But you might also consider using this data for other purposes, like analytics and advertising. No matter how you're using the data, you might have questions about what kind of notice you should provide consumers, how you secure the data and whether you should provide choices to consumers.
The Federal Trade Commission recently released a report on cross-device tracking, exploring these very issues. It also discusses the application of established privacy principles in the context of this new cross-device tracking technology.
First things first
Companies use a mixture of both 'deterministic' and 'probabilistic' techniques to perform cross-device tracking. Generally, deterministic techniques track consumers across devices through a consumer-identifying characteristic, such as a login. Companies are then able to connect a consumer's activity on one device with activity they observe on other devices associated with that account.
Companies can also use a probabilistic approach to infer which consumer is using a device, even when a consumer has not logged into a service. A common method of probabilistic tracking is IP address matching. Because devices on the same local network often have the same public IP address, an ad platform might infer that devices that use the same public IP address belong to the same household. Companies will often combine deterministic and probabilistic techniques to improve the accuracy of cross-device tracking models.
There are both benefits and challenges that flow from companies' abilities to link consumers across different devices. Consumers benefit in the form of a seamless experience across their devices, more relevant ads without oversaturation and improved fraud detection and account security where companies can require additional authentication if a device is not associated with a consumer.
Cross-device tracking technology may also enhance competition as companies without deterministic data may be able to compete with first-party entities that do have that ability through leveraging the technology.
Cross-device tracking also creates privacy challenges. Because the practice of cross-device tracking is often not obvious, consumers may be surprised to find that their browsing behaviors on one device will inform the ads they see on another device. Consumers may also be unaware of the potential scope of cross-device tracking, where a device graph includes not only laptops, tablets and smartphones, but also smart televisions — and even health information from a wearable device. Another challenge is that consumers who may be uncomfortable with the tracking have only limited choices to control it because choices to opt out of traditional online tracking may not apply to cross-device tracking.
There are both benefits and challenges that flow from companies’ abilities to link consumers across different devices.
The staff report included several recommendations that companies engaged in cross-device tracking should consider. First, the report recommends companies — both cross-device tracking companies and consumer-facing entities — be transparent about their data collection and use practices. Companies, including those that develop Internet of Things devices (such as smart televisions) that track consumers should also explain to consumers what information is collected, the entities that are collecting information and how they use and share the information collected. By providing meaningful information, consumers will be able to decide whether to use existing opt-out tools, whether to attempt to silo their activities or whether to stop using a website, app or service altogether.
Truthful claims should also be made about the categories of data collected. For example, companies that provide email addresses or usernames to cross-device tracking companies should refrain from referring to this data as anonymous or aggregate and should be careful about making blanket statements to consumers stating that they do not share personal information with third parties.
Disclosure is key
The report also recommends companies provide choice mechanisms to give consumers control over their data and the companies should ensure that choice is honored. For example, consumer-facing companies that utilize third-party companies for cross-device tracking, such as app developers, should coordinate efforts to ensure they are making truthful claims, particularly where they embed third-party ad networks into their apps in order to display ads and generate advertising revenue. Companies should continue to reassess technical limitations and simplify consumer choices wherever possible.
Companies should therefore consider keeping only the data necessary for business purposes and properly secure what they do maintain.
The report also recommends not tracking consumers without their express affirmative consent for sensitive information, such as health, financial or children's information. In addition, the report recommends that companies refrain from collecting and sharing precise geolocation information without that same level of consent.
These recommendations are consistent with the message businesses have been hearing for years: that companies maintain reasonable security and practice good data hygiene to avoid enabling unauthorized access to information, including by hackers in the case of a data breach. Companies should therefore consider keeping only the data necessary for business purposes and properly secure what they do maintain.