FTC Releases Report on Cross-Device Tracking
On January 23, 2017, the Federal Trade Commission (FTC) released a report, Cross-Device Tracking: An FTC Staff Report (Report), that set out recommendations for companies that collect and use consumer data across multiple devices. Although styled “recommendations,” the FTC will likely view deviations from the guidelines set out in the Report as unfair or deceptive practices under Section 5 of the FTC Act. Companies that use and collect data across multiple devices should be aware of the FTC’s recommendations and take steps to ensure that they are acting in accordance with the recommendations.
Background on Cross-Device Tracking
Cross-device tracking links multiple devices (e.g., smartphones, tablets, personal computers, and Internet of Things devices, like wearables and smart televisions) with the same user, thereby providing a greater understanding of a user’s habits. The FTC breaks this tracking down into two categories: deterministic and probabilistic tracking.
Deterministic tracking is when a company is able to link a user to a device through an identifying characteristic, such as a login. Every device that logs into that same account will be associated with the same user. For example, if a user logs into the same Gmail account from an iPhone and work computer, those devices would be linked, allowing for browsing habits on the iPhone to inform ads on the work computer.
Probabilistic tracking is when a company infers that a user is connected to a device through indirect means. Probabilistic tracking can take many forms, but the two most common are IP matching and geolocation. For example, all devices that are linked with a user’s home IP address might be linked. Or two smartphones (a work phone and personal phone) might have similar geolocation data and similar browsing history, suggesting that the two devices should be linked to the same user. Probabilistic tracking is “third party,” meaning that a company does not need to have a direct connection with a user—like a login to an email account—to track their activity.
The FTC recognized that cross-device tracking has benefits. These benefits include more nuanced and nimble advertising. If a user purchases a new pair of shoes on a work phone, the user’s home phone might stop displaying ads for shoes and instead switch to ads for matching belts. The benefits can also be more substantial, including protecting against fraud. For example, financial institutions that have a detailed awareness of the devices in a consumer’s ecosystem are better able to recognize fraudulent activity. If a bank determines that a request to transfer funds is from a smartphone that has never been associated with its customer, it can take steps to require greater authentication before processing that transaction.
The FTC also raised several privacy concerns with cross-device tracking, and in particular with probabilistic tracking. Unlike deterministic tracking, the FTC felt that probabilistic tracking may present particular risks for consumers because it can be done even when a user is not logged into a service on a device. Consumers may have difficulty determining who is collecting their information or what information is being collected.
As the FTC described, “Not only is the practice of cross-device tracking opaque to consumers but so are the myriad entities that have access to, compile, and share data in the tracking ecosystem. While a continuous experience may be intuitive when a consumer logs into the same service on different devices, third-party advertising and analytics companies with which the consumer has no relationship may also track her activity across devices.” The FTC further recognized that because probabilistic tracking does not require a direct relationship with the entity collecting the data, consumers may have few options to control the collection of data.
The FTC made four specific recommendations to companies that engage in cross-device tracking.
First, the FTC stated that due to the “invisible” nature of cross-device tracking, companies should be transparent with users about their practices, including explaining to consumers what information is collected from the device, the entities that are collecting information, and how they use and share the information collected. The FTC stated that this was not just limited to companies that collect data across devices, but that “all companies engaged in cross-device tracking—both the companies themselves and publishers who hire these companies—should truthfully disclose their tracking activities.”
Second, the FTC stated that companies should offer consumers choices about how their activity is tracked. The FTC endorsed an opt-out regime for the cross-device collection of all data not considered “sensitive data.” Specifically, the FTC stated that, “To the extent opt-out tools are provided, any material limitations on how they apply or are implemented with respect to cross-device tracking must be clearly and conspicuously disclosed.”
- Sensitive Data
Third, the FTC stated that companies should provide heightened protections for sensitive information, including health, financial, children’s information, and location information. Unlike the opt-out regime for non-sensitive data, the FTC recommends an opt-in regime for these data types. The FTC said that these types of data could only be collected across devices with a “consumer’s affirmative express consent.”
- Maintain reasonable security of collected data
Finally, the FTC recommends that companies maintain “reasonable security” to protect data collected across devices, adding that “companies should keep only the data necessary for their business purposes and properly secure the data they do collect and maintain.”
Greatest Risk of Future Enforcement Actions
The FTC’s recommendations for higher protections for certain sensitive categories of data and “reasonable” cybersecurity are in line with past FTC pronouncements. The FTC’s recommendations for transparency and choice in the context of cross-device tracking, however, present new challenges to implementation, as discussed below.
The FTC’s call for transparency goes beyond recommending that a company be truthful about its own practices. Recognizing that cross-device tracking covers multiple companies, many of whom do not interact directly with consumers, the FTC expressed concern that consumers would not get complete information about cross-device tracking based solely on their interactions with “first-party” companies. To remedy the “invisibility of data collection,” the FTC recommends that companies “coordinate” throughout a user’s ecosystem to create transparency.
Specifically, the FTC recommends that, “In order to ensure that all actors in the ecosystem are making truthful claims about the choices afforded to consumers, consumer-facing companies that utilize third-party companies for cross-device tracking—and the cross-device tracking companies themselves—should coordinate efforts.” The FTC clearly envisions that this coordination will reach beyond just “first-party” data collectors that directly interact with consumers, stating, “Behind-the-scenes third-party tracking companies may themselves be subject to liability when they misrepresent to app developers the types of information they collect and use ... .”
The FTC’s recommendation to “coordinate efforts” to provide transparency across a user’s ecosystem may be particularly challenging. The technical nature of cross-device tracking necessarily involves devices, apps, browsers, websites, and advertisers from the numerous companies that constitute a user’s ecosystem. Despite the complexity of this ecosystem, the FTC puts the burden on these companies—many of whom are competitors and do not have existing relationships—to provide transparency across the ecosystem. Whether this is possible from a technological perspective or feasible in the marketplace is not clear.
The FTC’s recommendation to respect any opt-out choices by consumers will create challenges in the context of cross-device tracking. The nature of cross-device tracking makes it virtually impossible for any company to effectuate an opt-out of tracking across every device in a consumer’s ecosystem. Not only are the devices involved often sold by different companies, but the nature of probabilistic tracking means that companies have imperfect knowledge about which devices are associated with a user. As a result, instead of endorsing a “single opt-out,” the FTC recommended that, “[i]f a company offers an opt-out that is limited to only certain types of tracking technologies, the company must clearly and conspicuously disclose the limits of the opt-out to avoid misleading consumers.”
Although relieved of the impossible—a single opt-out—companies face a different challenge: clearly communicating to consumers the limits of any opt-out offered. In particular, the nature of third-party probabilistic tracking makes honoring opt-out requests difficult. Third-party advertisers do not have a direct relationship with a consumer. That lack of direct communication will make communicating limits on data collection and opt-out requests difficult. That difficulty is heightened by the probabilistic nature of cross-device tracking. Third-party advertisers do not know with certainty that two devices are in fact operated by the same person, and issues will arise in determining whether to implement a do-not-track request on devices that may or may not be associated with the same user.
Companies must carefully review their policy statements that allow users to opt out of any means of data collection to ensure that the statements are appropriately limited to what a company can actually do. Policy statements that purport to give users the ability to control the collection of their data or to stop data collection on “all their devices” should be given particular attention.