FTC issues report and guidelines on cross-device tracking

Given audience fragmentation across devices and platforms, there has been a dramatic increase in the use of tracking and data to get a more complete view of the customer. Cross-device tracking is now on the Federal Trade Commission’s (FTC’s) radar, as a kind of more sophisticated sibling of behavioral targeting.

Last fall, the FTC held a workshop for stakeholders and interested parties in Washington, D.C. Earlier this week, it released a report based on on that meeting providing an overview of the state of cross-device tracking and making recommendations about privacy, consumer consent and security.

The FTC report discusses the two types of tracking: probabilistic (data matching) and deterministic (signed-in usage). In its research, the agency found that nearly 90 percent of the sites it examined were engaged in some version of cross-device tracking, either through first-party logins or device/data matching.

However, the agency didn’t condemn cross-device tracking. Indeed, it identified five primary benefits:

• Helps create a seamless experience for consumers across their devices.
• Improves fraud detection and account security.
• Enables marketers to provide consumers with a better online experience.
• Helps companies avoid the oversaturation of ads and deliver more relevant ads.
• Enhances competition in the advertising arena.

On the other hand, the FTC flagged a number of concerns and privacy issues:

• Most consumers are not aware of how extensive cross-device tracking is.
• Consumers are largely unaware of data matching and probabilistic tracking when they’re not signed in.
• Most companies are not discussing cross-device tracking in their privacy policies.
• Consumers are not aware of the sharing of data with many third party services and networks.
• Consumers who aren’t happy about cross-device tracking don’t have many options to control its use.
• Cross-device tracking and corresponding mass data aggregation may represent a hacking/security concern.

In the report, the FTC lauded self-regulatory efforts by the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA) but concluded that they didn’t go far enough. The agency makes a set of recommendations it would like to see implemented accordingly. I have paraphrased the recommendations at the highest level:

• Transparency: Companies engaged in cross-device tracking — both the companies themselves and publishers who hire these companies — should truthfully disclose their tracking activities. Another aspect of transparency is making truthful claims about the categories of data collected.
• Choice: Companies should offer consumers choices about how their cross-device activity is tracked. When companies offer such choices, the FTC Act requires that companies respect them. To the extent opt-out tools are provided, any material limitations on how they apply or are implemented with respect to cross-device tracking must be clearly and conspicuously disclosed.
• Data sensitivity: Companies should refrain from engaging in cross-device tracking on sensitive topics, including health, financial and children’s information, without consumers’ affirmative express consent. They should also refrain from collecting and sharing precise geolocation information without consumers’ affirmative express consent.
• Security: Companies must maintain reasonable security, in order to avoid future unexpected and unauthorized uses of data, including by hackers and other wrongdoers who could access the data via a data breach. Companies should keep only the data necessary for their business purposes and properly secure the data they do collect and maintain.

There are nuances with each of the above, as well as examples discussed — including companies that have run afoul of the guidelines. It’s worth taking a look because the FTC implies that failure to abide by its recommendations could subject companies to sanctions.