Last year, the Federal Trade Commission (FTC) released a staff report on Cross-Device Tracking, which added to the FTC's efforts to regulate emerging issues in the ever-evolving area of online behavioral advertising. The advertising in question involves the collection of data from a particular computer or device regarding a user's Internet-viewing behavior over time and across non-affiliate websites. Ostensibly, this technology obtains user preferences or interests. Cross-device tracking is the logical next step for this technology.

This cross-device tracking enables online behavioral advertising to be coordinated across a user's various devices such as smartphones, tablets, computers, game consoles and Internet-connected televisions. Using both behavioral advertising and cross-device tracking has grown since the release of the FTC study and shows no signs of stopping in 2018.

Within the guidance, the FTC acknowledges the benefits of both behavioral and cross-device tracking, but remains concerned with the privacy and consumer protection challenges raised by these systems. On the one hand, the FTC cites the benefits of a seamless experience for consumers across their devices, such as when they check email, read a book or watch a movie. Cross-device tracking also enables improved fraud detection and account security by providing companies with more options to protect a consumer by identifying a new device and requiring authentication through a known device. On the other hand, however, the FTC raises concerns over consumer transparency with the technology, particularly given that the scope of cross-device technology in this space is not understood by a majority of the public.

The Drawbacks

A large issue with both behavioral advertising and cross-device tracking is that the approach to the practice is not uniform.

Vendors for financial services firms can create many different user experiences and deploy various technologies that can accomplish the goal in different ways. For example, a vendor can track a user through traditional cookies, flash cookies, Web beacons and countless other technologies, all of which may require different optout methods. A vendor can also positively identify the same user across multiple devices using login information or other personally identifiable information commonly called the "deterministic method."

Alternatively, a vendor can track and identify a probable user through nonpersonal data, such as an IP addresses. This practice is known as a "probabilistic method." As the proprietor of a website, a vendor must understand the technology and the methods being utilized by its marketing partners to properly disclose the practices and technology to the proprietor's consumers. This requires a level of due diligence that many proprietors fail to perform. Without proper controls and policies governing these practices, a website proprietor's regulatory, reputational and litigation risks all increase dramatically.

For those in the financial services industry, these leaps in technology can pose greater threats to those utilizing the services than those in less heavily regulated industries. For example, if lenders employed these technologies to capture data that contain contact information, the lenders can find themselves in violation of federal consumer protection regulations such as the Fair Debt Collections Protection Act (FDCPA), the Telephone Consumer Protection Act (TCPA), Equal Credit and Opportunity Act (ECOA), or the Dodd-Frank Act protections under the Unfair Deceptive or Abusive Acts (UDAAP) regulations.

Lenders are put under greater scrutiny regarding how they are using and storing the data collected and how these processes are disclosed to their consumers. Legal and compliance departments within lenders are often surprised at the magnitude of regulatory liability these practices can create. For example, if your advertising department has free reign to create the parameters of whom your institution is targeting for behavioral advertising, will any thought be given to the fair lending impact those choices may have? In another hypothetical, is your marketing department deploying technology that may return contact information for borrowers? If so, is your institution aware of how that data is stored and utilized? If not, the lender may be facing violations under the TCPA and the FDCPA.

Best Practices

To avoid these risks, address privacy concerns and improve consumer transparency regarding cross-device tracking and behavioral advertising, financial services industry professionals should take the following steps:

1. Be transparent about your data collection and use practices by truthfully disclosing your tracking activities. Draft and deploy both an enterprise-wide privacy policy and an online privacy policy.

2. Provide choice mechanisms that give consumers control over their data and, when you offer such choices, ensure that they are respected. To the extent opt-out tools are provided, any material limitations on how they apply or are implemented regarding cross-device tracking must be clearly and conspicuously disclosed.

3. Provide heightened protections for sensitive information, such as financial information, meaning express consent should be granted by a consumer prior to engaging in cross-device tracking on these and other sensitive topics.

4. Maintain reasonable security over the collected data. Companies should keep only the data necessary for their business purposes and they should properly secure the data they collect and maintain.

5. Create controls around which departments can unilaterally deploy third-party online marketing vendors. Many times, smaller lenders may be unaware of what their marketing departments are doing within the digital space and may be unaware of the regulatory risks these activities could create.

6. When negotiating the scope of services with digital advertising vendors, ensure that your legal and compliance partners review any change in technology or scope.

7. Review your online privacy disclosure annually to ensure the necessary updates are made to the policy.


With the technology that drives data collection evolving daily, the regulators of financial serves are taking notice. The best way to avoid the reputational, litigation and regulatory risks associated with this space is to: 1) fully (if not, over-) disclose your activity and technology to your consumers; 2) maintain strict controls over the deployment of the services and technology; and 3) maintain a robust third-party vendor oversight function, which contemplates the regulatory implications that occur within the digital marketing space.