Advertisers looking to use cross-device tracking need to update their privacy practices to make users aware of it, and provide opportunities to opt out. That was the message from a panel of privacy experts hosted by Adobe chief privacy officer MeMe Jacobs Rasmussen at Adobe’s annual summit in Salt Lake City, Utah.
The technology to connect users’ identities across their desktop and mobile devices is relatively new to the ad tech landscape. Until recently, siloed mobile and desktop systems prevented marketers from using the same audience data across devices – desktop behavioural data, collected and applied with cookies, couldn’t be used to target mobile ads, since it wasn’t possible to identify the same user on mobile.
“Say what you do, do what you say, and don’t surprise the user.”
MeMe Jacobs Rasmussen, Adobe
But now companies like Google, Facebook and Adobe are beginning to offer cookieless cross-device user identification, which allows marketers to connect audience profiles to users on whatever device they’re on. That means a user logging in from home, at work or on the go will be identified and targeted using the same data about their past behaviour and preferences.
“We urge everyone to provide transparency,” said panelist Laura Berger, senior attorney at the FTC’s Privacy and Identity Protection division. “Cross-device tracking… may not be transparent to users. And if it involves device fingerprinting, they may not have any choice. And choice is a key privacy practice.”
Consumers likely haven’t realized that their behaviour on a branded mobile app can impact their desktop permissions, and vice versa, Berger said. They’re more likely to see mobile and desktop experiences as separate, and they expect that the privacy decisions they make in those environments are limited to those environments.
For example, if a user gives an app permission to collect their location data, they likely don’t take that to mean the developer can collect and use location data the next time they log in from a work computer.
“Consumers’ expectations change, but I don’t think right now the average consumer can be reasonably expected to think that what she does on her laptop will be tied together with what she does on her desktop, her smart TV and her cellphone,” said Reed Freeman, partner and cybersecurity expert at WilmerHale. “Where there is a lack of reasonable expectation of the activity happening, that provokes an obligation for notice and opt-out.”
Marketers need to be especially careful with probabilistic cross-device tracking, he said. While some cross-device technologies use user logins to identify users on multiple devices (called “deterministic” tracking), many marketers use probabilistic tracking, which uses behavioural signals and predictive algorithms to assess the probability that the user on device A is the same as the user on device B.
The problem arises when the technology attempts to apply users’ opt-out choices probabilistically.
“When you are using a probabilistic cross-device methodology – in other words, it’s not based on a login – the opt-in that you utilize in that context needs to be persistent, and apply across all the devices that user is using,” said Adobe lead counsel for digital marketing Wade Sherman. “It has to work across [a consumer’s] laptop, smartphone, tablet and desktop.”
Accidentally violating opt-outs by making the wrong guess about a user’s identity is a no-fly zone, Freeman said.
“Make sure, above all else, even if you have a probabilistic way of identifying devices one to the other, that the opt out is deterministic,” he said. “You cannot have an opt-out that is [only] likely to work. It must work. You can have ads that might work, but you can’t have an opt-out that might work.”
But an updated TOS may not be enough, Freeman added. In certain jurisdictions, like the U.S., companies can still be held liable for practices deemed unreasonably invasive or unfair, even if they’re outlined in the terms of service.
This has given rise to a practice called “notice in time,” where the marketer informs the user before collecting any data they wouldn’t reasonably expect. For example, if you’re collecting precise geographic information, but you’re not a map service and the user would not expect you to do so, it’s important to give the user direct notice, not just hide it on the seventh page of a TOS document.