[Report] Cross-Device Tracking - An FTC Staff Report

Title: Cross-Device Tracking - An FTC Staff Report (Januray 2017)

Summary: The Federal Trade Commission has examined online behavioral advertising since the mid-1990s, when the internet first emerged as a commercial medium. Since then, the FTC has hosted workshops, issued reports, promoted self-regulation, and developed principles for the online behavioral advertising industry. Throughout this time, the FTC has worked to keep pace with new technological developments in this area, from the use of cookies to track consumers’ browsing behavior, to the use of non-cookie technologies, to cross-app tracking, and now, to the tracking of consumers across their numerous devices. The FTC’s workshop on cross-device tracking is part of a series of efforts to explore emerging issues in the area of online behavioral advertising. 

Cross-device tracking occurs when platforms, publishers, and ad tech companies try to connect a consumer’s activity across her smartphones, tablets, desktop computers, and other connected devices. The goal of cross-device tracking is to enable companies to link a consumer’s behavior across her devices.

Cross-device tracking serves several purposes. It can enable consumers to log into their email or social media accounts from multiple devices and have a seamless experience. It can also allow consumers to “maintain state,” so they can pick up where they left off in a book or movie that they were viewing on a different device. Cross-device tracking also facilitates companies’ efforts to prevent fraud, as they learn which devices typically access consumers’ accounts.1 For instance, if there is an unrecognized device, a company can take steps—such as sending an authentication code to an email address or phone number—to ensure that the new device belongs to the consumer who is trying to access an existing account. Finally, companies can analyze an individual consumer’s activities based not only on her habits on one browser or device, but on her entire “device graph”—the map of devices that are linked to her, her household, or her other devices. Often, companies combine the information from a consumer’s device graph with offline behavior, such as purchases at brick-and-mortar stores. Companies then can use this data for analytics or personalized advertising. Cross-device tracking is most easily performed by first-party services with a direct relationship with the consumer—for example, an email service that a consumer logs onto from different devices. However, third-party companies are tracking consumers with increasing accuracy, correlating user behavior across multiple platforms.

This report describes the FTC’s November 2015 Cross-Device Tracking Workshop, which included discussions about how cross-device tracking works, the benefits and challenges of cross-device tracking, and industry efforts to address the privacy and security implications of this practice. It concludes by providing recommendations to businesses on how to apply the FTC’s longstanding privacy principles to cross-device tracking. Specifically, the report recommends that companies engaged in cross-device tracking: (1) be transparent about their data collection and use practices; (2) provide choice mechanisms that give consumers control over their data; (3) provide heightened protections for sensitive information, including health, financial, and children’s information; and (4) maintain reasonable security of collected data.

View / Download the report | View all papers