Photo of Julie O'Neill

With much fanfare, the Federal Trade Commission (FTC) continues to take actions relating to so-called “social media influencers” who allegedly fail to disclose material connections to the products or brands they endorse. Recurring enforcement actions and guidance—and the FTC’s ongoing promotion of its own efforts, such as through Twitter chats—make it clear that the FTC believes that its message has still not been heard by all of the players in this advertising ecosystem, including influencers themselves.

In short, any endorsements in any medium where the endorser has a material connection of any kind to the endorsed advertiser must be disclosed.

The most recent developments include an enforcement action against a company—and two of its officers—in connection with endorsements of the company made by the officers in YouTube videos and in social media.  Before turning to this case, however, we provide a brief overview of how the FTC has gotten here. Continue Reading Brands Beware: FTC Continues Campaign on Social Media Influencer Disclosures

Recent challenges to the Federal Trade Commission’s (FTC) authority to police data security practices have criticized the agency’s failure to provide adequate guidance to companies.

In other words, the criticism goes, businesses do not know what they need to do to avoid a charge that their data security programs fall short of the law’s requirements.

A series of blog posts that the FTC began on July 21, 2017, titled “Stick with Security,” follows promises from acting Chair Maureen Ohlhausen to provide more transparency about practices that contribute to reasonable data security. Some of the posts provide insight into specific data security practices that businesses should take, while others merely suggest what, in general, the FTC sees as essential to a comprehensive data security program. Continue Reading More Insight From the FTC on Data Security—or More of the Same?

BigBrotherEye-GettyImages-149355675-600pxIf your company collects information regarding consumers though Internet-connected devices, you will want to take note of the Federal Trade Commission’s (FTC) recent privacy-related settlement (brought in conjunction with the New Jersey Attorney General) with smart TV manufacturer Vizio, Inc. The settlement is significant for four reasons:

  • The FTC reinforces the position it has taken in other actions that the collection and use of information in a way that would surprise the consumer requires just-in-time notice and choice in order to avoid a charge of deception and/or unfairness under Section 5 of the FTC Act.
  • The FTC takes the position that television viewing activity constitutes sensitive data. This marks a departure from its approach of limiting sensitive data to information that, for example, can facilitate identity theft, precisely locate an individual, is collected online from young children or relates to matters generally considered delicate (such as health information).
  • The settlement includes a payment of $1.5 million to the FTC (as well as payment of civil penalties to New Jersey), but the legal basis for the FTC payment is not stated. This could suggest that the FTC will more aggressively seek to obtain injunctive monetary relief in Section 5 cases.
  • Acting Chairwoman Maureen Ohlhausen explicitly noted in a concurring statement her skepticism regarding both the allegation that TV viewing data is “sensitive” and that the FTC’s complaint adequately established that the practices at issue constitute “substantial injury” under the unfairness prong of Section 5.

Leaving aside what the chairwoman’s concurrence may portend for future enforcement efforts, the FTC again seems to be using allegedly bad facts about privacy practices to push the envelope of its authority. Accordingly, with the Internet of Things boom fueling a dramatic increase in the number of Internet-connected devices, companies that either collect information via such devices or make use of such collected information should consider the implications of this enforcement action.

Continue Reading Watch Out: The Federal Trade Commission Continues to Watch the (Alleged) Watchers

Devices_482856241Well over a year after holding a workshop addressing privacy issues associated with cross-device tracking, Federal Trade Commission (FTC) staff have issued a report. The report sets the stage by describing how cross-device tracking works, noting its “benefits and challenges,” and reviewing (and largely commending) current industry self-regulatory efforts.

The report also makes recommendations, which—while building upon the staff’s traditional themes of transparency and choice—do not introduce any materially new suggestions for compliance.

The staff’s recommendations do not have the force of law, but they do indicate the steps that the staff believes a company should take in order to avoid a charge of unfairness or deception under Section 5 of the FTC Act.

A Quick Review of Cross-Device Tracking

As more consumers utilize multiple devices in their daily lives, more and more companies are using new technologies to attempt to ascertain that multiple devices are connected to the same person. This is generally done through the use of either deterministic information (e.g., by recognizing a user through the log-in credentials he or she uses across different devices) or probabilistic information (i.e., by inferring that multiple devices are used by the same person based on information about the devices, such as IP address, location, and activities on the devices).

