On January 23, 2017, the FTC released a long-awaited report regarding the increased incidence of cross-device tracking.  The report, which follows a November 2015 FTC workshop on cross-device tracking, sheds light on the privacy concerns raised by the practice and alerts companies engaged in cross-device tracking of certain best practices for avoiding potential violations of applicable law and regulations.

Background

Cross-device tracking is the practice of using deterministic and probabilistic techniques to associate multiple devices with the same consumer.  Deterministic techniques are used to track consumer behavior based on the affirmative use of a common identifying characteristic, such as log-in credentials.  For example, when a consumer enters his or her log-in credentials to access an online platform on a number of devices, the consumer’s behavior on one device can be used to inform targeted advertising through the same platform on the consumer’s other devices.

By contrast, probabilistic techniques are used to draw inferences about consumer behavior. As noted in the FTC report, a common probabilistic technique is IP address matching, through which devices using the same IP address at the same time—e.g., a smart television, mobile device and tablet on the same local network—are presumed to belong to the same consumer.  Because probabilistic tracking does not involve affirmative consumer action, and may not involve any direct relationship between the consumer and the company engaged in the tracking activity, the practice is less transparent for consumers than deterministic tracking.

The FTC report is based, in part, on a prior FTC staff study on cross-device tracking trends which involved the testing of 100 popular websites on two separate devices. The study found, among other things, that 96 of the 100 websites reviewed collected log-in or other authentication credentials from consumers, the domains of 87 companies known to use cross-device tracking technologies were embedded, directly or indirectly, in such websites, and that 861 third parties were observed connecting to both devices.

Findings and Recommendations of the FTC Report

The FTC report acknowledges that cross-device tracking can produce benefits for both businesses and consumers.  These benefits include enhanced fraud detection and account security (e.g., by requiring additional authentication when a new device is used to access a consumer’s account), an improved consumer experience on online platforms, the use of more targeted, less saturated advertising, and a more equal competitive arena for companies that do not have access to large amounts of deterministic tracking data.  However, notwithstanding these benefits, the FTC report expresses serious concern about risks to consumer privacy associated with such activities.  For example, the FTC found that:

  • Cross-device tracking is employed by a growing number of companies (including both consumer-facing and third-party tracking and analytics companies);
  •  Very few companies using such techniques have disclosed both the fact and scope of their tracking activities;
  •  Many consumers may be unaware that their activities on certain platforms are being tracked, while some consumers may have knowledge of companies’ tracking practices, but little to no ability to limit or opt-out of tracking and data collection;
  •  Data collected through cross-device tracking may include highly-private personal information which, if exposed through a security breach, could result in considerable consumer harm and could reduce the efficacy of knowledge-based authentication (e.g., answering pre-selected security questions); and
  •  Self-regulatory initiatives have improved transparency and consumer choice in the cross-device tracking arena, but many existing practices are not fully disclosed to consumers and may implicate the FTC Act.

Based on these findings, the FTC report makes a number of recommendations to companies engaged in cross-device tracking, including that:

  • Consumer-facing companies should disclose to consumers, fully and truthfully, their use of cross-device tracking practices and the extent of those practices, including the nature of any data collected;
  •  Third-party tracking companies should provide their tracking disclosures both to consumers and to the first-party companies with whom they transact;
  •  Companies should consider providing consumers with clear and conspicuous opt-out mechanisms or other means to limit how their activities are tracked;
  •  Companies should refrain from tracking sensitive information, such as financial, health, or children’s information or precise geolocation data without first obtaining the express consent of the consumers to whom the information belongs; and
  • Companies should track and collect only information that is necessary for their business purposes to reduce the risk of a security breach resulting in significant consumer harm.

Considerations for Companies Engaged in or Considering Undertaking Cross-Device Tracking

Companies engaged in or considering undertaking cross-device tracking—whether consumer-facing or without a direct consumer relationship—may wish to review their tracking and information-collection activities in light of the FTC report. In particular, such entities may wish to examine their practices involving information that is viewed as “sensitive” or which can be reasonably linked to consumer or his or her device(s), even if the information is hashed or is otherwise protected. Companies should also consider reviewing their privacy policies and relevant consumer disclosures to ensure that any cross-device tracking activities, as well as any related opt-out procedures, are described accurately and conspicuously therein.  As the FTC report highlights, consumer-facing companies, such as application developers and website operators, can be exposed to liability for allowing third parties to install tracking technology in their applications and platforms without providing notice to consumers (see our previous Seller Beware post for further reading on prior FTC action in this area).  Similarly, third-party tracking companies may be held liable for misrepresenting the nature or the extent of their tracking techniques to the consumer-facing companies on whose platforms those techniques are deployed.  These reminders of potential liability should not be overlooked by consumer-facing and third-party tracking companies. It can be helpful to review existing and future agreements, as well as all representations made to consumers, to limit the potential for claims of misrepresentation regarding tracking practices, policies and procedures.