted advertising through the same platform on the consumer’s other devices.

Probabilistic approaches, by contrast, involve inferring which consumer is using a device, even when a consumer has not logged in to a service. A common example of this is IP address matching, whereby devices using the same IP address — e.g., a cell phone, laptop, and smart television on the same local network — are presumed to belong to the same consumer. Similarly, if a consumer’s smartphone uses the same IP address as her work computer during business hours, and then uses the same IP address as her home computer during non-business hours, an ad platform might infer that the work computer, smartphone, and home computer belong to the same person. Or if several devices visit the same unusual combination of websites, a platform might infer that the devices belong to the same user.

Often, companies that collect and use deterministic data — e.g., email providers, social networks, or shopping sites — will work with entities engaged in probabilistic tracking in order to learn even more about the consumer’s behavior.

The FTC’s Report

The FTC Report is based, in part, on FTC research relating to cross-device tracking, which involved testing 100 popular websites on two separate devices. The study found, among other things, that third-party technology tracking technology was embedded in at least 87 of the 100 websites, and that 861 third parties were observed connecting to both devices. The study also found that 96 of the 100 websites allowed consumers to submit a username or email address, and 16 of the websites shared the username or email with third parties.

The FTC Report recognized that tracking has several benefits, such as giving consumers a more seamless user experience across their devices, providing increased fraud detection and security, and allowing marketers to provide a better experience for consumers by delivering more relevant ads.

The Report focused more heavily on privacy challenges tied to cross-device tracking. For example, many consumers do not realize that they are being tracked across devices, especially by probabilistic approaches. Consumers may also not realize that cross-device tracking is often not limited to cell phones, tablets, and laptops, but that their information may also be tracked from smart televisions, wearable devices, and even in-person purchases made in brick-and-mortar stores. The number and variety of entities with access to consumer information, including third-party advertising networks that have no relationship to the consumer, creates an additional privacy concern. Additionally, data collected through cross-device tracking may include highly-private personal information which, if exposed through a security breach, could result in considerable consumer harm. For example, by connecting searches made from a smart phone about baby monitors to a laptop search for maternity clothes, a company could infer that the user is pregnant; an additional search of “preeclampsia” could lead the data aggregator to infer that the user may have a high-risk pregnancy, a medical condition that the user may not have intended to share.

The Report makes a number of recommendations to companies engaged in cross-device tracking, namely:

  • That companies engaged in cross-device tracking fully disclose to consumers their use of cross-device tracking practices and the extent of those practices, including the nature of any data collected. That such companies provide opt-out tools or other ways for consumers to limit cross-device tracking.
  • That companies refrain from engaging in cross-device tracking of sensitive information, including financial, health, children’s information, or precise geolocation data, without first obtaining the express consent of the consumers to whom the information belongs.
  • That companies take necessary security steps to protect the data they collect in the process of tracking consumers’ activity across devices.

The Report recognized that the Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA) have already taken steps to self-regulate with regard to non-cookie tracking (and for the DAA, cross-device tracking more specifically), but advises that both organizations could strengthen their efforts to address cross-device tracking.

In a concurring statement on the Report, FTC Commissioner Maureen K. Ohlhausen said, “[T]oday’s Report does not alter the FTC’s longstanding privacy principles but simply discusses their application in the context of a new technology.” The Commission voted 3-0 to issue the Report.

Considerations for Companies Engaged in Cross-Device Tracking

In light of the FTC Report, companies engaged in cross-device tracking should review their current practices, and ensure that their privacy policies and other relevant consumer-facing policies adequately describe any cross-device tracking activities and provide a way for customers to opt out of being tracked. Companies that fail to fully, conspicuously, or accurately disclose the extent of tracking activities may face liability. (See my previous post, here.)