Continue Reading FTC Report Reinforces the Rules for Cross-Device Tracking

Recent enforcement decisions within the digital advertising industry indicate a shift in—and a clarification of—the required disclosures for companies engaged in interest-based advertising (IBA).

In particular, these decisions, taken together, indicate that an app developer’s link to its privacy policy at the point of app download may be deemed insufficient, unless the link points directly to the IBA disclosure section of the policy, or there is a clear link at the top of the policy that directs the user to that section.

Further, these decisions suggest that companies that comply with the digital advertising industry’s IBA self-regulatory principles should expressly affirm such compliance in their privacy policies.

Background

Some quick background: IBA is the collection of information about users’ online activities across different websites or mobile applications, over time, for the purpose of delivering online advertising to those users based on those activities. Although IBA is an important part of the online eco-system, if not done right, it can raise privacy concerns among consumers, who may feel that they are being spied upon by advertisers.

The Digital Advertising Alliance (DAA) has worked to ensure that IBA is done right. The DAA is a consortium of media and marketing associations that, in an effort to ward off legislation, has designed and implemented a self-regulatory compliance regime that seeks to address the Federal Trade Commission’s (FTC) IBA notice and choice expectations. The principles underlying this compliance regime are set out in the DAA’s Self-Regulatory Principles (“DAA Principles”). The DAA enforces these principles through the IBA accountability program, run by the Council of Better Business Bureaus and the Direct Marketing Association.

The DAA self-regulatory program is, at its heart, a notice-and-choice regime. In short, to facilitate such notice and choice, the DAA provides an advertising option icon to be placed in or near an online interest-based ad. By clicking on the icon, a consumer is sent to a landing page that describes the data collection practices associated with the ad and provides an opt-out mechanism.

Importantly, however, the DAA Principles have also been interpreted by the IBA accountability program to require “enhanced” notice on any website where information is collected for IBA purposes. In response to this interpretation, website publishers typically provide such notice in the form of an “Our Ads” or similarly named link in the site footer, separate from the privacy policy link, that clicks through to the same landing page as the advertising option icon, or to similar notice and choice information.

The Recent Decisions

In its recent enforcement actions, the IBA accountability program appears to have exported this manifestation of the enhanced notice requirement to mobile applications, notwithstanding the provisions of the DAA’s guidance on the Application of Self-Regulatory Principles to the Mobile Environment, first published in 2013.

That guidance expressly provides that app publishers (i.e., “first parties”) that permit third parties to collect information for IBA purposes must “provide a clear, meaningful, and prominent link to a disclosure that either points to a choice mechanism or setting that meets Digital Advertising Alliance specifications or individually lists such Third Parties.” This notice must be provided in two separate locations:

  • Either prior to download (e.g., in the app store on the application’s page), during download, on first opening of the app, or at the time cross-app data is first collected; and
  • In the application’s settings or any privacy policy.

The IBA accountability program appears, however, to be taking the position that a link to the privacy policy from the app store (or any other location) is not enough to meet this first prong.  That is, a “clear, meaningful, and prominent link” to the IBA disclosure must be a link directly to the IBA section of the privacy policy, in the same way that the “Our Ads” or similarly named link in the site footer clicks through to the IBA section of the privacy policy.

The IBA accountability program’s Spinrilla decision, for example, states that the accountability program could not find an “enhanced link notice separate from the privacy policy link” in the applicable app stores and affirmed that if only one privacy policy link will be used in the app store (where it is typically not possible to provide two separate links), “the link to the privacy policy must either go directly to the pertinent discussion of IBA or direct the user to that place through a clear link at the top of the privacy policy.”

The other accountability program decisions, Bearbit Studios and Top Free Games, reaffirm this interpretation. In light of these decisions, app publishers may want to revisit how they provide “enhanced notice” of their IBA practices.

