Privacy, Cross-device Tracking and the Internet of Things

The ways in which data is collected, compiled, stored and analyzed has changed over time. According to the Federal Trade Commission’s (FTC) workshop held last November, Chairwoman Edith Ramirez explained that we are no longer just talking about tracking on a single browser or single computer.

Rather, advertisement companies aim to follow consumers on various Internet of Things (IoT) devices, such as wearables, smart TVs, tablets, smartphones, desktop computers, laptops and more. This is commonly known as cross-device tracking. Cross-device tracking digitally follows a consumer in an effort to tell advertisers that the person seeing an ad on a smartphone is also the same person making a purchase on a desktop computer.

The degree of linking that occurs across devices is based on two models: deterministic and probabilistic. Deterministic linking is information that a consumer actively provides to a website or service, like inputting information onto a Facebook account.

The probabilistic technique is a form of passive collection based on inferences on shared IP addresses or geolocation information in order to demonstrate that the devices are frequently used together. On this note, an episode of HBO’s “Silicon Valley” even coined the phrase “outed by Wi-Fi!”

Further, panelist Joseph Turow opined that loyalty programs are essentially ways of collecting data through cross-device platforms as well. Such programs play out in different ways from airline miles, to hotel rewards, to what happens in Safeway.

With the example of Safeway, Club Card members insert their information at gas stations for points and whenever making in-store purchases. Such information is subsequently used by advertisers for personalized coupons and rewards.

Although sophisticated tracking techniques may also help companies in the realm of fraud protection programs, (through learning which devices are most often used to access consumer accounts), they raise multiple privacy issues, including transparency.

As Chairwoman Ramirez mentioned, “more extensive tracking allows companies to connect more and more of consumers’ offline activities with their online activities. This results in more detailed and more personalized consumer profiles that are assembled, traded and shared by a growing number of entities in the data ecosystem.”¹

Such data may be misused by unauthorized third parties and are left vulnerable to security breaches when stored in large quantities for long periods of time. Additionally, consumers may not be fully aware of such tracking, which increases the need for consumer education, as “there are almost no tools that allow individuals to know what devices are linked.”

Moreover, while opting out may exist in some aspects, “most controls do not allow opting out of the underlying data collection and linking of identifiers.” Thus, opting out is primarily applicable to targeted advertisements alone.

The FTC’s Justin Brookman gave helpful background information on cross-device tracking and explained the intricacies of the two different models. He shared that the browsing experience is much more fragmented today than in previous times because consumers use more devices generally. Devices are also getting smarter; even gaming consoles are growing more similar to computers. To this end, Brookman gave the example of TVs in saying that “Vizio updated their privacy policy to say they now have the ability to monitor and share information about what you’re viewing with third parties.”

Brookman went on to state that social services platforms embed companies engaging in tracking onto their own sites and that email is used in large part for deterministic matching. In this way, because there is a “traditional reluctance to share personally identifiable information … they would share just a hashed version of that identifying information” instead.

This would generate the same output and utilize email when a consumer uses it to log onto their desktop, iPad and more. Advertisement companies may also “embed a unique URL into the email,” therefore allowing companies to know “that the browser that opened” the ad is associated with a particular email.

Probabilistic matching companies often partner with deterministic companies in using cookie syncs to show devices are related. Advertisement companies are also using Bluetooth and microphones “to listen to physical beacons or TV advertisements,” creating additional privacy concerns.

Going forward, the Digital Advertising Alliance (DAA) and the Network Advertising Initiative (NAI) “have taken steps to enhance privacy protections in the online advertising space. These organizations’ self-regulatory principles encourage members to provide increased transparency and offer consumers control over data collection.” These organizations have also developed useful opt-out tools and enforcement in the mobile environment.

Finally, as Maneesha Mithal mentioned in her closing remarks, “companies must be mindful of the representations they make, [because] if they are unclear, or deceptive, or creating opt out, or communicating the opt out in a way that conflicts with consumers’ understanding, there may be room for a Section 5 deception action.”

Section 5 of the Federal Trade Commission Act is perhaps the most critical piece of U.S. Privacy Law. It reads, “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”² The FTC has enforced privacy and security violations over the decades and Congress has granted the Commission additional privacy-related responsibilities over time through federal statute as well.³

[1] https://www.ftc.gov/system/files/documents/public_statements/881513/151116cross-devicetracking.pdf.
[2] 15 U.S.C. § 45(a)(1).
[3] https://www.ftc.gov/system/files/documents/public_statements/735201/150813section5enforcement.pdf.