Earlier this month, the FTC announced that a third-party study and report on cross-device tracking had been completed by the Office of Technology, Research and Investigation (“OTech”), following up on their presentation on this topic at the FTC’s 2015 workshop. The FTC released its own report on cross-device tracking last week, which will be covered in a subsequent blog post. OTech’s study focused on: 1) what information companies are collecting and may be using to track consumers across devices, and 2) what companies are disclosing about their cross-device tracking in privacy policies or otherwise (the answer is not much!).
OTech’s report underscores the fact that, while increasingly sophisticated data tracking and matching technologies are being developed and used regularly by those in digital advertising, the data subjects (i.e., regular consumers like you and me, who browse the internet across multiple devices) are often kept in the dark about how their data is used and tracked for these purposes. OTech’s study, along with the FTC’s 2015 workshop and their own recently released staff report, make clear that this is an area of concern for government regulators, not to mention other self-regulatory bodies in this space – notably, the Digital Advertising Alliance plans to enforce its 2015 guidance on cross-device tracking for its members beginning in February 2017. Read on to see what steps companies should be taking to ensure they comply with the latest best practices on cross-device tracking, as per the OTech report.
Taking a Step Back… What is Cross-Device Tracking and Why Do Advertisers Use It?
Cross-device tracking is the practice of tracking and identifying web users across multiple devices. Or, put another way, cross-device tracking involves the collection, sharing, and matching of data gathered from multiple internet-connected devices (phone, desktop computer, tablet, smartTV, etc.), in order to confirm that those devices are being used by the same person.
This tracking can be used to generate a detailed profile about a particular user’s online behavior across multiple devices. Advertisers, in particular, find this information valuable for market research, retargeting ads to consumers based on their specific preferences and interests, and measuring conversion rates across devices (i.e., measuring those instances where a particular consumer clicks on an ad on one device and then makes a related purchase on another device).
There are two widely-recognized types of cross-device tracking: Deterministic and probabilistic.
- Deterministic cross-device tracking is when users are asked to log in to websites and apps on every device they use. This allows the operators of those platforms to track their users across devices, linking the devices to a single user account with the same login information. Examples include Facebook, Twitter and Google, which require users to log in no matter what device is used to access those platforms.
- Probabilistic cross-device tracking involves the collection and use of various data points, such as device type, operating system, IP address, location services, and browsing history, to link multiple devices to a single user, based on predictive algorithms that take into account typical patterns of consumer engagement with multiple devices. Probabilistic tracking can be more concerning from a privacy perspective because, as the FTC noted in connection with its 2015 workshop, it’s “generally invisible to consumers, and unlike tracking through cookies, the consumer has no ability to control it.”
The OTech Study – What It Found and What It Didn’t
As part of its study, OTech visited the top 20 sites for news, sports, shopping, games and reference (100 sites total) on two different devices to determine what information was being collected and shared across the two devices.
Here’s what they found: While there was no definitive evidence that companies observed in the study were engaged in cross-device tracking, they had the capacity to do so. The visited websites collected and shared with other third-party sites all kinds of information that would allow them to track user behavior across the different devices, as demonstrated in the findings below.
- 861 third-party domains collected data on both devices, including domains associated with companies who specialize in probabilistic cross-device linking
- 106 third-party domains shared unique, browser-specific cookie identifiers with 210 other third-party firms including dedicated cross-device tracking companies
- At least 16 of the 100 sites reviewed shared personally identifiable information — or hashed personally identifiable information – including email addresses or user names — with 60 different third-party domains.
Here’s what they didn’t find: Despite the figures listed above, many of which suggest cross-device tracking was likely happening, there was barely any disclosure of such tracking in the companies’ applicable privacy policies.
The report notes that the privacy policies for the websites it observed “contained little explicit discussion of cross-device tracking specifically, or whether consumers had the ability to turn off cross-device linkage.” Of the 100 websites assessed, OTech found that just three provided any information about enabling third-party cross-device tracking.
As cross-device tracking technologies become more sophisticated, advertisers will rely on such technologies with increasing frequency to create and serve more effective and innovative advertising. The FTC’s workshop and this third-party study demonstrate, however, that regulators consider cross-device tracking to be a potential minefield for privacy concerns, both because the technology is becoming more complicated and because consumers have limited visibility into how it works and when it’s even being used. Those in the digital advertising space should take heed of this report and the DAA’s guidance by applying the core privacy principles of transparency, notice, and choice to these practices.
In particular, advertisers and related parties engaged in cross-device tracking should:
Be Transparent and Provide Notice
- Clearly disclose in privacy policies whether they (or any third parties with whom they share information) are engaged in cross-device tracking and how such “device-aggregated” data is being used;
- Consider updating agreements with clients and service providers to ensure they have disclosures on cross-device tracking in their privacy policies
Give Users Choices and Honor Their Preferences
- Tell users in privacy policies (or other notifications, if applicable) how they can opt-out of device linkage, including by providing links to any third-party sites where consumers can indicate these preferences. For users, this could involve the laborious process of opting out on each of their devices and browsers and checking regularly to ensure those preferences are maintained.
- Honor consumer opt-outs across all devices associated with that user. This means that if a user opts out of cross-device tracking on one device, data collected from that device should not be used to serve them ads (or for any other purpose) on any of their other devices, or shared with unaffiliated third parties.