On January 23, 2017, the Federal Trade Commission (“FTC”) released a staff report on cross-device tracking (“Report”). The Report follows the discussions from the FTC’s November 2015 Cross-Device Tracking Workshop, which was part of a series of efforts to promote self-regulation and develop principles for the online behavioral advertising industry.
The Report provides insight into how the agency views cross-device tracking, but perhaps most notable is the concurring statement of then-Commissioner and now interim Chair Maureen Ohlhausen. Commissioner Olhausen stated that the Report “does not alter the FTC’s longstanding privacy principles but simply discusses their application in the context of a new technology.”
It certainly seems clear, in the new chair’s view at least, that no new ground was intended to be broken.
Against that backdrop, here are some highlights.
Benefits and Challenges of Cross-Device Tracking
The Report first catalogs the agency’s view of the benefits and challenges presented by cross-device tracking. The FTC has made a practice of acknowledging the benefits of new technologies, even as it warns against their possible abuse, and the Report is no exception.
- Benefits. The Report notes that cross-device tracking enables a seamless experience for consumers, by allowing them to log into their email or social media accounts from multiple devices and transfer from device to device without interrupting their user sessions, video playback or the like. Cross-device tracking also can improve account security and prevent fraud by allowing multiple methods of authentication and notification. Third, it can provide consumers with a better online experience by effective targeting and avoidance of saturation of ads. Finally, cross-device tracking may enhance competition in the advertising arena by allowing companies without “deterministic” data (such as log-in information) to target advertising to a user just as a first-party entity might do.
- Challenges. Turning to the challenges, the most significant cited by the commission is the potential lack of transparency. Consumers may be unaware that tracking may extend across devices, from viewing patterns on their smart televisions to health information from a wearable device, or even to shopping habits at brick-and-mortar stores. The FTC also expressed concern over the limited choices offered to consumers to control cross-device tracking. While many opt to delete cookies and install ad blockers based on privacy concerns, some of these choices may not apply to cross-device tracking. Third, the agency noted security-related concerns that highly private information may be released without authorization and accessed by wrongdoers.
The Report’s recommendations, as Chairperson Ohlausen noted, largely track the agency’s existing guidance.
- Transparency. All companies involved in cross-device tracking, including publishers and device manufacturers, should truthfully disclose their tracking activities. Failure to provide truthful information about the operation of cross-device tracking, the categories of data collected and the scope of any opt-out mechanism may be challenged as deceptive practices in violation of Section 5 of the FTC Act.
- Choice. Companies should offer consumers choices about how their cross-device activity is tracked. The FTC encourages that the opt-out choice be provided on a device-by-device basis, rather than across the entire graph of connected devices.
- Sensitive Data. Companies should refrain from engaging in cross-device tracking on sensitive topics, including health, financial and children’s information, without consumers’ affirmative express consent. These categories of data warrant higher level of protection.
- Security. Companies should maintain reasonable security in order to avoid future unexpected and unauthorized uses of data by hackers and other wrongdoers.
The FTC currently is comprised of only two commissioners – interim-Chair Ohlausen and Commissioner Terrell McSweeny. That leaves three vacancies, two of which are reserved to Republicans and one to a Democrat. It will be interesting to see who is appointed to those vacancies and whether the agency charts an aggressive path forward in this area. However, if Chairperson Ohlausen’s statement and past remarks are any guide, we would expect the agency to focus on those cases that are egregious in their deceptiveness or that result in real, actual harm to consumers.
PH Privacy is Paul Hastings’ Privacy, Cybersecurity and Data Governance blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.