Avoiding Company Liability When Using Cross-Device Tracking Data

Posted on 06-07-2017

 

By: Nicholas R. Merker and Blaine L. Dirker, ICE MILLER LLP

As Internet-connected mobile devices (e.g., smartphones, laptops, tablets, wearables, smart appliances, etc.) have become seemingly ubiquitous, consumers now have more ways than ever to access the Internet to interface with social media accounts, check e-mail, purchase goods and services, seek medical advice, watch cat videos, etc. However, consumers may not realize that such browsing behavior and account accesses can be monitored.

Traditional browser tracking methods, such as web cookies and local shared objects, have typically not been as reliable in the mobile space. As such, the traditional methods are being replaced or supplemented with a method for tracking consumer behavior across multiple devices, commonly referred to as cross-device tracking.

In practice, various entities (e.g., service providers, content publishers, advertising companies, etc.) actively monitor consumer behavior, both online and offline, to generate detailed profiles of consumers. Cross-device tracking allows companies to further refine such profiles using data gathered for consumers across more than one of their devices. For example, a consumer may browse a particular vendor’s website for an article of clothing via a web browser on their tablet, and an advertisement for that same vendor and/or article of clothing may show up in their social media feed accessed on their smartphone.

Two Main Approaches to Cross-Device Tracking

Advertisers typically rely on two main approaches to cross-device tracking: deterministic matching and probabilistic matching. Deterministic matching relies on some explicit identification by the consumer themselves, such as a username, e-mail address, mobile phone number, etc. Probabilistic matching methods may be used to associate the consumer between their devices by using device information such as the operating system, device make and model, IP address, etc. For example, if both devices have accessed content using the same IP address, one can make a calculated guess that the same consumer is using both devices. Further, if both devices have been used to access the same e-mail address, a stronger inference can be made that both devices are associated with the same consumer.
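The two approaches can be put side by side in a short sketch. This is an added example, not code from the article or from any tracking vendor; the device records, the signal weights and the threshold are assumptions constructed for illustration. It also shows why a hashed e-mail address still works as a cross-device join key.

```python
import hashlib
from itertools import combinations

# Constructed observations; every device name, address and e-mail is made up.
EVENTS = [
    {"device": "tablet-A", "ip": "203.0.113.7", "os": "Android", "email": "Pat.Doe@example.com "},
    {"device": "phone-B", "ip": "203.0.113.7", "os": "Android", "email": "pat.doe@example.com"},
    {"device": "laptop-C", "ip": "203.0.113.7", "os": "Windows", "email": None},
    {"device": "phone-D", "ip": "198.51.100.20", "os": "iOS", "email": None},
]

# Assumed weights and threshold, chosen only for this illustration.
W_IP, W_OS, THRESHOLD = 0.6, 0.2, 0.5


def hashed_email(email):
    """SHA-256 of the normalised address. The digest is identical on every
    device the consumer logs in from, so it remains a linkable identifier."""
    if not email:
        return None
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def match(a, b):
    """Classify a pair of device observations as (kind, score)."""
    ha, hb = hashed_email(a["email"]), hashed_email(b["email"])
    if ha is not None and ha == hb:
        # Deterministic: the consumer identified themselves on both devices.
        return ("deterministic", 1.0)
    # Probabilistic: score shared device attributes and guess.
    score = 0.0
    if a["ip"] == b["ip"]:
        score += W_IP
    if a["os"] == b["os"]:
        score += W_OS
    return ("probabilistic", score) if score >= THRESHOLD else ("none", score)


def link_devices(events):
    """Evaluate every device pair and return {(dev1, dev2): (kind, score)}."""
    return {(a["device"], b["device"]): match(a, b)
            for a, b in combinations(events, 2)}


if __name__ == "__main__":
    for pair, result in link_devices(EVENTS).items():
        print(pair, result)
```
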

Privacy Concerns

While cross-device tracking can provide certain benefits to the user, such as a seamless experience across devices and applications, and provide a level of fraud protection and account security, cross-device tracking also presents a number of privacy concerns. As the International Association of Privacy Professionals (IAPP) noted in its practice guide to cross-device tracking, “[t]he variety of technologies used for cross-device tracking creates challenges for consent, notice, and opt-out standards.”1 For example, the data gathered as a result of monitoring consumer behavior can be stored, aggregated, and analyzed by various entities, all unbeknownst to the consumer. As a result, government agencies and industry trade groups alike have introduced guidelines and self-regulatory initiatives to address such privacy concerns.

Guidelines and Self-Regulatory Initiatives to Address Privacy Concerns

In one such example, in May 2015, the Network Advertising Initiative (NAI), an industry trade group of third-party network advertisers that develops self-regulatory standards for online advertising, introduced its Guidance for NAI Members: Use of Non-Cookie Technologies for Interest-Based Advertising Consistent with the NAI Code of Conduct.2 The NAI Guidance covers, among other things, the transparency and notice requirements for NAI members. In particular, the NAI Guidance requires that for non-cookie technology, the privacy policy includes whether data is being collected using a non-cookie technology and a description of an easy-to-use opt-out mechanism that allows consumers to opt out of Internet-Based Advertising (IBA) with respect to a particular browser or device.

Another such example is from the Digital Advertising Alliance (DAA), an independent non-profit organization led by the leading advertising and marketing trade associations, which released specific guidance on the Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices3—enforcement of which began on February 1, 2017.4 Similar to the NAI Guidance, the DAA’s Principles require an opt-out mechanism; however, the DAA’s Principles further require a disclosure that lists all third parties engaged in the collection of cross-device tracking data. Additionally, in accordance with the DAA’s Principles, data collected from an opted-out device cannot be used for behavioral advertising on other devices, nor can data collected from other devices inform advertising on the opted-out device.

More recently, in January 2017, the Federal Trade Commission (FTC) released a Staff Report detailing the findings of a Cross-Device Tracking Workshop conducted by the FTC in November 2015 (Cross-Device Tracking: A Federal Trade Commission Staff Report (January 2017)). Research undertaken by the FTC concluded that an increasing number of companies have advertised using cross-device tracking services. To that end, the FTC Staff Report provided the following recommendations for those companies engaged in cross-device tracking:

  • Be transparent about data collection and use practices.
  • Provide choice mechanisms that give consumers control over their data.
  • Provide heightened protections for sensitive information, including health, financial, and children’s information.
  • Maintain reasonable security of collected data.

Further, the FTC Staff Report highlighted various circumstances in which cross-device tracking companies, publishers, and device manufacturers can run afoul of the Federal Trade Commission Act (FTC Act). Such circumstances that could implicate the FTC Act can include:

  • Failure to provide truthful information about tracking practices5
  • Failure to disclose cross-device tracking as a data collection/tracking method6
  • Failure to properly identify the types of information being collected and used7
  • Failure to clearly and conspicuously disclose the limits of an opt-out that is limited to only certain types of tracking technologies8

To safeguard data collection practices associated with cross-device tracking, the FTC Staff Report advises companies to:

  • Clearly and conspicuously disclose cross-device tracking practices by explaining to consumers what information is collected from the device, the entities that are collecting the information, and how they use and share the information collected.
  • Offer consumers choices about how their cross-device activity is shared, and respect those choices.
  • Do not refer to raw or hashed usernames/e-mail addresses as anonymous or aggregated data—the FTC has repeatedly held that data that is reasonably linked to a consumer or a consumer’s device is personally identifiable. Accordingly, do not make blanket statements to consumers about not sharing personal information with third parties if such data is being shared.
  • Refrain from engaging in cross-device tracking on data that the FTC has recognized as sensitive, warranting higher levels of protection, including health, financial, and children’s information, as well as precise geolocation information, without the consumer’s affirmative express consent.
  • Take efforts to maintain reasonable security and properly secure data in order to avoid unexpected and/or unauthorized uses of data (e.g., as may be otherwise compromised via a data breach).

Conclusion

In summary, if your company uses data collected via cross-device tracking methods, be transparent about the data collected, how it is collected, and the intended use for the data. Additionally, allow consumers to have control over their data (e.g., opt-out mechanisms), recognize how data collected and disseminated via cross-device tracking can be classified (e.g., as personal information, sensitive data, etc.), and maintain reasonable security.

1. https://iapp.org/resources/topics/cross-device-tracking/.
2. Network Advertising Initiative, Guidance for NAI Members: Use of Non-Cookie Technologies for Interest-Based Advertising Consistent With the NAI Code of Conduct 2 (2015) (“Beyond Cookies”), http://www.networkadvertising.org/sites/default/files/NAI_BeyondCookies_NL.pdf.
3. Digital Advertising Alliance, Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices 2 (2015), https://www.aboutads.info/sites/default/files/DAA_Cross-Device_Guidance-Final.pdf.
4. Press Release, Dig. Advert. All., Digital Advertising Alliance Announces Enforcement of Cross-Device Guidance to Begin February 1, 2017 (Jan. 31, 2017), http://digitaladvertisingalliance.org/press-release/digital-advertising-alliance-announces-enforcement-cross-device-guidance-begin.


Nicholas R. Merker is a partner at Ice Miller LLP and co-chair of its Data Security and Privacy Practice. Blaine L. Dirker is of counsel in the firm’s Intellectual Property and Data Security and Privacy practices. The authors may be reached at nicholas.merker@icemiller.com and blaine.dirker@icemiller.com, respectively.
