On January 23, 2017, the FTC released a new report outlining its recommendations for companies using cross-device tracking. The report focused on the FTC’s continued commitment to consumer choice, transparency, and security.

What is cross-device tracking?

Cross-device tracking occurs when companies attempt to connect a consumer’s activities across multiple devices. For example, a consumer begins streaming a television show on her computer and then pauses the program. Later when she continues to watch the same program on a different device, the show resumes exactly where she left off.

Generally, cross-device tracking can be categorized into two groups: deterministic or probabilistic. Deterministic cross-device tracking is the most familiar to consumers and requires the consumer to make an affirmative decision to identify themselves on a device. For example, when a consumer logs into a social media account on her smart phone and her laptop. By signing-in, the website identifies the devices as the users. The social media site then uses its functionalities to track the user. Because of this, a search for cooking recipes on a smart phone may led to advertisements on the consumer’s laptop for related cookware and products.

However, companies that use cross-device tracking do not always need consumers to affirmatively identify themselves. Companies that use probabilistic cross-tracking focus on matching IP addresses to determine whether devices are used by the same consumer or household. For example, if multiple devices like a work laptop and a smart phone share the same IP addresses during business hours and non-business hours, the companies infer that the devices belong to the same person and target the person’s advertisement and content accordingly.

What is the FTC’s guidance?

Although companies that advocate for cross-device tracking argue that such programs enhance the consumer experience, in its new report, the FTC stresses that companies must be sensitive to possible consequences for consumers and tailor their practices accordingly.

Specifically, in the report, the FTC noted its concern that companies “do not appear to be explicitly discussing cross-device tracking practices in their privacy policy.” The FTC reminded companies that, under FTC principles, companies must be truthful with consumers. Because of this, the FTC recommended that companies that engage in cross-device tracking disclose the practice and the type of information they are collecting. Failure to provide adequate disclosures, the FTC warned, may violate the FTC Act.

The FTC also stressed the importance of allowing and respecting consumers’ choices regarding what and how their information is being tracked. The FTC reminded companies to be clear on how any opt-out they offer affects cross-tracking. The report also suggested that companies avoid engaging in cross-device tracking on sensitive information such as finances and health data because such information may trigger heightened protections.

Finally, the FTC reminded companies that the FTC Act mandates that companies “maintain reasonable security, in order to avoid future unexpected and unauthorized use of data.” This includes information that may have been gleaned through cross-device tracking. In fact, according to the FTC, companies should be aware that hackers are increasingly targeting this type of data.