Full Disclosure and Cross-Device Tracking
Full Disclosure: The FTC Has Its Eye On Cross-Device Tracking
When it comes to cross-device tracking, privacy policies are not up to snuff – and the Federal Trade Commission is digging in.
In a paper penned by the FTC Office of Technology Research and Investigation (OTech for short), it was revealed that the majority of Alexa’s 100 most popular websites have policies that reserve the right to allow for third-party tracking and data collection, including browser data.
Which is fine.
But those same policies contain little or no explicit discussion of cross-device tracking or whether a consumer has the ability to turn it off.
“Our research demonstrates that websites share extensive data with third-party services that could allow those third parties to track user behavior across multiple devices, and consumers lack the necessary information to determine precisely whether and when this information is used for cross-device tracking,” the authors wrote.
OTech researchers visited each of the 100 sites four times, resulting in 1,130 distinct connections to additional domains. Many of those domains are owned by companies that don’t participate in the self-regulatory programs run by the Digital Advertising Alliance and the Network Advertising Initiative.
In other words, there’s a vast universe of third parties that aren’t being regulated. Several of the most frequently detected domains were not covered by one or both programs, and of the top 10 third-party services detected, the DAA opt-out regime only applied to six, while the NAI opt-out only applied to five.
Most of the sites under review – 96 out of 100 – allowed users to log in, thereby creating a persistent identifier and a potential trove of deterministic data.
While the report acknowledged several benefits related to cross-device tracking – saving credit card information, past purchase history, shipping information, et cetera – it’s also possible for companies to match cross-device data to offline data without the consumer being aware. Privacy policies were resoundingly mum on whether this was happening or to what extent.
Facebook was recently called out for doing just that by ProPublica in a late December piece that claimed the company was buying sensitive information from data brokers about consumers’ offline lives, including their income and the number of credit cards they have.
But the disclosure of that activity on Facebook’s site only says that it collects info about its users “from a few different sources.”