When it comes to cross-device tracking, privacy policies are not up to snuff – and the Federal Trade Commission is digging in.
In a paper penned by the FTC Office of Technology Research and Investigation (OTech for short), it was revealed that the majority of Alexa’s 100 most popular websites have policies that reserve the right to allow for third-party tracking and data collection, including browser data.
Which is fine.
But those same policies contain little or no explicit discussion of cross-device tracking or whether a consumer has the ability to turn it off.
Although the paper doesn’t represent the FTC’s official stance on cross-device – it was published Thursday in a privacy journal called “Proceedings on Privacy Enhancing Technologies” – it’s surely an indication of the commission’s general sentiments.
“Our research demonstrates that websites share extensive data with third-party services that could allow those third parties to track user behavior across multiple devices, and consumers lack the necessary information to determine precisely whether and when this information is used for cross-device tracking,” the authors wrote.
OTech researchers visited each of the 100 sites four times, resulting in 1,130 distinct connections to additional domains. Many of those domains are owned by companies that don’t participate in the self-regulatory programs run by the Digital Advertising Alliance and the Network Advertising Initiative.
In other words, there’s a vast universe of third parties that aren’t being regulated. Several of the most frequently detected domains were not covered by one or both programs, and of the top 10 third-party services detected, the DAA opt-out regime only applied to six, while the NAI opt-out only applied to five.
Most of the sites under review – 96 out of 100 – allowed users to log in, thereby creating a persistent identifier and a potential trove of deterministic data.
While the report acknowledged several benefits related to cross-device tracking – saving credit card information, past purchase history, shipping information, et cetera – it’s also possible for companies to match cross-device data to offline data without the consumer being aware. Privacy policies were resoundingly mum on whether this was happening or to what extent.
Facebook was recently called out for doing just that by ProPublica in a late December piece that claimed the company was buying sensitive information from data brokers about consumers’ offline lives, including their income and the number of credit cards they have.
But the disclosure of that activity on Facebook’s site only says that it collects info about its users “from a few different sources.”
At the FTC’s workshop last November, the commission did warn that spotty opt-outs and disclosures could trigger an enforcement action.
Companies providing opt-outs “need to be careful about what they’re saying and what it means to opt out,” said Maneesha Mithal, associate director for the FTC’s Division of Privacy and Identity Protection, speaking at the time. “If they are unclear or deceptive in creating the opt-out or communicating the opt-out in a way that conflicts with a consumer’s understanding, there may be room for a Section 5 deception action.”
Although the report did not review the privacy disclosures of third-party companies, the authors did note that it might be a “useful avenue for future research.”
The FTC has historically been a big proponent of self-regulation in the online ad industry, but the vast ad tech ecosystem of third parties out there is putting a strain on self-reg.
Although 67 of the 100 sites studied by OTech provided links to industry self-reg controls, like the DAA’s AdChoice program, which consumers can utilize to limit the collection and use of data for online behavioral targeting, few and far between was the policy that included details on how consumers could prevent cross-device tracking.
When consumers visit sites that they know and trust, they’re not necessarily expecting to have “dozens, 50-plus, 100-plus third-party relationships fired off that that moment,” Digital Content Next CEO Jason Kint pointed out at the workshop.
Even Stanford University Ph.D. candidates like Jonathan Mayer, currently the CTO of the Federal Communications Commission, have trouble sometimes.
“If it’s hard for researchers to figure out what’s going on,” Mayer said at the time, “it’s hard for the general public.”