Well over a year after holding a workshop addressing privacy issues associated with cross-device tracking, Federal Trade Commission (“FTC”) staff have issued a report. The report sets the stage by describing how cross-device tracking works, noting its “benefits and challenges,” and reviewing (and largely commending) current self-regulatory efforts. The report also makes recommendations, which—while building upon the staff’s traditional themes of transparency and choice—do not introduce any materially new suggestions for compliance. The staff’s recommendations do not have the force of law, but they do indicate the steps that the staff believes a company should take in order to avoid a charge of unfairness or deception under Section 5 of the FTC Act.
A Quick Review of Cross-Device Tracking
As more consumers utilize multiple devices in their daily lives, more and more companies are using new technologies to attempt to ascertain that multiple devices are connected to the same person. This is generally done through the use of either deterministic information (e.g., by recognizing a user through the log-in credentials he or she uses across different devices) or probabilistic information (i.e., by inferring that multiple devices are used by the same person based on information about the devices, such as IP address, location, and activities on the devices). As the FTC staff note in the report, cross-device tracking provides many benefits. For instance, it enables a seamless experience for users across their devices and can also help improve fraud detection by identifying devices not previously associated with a known user. Moreover, cross-device tracking facilitates a better online advertising experience by, among other things, more effectively targeting advertisements to users. The practice also, however, raises privacy concerns because it may not be adequately disclosed to consumers, and consumers may not be able to readily control it.
State of Play
In response to earlier FTC statements on the privacy issues raised by cross-device tracking, industry expanded the existing interest-based advertising (“IBA”) self-regulatory regime to specifically address cross-device tracking. As we noted this past fall, enforcement of the Digital Advertising Alliance (“DAA”) cross-device tracking principles will begin on February 1, 2017. The principles apply the DAA’s IBA self-regulatory notice-and-choice regime to cross-device tracking if browsing activity on one device is used to deliver ads on another device. In such scenarios, the DAA principles require that consumers be provided with a device-specific opt-out from both (1) the collection of data on the specific device in order to deliver IBA on other devices; and (2) the delivery of IBA on that device based on information collected from another device.
The Staff Report—Status Quo Preserved?
While the report commends the IBA self-regulatory efforts of both the DAA and the Network Advertising Initiative, it also suggests that they could “strengthen their efforts.” Importantly, however, the report does not suggest changes to the notice and choice required by the DAA principles at this time. There had been some speculation that the staff might recommend that consumers be given a single way to opt out across all of their linked devices. It did not. Instead, staff acknowledged that current technological limitations would make it difficult to offer such a universal opt-out. The staff did suggest that companies “continue to reassess technical limitations and simplify consumer choices whenever possible.”
While not upsetting the current self-regulatory approach, the report, nonetheless, provides suggestions about how basic privacy principles can be adapted to cross-device tracking:
Transparency. The report recommends increased transparency and truthfulness, including about the types of data collected and how it is used and shared. Reinforcing statements by outgoing FTC Chairwoman Edith Ramirez, the report states that personally identifiable information includes any information that can be reasonably linked to a consumer or a consumer’s device. The staff accordingly suggests that “companies that provide raw or hashed email addresses or usernames to cross-device tracking companies should refrain from referring to this data as anonymous or aggregate, and should be careful about making blanket statements to consumers stating that they do not share ‘personal information’ with third parties.”
Choice. Any opt-out that a company offers must be clear and effective. Moreover, its scope must be accurate and not misleading. For example, if an opt-out is effective only with respect to the device from which it is exercised, that fact should be clear from the opt-out instructions, and consumers should not be led to believe that the opt-out extends to all of their devices.
Opt-In for Sensitive Data. Consistent with the FTC’s overall approach to sensitive data, the report recommends that companies obtain express consent to collect four types of sensitive information: health, financial, precise geolocation, and children’s information. Companies are encouraged to take a broad approach in this regard, given the ease with which sensitive information may be pieced together from activity across devices. For example, the use of a diabetes mobile app or a visit to an AIDS education website could be tantamount to the collection of sensitive information.
Security. The report recommends that companies have reasonable security measures in place to avoid unauthorized access to and use of the personal information within their control. As part of this, and consistent with the FTC’s standard refrains regarding data minimization and deletion, the report recommends that companies keep only the information that is necessary for their business purposes.
Cross-device tracking is becoming more prevalent, and the FTC is paying attention. Companies involved in tracking and targeting users across devices should consider the report’s recommendations when designing or revisiting their compliance strategies.