If you or your third-party providers are engaged in cross-device tracking, you must adequately disclose the practice to your end users, provide them control over their information, and exercise care when collecting sensitive information. These are the key recommendations from a staff report released this week by the Federal Trade Commission (FTC).

What is Cross-Device Tracking?

If your laptop displays advertisements for girls' rain boots when your spouse was using your home computer to search for them the night before—you likely have been subject to cross-device tracking. Cross-device tracking allows companies to associate multiple devices with a single person, linking that person's behaviors and personal information to create a detailed customer profile. Devices include smartphones, tablets, wearable devices, smart TVs, and computers. Cross-device tracking can be a valuable tool for advertisers and provide consumers with more relevant content. However, the collection and use of this information, especially when done without consumers' knowledge or consent, also raises privacy concerns.

The FTC recommends that companies engaged in cross-device tracking take the following steps:

  • Be transparent about what data you collect and what you do with it. Companies are advised to disclose that cross-device tracking is taking place, what type of information is being collected, and the intended use of that information. If you are consumer-facing, you can make the disclosure on your privacy notice. If you are providing services for other businesses, be sure to fully disclose your practices to them, so they can provide adequate consumer notice. This is particularly relevant to companies that develop Internet of Things devices that track consumers. Failure to provide truthful information about tracking practices could be deemed an unfair or deceptive practice in violation of Section 5 of the FTC Act. In its case against Epic Marketplace, Inc., the FTC alleged that the company engaged in deceptive practices when it informed consumers that it only engaged in limited tracking when in fact it used a "history sniffing" technology to track consumers across the internet.

  • Provide mechanisms that give consumers control over their data. If a consumer opts out of tracking on one device, you should not use information collected from that device to inform behavioral ads on other devices. This FTC recommendation endorses the requirement set forth by the Digital Advertising Alliance (DAA) in its Self-Regulatory Principles for Online Behavioral Advertising. The FTC also recommends that companies clearly and conspicuously disclose any material limitations on how end-user choices apply or are implemented with respect to cross-device tracking. If you offer end users an opt-out that only applies to certain types of tracking technologies, you must clearly and conspicuously disclose the limits of the opt-out to avoid misleading consumers. In its enforcement action against ScanScout, Inc., the FTC alleged that the company violated Section 5 of the FTC Act when it told consumers that they could opt out of tracking by using their browser-based opt-out tools. However, in fact, the company continued to track consumers using Flash cookies for which a browser-based opt out is ineffective. A similar violation was alleged in the FTC's enforcement action against Turn Inc.

  • Provide heightened protections for sensitive information. Companies should refrain from collecting sensitive information through cross-device tracking unless they obtain consumers' affirmative express consent. Sensitive information includes precise geolocation, health, financial, and children's information.

  • Maintain reasonable security of the data you collect. You should collect and retain only the data necessary for your business purposes. In addition, you should protect all the data you collect using reasonable controls in order to avoid future unexpected and unauthorized uses of data.

Ballard Spahr’s Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. Our cross-disciplinary team of attorneys helps clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation risk. We regularly assist client in managing the protection of information they collect and in drafting consumer-facing privacy disclosures.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices