Cross-device tracking raises consumer privacy concerns

Experts present best practices as technology races ahead of user expectations

Advertisers looking to use cross-device tracking need to update their privacy practices to make users aware of it, and provide opportunities to opt out. That was the message from a panel of privacy experts hosted by Adobe chief privacy officer MeMe Jacobs Rasmussen at Adobe’s annual summit in Salt Lake City, Utah.

The technology to connect users’ identities across their desktop and mobile devices is relatively new to the ad tech landscape. Until recently, siloed mobile and desktop systems prevented marketers from using the same audience data across devices – desktop behavioural data, collected and applied with cookies, couldn’t be used to target mobile ads, since it wasn’t possible to identify the same user on mobile.

Say what you do, do what you say, and don’t surprise the user

MeMe Jacobs Rasmussen, Adobe

But now companies like Google, Facebook and Adobe are beginning to offer cookieless cross-device user identification, which allows marketers to connect audience profiles to users on whatever device they’re on. That means a user logging in from home, at work or on the go will be identified and targeted using the same data about their past behaviour and preferences.

“We urge everyone to provide transparency,” said panelist Laura Berger, senior attorney at the FTC’s Privacy and Identity Protection division. “Cross-device tracking… may not be transparent to users. And if it involves device fingerprinting, they may not have any choice. And choice is a key privacy practice.”

Consumers likely haven’t realized that their behaviour on branded mobile app can impact their desktop permissions, and vice versa, Berger said. They’re more likely to see mobile and desktop experiences as separate, and they expect the privacy decisions they make in those environments are limited to those environments.

For example, if a user gives an app permission to collect their location data, they likely don’t take that to mean the developer can collect and use location data the next time they log in from a work computer.

“Consumers’ expectations change, but I don’t think right now the average consumer can be reasonably expected to think that what she does on her laptop will be tied together with what she does on her desktop, her smart TV and her cellphone,” said Reed Freeman, partner and cybersecurity expert at WilmerHale. “Where there is a lack of reasonable expectation of the activity happening, that provokes an obligation for notice and opt-out.”

Marketers need to be especially careful with probabilistic cross-device tracking, he said. While some cross-device technologies use user logins to identify users on multiple devices (called “deterministic” tracking), many marketers use probabilistic tracking, which uses behavioural signals and predictive algorithms to assess the probability that user on device A is the same as user on device B.

The problem arises when the technology attempts to apply users’ opt-out choices probabilistically.

“When you are using a probabilistic cross-device methodology – in other words, it’s not based on a login – the opt-in that you utilize in that context needs to be persistent, and apply across all the devices that user is using,” said Adobe lead counsel for digital marketing Wade Sherman. “It has to work across [a consumer’s] laptop, smartphone, tablet and desktop.”

Accidentally violating opt-outs by making the wrong guess about a user’s identity is a no-fly zone, Freeman said.

“Make sure, above all else, even if you have a probabilistic way of identifying devices one to the other, that the opt out is deterministic,” he said. “You cannot have an opt-out that is [only] likely to work. It must work. You can have ads that might work, but you can’t have an opt-out that might work.”

Panelists also said that marketers must be careful to make sure their company’s privacy policy aligns with what they’re actually doing online. With the rapidly evolving digital marketing ecosystem – and the lack of transparency in the ad tech supply chain – technologies like cross-device tracking may be implemented faster than terms of service [TOS] agreements can be updated.

“Say what you do, do what you say, and don’t surprise the user,” said Adobe’s Rasmussen. “You’re all saying what you do. That’s in your privacy policy. But your lawyers wrote that policy. You should go back and read that policy, and make sure you’re doing what you and your lawyers are saying you are doing. If you’re not, go call up your friendly lawyer and discuss it. Because you need to have those two match.”

But an updated TOS may not be enough, Freeman added. In certain jurisdictions, like the U.S., companies can still be held liable for practices deemed unreasonably invasive or unfair, even if they’re outlined in the terms of service.

This has given rise to a practice called “notice in time,” where the marketer informs the user before collecting any data they wouldn’t reasonably expect. For example, if you’re collecting precise geographic information, but you’re not a map service and the user would not expect you to do so, it’s important to give the user direct notice, not just hide it on the seventh page of a TOS document.

“Take your policy out and highlight anything that would surprise your mother,” Freeman said. “All of those things are things that the FTC says are not appropriate for disclosure solely in a privacy policy, but should be disclosed just-in-time, or in some other more robust way.”

Add a comment

You must be to comment.

Tech Articles

Canadians warm up to social commerce

PayPal and Ipsos research shows "Shop Now" buttons are gaining traction

Online ad exchange AppNexus cuts off Breitbart

Popular online ad exchange bans site for violating hate speech policy

Videology brings Bryan Segal on board

Former Engagement Labs CEO to lead Canadian operations

A CEO’s tips for using DIY video in consumer marketing (Column)

Vidyard's Michael Litt argues against outdated 'text tunnel vision'

Facebook buys facial analysis software firm

FacioMetrics acquisition could lead to a new kind of online emoting

4 ways to reimagine marketing with martech

Data is the new language in a hyper-connected world

Lyft taps retail tech to connect drivers to smartphones

U.S. brand shaves the 'stache and moves to beacons

Facebook tweaks race-based online ad targeting

Social giant says discriminatory ads have "no place" on its platform