Cross-device tracking is a hot new issue for regulators. Companies engaged in the practice should take note of two recent developments. On November 16, 2015, the Federal Trade Commission (FTC) hosted a workshop on the issue and, perhaps not coincidentally, on the same day the Digital Advertising Alliance (DAA) addressed the applicability of its interest-based advertising (IBA) self-regulatory regime to the practice.
Cross-device tracking enables companies to ascertain—either definitively or with a high degree of probability—that multiple devices are connected to the same person. There are two ways to do this.
The first way is through deterministic identifiers, such as login information. For instance, if a user logs into web-based email on two devices (a laptop and mobile phone, for example), the email service can determine that the two devices belong to the same user.
The second way is probabilistic identification, which uses information collected from separate devices (such as an IP address, location, and activities on those devices) to infer that the devices are used by the same person.
At the FTC workshop, panelists, FTC staff and FTC Chairwoman Edith Ramirez all expressed concern that cross-device tracking is inherently different from tracking users on a single device. In particular, they noted that, while the technology provides benefits to consumers (such as a seamless cross-device experience), it has the potential to be harmful from a privacy perspective because it crosses physical borders that consumers may intentionally establish between their devices. That is, consumers may not want anybody to know that their work devices, their personal laptops, and their tablets all reflect activities by the same person.
The FTC seemed to differentiate two aspects of information collection and use related to cross-device tracking: (1) information collected and used for the purposes of tying two or more devices to the same user and (2) information collected and used for IBA purposes, which may include information collected to tie devices together.
At its workshop, the FTC appeared to signal that it expects companies to provide a robust notice and choice regime not only with respect to the ways in which data is collected and used to facilitate cross-device tracking (i.e., to simply tie devices together), but also with respect to the use of data collected and collated across devices for IBA purposes. That is, first parties (such as website publishers and apps) should disclose that information may be collected from users for purposes of cross-device tracking, and users should be able to opt out of the collection of information from a device for purposes of linking it to other devices—and not just for purposes of IBA.
Furthermore, FTC staff suggested that a failure to precisely describe the scope of an opt-out (such as by suggesting that a user’s opt-out of cross-device tracking on one device would propagate to all of the user’s devices) may be considered an unfair or deceptive practice in violation of Section 5 of the FTC Act.
The new DAA cross-device principles do not go as far as the FTC would appear to like, but they do apply the DAA notice and choice regime to cross-device tracking. (For more on this regime, see our June 19, 2015 Privacy Minute on the DAA’s mobile guidance.) As a result, the new guidance requires entities that collect data for IBA purposes from one device for use on a different device to provide notice that, among other things, “data collected from a particular browser or device may be used with another computer or device that is linked to the browser or device on which such data was collected.” In other words, users need to be provided with notice if their browsing activity on one device may be used to deliver advertising to them on another device.
In addition, the principles affirm that users must be provided with choice regarding the collection and/or use of their information for IBA from a particular device or from sharing with another party. That is, instead of requiring a global opt-out, which is what the FTC seems to be advocating, the DAA requires only a device-specific opt-out from: (1) collecting data on the device to deliver IBA on another device and (2) delivering IBA on a device based on information collected on another linked device.
In light of the DAA’s foray into cross-device tracking, and the FTC’s heightened interest in this space, companies should tread cautiously if they track and/or target users across devices.