FTC Releases Cross Device Staff Report
Transparency, choice, and protection of sensitive data. The FTC staff’s recently-released “Cross-Device Tracking: A Staff Report” (“Staff Report”) provides recommendations to companies that use cross-device tracking. These recommendation are in line with industry self-regulatory groups such as the DAA’s guidance in November 2015.
The Staff Report is also informed by the FTC’s 2015 Cross-Device Tracking Workshop, which explored new technologies that enabled behavioral advertising based on consumer’s actions across multiple devices. As we discussed in our summary of the workshop, this type of targeting has become increasingly essential to advertisers.
At the time of the FTC’s 2015 workshop, FTC staff and panelists questioned whether hashed PII should be treated as identifiable PII. The FTC now confirms that, in its view, hashed PII is in fact PII (at least, in many cases), because it “can be vulnerable to reidentification.” Thus, in an important take-away for many companies, the FTC emphasizes:
[C]onsumer-facing companies that provide raw or hashed email addresses or usernames to cross-device tracking companies should refrain from referring to this data as anonymous or aggregate, and should be careful about making blanket statements to consumers stating that they do not share “personal information” with third parties.
Similarly, the FTC recommends that companies collecting raw or hashed email addresses and passing them to a third party, like an analytics service that assists in cross device targeting, should inform consumers that they engage in the practice. The Staff Report notes that the failure to provide truthful information about tracking and analytics practices could violate the FTC Act, as the FTC alleged in the Epic Marketplace settlement. There, the FTC had alleged that even though the company disclosed that it had engaged in behavioral tracking, its omission of an express disclosure about its “history sniffing” technologies was a deceptive practice that violated Section 5 of the FTC Act. Companies should review their privacy policies and ensure that any analytics practices are reflected in the policy.
The FTC also warns companies to respect choices made by consumers, and to clearly explain material limitations in how opt-out tools function. It notes that the DAA’s self-regulatory guidance for cross device tracking (if it involves Cross-App or Multi-Site Data) requires that an opt-out on a consumer’s device, such as a mobile phone, should prevent any data from that device from being used to serve behavioral advertising on the consumer’s other devices, such as a tablet or laptop computer. (The DAA’s guidance does not, on the other hand, require companies to create a “unified” opt-out in those cases, such as by linking IP address data – although some third party platforms do provide that type of opt-out mechanism.)
Commissioner Ohlhausen released a concurring statement noting that the report is consistent with earlier FTC guidance, such as the 2009 Self-Regulatory Behavioral Advertising Report.
Finally, the FTC reminds companies to maintain reasonable security to protect the information gathered from consumers, and to offer heightened protection for sensitive data such as health or financial data, or any information collected from children. Although there are privacy challenges, the FTC recognizes the benefits offered by cross device integrations, such as seamless experiences across devices and improved fraud detection.