Home Data Full Disclosure: The FTC Has Its Eye On Cross-Device Tracking

Full Disclosure: The FTC Has Its Eye On Cross-Device Tracking

SHARE:

When it comes to cross-device tracking, privacy policies are not up to snuff – and the Federal Trade Commission is digging in.

In a paper penned by the FTC Office of Technology Research and Investigation (OTech for short), it was revealed that the majority of Alexa’s 100 most popular websites have policies that reserve the right to allow for third-party tracking and data collection, including browser data.

Which is fine.

But those same policies contain little or no explicit discussion of cross-device tracking or whether a consumer has the ability to turn it off.

According to the findings, which were first presented by lead author and OTech policy director Justin Brookman during the FTC’s cross-device tracking workshop in November 2015, only three of the 100 sites tested linked to a privacy policy that clearly acknowledge enabling third-party cross-device tracking. [Read the full report here.]

Although the paper doesn’t represent the FTC’s official stance on cross-device – it was published Thursday in a privacy journal called “Proceedings on Privacy Enhancing Technologies” – it’s surely an indication of the commission’s general sentiments.

“Our research demonstrates that websites share extensive data with third-party services that could allow those third parties to track user behavior across multiple devices, and consumers lack the necessary information to determine precisely whether and when this information is used for cross-device tracking,” the authors wrote.

OTech researchers visited each of the 100 sites four times, resulting in 1,130 distinct connections to additional domains. Many of those domains are owned by companies that don’t participate in the self-regulatory programs run by the Digital Advertising Alliance and the Network Advertising Initiative.

In other words, there’s a vast universe of third parties that aren’t being regulated. Several of the most frequently detected domains were not covered by one or both programs, and of the top 10 third-party services detected, the DAA opt-out regime only applied to six, while the NAI opt-out only applied to five.

Determining Disclosures

Most of the sites under review – 96 out of 100 – allowed users to log in, thereby creating a persistent identifier and a potential trove of deterministic data.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

While the report acknowledged several benefits related to cross-device tracking – saving credit card information, past purchase history, shipping information, et cetera – it’s also possible for companies to match cross-device data to offline data without the consumer being aware. Privacy policies were resoundingly mum on whether this was happening or to what extent.

Facebook was recently called out for doing just that by ProPublica in a late December piece that claimed the company was buying sensitive information from data brokers about consumers’ offline lives, including their income and the number of credit cards they have.

But the disclosure of that activity on Facebook’s site only says that it collects info about its users “from a few different sources.”

Third-Party Problems

At the FTC’s workshop last November, the commission did warn that spotty opt-outs and disclosures could trigger an enforcement action.

Companies providing opt-outs “need to be careful about what they’re saying and what it means to opt out,” said Maneesha Mithal, associate director for the FTC’s Division of Privacy and Identity Protection, speaking at the time. “If they are unclear or deceptive in creating the opt-out or communicating the opt-out in a way that conflicts with a consumer’s understanding, there may be room for a Section 5 deception action.”

Although the report did not review the privacy disclosures of third-party companies, the authors did note that it might be a “useful avenue for future research.”

The FTC has historically been a big proponent of self-regulation in the online ad industry, but the vast ad tech ecosystem of third parties out there is putting a strain on self-reg.

Although 67 of the 100 sites studied by OTech provided links to industry self-reg controls, like the DAA’s AdChoice program, which consumers can utilize to limit the collection and use of data for online behavioral targeting, few and far between was the policy that included details on how consumers could prevent cross-device tracking.

When consumers visit sites that they know and trust, they’re not necessarily expecting to have “dozens, 50-plus, 100-plus third-party relationships fired off that that moment,” Digital Content Next CEO Jason Kint pointed out at the workshop.

Even Stanford University Ph.D. candidates like Jonathan Mayer, currently the CTO of the Federal Communications Commission, have trouble sometimes.

“If it’s hard for researchers to figure out what’s going on,” Mayer said at the time, “it’s hard for the general public.”

Must Read

Comic: Alphabet Soup

Buried DOJ Evidence Reveals How Google Dealt With The Trade Desk

In the process of the investigation into Google, the Department of Justice unearthed a vast trove of separate evidence. Some of these findings paint a whole new picture of how Google interacts and competes with its main DSP rival, The Trade Desk.

Comic: The Unified Auction

DOJ vs. Google, Day Four: Behind The Scenes On The Fraught Rollout Of Unified Pricing Rules

On Thursday, the US district court in Alexandria, Virginia boarded a time machine back to April 18, 2019 – the day of a tense meeting between Google and publishers.

Google Ads Will Now Use A Trusted Execution Environment By Default

Confidential matching – which uses a TEE built on Google Cloud infrastructure – will now be the default setting for all uses of advertiser first-party data in Customer Match.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
In 2019, Google moved to a first-price auction and also ceded its last look advantage in AdX, in part because it had to. Most exchanges had already moved to first price.

Unraveling The Mystery Of PubMatic’s $5 Million Loss From A “First-Price Auction Switch”

PubMatic’s $5 million loss from DV360’s bidding algorithm fix earlier this year suggests second-price auctions aren’t completely a thing of the past.

A comic version of former News Corp executive Stephanie Layser in the courtroom for the DOJ's ad tech-focused trial against Google in Virginia.

The DOJ vs. Google, Day Two: Tales From The Underbelly Of Ad Tech

Day Two of the Google antitrust trial in Alexandria, Virginia on Tuesday was just as intensely focused on the intricacies of ad tech as on Day One.

A comic depicting Judge Leonie Brinkema's view of the her courtroom where the DOJ vs. Google ad tech antitrust trial is about to begin. (Comic: Court Is In Session)

Your Day One Recap: DOJ vs. Google Goes Deep Into The Ad Tech Weeds

It’s not often one gets to hear sworn witnesses in federal court explain the intricacies of header bidding under oath. But that’s what happened during the first day of the Google ad tech-focused antitrust case in Virginia on Monday.