Shortly after FTC staff published the results of their study on cross-device tracking (described in this prior blog post), the FTC issued its own comprehensive report on the topic.  In addition to highlighting many of the same benefits and privacy concerns raised by cross-device tracking, the FTC report provides an update on industry self-regulatory efforts in this area, along with practical recommendations for those involved in cross-device tracking, based on learnings from past FTC enforcement actions.

Self-Regulatory Efforts

In its report, the FTC praises the steps that have been taken by the National Advertising Initiative (the “NAI”) and the Digital Advertising Alliance (“DAA”) to address cross-device tracking thus far, but also notes certain areas that could benefit from clarification from both organizations.

  • In May 2015, the NAI released a guide for its members, which sets forth best practices for providing transparency about non-cookie technologies. One of its recommendations is that NAI members describe the non-cookie tracking in their privacy policies and make a “reasonable effort” to ensure that their publisher-clients include information about it in their privacy policies.
  • In November 2015, the DAA released its own guidance on the application of DAA Principles to cross-device tracking, confirming that the transparency and consumer control obligations in its existing principles apply to cross-device tracking. The DAA has said it would begin enforcing its 2015 guidance no later than this month – February 2017.
  • Notwithstanding these efforts, the FTC would like the organizations to provide further clarity on the effective dates of their various codes and principles, and the scope of their applicability. The FTC noted that the NAI’s May 2015 guidance did not officially update or amend the NAI Code of Conduct, and the guidance is not currently enforced by the NAI.  The FTC also noted that it isn’t clear whether NAI’s Code of Conduct, which applies to “data collected across web domains,” would include smart TVs and other new technologies which are not strictly web-based.

FTC Recommendations to Address Cross-Device Tracking

While the FTC’s recommendations largely track those announced in the prior Office of Technology, Research and Investigation report (and even more well-established principles enunciated in 2009 in the FTC’s Staff Report on Self-Regulatory Principles for Online Behavioral Advertising), the FTC’s report provides helpful real-world examples drawn from prior FTC enforcement actions.

  • Be Transparent. All companies engaged in cross-device tracking should disclose their tracking activities so consumers can make meaningful decisions about whether to opt out of certain tracking, silo their activities, or stop using a particular website, app, or service altogether. Be careful to:
    • Provide truthful information about your tracking practices. By way of example, Epic Marketplace was alleged to have engaged in deceptive practices under the FTC Act for promising that its tracking was “limited” when it actually used “history sniffing” technology to track consumers across the internet.
    • Notify consumers of third-party installations that may enable tracking on your services or devices. In March 2017, the FTC sent warning letters to app developers who had allowed software called Silverpush to be installed without informing consumers. The software is able to monitor TV content being played near the user’s mobile phone, which could then be used for targeted advertising and analytics.  The warning letters noted that none of the app developers disclosed to consumers that the apps could monitor the users’ television-viewing habits.
    • Provide notice to consumers of devices they may not expect to collect their information for cross-device tracking (e.g., smart TVs).
    • Be up front about the categories of data collected. The FTC highlighted the MySpace action as instructive, since MySpace had told consumers it did not share personal information with third parties even though it provided a FriendID to advertisers, which could easily be used to access consumers’ personal information. Remember that email addresses and usernames can contain personal information if they include actual names, and even hashed usernames and email addresses can often be subject to reidentification.
  • Give Consumers Choices. Companies should offer consumers choices with respect to their tracking activities and honor such choices. Be careful to:
    • Disclose any material limitations on the opt-out tools you offer. If you only offer an opt-out for certain tracking technologies, but not all, that should be clearly and conspicuously disclosed.
      • The FTC brought actions against two online advertising companies for alleged misrepresentations concerning the scope of the opt-out tools offered – one company claimed consumers could opt out of tracking with their browser-based opt-out tools, but the company continued to track consumers using flash cookies (which could not be addressed by a browser-based opt-out tool), and another continued to target ads to consumers through an identifier despite telling consumers they could opt out of interest-based advertising by instructing their browser to stop accepting cookies.
    • Coordinate disclosures with all parties involved – i.e., companies who engage third parties for cross-device tracking and the companies doing the cross-device tracking themselves.
      • In a past action brought against mobile ad network InMobi, the FTC alleged InMobi falsely represented to its app developer customers that its software would only track consumers’ locations when they opted in to such tracking via their device settings, even though it continued to track the locations of those consumers who had denied permission.
    • Inform consumers that they likely need to opt out of tracking on all of their devices unless a single opt-out solution is available.
  • Sensitive Data. Companies should not engage in cross-device tracking on sensitive topics such as health, financial and children’s information, and should not collect or share precise geolocation data, without obtaining affirmative opt-in consent.

  • Security. Companies should only collect data that they need and should not keep it any longer than necessary for business purposes.

As with so many areas of privacy and data security, the pace of technological change in this space far surpasses the speed with which regulators can meaningfully assess the risks and benefits. The more businesses playing in the cross-device tracking space can build privacy considerations into their product development and advertising campaigns up front, and treat data management as another element of enhancing a positive consumer relationship, the better.