Did you know that your devices are following you and talking amongst themselves? Creepy, right? From ordering products from your smartphone that you added to your shopping cart on your laptop’s browser to streaming a movie from your smartphone that you didn’t finish watching on your desktop, our online and mobile devices have integrated themselves into our lives and taken liberties that may not be apparent to us.
To address this lack of awareness, the Federal Trade Commission (FTC) recently examined technological developments, such as cross-device tracking, in an effort to promote awareness and protect consumers. On January 23, 2017, the FTC issued a Staff Report that discusses the privacy and security implications of cross-device tracking and provides recommendations to businesses about how to apply traditional consumer protection principles such as transparency, choice and security to this relatively new practice.
In general, cross-device tracking occurs when platforms, publishers and advertising tech companies connect a consumer’s activity across his or her devices—such as smartphones, tablets, desktop computers, and certain wearable devices—to enable companies to link the consumer’s behavior across those devices for a variety of purposes, such as to provide a seamless customer experience and prevent fraud. Many companies also combine cross-device information with information about consumers’ offline habits for marketing, advertising and other purposes.
The FTC recognizes that cross-device tracking provides certain consumer benefits, but also raises some privacy and security concerns. For example, cross-device tracking is often not apparent. It is a bit unsettling to see advertising in your social media app related to a product you shopped for on your desktop web browser. To address these concerns, the FTC encourages publishers, companies engaged in cross-device tracking, and self-regulatory organizations to consider the following recommendations:
- Transparency. A business should truthfully disclose its tracking activities and the type of data collected. In particular, the FTC reminds businesses that data that is reasonably linkable to a consumer or a consumer’s device (including raw or hashed email addresses or usernames) is personally identifiable information, and not anonymous or aggregate information.
- Choice. A business should offer consumers choices about how their cross-device activity is tracked and should respect their choices. In particular, the FTC recommends that cross-device tracking companies and consumer-facing businesses that utilize third parties for cross-device tracking should coordinate efforts to ensure they provide accurate disclosures about the choices available to consumers.
- Sensitive Data. A business should refrain from engaging in cross-device tracking on sensitive topics related to health, finances or children without the consumer’s affirmative express consent. In addition, the FTC recommends that businesses refrain from collecting and sharing geolocation information without a consumer’s affirmative express consent.
- Security. A business should maintain reasonable security to avoid future unexpected and unauthorized uses of data, and should keep only the data necessary for its business purposes.
The FTC’s Staff Report and its recommendations specifically draw upon comments and discussions from a November 2015 Cross-Device Tracking Workshop. But the FTC has been examining online behavioral advertising since the mid-1990s. As the sophistication of gathering consumer information increases, the FTC has made it a priority to ensure businesses’ disclosures and practices keep up so that consumers are not duped or harmed. Businesses should evaluate their cross-device tracking practices and disclosures in light of the FTC’s recommendations. The FTC is serious about policing bad actors, as evidenced by the numerous enforcement actions referenced in the Staff Report.