On January 23, 2017, fourteen months after hosting a workshop to review the multi-device, multi-platform digital landscape, the FTC issued a staff report on cross-device tracking. The report summarizes the FTC’s 2015 workshop on cross-device tracking and provides a set of related recommendations. The report’s recommendations for cross-device tracking echo the FTC’s guidance and enforcement priorities for other online practices—transparency, choice, affirmative consent for sensitive data collection, and reasonable security. The report also echoes themes from the FTC’s 2009 Self-Regulatory Principles for Behavioral Advertising report. Commissioner Maureen Ohlhausen noted in a concurring statement that the new guidance “does not alter the FTC’s longstanding privacy principles but simply discusses their application in the context of a new technology.”
In this post, we look at the FTC’s previous advice on cross-device tracking, key takeaways from the FTC report, and how the guidance aligns with the Digital Advertising Alliance’s (DAA) self-regulatory principles for cross-device tracking, which become enforceable on February 1, 2017.
The FTC explores the potential benefits and challenges of cross-device tracking, many of which were addressed in the 2015 workshop. Benefits recognized in the report include:
Improving consumer experience as they move between devices: As consumers increasingly consume content across a multitude of devices, tracking the devices consumers use allows companies to provide a seamless experience across these connected devices, without requiring repeated logins.
Reducing fraud and increasing security: When companies learn which devices a consumer uses they can alert the consumer when new devices are used to sign into accounts. And by reducing the number of times a user has to sign into an account the risk of bad actors obtaining login credentials is reduced.
Increasing ad quality: Graphing a consumer’s devices allows advertisers to deliver fewer and more relevant ads to the consumer.
Increasing competition in the advertising marketplace: Third parties that participate in cross-device marketing efforts can increase competition and innovation in the advertising ecosystem.
Challenges recognized in the report include:
Perceived lack of transparency: Consumers may not be aware that they are being tracked across devices, especially when tracking is based on probabilistic algorithms that infer the links between devices and consumers or when the tracking extends to wearables, smart TVs, or other connected devices. When consumers are not aware of cross device tracking, there is a possibility that interest-based advertising could be delivered in unexpected ways. The FTC illustrates this by noting that a teenager may not understand that advertising based on interests inferred from mobile device usage could be delivered on smart TVs or other devices used by family members. Such advertising could result in the inadvertent disclosure of information that the teenager would prefer to keep private, such as the teenager’s sexual orientation.
Effective opt outs: The FTC states that studies indicate that while Internet users are attempting to control the amount of data being collected about them, many of the current control mechanisms do not limit cross-device tracking.
Security concerns: The FTC asserts that cross-device tracking leads to greater aggregation of data—both personal and non-personal—about individual consumers, and that the data profiles will be an attractive target for hackers looking to obtain sensitive information or commit identity theft.
The FTC encourages companies to achieve the benefits and address the challenges of cross-device tracking by adopting the following principles:
- Companies engaged in cross device tracking (first or third party) should provide clear, meaningful disclosures about collection and use of data across devices.
- Disclosures should truthfully describe: (1) the information collected by a device, (2) the entities that are collecting that information, and (3) how the entities use and share the information they collect.
- Companies that claim they do not share personal information must not share data that is reasonably linkable to a consumer or a consumer’s device. The FTC takes the position that if data, including hashed email addresses, can reasonably be linked to an individual, it is personally identifiable information and companies should not refer to it as anonymous or aggregate.
- Companies should provide consumers with choices about cross-device tracking.
- The FTC recognizes the difficulty of providing a universal opt-out and instead suggests companies provide consumers with device-level choice mechanisms.
- If companies do offer a choice regarding cross-device tracking, the choice must extend to all tracking technologies unless the scope of the mechanism is clearly and conspicuously limited.
Affirmative Express Consent for Sensitive Data Collection
- Companies should not conduct cross-device tracking with sensitive data (including health, financial, children’s information, and precise geolocation data) unless a consumer provides affirmative express consent.
- Companies must “maintain reasonable security to avoid future unexpected and unauthorized uses of data.”
- Companies should limit data retention to the data necessary for business purposes and properly secure the data they do collect and maintain.
The FTC’s report is the latest in a series of FTC and self-regulatory guidelines for online advertising. FTC reports from 2009 and 2012 also address transparency and consumer control, reasonable security and limited retention for consumer data, and affirmative express consent for the use of sensitive data, among other things.
The DAA, an association formed by leading industry groups and consumer advocates, was formed soon after the 2009 report was published. Since 2009, the DAA has released a series of guidance documents, set up a program for companies to commit to these principles, created a consumer facing “ad-options” program that allow for consumers to opt-out of certain interest based advertising, and conducted dozens of interest-based advertising reviews as well as settled cases where companies failed to adhere to their guidelines. Notably, while companies may join the DAA through a process that involves a public commitment to DAA principles, the DAA can and has enforced its principles against non-member companies.
As noted above, the DAA’s November 2015 cross-device tracking principles will be enforceable as of February 1, 2017. The DAA principles apply prior behavioral advertising notice, choice, affirmative consent for sensitive data collection, and reasonable security. Key differences between the DAA principles and the FTC’s recommendations include the DAA’s more limited definition of “sensitive data” (health and precise geolocation data only) and that the DAA provides more context around legitimate uses that do not warrant consumer choice. For example, the DAA principles do not require that companies provide consumers with the ability to limit cross-device tracking when the information is used solely for operational or systems management (such as billing or product fulfillment), market research, or when the data will go through a de-identification process soon after it is collected. And the FTC’s report notes that the DAA principles are not clear if they apply to non-traditional connected devices such as connected televisions, wearables, appliances, cars, and the multitude of other connected devices.
The FTC’s report, which follows a January 5, 2017 publication by their Office of Technology Research and Investigation that utilized a quantitative approach to reach similar conclusions, indicates that FTC staff views cross-device online advertising and profiling practices as an important issue warranting continued attention At this time it is unclear whether and how the FTC’s enforcement practices will change under the new administration. But if the FTC ends up being less active on the enforcement front, state attorneys general and the DAA’s enforcement bodies may step up efforts to safeguard consumers by ensuring companies involved in cross-device tracking abide by the principles of transparency, choice, and security. For companies with a global footprint, many of the same considerations addressed in the FTC report are addressed in the EU’s General Data Protection Regulation (GDPR), particularly when it comes to profiling or may be addressed in the EU’s forthcoming e-privacy regulation.
Charlie Wood, an associate in our Washington, D.C. office, contributed to this post.