Cross-device tracking and other data matching techniques are becoming common place in the ad tech industry. Now self-regulatory organizations and regulators are catching up. Therefore, every participant in this ecosystem should ensure they are following best practices as a customer or provider of such solutions.
2. 1
»Digital Advertising Alliance (DAA)
»Network Advertising Initiative (NAI)
»Federal Trade Commission (FTC)
»Legislation
»B2B contracts
»Q&A
CROSS-DEVICE TRACKING
Don’t Get Crossed Up With Cross-Device Tracking
3. »The Digital Advertising Alliance (DAA) is a consortium
of the leading national advertising and marketing trade
groups who together deliver effective, self-regulatory
solutions to online consumer issues
THE DIGITAL ADVERTISING ALLIANCE
(DAA) WWW.ABOUTADS.INFO
Don’t Get Crossed Up With Cross-Device Tracking2
5. SELF-REGULATORY PRINCIPLES FOR
ONLINE BEHAVIORAL ADVERTISING
»Seven principles
- Education
- Transparency
- Consumer Control
- Data Security
- Material Changes
- Sensitive Data
- Accountability
Don’t Get Crossed Up With Cross-Device Tracking4
6. SELF-REGULATORY PRINCIPLES FOR
ONLINE BEHAVIORAL ADVERTISING
»Key requirements
- Enhanced notice on ads
- Notice on websites with data collection
- Third party liability
- Statement of adherence
- Enforcement (name and shame)
Don’t Get Crossed Up With Cross-Device Tracking5
7. DIGITAL ADVERTISING
ALLIANCE
»Principles
- Self-Regulatory Principles for Online Behavioral
Advertising
- Self-Regulatory Principles for Multi-Site Data
- Application of Self-Regulatory Principles to the
Mobile Environment
- Application of DAA Principles of Transparency
and Control to Data Used Across Devices
»More: eDAA, Digital Advertising Alliance of Canada
Don’t Get Crossed Up With Cross-Device Tracking6
8. APPLICATION OF
SELF-REGULATORY
PRINCIPLES TO THE
MOBILE ENVIRONMENT
»Precise Location Data
»Cross-App Data
»Personal Directory Data
Don’t Get Crossed Up With Cross-Device Tracking7
10. DAA – DATA USED ACROSS DEVICES
1. Transparency
and
2. Consumer
Control
“on the browser
or device on
which choice is
being
exercised…”
Don’t Get Crossed Up With Cross-Device Tracking9
11.
12. NETWORK ADVERTISING
INITIATIVE
»Network Advertising Initiative
- NAI Code of Conduct
- NAI Mobile Application Code
- Guidance on the Use of Non-Cookie Technologies
for Interest-Based Advertising
Don’t Get Crossed Up With Cross-Device Tracking11
13.
14. CROSS-DEVICE TRACKING
STAFF REPORT (JANUARY 2017)
»Recommendations
- Transparency
- Choice
- Sensitive information
- Reasonable security
»Benefits
- Seamless user experience
- Fraud detection and account security
- Better online experience
13 Don’t Get Crossed Up With Cross-Device Tracking
15. CROSS-DEVICE TRACKING
STAFF REPORT (JANUARY 2017)
»Focus on first parties
»Offline and online data
»DAA definition of sensitive information is unduly narrow
»Probabilistic targeting “might be less apparent to consumers”
»Companies don’t discuss cross-device tracking in their privacy
policies (3 out of 100 policies reviewed mentioned it)
»Relevant enforcement actions: Epic Marketplace; ScanScout;
Turn; InMobi
»DAA device-by-device opt-out vs. single opt-out
14 Don’t Get Crossed Up With Cross-Device Tracking
16. FEDERAL TRADE COMMISSION
ACT SECTION 5
»“Unfair methods of competition in or affecting
commerce, and unfair or deceptive acts or practices in
or affecting commerce, are hereby declared unlawful.”
- Deception = Misrepresentations or omissions likely to
mislead consumers acting reasonably under the
circumstances
- Unfairness = Causes or is likely to cause substantial
consumer injury, not reasonably avoided by the
consumer, and not outweighed by countervailing
benefits to consumers or competition
15 Don’t Get Crossed Up With Cross-Device Tracking
17. FTC – IN THE MATTER OF
SCANSCOUT, INC. (DECEMBER 2011)
»Video ad network
»ScanScout privacy policy – “You can opt-out of
receiving a cookie by changing your browser settings
to prevent the receipt of cookies.”
»However, changing browser settings did not remove
or block the Flash cookies used by ScanScout
»Deception claim
16 Don’t Get Crossed Up With Cross-Device Tracking
18. FTC – IN THE MATTER OF NOMI
TECHNOLOGIES, INC. (APRIL 2015)
»In-store beacon technology
»Nomi privacy policy – “Nomi pledges to ... Always allow
consumers to opt-out of Nomi’s service on its website as
well as at any retailer using Nomi’s technology.”
»FTC – “It’s vital that companies keep their privacy
promises to consumers when working with emerging
technologies, just as it is in any other context. If you tell a
consumer that they will have choices about their privacy,
you should make sure all of those choices are actually
available to them.”
17 Don’t Get Crossed Up With Cross-Device Tracking
19. FTC VS. TURN (DECEMBER 2016)
»Turn worked with telco to sync a unique ID with the cookies
and device identifiers of users, even those who had exercised
the choice to turn off tracking
»Turn’s privacy policy stated that consumers could turn off
tracking
»Policy did not disclose this type of tracking
Don’t Get Crossed Up With Cross-Device Tracking18
20. MASSACHUSETTS V. COPELY ADVERTISING
(APRIL 2017)
»Geofencing project
»Copely targeted ads to “abortion-minded women” while in
waiting rooms a health clinics.
»Tagged device IDs when near certain locations for up to 30
days.
»Sensitive data issues
»Consent issues
Don’t Get Crossed Up With Cross-Device Tracking19
21. LEGISLATIVE –
“DO NOT TRACK ONLINE ACT OF 2015”
»Do Not Track Online Act
- Proposed in 2015 by Senators Markey and Blumenthal
- Allows individuals to simply and easily indicate a preference
not to have online activities tracked or personal information
collected by online providers (limited exceptions)
- Prohibits certain uses of personal information
- Allows FTC to pursue civil penalties if consumer requests
are not honored
Don’t Get Crossed Up With Cross-Device Tracking20
22. ILLINOIS
(RIGHT TO KNOW ACT – 2017)
»“Consumers must be more than vaguely informed that a
business might share personal information with third parties”
»Privacy policy - Must identify the categories of PII collected,
the categories of third parties with whom PII is shared; and a
description of the customer’s rights to request information
»Within 30 days of a consumer’s request, an operator must
disclose all categories of PII disclosed and the names of all
third parties that received the PII
»Oh, by the way … there’s a private right of action!
Don’t Get Crossed Up With Cross-Device Tracking21
23. B2B CONTRACTS
»MSAs; IOs; SOWs
»Client contracts
»Vendor contracts
»Media contracts
»Obligation to make disclosures
»Obligation to manage opt-outs
»Compliance with standards
»Liability
»B2C – Privacy policy
22 Don’t Get Crossed Up With Cross-Device Tracking