Cross-device tracking raises privacy concerns
Marketers want to track you across multiple devices
By Dinah Wisenberg Brin | Published: June 29, 2015
Several years ago, you may have reached the Internet through only a desktop or laptop computer, where advertisers could gather information on your activities and interests through cookies that tracked the places you visited online.
Today, you may be using a laptop, a tablet, a mobile phone and a desktop to roam the Web. Add a wireless fitness gadget or other connected device and it gets very challenging for companies to seamlessly track where you've been and to judge the effectiveness of their online advertisements.
To better keep tabs on your online movements in the multiple-device age, advertisers are turning to cross-device tracking programs, which help them determine if, say, you opened your laptop to buy the product that was advertised on your smartphone. While the technology may hold benefits for marketers and consumers, it's also raising privacy concerns.
Cybersecurity and privacy attorney Michael Morgan, of counsel at Jones Day, says mobile advertising agencies are looking to cross-device tracking to better show clients the value of mobile advertising "and to be able to point to desktop purchases or purchases on iPads that may have been the result of advertisements that were first presented to consumers on a smartphone or other device."
"As more of our lives migrate to the online world, companies are able to have a more clear picture and better understanding of their customers and potential customers," says Morgan.
That could benefit consumers in certain ways. Say you start shopping at your favorite e-tailer on your home computer, then abandon your cart and later try to finish your purchase on your phone. The website may be able to tailor your experience so you don't have to re-add items to your shopping cart or re-enter credit card information.
But to get that level of convenience, you will have to give up some privacy. "The privacy advocates have raised some concerns about the level of information, or the amount of information [that] currently can be known about a consumer from all of their various online activities," says Morgan.
Sign of a post-cookie world
The Federal Trade Commission will hold a workshop Nov. 16 to explore privacy issues, security risks and potential benefits arising from cross-device tracking of consumers for advertising and marketing purposes. "With the advent of new tracking methods ... it's important to ensure that consumers' privacy remains protected as businesses seek to target them across multiple devices," said Jessica Rich, director of the FTC's Bureau of Consumer Protection, in a news release in March.
The agency noted the decreasing effectiveness of cookies in tracking consumers' online activities. "A cookie may paint an incomplete picture of the consumer who switches between different Web browsers at home and at work. Further, a cookie stored on a consumer's browser cannot provide insight into the consumer's activities or preferences within the 'sandboxed' apps on the consumer's phone," the FTC said.
Attorney and data privacy expert Michael Whitener, a partner in the VLP Law Group in Washington, D.C., sees significance in the FTC's decision to hold the workshop. "It reflects the fact that we're entering a post-cookie world, and so the FTC is trying to get a handle on the privacy implications of the new cross-device tracking technologies," he says.
The self-regulatory industry group Network Advertising Initiative, meanwhile, has said it will issue guidance on cross-device, interest-based advertising and has asked its members to provide comments on the relevant standards, according to Whitener. The NAI recently issued member guidance on use of non-cookie technologies but explicitly said it doesn't cover cross-device identification or data collection yet, says Whitener.
Logins and 'digital fingerprints'
The industry uses different approaches to try to follow consumers. It can be as simple as requiring you to log in to a site or service from whatever device you're using. But there are also complex analytics programs that assemble user characteristics to try to identify you from one device to another.
This "probabilistic" tracking method involves the collection of such information as device type, operating system, fonts and Internet Protocol address "to create a digital fingerprint to link a user to different devices," the FTC says. This kind of tracking "is generally invisible to consumers and, unlike tracking through cookies, the consumer has no ability to control it. Accordingly, this practice raises a number of privacy concerns and questions."
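An added illustration, not taken from the article or the FTC, of why the attribute combination described above works as a fingerprint. It counts how many devices in a constructed eight-device sample stay indistinguishable as attributes are combined, and how a uniform font list widens that group. All device names, attribute values and addresses are made up.

```python
import math

# Constructed sample (all rows invented): one record per device, using the
# attributes the FTC lists: device type, operating system, fonts, IP address.
FIELDS = ("id", "device", "os", "fonts", "ip")
ROWS = [
    ("A-laptop", "laptop", "Windows", ("Arial", "Calibri", "Garamond"), "198.51.100.7"),
    ("A-phone",  "phone",  "Android", ("Roboto",),                      "198.51.100.7"),
    ("B-laptop", "laptop", "Windows", ("Arial", "Calibri"),             "203.0.113.20"),
    ("C-laptop", "laptop", "Windows", ("Arial", "Calibri"),             "203.0.113.21"),
    ("D-phone",  "phone",  "Android", ("Roboto",),                      "203.0.113.22"),
    ("E-laptop", "laptop", "macOS",   ("Helvetica",),                   "203.0.113.23"),
    ("F-phone",  "phone",  "iOS",     ("Helvetica",),                   "203.0.113.24"),
    ("G-laptop", "laptop", "Windows", ("Arial", "Calibri"),             "203.0.113.25"),
]
DEVICES = [dict(zip(FIELDS, row)) for row in ROWS]


def anonymity_set(device_id, attrs, devices=DEVICES):
    """Ids of all devices that look identical to device_id on the given attrs."""
    target = next(d for d in devices if d["id"] == device_id)
    key = tuple(target[a] for a in attrs)
    return sorted(d["id"] for d in devices if tuple(d[a] for a in attrs) == key)


def surprisal_bits(device_id, attrs, devices=DEVICES):
    """Identifying information in bits: log2(population / anonymity-set size)."""
    return math.log2(len(devices) / len(anonymity_set(device_id, attrs, devices)))


def with_uniform_fonts(devices=DEVICES, fonts=("Arial",)):
    """Copy of the sample as if every browser reported the same font list."""
    return [{**d, "fonts": fonts} for d in devices]


if __name__ == "__main__":
    for attrs in (["device", "os"], ["device", "os", "fonts"], ["ip"]):
        print(attrs, anonymity_set("A-laptop", attrs), surprisal_bits("A-laptop", attrs))
    # Same query after the font list is made uniform: the group grows again.
    print(anonymity_set("A-laptop", ["device", "os", "fonts"], with_uniform_fonts()))
```

In this sample the laptop is one of four on device type and operating system alone, becomes unique once its font list is added, and shares its IP address with exactly one phone.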
Digital Advertising Association Executive Director Lou Mastria considers cross-device privacy an emerging area for the industry, which has been focused most recently on mobile-environment privacy issues. The group will conduct a review of what cross-device means and what privacy protections can be provided, he told CreditCards.com.
The Better Business Bureau, the DAA's partner in applying industry self-regulatory policies, issued a compliance warning in 2014 noting that the DAA's privacy principles are enforceable "irrespective of the technology employed to collect and use consumer web surfing activity to serve interest-based ads."
Attorney Whitener says he agrees with the position that privacy principles should apply regardless of the tracking technologies being used. He thinks the industry's self-policing may ward off any new regulations. "The FTC may well take the position it took after its workshop on the Internet of Things, which is that specific legislation would be premature and could stifle innovation in this area."
While there are a number of up-and-coming tracking companies, BlueCava, Tapad, and Drawbridge are the big names, Whitener says. The firms gather various pieces of information about Internet users to try to connect them to specific devices. They also offer opt-out mechanisms.
Tapad, for instance, says on its website that its proprietary technology "assimilates billions of data points to find the human relationship between smartphones, desktops, laptops, tablets, connected TVs and game consoles." The firm says its algorithms provide "the highest possible probability that devices are related."
Among the data it may collect is an "obfuscated user identifier, such as email address, but only to evaluate the probability and nature of connections between devices, never to identify the individual." The firm says it's involved in developing industrywide standards for consumer privacy, including clear notice and opt-out choices complying with the Digital Advertising Alliance program for advertising linked to consumer online behavior.
"Notice plus opt-out opportunity is the gold standard in the current environment," says Whitener.
Consumers should keep in mind, however, that the clients of these technology firms -- the websites you interact with -- will have their own privacy policies, which could allow for data collection beyond what the vendor's policy provides, according to Whitener. Ideally, the website will spell out both how it and its service providers collect data, he says.
Writing on the International Association of Privacy Professionals blog early this year, Whitener suggested that digital marketers be fully transparent regarding their data collection and consumer tracking practices; that they provide clear opt-out abilities; and that they be cautious about making no-personal-information-collected claims.
"Privacy policies commonly assert that cookies used by a website operator collect no personal information or that data collected is 'anonymous,'" Whitener wrote. "That assertion may not be true of some cross-device ID methods, which enable identification of specific individuals."
"I am opposed to any tracking by any entity," wrote Blanche Wallace of Florida. "If I desire a product or service, I am quite capable of locating a provider. There should be a quick, easy, and obvious way to opt out of tracking."
Jonathan Bernstein of Illinois wrote: "The most obvious thing to do would be to require any company that tracks any consumer to notify the consumer exactly who is tracking, what is being tracked, and where that data can be shared, each time the consumer logs onto a site that is party to tracking, either with a pop-up window or an email, in real-time at the point of tracking."