Ten Questions that the Federal Trade Commission Should Answer on Cross-Device Online Tracking of Individuals.

1. Why has the FTC waited so long to review this serious threat to our privacy?

The Federal Trade Commission’s November 16, 2015, workshop (link is external) on cross-device tracking is a examination of a very disturbing practice that emerged several years ago. The online industry’s business model of identifying specific individuals and following them on whatever device they may use (PCs, mobile, etc.), so their behaviors can be analyzed for more effective micro-targeting, is well-known. For example, companies such as Drawbridge, which “track how [an] individual user traverses the web on his or her smartphone, tablet, laptop and PC,” and analyze “billions” of pieces of data on us, has been around since 2010.[1] Cross-device targeter Tapad has been operating since 2011.[2] During the last few years there has been a veritable explosion of cross-device tracking of individuals—illustrating how our privacy has been lost regardless of what device we may use.[3]

The FTC should be monitoring much more closely industry developments to expand their data-driven profiling and targeting techniques. The serious erosion of our privacy is reported daily by leading trade publications and is not a secret.[4] The commission—and other agencies responsible for consumer privacy, such as the FCC and CFPB—need to become much more proactive if they are to actually protect the public.

2. Why isn’t the FTC bringing complaints against both Google and Facebook under their respective “consent decrees” for their own cross-device surveillance of consumers?

Both Facebook and Google—as the two dominant online marketing companies—have significantly expanded their own collection, analysis, and use of data from individuals for cross-device tracking. Both companies are under 20-year legal agreements with the FTC that is supposed to ensure that their practices protect our privacy.[5] But the commission has been silent regarding a major violation of our privacy, given the range of Facebook and Google cross-device practices. For example, Facebook’s acquisition of Atlas and its incorporation of new ways to engage in cross-device tracking have not been challenged by the agency.[6] Nor has the FTC pursued Google’s cross-device tracking as a consent decree matter.[7] The commission’s consent decrees are only as good as their enforcement. The FTC’s inaction regarding Facebook’s and Google’s expansion of cross-device data harvesting undermines its claims that its decrees actually protect our privacy.

3. How has the FTC’s and Department of Justice’s (DoJ) failure to stop “Big Data” mergers furthered the expansion of cross-device gathering of our information?

As one of two U.S. antitrust and competition regulators, the FTC plays a key role reviewing mergers and acquisitions. Yet the agency has approved Big Data-related mergers that have further weakened consumer privacy and expanded the ability of marketers to track our behaviors across devices. While the FTC’s consumer protection and competition bureaus are separate, the commission has a responsibility to protect the public. Even with mergers reviewed by the DoJ, the FTC should speak out against deals that erode privacy and place consumers at further disadvantage through the use of Big Data. For example, Oracle was allowed to acquire both BlueKai and Datalogix—significantly expanding its sources of data used to profile Americans and to engage in cross-platform targeting. Alliance Data Systems was permitted to acquire Conversant, which bolstered its cross-device applications. The FTC should acknowledge that it is helping weaken the privacy of the American public by allowing data-driven mergers to be approved without effective consumer safeguards.[8]

4. Isn’t cross-device tracking and targeting just a part of an ever-growing commercial Big Data surveillance complex that continually gathers and uses all our information?

Anyone who follows the online industry recognizes that our privacy is being continually undermined. Every major company has become its own “data broker,” harvesting all the data they directly gather on a person (when you come to their site, for example). They now merge that data with the abundance of so-called third-party information available for sale or use today. A key goal is to engage in what they call “identity management, ”which means using information on us to help influence our actions, purchases, and behaviors. Cross-device tracking is made possible through the unlimited ability companies now have to use our online and offline information without any serious consideration of our privacy.[9]

5. What is the role that Big Data companies and technologies—such as Data Management Platforms (DMPs)—play in cross-device tracking of individuals?