Finally, the Mobile Guidance states that first parties should “indicate adherence” to the DAA Principles in their privacy policies. The accountability program decisions noted the absence of this language in the companies’ privacy policies, and the companies appear to have added language to their disclosures to comply with this obligation. Whether a company would want to affirmatively make this representation of its own accord is something that may warrant additional consideration, as the company’s failure to fully comply with such a representation could give rise to a charge of deception under Section 5 of the FTC Act or a similar state law.

The Upshot

In light of these developments, a company engaged in IBA should:

  • If engaged in IBA with respect to one or more of its apps, review how it discloses its IBA practices at the point of app download; and
  • Discuss with counsel the advisability of expressly stating adherence to the DAA Principles in its privacy policy.

 

*                      *                     *

 

For background information on the DAA program and its applicability to the mobile environment, please see our earlier Socially Aware blog post, Digital Advertising Alliance Focuses on Mobile Ads. For more on consumer privacy issues generally, please see the following posts: A Warning for Websites Allowing Data Collection for Online Behavioral Advertising; FTC’s Privacy Report Suggests Tightening of Privacy Regime, Provides Guidance to Business; and Tracking the Trackers: Social Media Companies Face Pressure for Tracking Users’ Browsing Habits.

 

Social media is all about innovation, so it is no surprise that social media marketers are always looking for innovative ways—such as courting social media “influencers” and using native advertising—to promote products and services to customers and potential customers. But, as the retailer Lord & Taylor recently learned, the legal rules that govern traditional marketing also apply to social media marketing.

 

Earlier this year, the Federal Trade Commission (FTC) reached a settlement with Lord & Taylor in a dispute involving its online advertising practices. According to the FTC’s Complaint, Lord & Taylor allegedly:

  • gifted a dress to 50 “fashion influencers” and paid them to post on their Instagram accounts photos of themselves in the dress during a specified timeframe; and
  • paid for, reviewed and preapproved Instagram posts and an article in an online magazine, Nylon.

In neither case, according to the FTC, was Lord & Taylor’s role in the promotional effort appropriately disclosed.

On these alleged facts, the FTC brought three counts alleging the following violations of Section 5 of the FTC Act’s prohibition on deceptive practices:

  • the failure to disclose that the influencers’ Instagram posts did not reflect their independent and impartial statements, but rather were specifically created as part of an advertising campaign;
  • the failure to disclose or adequately disclose that the influencers were paid endorsers; and
  • the failure to disclose that the Nylon materials were not independent statements and opinions of the magazine, but rather “paid commercial advertising.”

As has been widely remarked, this is not the first time the FTC has brought a case relating to social media advertising. The settlement, however, is noteworthy because it brings together issues relating to both native advertisements and endorsements. The FTC has been focusing on these issues since late 2014; its activities have included:

  • Settling with the advertising firm Deutsch LA, Inc. in late 2014 in connection with its allegedly deceptive activities relating to the promotion, on behalf of its client Sony, of the PlayStation Vita handheld gaming console through Twitter (we wrote about the Deutsch LA case on Socially Aware).
  • Settling in September 2015 with Machinima, Inc., an online entertainment network that allegedly paid video bloggers to promote the Microsoft Xbox One system (we also wrote about the Xbox One settlement on Socially Aware).
  • Issuing a closing letter, at the same time as the Machinima settlement, indicating that the FTC had investigated Microsoft and Microsoft’s advertising agency, Starcom, in relation to the influencer videos at issue in Machinima. The closing letter was significant because it suggested that the FTC was primed to take the position that a company whose products are promoted bears responsibility for the actions of its ad agencies—as well as the actions of those engaged by its ad agencies.
  • Releasing a policy statement and guidance on native advertising in late 2015, which warned companies—again—that it is deceptive, in violation of Section 5, if reasonable consumers are misled as to the true nature or source of an advertisement. (Our Client Alert on these materials can be read here.)

The compliance issue with native advertising is that content that does not appear to be advertising—such as an advertisement or promotional article in an online or print publication formatted to look like the non-advertising materials in the same publication—must be clearly and conspicuously disclosed as advertising. The relevant compliance issue with endorsements is that any payment or other compensation received by the endorser from the promoter must be appropriately disclosed.

