Legal tips on cross-device tracking
Cross-device tracking has permeated the advertising industry.
As consumers connect to the Internet on multiple devices, including smartphones, tablets, televisions and wearable devices in addition to their computers, marketers are not only forced to look beyond the traditional ways of tracking consumers through cookies, but they must consider the privacy and security risks associated with new tracking technologies as well.
Cross-device tracking has many perceived business benefits, mostly regarding tracking and consumer convenience.
Consumers no longer need to re-add items to their online shopping carts, or re-enter credit card information.
Businesses tout a myriad of societal benefits as well, including healthcare (body monitoring devices that allow people avoid trips to the doctor), conservation and energy efficiency (air conditioning and sprinkler meters) and public safety (connected cars, which, admittedly, has come under its own safety and security scrutiny lately triggering Congress and regulators to take note).
Without cross-device tracking, marketers face a number of challenges in their marketing strategies.
Multiple devices simply hinder a marketer’s ability to understand a consumer’s habits, which can be a problem for accurate targeting by marketers and their advertising agencies.
Even more difficult, Internet browsers and applications operate differently, making it challenging to track users as they move from one device to the next, such as desktop computers to smartphones.
Historically, HTTP cookies were stored in Web browsers on desktop and laptop computers. However, cookies can only track activity on a single device, and often do not work in applications.
How cross-device platforms work
Data matching can take the following two forms in cross-device tracking:
(1) Deterministic: Consumer logins are used to identify a user for tracking purposes. Because a user is logged into sites such as Facebook, Yahoo, Google or Twitter, that consumer is “determined” for the purposes of targeted advertising.
Tracking is made possible by using consumers’ personal identifiable information (PII), which has raised privacy concerns with governmental agencies, including the Federal Trade Commission (FTC).
(2) Probabilistic: Arguably less accurate, this approach uses comprehensive analytics programs to identify a consumer across multiple devices.
Probabilistic tracking depends on data to make tracking very accurate such as the make and model of a device, location data and IP addresses to identify a user.
Marketers analyze thousands of data points to determine a statistically probable match for a consumer as he or she moves across different devices to provide targeted marketing.
Legal issues and the FTC
The FTC has paid particular attention to Internet-based advertising of late. On Nov. 16, 2015, the FTC will hold a workshop to discuss:
(1) How cross-device tracking works
(2) The types of data companies can glean from such technologies, as well as benefits
(3) Privacy risks to consumers, and whether industry self-regulation covers this rapidly evolving area adequately; and
(4) Potential benefits to consumers of effective cross-device tracking, examining the potential privacy and security risks in the process
What can marketers and agencies be doing now?
(1) Conduct privacy assessments, using a chief privacy officer (CPO) or outside resources. A thorough review of how obtained data is stored and encrypted at all levels, along with retention limits, is recommended
(3) Be cautious about making no-personal-information-collected claims, as this can be a slippery slope. Privacy policies frequently allege that cookies collect no personal data, but this is largely not the case with cross-device tracking materials
(4) Avoid surprises. If consumer data is collected and used in unexpected ways, companies and the industry, as a whole, have an obligation to alert the consumer.
Providing or obtaining notice
The FTC offers several suggestions for how marketers and agencies can give or obtain notice, including:
(1) Offer choice at point of sale
(2) Direct customers to online tutorials
(3) Print QR codes on the device that take customers to a website for notice and choice
(4) Provide choices during initial set-up
(5) Provide icons to convey important privacy-relevant information, such a flashing light that appears when a device connects to the Internet
(6) Provide notice through emails or texts when requested by consumers
(7) Make use of a user experience approach, such as personalizing privacy preferences based on the choices that a customer already made on another device
(8) Implement personnel practices that include educating staff on privacy policies as well as social media policies via employee handbooks; and
(9) Review agreements with third-party providers. In the services agreement, ensure they are complying with appropriate privacy policies and discuss indemnity and insurance. Companies should provide sufficient oversight of their service providers and require reasonable security by contract
WITH SENATORS Ed Markey (Massachusetts) and Al Franken (Minnesota) being the most vocal proponents for action, many in the industry are speculating that the FTC will publish a post-workshop report calling on Congress to establish consumer protections associated with cross-device tracking.
Companies will likely need to update their privacy principles.
Additionally, the Digital Advertising Alliance (DAA) recently launched tools that provide in-app notices and give consumers a choice regarding tracking.
The cross-device regulatory umbrella is sure to evolve along with the technologies they seek to regulate.
Keeping abreast of the changes and using policies that are proactive and transparent are a marketer’s best bet for staying compliant.