The most powerful U.S. companies are using sophisticated data engines and analytics to gather data on individuals. The growing use of technologies such as DMPs, along with the real-time data targeting now embraced by the industry (known as “programmatic”) is at the core of cross-device practices.[10] While the FTC is aware of these practices, it has not taken any actions to protect consumers.[11]

6. Isn’t the gathering of information from our use of mobile phones, including for cross-device targeting, a major privacy violation?

The answer is yes. The mobile phone is the digital spy in our pockets that we take and use nearly everywhere. Gaining access and insights from our mobile phones serves as a veritable digital gold mine for brands and advertisers. Marketers continually research how we use mobile devices, in order to help their clients identify our actual or intended location, as well other data about us (such as income, race, ethnicity, and gender). Companies such as Facebook, Google, and many others have developed ingenious ways to encourage consumers to use “apps” that, once they are downloaded, report on our actions. Google, for example, explains they can help marketers understand how to take advantage of what they call a person’s “micro-moments”—when through the use of our mobile phone we reveal we are searching for a product, store, activity or location.[12] Cross-device tracking and targeting is fueled by the unchecked data gathering from our mobile devices.[13]

7. Will the FTC address how cross-device tracking is helping marketers and brands reach us when we are in retail, grocery stores, and other “real-world” locations?

As we use our phone or tablet to search for information, download coupons, or scan for price information, these signals allow marketers to learn about our location and quickly connect data they have about us. So-called “hyper-location” tracking enables companies to identify what neighborhoods we live and work in, for example. As stores deploy so-called “beacons,” Wi-Fi-networks, “geo-fences,” and other ways to connect to people in and around stores, the data they gather from our use of multiple devices becomes more complex and valuable to them.[14] Online and offline distinctions are quickly fading, as cross-device tracking merges with sophisticated data targeting services.

8. Can the FTC protect consumers from cross-device tracking when we watch video online?

There is an explosion of video consumption, as more people use their mobile devices to watch online video content. Internet-delivered video to TV’s (so-called “over-the-top”) is another key way we see such programming. Incorporating our video viewing as part of the cross-device tracking apparatus is the latest way our media behaviors are being closely observed, whether we watch on small or large-screen devices.[15]

9. Will the FTC investigate how consumers are tracked and analyzed by cross-device “measurement” services?

Measurement is built in to today’s tracking and targeting online system. Marketers wish to know whether we see an ad or promotional message and how we responded. Since we use multiple devices, measurement techniques now reflect an analysis of what we do on all our devices. With advances in measurement having a direct impact on our privacy, as well as with the transactions we make, the commission should investigate the impact of cross-platform “attribution” techniques now broadly deployed.[16]

10. Will the FTC call on the online industry to “cease and desist” from cross-device tracking until privacy safeguards can be proposed and implemented?

The online ad lobby has—for decades—worked to keep the FTC relatively powerless to protect privacy. It has opposed calls to provide the agency with “rulemaking” authority so it could develop safeguards that would protect the public.[17] The lack of FTC authority to effectively address privacy threats is a key reason why U.S. data-driven marketers are able to expand their commercial surveillance activities.

Despite its lack of power to require companies to engage in a moratorium on cross-device tracking, the FTC should use its moral authority. The commission should declare that the use of cookie syncing, probabilistic or deterministic attribution, unique identifiers, and other methods of stealthily following us from device to device should not be permitted. Leading data companies such as Google and Facebook, digital marketing trade groups such as the Interactive Advertising Bureau and Mobile Marketing Association, data brokers such as Axciom, Oracle, and Merkle, and cross-platform companies such as Tapad and Drawbridge should all be asked to support the commission’s call to stop the tracking of individuals across devices. During the period established for the data-gathering moratorium, the FTC should propose safeguards. The commission’s policies should empower individuals to decide whether and how they can be tracked and analyzed on any device.

It’s time for action by the FTC. It knows that Americans confront the loss of their privacy—and it should speak out against the eavesdropping practices that enable online companies to gather data on us—whether we use a PC, mobile phone, or even TV.