The cookie, which has reigned supreme in digital marketing for more than 15 years, is finding its dominance under siege. A new wave of digital ID technologies and methodologies offered by companies such as Drawbridge, Tapad and BlueCava has emerged, specifically tailored for a multiscreen world in which, according to one recent British study, users can switch from laptop to smartphone to tablet an average of 21 times in a single hour. Cookies, given their limited utility in a mobile and app-driven environment, can no longer keep up.
The technologies replacing the cookie hold promise for solving the primary riddle facing digital marketers today: How do you pitch your advertisements to the same consumer across multiple devices? But just as the privacy concerns relating to cookies were being resolved via solutions such as notice/consent requirements and do-not-track, cross-device tracking is raising a raft of new privacy issues that pose novel challenges.
Last year, the Digital Advertising Alliance (DAA) decided to get in front of these cross-device privacy concerns by issuing a “compliance warning” to clarify that its Self-Regulatory Principles for Online Behavioral Advertising (OBA) were applicable “irrespective of the technology employed to collect and use consumer web-surfing activity to serve interest-based ads” and “no matter by what technical means data for OBA is collected.”
In the DAA’s view, the cornerstones of the OBA Principles, transparency through real-time notice and consumer control through an easy-to-use opt-out mechanism, are just as applicable to alternative ID technologies as to cookies. But while HTTP cookies are relatively easy to locate, view and delete via common browser options, that's not necessarily the case with the new ID techniques. Inevitably, the question is raised whether, in a post-cookie world, a new regulatory regime is necessary to protect privacy.
The DAA demonstrated how the current OBA Principles apply to cross-device ID methodologies when it challenged the data-collection practices of BlueCava in 2012. BlueCava uses a proprietary technology to determine the likelihood that multiple devices are associated with the same household. According to the DAA decision in this matter, BlueCava explained in its privacy policy how the technology worked and provided consumers with an opt-out, but the policy was vague as to whether the opt-out mechanism was effective across multiple devices or worked only on the device from which the consumer exercised the opt-out. In response to the DAA investigation, BlueCava clarified its privacy policy to state that the opt-out was effective only on a single device. BlueCava now offers its clients a cross-screen opt-out mechanism.
While the Federal Trade Commission (FTC) has not yet brought an enforcement action specifically targeting cross-device tracking, it appears clear that the FTC’s broad authority under Section 5(a) of the FTC Act to prevent “unfair or deceptive acts or practices” would allow it to do so. It has already exercised its regulatory muscle against novel tracking technologies such as Flash cookies (ScanScout, Inc.) and history-sniffing scripts (Epic Marketplace, Inc.).
Undoubtedly, other post-cookie ID technologies could be subject to enforcement actions if found to be unfair or deceptive to consumers.
Not everyone agrees, however, that the current regulatory and self-regulatory regime is sufficient. The Center for Digital Democracy, in comments submitted to the FTC last year, said, “Current self-regulatory approaches are ineffective and do a disservice to consumers by falsely claiming to provide privacy protection and user control.” Sen. Edward J. Markey (D-MA) has called for an FTC investigation of “the expansion of tracking across consumer devices.”
One challenge to coming up with any kind of targeted regulatory “solution” is that the technology for cross-device tracking comes in different flavors. Broadly speaking, there are two approaches:
1. Deterministic
If a user can be positively identified across multiple devices, for instance, because the user has logged into a platform such as Google, Facebook, Yahoo or Twitter, it can be “determined” who the user is for purposes of targeted advertising. Deterministic tracking has the virtue of being highly accurate but also raises the greatest privacy concerns because accuracy is made possible by use of personally identifiable information. It also has limitations of scale outside of the “walled gardens” of the major platforms with millions of users, although it is also possible to stitch together data from multiple publishers that have logged-in users.
2. Probabilistic
Probabilistic tracking depends upon collecting nonpersonal data regarding device attributes like operating system, device make and model, IP addresses, ad requests and location data, and making statistical inferences to link multiple devices to a single user. While the purveyors of probabilistic methodologies argue that they do not compromise privacy, there is a degree of black-box mystery to their statistical data-gathering and analytical practices, which use proprietary algorithms and are therefore closely guarded. The more accurate the probabilistic methods, the more likely they could allow identifying a specific individual.
Some digital marketing companies are combining the deterministic and probabilistic approaches. For instance, “device graphs” can be created by combining nonpersonal data regarding use of smartphones and other devices with personal log-in information.
While the technological and regulatory environment remains in flux, what is the digital marketer to do? Here are a few tips:
- Be Transparent
Nothing is more certain to raise the ire of the FTC than failure of a company to fully disclose its consumer tracking and data collection practices. A clear, meaningful and prominent notice of data collection and use practices should be provided at the point of data collection, whether on a website or within an app. Try to follow the “surprise minimization” principle advocated by the California Office of the Attorney General, which proposes that privacy policies be supplemented with enhanced measures like just-in-time notices that alert users to the potentially unexpected ways their data is being collected, e.g., location data, and give them an opportunity to prevent the practice.
- Provide a Clear Opt-Out
Users should be provided with a clear mechanism for withdrawing consent to the collection and use of their data. Either opt-outs should be honored across multiple devices, perhaps by links to back-end servers, or there should be an explanation of how opt-out can be exercised for different devices and data collection methods, e.g., in browsers vs. iOS or Android mobile applications. Employing Privacy by Design principles will help ensure that methods for opting out are built into apps and ID technologies at the product development stage. Make sure your vendors and partners play by the same opt-out rules and include opt-out commitments in your services contracts.
- Be Wary of Making Broad “No PI Collected” Claims
Privacy policies commonly assert that cookies used by a website operator collect no personal information or that data collected is “anonymous.” That assertion may not be true of some cross-device ID methods, which enable identification of specific individuals. Moreover, the definition of “personal information” is constantly shifting (and expanding): witness the 2013 revisions to the Children’s Online Privacy Protection Rule, which now defines “personal information” to include “a persistent identifier that can be used to recognize a user over time and across different websites or online services.” Note that unique device identifiers are explicitly included within this definition.
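The cross-device opt-out from the “Provide a Clear Opt-Out” tip, as an added example that is not from the article or from any vendor's code: a back-end registry keeps the device graph and applies an opt-out to every device linked to the one where the user exercised it, including devices linked later. The class, method names and device IDs are hypothetical, and the example assumes links are never removed.

```python
# Added example: back-end opt-out registry over a device graph.
# All names and device IDs are hypothetical and constructed for illustration.

class DeviceGraph:
    """Union-find over device IDs; an opt-out covers a whole linked cluster."""

    def __init__(self):
        self._parent = {}        # device id -> parent device id
        self._opted_out = set()  # cluster roots whose user has opted out

    def _find(self, device):
        self._parent.setdefault(device, device)
        root = device
        while self._parent[root] != root:
            root = self._parent[root]
        # Path compression: point every node on the path at the root.
        while self._parent[device] != root:
            nxt = self._parent[device]
            self._parent[device] = root
            device = nxt
        return root

    def link(self, a, b):
        """Record that two devices are believed to belong to the same user."""
        ra, rb = self._find(a), self._find(b)
        if ra == rb:
            return
        # If either side has opted out, the merged cluster stays opted out.
        opted = ra in self._opted_out or rb in self._opted_out
        self._parent[rb] = ra
        self._opted_out.discard(rb)
        if opted:
            self._opted_out.add(ra)

    def opt_out(self, device):
        """Opt out the device and everything currently linked to it."""
        self._opted_out.add(self._find(device))

    def may_target(self, device):
        """True only if no device in this device's cluster has opted out."""
        return self._find(device) not in self._opted_out


def demo():
    g = DeviceGraph()
    g.link("phone-1", "laptop-1")      # linked before the opt-out
    g.opt_out("laptop-1")              # user opts out on the laptop only
    before = g.may_target("tablet-1")  # tablet not yet linked to this user
    g.link("tablet-1", "phone-1")      # linked after the opt-out
    return g.may_target("phone-1"), before, g.may_target("tablet-1")
```

A per-device opt-out flag would leave the phone and the later-linked tablet targetable, which is the single-device behaviour the BlueCava privacy policy had to disclose.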
The cross-device privacy arena is one to be watched closely for developments, both technological and regulatory, in 2015.