Have you ever been on your smartphone, browsing your favourite online retailer, only to later find their ads appear on your desktop?

This is a common example of cross-device tracking, which occurs when companies connect a consumer’s activities across their smartphones, tablets and desktop computers. The Federal Trade Commission’s (FTC) (the US equivalent of the ACCC) recent report on cross-device tracking advises companies using the technology on how to improve transparency, choice and information security for consumers.

Who uses cross-device tracking and how does it work?

Companies that provide goods and services use cross-device tracking to learn about consumers’ online behaviour and target their ads accordingly. Third-party advertising platforms and analytics companies also use it.

Cross-device tracking can be done through consumer-identifying characteristics, which is usually a login. Even if a consumer hasn’t logged in, companies can still infer which consumer is using a device e.g. by matching the IP address on devices.

Problems with cross-device tracking

The drawbacks outlined in the FTC report are:

  • lack of consumer awareness that cross-device tracking is happening or the scope of it
  • the risk of unauthorised access to the large amounts of often highly sensitive information being collected e.g. health information collected through wearable apps
  • limited ways for consumers to limit or opt-out of cross-device tracking.

What should companies do to protect consumers?

The FTC has recommended that companies using cross-device tracking:

  • tell consumers about what information is collected, the entities collecting information and how they use and share it
  • offer consumers tools to limit or opt out of cross-device tracking and disclose any limitations to them
  • refrain from cross-device tracking on health, financial and children’s information without consumers’ express consent
  • retain only the data needed for their business purposes and properly secure this data.

In many ways the FTC recommendations align with the principles of Australian privacy and spam laws designed to protect consumers. In Australia, businesses and agencies must comply with the privacy legislation when collecting personal information. For example, the business or agency must notify individuals of certain matters when collecting their personal information, such as the fact that they’re collecting it, the purpose for collection and other entities to whom the personal information is usually disclosed (Australian Privacy Principle 5). SPAM laws are also relevant when sending ‘electronic commercial messages’ such as SMS advertising (as a general rule, consent is required to send a commercial electronic message).

Final thoughts

Cross-device tracking is only likely to become more appealing as companies strive to further personalise their marketing via increasingly available consumer data. Australian companies taking advantage of cross-device tracking should ensure that their collection, use and disclosure of data which is personal information complies with the applicable privacy legislation. Any electronic marketing must comply with privacy and SPAM laws.

It will also be interesting to see if Australian regulators specifically address cross-device tracking given the precedent set by the FTC. Watch this space.