US companies are expected to explain how consumers are being tracked across devices, so that the company knows a consumer accessing its website from smartphone, tablet, television, laptop or other devices. Until now, US companies were expected to provide transparency about intricate tracking techniques, but the FTC has specifically staked out requirements for explaining cross-device tracking of consumers. To be safe, revise your company’s privacy policy to reflect any cross-device tracking, and stay off the FTC’s enforcement list.
On January 23, 2017, the FTC released its report Cross-Device Tracking, insisting on transparency, consumer choice, security and protection of sensitive data for consumers. Of these challenges, transparency and consumer choice can be addressed in a company’s privacy policy. A privacy policy allows companies to be transparent about their collection and use of personal information and other non-personal information collected from consumers, whether on websites or mobile applications. If a company participates or otherwise enables cross-device tracking, it should disclose when and how it occurs.
Companies also should respect consumers’ choices not to have their activity tracked across devices. If a company provides opt-out mechanisms, then it should honor a choice to opt-out. Further, the FTC noted that if there are material limitations on opt-out tools, then companies must disclose those limitations clearly and conspicuously or risk FTC action.
Companies engaged in cross-device tracking may also have compliance obligations to industry groups and self-regulatory bodies. For example, the Digital Advertising Alliance (DAA) released the Application of the DAA Principles of Transparency and Control to Data Used Across Devices in November 2015. The DAA has previously announced that it would begin enforcing the guidance beginning on February 1, 2017.
Under the DAA Transparency Principle, entities engaged in cross-device tracking should include a notice on their own site or mobile app that accurately describes their data collection and use practices. Are companies collecting data on their own site or mobile app? Are they also collecting data from third-party sites or apps?
Where applicable, entities should disclose that data collected is linked to the browser or device where it was collected or that the data may be transferred to a linked browser or device. Further, companies should indicate to consumers that exercising their choice to opt-out will limit cross-device linking. Finally, entities should provide a “clear, meaningful, and prominent link” to a disclosure regarding the choice mechanism or that individually lists third parties participating in cross-device tracking. Under the DAA Control Principle, consumers must be able to exercise choice with cross-device tracking. This means that if a consumer opts-out of data collection on one device, then data collected from that device cannot be used on other devices. Further, data collected from other devices cannot be used on the opted-out device.
The FTC report highlights the benefits and challenges of cross-device tracking, reminding readers of the DAA’s promise to enforce its cross-device tracking guidance, and recommending best practices for companies in this space. Acting FTC Chairman Ohlhausen wrote a concurring statement, indicating that this report is consistent with current FTC practices in regulating consumer privacy and that the policies are likely to hold into the next administration.
In its report, the FTC recognized the DAA’s efforts, but also noted that it would like to see continued effort in combatting the FTC’s identified privacy challenges. Even without new regulations directed to cross-tracking devices, the FTC report and DAA guidance, and promise to enforce its guidance, are instructive.
The FTC report “discusses [FTC privacy principles] in the context of new technology.” The FTC is interested in this “new technology,” at least in part, because consumers may not expect cross-device linking when they purchase and use cross-linked devices or service. This report discusses recommendations to prevent consumer surprise and to avoid FTC or self-regulatory body enforcement.
According to the FTC, cross-device tracking offers several benefits, including a “seamless experience for consumers,” “improved fraud detection and account security,” ability for marketers “to provide consumers with a better online experience” by sending relevant advertisements, and enhanced competition in advertising.
So how can the FTC and DAA concerns be addressed? One way is for companies to revisit their privacy policies. If your company participates or otherwise enables cross-device tracking, identify whether your policies include disclosures regarding cross-device tracking, and if not, add them because the FTC and DAA are warning that transparency is needed. Additionally, examine any practices related to honoring consumers’ opt-out preferences. These steps may proactively limit risk of enforcement action from the FTC or DAA.