The Federal Trade Commission (FTC) recently released its staff report on Cross-Device Tracking.
Cross-device tracking refers to the tracking of consumer activity across multiple devices such as smartphones, desktops, tablets and other connected devices. It helps companies understand consumer behavior better. The tracking can be deterministic (where a user logs into multiple devices affirmatively identifying the device as his/hers) or probabilistic (companies infer cross-device activity using factors like common IP address). Benefits include account security, fraud detection, targeted advertising and a seamless online experience.
While there are benefits, the report identifies challenges in protecting consumer privacy and offers recommendations to address them. The key areas of focus in the report are transparency, choice, heightened protections for sensitive data and reasonable security.
Transparency
The report observed that out of hundred popular websites reviewed by the FTC staff, cross-device tracking was enabled in 87 of them. Out of those, only three policies expressly mentioned that third-party cross device tracking was enabled.
The report recommends providing meaningful information to consumers about cross-device tracking to help consumers decide whether to use existing opt-out tools, attempt to silo their activities or stop using a website, app or service. For cross-device tracking companies, the report recommends that they provide truthful disclosures to consumers and to first party companies on whose websites and apps the tracking occurs, so that these first party companies can further make adequate disclosures. The report places the onus of transparency on publishers and device manufacturers as well. Specifically, it also recommends transparency as to the types of data collected.
Choice
Companies must offer choice to consumers as to how their activity is being tracked across devices and must respect choices made. If opt-out tools are provided, material limitations on how they apply or are implemented must be clearly and conspicuously disclosed.
Heightened Protection for Sensitive Data
The report recommended that companies refrain from tracking on sensitive topics including health, financial, and children’s information without a consumer’s affirmative express consent. In addition, it recommended refraining from collecting and sharing geolocation information without affirmative express consent. This is in line with the FTC’s prior statements on this issue that these types of data warrant higher levels of protection.
Reasonable Security
The report discusses the obligation of companies using cross-device tracking to maintain reasonable security. It calls for data minimization, i.e., recommends that companies only keep data necessary for business purposes and secure the data they collect or maintain.
While the report commends the industry self-regulatory efforts by the Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA) to address cross-device tracking, it also suggests that these organizations could strengthen their efforts further in line with this report. NAI’s guidance on non-cookie technologies as referenced in this FTC report is here. DAA’s cross-device guidance (available here) which it intends to enforce from February, 2017 is also referenced in the report.