January 2017

FTC Sets Expectation For Cross Device Tracking

The FTC has issued its long-awaited report on Cross Device identification (XDID). The report summarizes the FTC’s position using data from the recently released paper published by FTC staffers (Cross-Device Tracking: Measurement and Disclosures https://petsymposium.org/2017/papers/issue2/paper29-2017-2-source.pdf). The report raises concerns over:

  • the alleged number of entities the FTC supposes are engaged in cross device tracking (per the paper, the FTC could not conclusively determine that the data observed was used for cross-device identification), and consumer expectations, particularly where probabilistic identification is performed (where no direct relationship may exist, and the identification may not be expected).
  • perceived lack of notice of XDID (again per the paper “we detected 20 domains syncing their cookies with companies that specialize in probabilistic cross-device tracking. … several privacy policies we reviewed had been last updated several years ago, before third party advertising and analytics companies began to seriously explore cross-device tracking”).
  • consequences of a breach of information
    • such as embarrassment or blackmail
    • potentially reducing the effectiveness of knowledge-based authentication mechanisms.

The report does acknowledge consumer benefits, including providing a better, seamless online experience, as well as benefits to business such as improved fraud detection, account security, and enhanced competition.

To strike a balance, the report recommends the following areas be addressed:

  • Notice (Transparency)
    • Companies should disclose to consumers cross device tracking, where data is collected and how it is shared
      • Consider all sources where collected (e.g., web, mobile app, TV, etc.)
      • Disclose all categories of data collected
        • The FTC warns against calling certain information non-personal, or making blanket statements like “don’t share personal information”
          • Some in the FTC think persistent anonymous identifiers, or hashed values can still be personal
            • Although Chairwoman Ohlhausen doesn’t seem to think so. (Footnote 76)
    • Third parties should in turn disclose to their clients/partners whether they are engaging in cross device identification
  • Opt-Out (Choice)
    • Honor any opt-outs offered
      • to the extent opt-out tools are provided, any limitations must be disclosed
    • First-Parties should coordinate with Third-Parties
      • But no concrete guidance as to how or on what
    • Praise for the DAA’s opt-out approach, which the FTC interprets to mean:
      • once a device is opted-out, that device can no longer receive OBA ads
      • once a device is opted-out, data collected from that device cannot be used for OBA on other devices
    • Device specific opt-outs are okay
      • For now…
  • Opt-In (Sensitive Data)
    • For cross-device tracking on sensitive topics, including health, financial, and children’s information
      • Use the broader NAI definition for sensitive health information
    • For Precise Geolocation Information
  • Security
    • keep only data necessary
    • properly secure data collected/maintained

jbho: Note also that the DAA published a compliance warning that Cross Device enforcement is now in effect. The warning reminds companies:

  • The rules apply to both deterministic and probabilistic identification techniques
  • First and Third parties are expected to collaborate in meeting the rules
  • Enhanced Notice should explain “data collected from a particular browser or device may be used with another computer or device that is linked to the browser or device on which such data was collected”
  • After opt-out, a device should be thought of as a ‘black hole’ from which no data for IBA can escape
    • includes sharing with third parties for IBA
  • Opt-out mechanism must be easy to use, and the scope of opt-out clearly defined

The warning also recommends that companies make sure all links work properly after updating a privacy policy.


September 2016

DMA Releases RFI On Cross-Device Identification

The Direct Marketing Association (DMA) Cross-Device Identification (XDID) Structured Innovation Program has released a Request for Information intended to standardize terminology and expectations around cross-device tracking solutions. The draft requests information from industry on a business’s scope of services, data sources, and how opt-outs are handled.

The RFI defines three levels of XDID:

  • Person-specific, using PII: The personally-identifiable information layer (PII) provides confidence in the link between verified individuals and devices. PII is often foundational to tying offline data and signals to addressable matches online.
  • Person-specific using anonymized data: Anonymous, non-personally identifiable information can also be used to associate an individual with one or more devices. For example, multiple devices can be connected to the same anonymized marketer-provided hash-code that represents a unique individual.
  • Device-specific: There are many use-cases that endeavor simply to connect related devices with a limited understanding of the person behind the devices. For example, three devices that frequently connect via the same residential IP address can be identified as related devices. This approach does not inform an understanding of the individual.

jbho: The main focus is establishing a baseline for how well tracking is done, but at least privacy got a small mention. No mention of any out-of-the-box opt-out solutions.
