Practical GuidanceFree Trial
Register to request a downloadable copy
Learn More AboutPractical Guidance
By: Nicholas R. Merker and Blaine L. Dirker, ICE MILLER LLP
As Internet-connected mobile devices (e.g., smartphones, laptops, tablets, wearables, smart appliances, etc.) have become seemingly ubiquitous, consumers now have more ways than ever to access the Internet to interface with social media accounts, check e-mail, purchase goods and services, seek medical advice, watch cat videos, etc. However, consumers may not realize that such browsing behavior and account accesses can be monitored.
TRADITIONAL BROWSER TRACKING METHODS, SUCH AS web cookies and local shared objects, have typically not been as reliable in the mobile space. As such, the traditional methods are being replaced or supplemented with a method for tracking consumer behavior across multiple devices, commonly referred to as cross-device tracking.
In practice, various entities (e.g., service providers, content publishers, advertising companies, etc.) actively monitor consumer behavior, both online and offline, to generate detailed profiles of consumers. Cross-device tracking allows companies to further refine such profiles using data gathered for consumers across more than one of their devices. For example, a consumer may browse a particular vendor’s website for an article of clothing via a web browser on their tablet, and an advertisement for that same vendor and/or article of clothing may show up in their social media feed accessed on their smartphone.
Advertisers typically rely on two main approaches to cross-device tracking: deterministic matching and probabilistic matching. Deterministic matching relies on some explicit identification by the consumer themselves, such as a username, e-mail address, mobile phone number, etc. Probabilistic matching methods may be used to associate the consumer between their devices by using device information such as the operating system, device make and model, IP address, etc. For example, if both devices have accessed content using the same IP address, one can make a calculated guess that the same consumer is using both devices. Further, if both devices have been used to access the same e-mail address, a stronger inference can be made that both devices are associated with the same consumer.
While cross-device tracking can provide certain benefits to the user, such as a seamless experience across devices and applications, and provide a level of fraud protection and account security, crossdevice tracking also presents a number of privacy concerns. As the International Association of Privacy Professionals (IAPP) noted in its practice guide to cross-device tracking, “[t]he variety of technologies used for cross-device tracking creates challenges for consent, notice, and opt-out standards.”1 For example, the data gathered as a result of monitoring consumer behavior can be stored, aggregated, and analyzed by various entities, all unbeknownst to the consumer. As a result, government agencies and industry trade groups alike have introduced guidelines and self-regulatory initiatives to address such privacy concerns.
Another such example is from the Digital Advertising Alliance (DAA), an independent non-profit organization led by the leading advertising and marketing trade associations, which released specific guidance on the Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices3— enforcement of which began on February 1, 2017.4 Similar to the NAI Guidance, the DAA’s Principles require an opt-out mechanism; however, the DAA’s Principles further require a disclosure that lists all third parties engaged in the collection of cross-device tracking data. Additionally, in accordance with the DAA’s Principles, data collected from an opted-out device cannot be used for behavioral advertising on other devices, nor can data collected from other devices inform advertising on the opted-out device.
More recently, in January 2017, the Federal Trade Commission (FTC) released a Staff Report detailing the findings of a Cross-Device Tracking Workshop conducted by the FTC in November 2015 (Cross-Device Tracking: A Federal Trade Commission Staff Report (January 2017)). Research undertaken by the FTC concluded that an increasing number of companies have advertised using cross-device tracking services. To that end, the FTC Staff Report provided the following recommendations for those companies engaged in cross device tracking:
Further, the FTC Staff Report highlighted various circumstances in which cross-device tracking companies, publishers, and device manufacturers can run afoul of the Federal Trade Commission Act (FTC Act). Such circumstances that could implicate the FTC Act can include:
In summary, if your company uses data collected via cross-device tracking collection methods, be transparent about the data collected, how it is collected, and the intended use for the data. Additionally, allow consumers to have control over their data (e.g., opt-out mechanisms), recognize how collected and disseminated data collected via cross-device tracking can be classified (e.g., as personal information, sensitive data, etc.), and maintain reasonable security.
1. https://iapp.org/resources/topics/cross-device-tracking/. 2. Network Advertising Initiative, Guidance for NAI Members: Use of Non-Cookie Technologies for Interest-Based Advertising Consistent With the NAI Code of Conduct 2 (2015) (“Beyond Cookies”), http://www.networkadvertising.org/sites/default/files/NAI_BeyondCookies_NL.pdf. 3. Digital Advertising Alliance, Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices 2 (2015), https://www.aboutads.info/sites/default/files/DAA_Cross-Device_Guidance-Final.pdf 4. Press Release, Dig. Advert. All., Digital Advertising Alliance Announces Enforcement of Cross-Device Guidance to Begin February 1, 2017 (Jan. 31, 2017), http://digitaladvertisingalliance.org/press-release/digital-advertising-alliance-announcesenforcement- cross-device-guidance-begin.
Nicholas R. Merker is a partner at Ice Miller LLP and co-chair of its Data Security and Privacy Practice. Blaine L. Dirker is of counsel in the firm’s Intellectual Property and Data Security and Privacy practices. The authors may be reached at email@example.com and firstname.lastname@example.org, respectively.
RESEARCH PATH: Intellectual Property & Technology > Technology Transactions > Mobile Apps & Device > Articles
For more information on privacy policies, see
> DRAFTING PRIVACY POLICIES
RESEARCH PATH: Intellectual Property & Technology > Technology Transactions > Mobile Apps & Devices > Practice Notes
For a discussion of privacy considerations for mobile apps, see
> MOBILE APP PRIVACY CONSIDERATIONS