The concept underlying native advertisements and endorsements is the same: Consumers must be aware that they are reviewing promotional material, not “native” or “organic” content, whether it is on a social media platform, a website or in a print publication.

The Lord & Taylor settlement is yet another clear signal that paid promotions of any kind, in any medium, must be disclosed. Given the FTC’s focus on these issues and the repeated enforcement actions, especially with respect to social media endorsements, it is likely that the FTC will continue to enforce in this area until it is convinced that the market understands the disclosure rules.

In light of the risk in this area, the Lord & Taylor Consent Order is noteworthy, as it provides valuable insight into how the FTC expects companies to avoid running afoul of the endorsement and native advertising rules.

For example, the Order requires Lord & Taylor to provide any endorser “with a clear statement of his or her responsibility to disclose, clearly and conspicuously,” the material connection between the retailer and the endorser in any advertisement and communication, and to obtain a signed and dated acknowledgment of receipt of this statement from the endorser. In addition, the Order requires Lord & Taylor to maintain a system to monitor and review its endorsers’ representations and disclosures. Taken together, these requirements essentially lay out components of a compliance program that any company using social media for advertising should consider.

Of course, any such program requires time and resources, and no company has those in infinite supply. But, moving beyond the FTC’s Complaint and Order, there are other noteworthy aspects of the social media endorsement issue that appear to have been overlooked.

According to news reports and comments from Lord & Taylor, it appears that the company (and commentators) recognized the potential FTC compliance issue right after the ad campaign launched. The company reportedly stated, after the settlement, that “it came to our attention [a year ago] that there were potential issues with how the influencers posted about a dress in this campaign, [and] we took immediate action with the social media agencies that were supporting us on it to ensure that clear disclosures were made.” And, indeed, articles from the time of the advertising campaign noted, for example, that “the [endorsing] bloggers left out an important piece of information in their Instagram posts: a disclosure that they had been paid to post by Lord & Taylor.” Another website commented at the time that the bloggers “failed to mention they were paid,” and suggested that the company was getting away with violating the FTC Act (though it did note that many bloggers had gone back to add “#sponsored or #ad to their posts).” The immediate aftermath of the Lord & Taylor campaign that ultimately formed the FTC’s case suggests that awareness of the issues is rising among the public, and that even a quick fix can be too late.

In light of this awareness, the failure to disclose obvious ties between the endorser and the promoter can undermine a campaign. And, even though the FTC does not have the authority to impose civil money penalties for these types of violations of the FTC Act, state Attorneys General appear to be getting in on the act. Machinima, Inc., for example, settled allegations with the FTC regarding its use of influencers in promoting the Xbox One (as we noted above). A few months later, however, the company entered into a settlement with the New York Attorney General that included a penalty of $50,000 for its alleged failure to disclose payments to the influencers.

These events strongly suggest that ensuring appropriate disclosures is more than just an FTC compliance issue. While the FTC is actively enforcing in this space, the margin of error is shrinking not only because of the FTC, but also because of the increasing awareness of the public, and the new risk of enforcement (including financial penalties) by state Attorneys General.

 

*    *    *

For more information on potential legal hurdles for companies engaged in social media marketing, please see these related blog posts:

An FTC Warning on Native Advertising

FTC Continues Enforcing Ad Disclosure Obligations in New Media and Issues a Warning to Advertisers

FTC Enforcement Action Confirms That Ad Disclosure Obligations Extend to Endorsements Made in Social Media

Magnifying2In a new report, the Federal Trade Commission (FTC) declines to call for new laws but makes clear that it will continue to use its existing tools it to aggressively police unfair, deceptive—or otherwise illegal—uses of big data. Businesses that conduct big data analytics, or that use the results of such analysis, should familiarize themselves with the report to help ensure that their practices do not raise issues.

The report, titled “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues” grew out of a 2014 FTC workshop that brought together stakeholders to discuss big data’s potential to both create opportunities for consumers and discriminate against them. The Report aims to educate businesses on key laws, and also outlines concrete steps that businesses can take to maximize the benefits of big data while avoiding potentially exclusionary or discriminatory outcomes.

What Is “Big Data”?

The Report explains that “big data” arises from a confluence of factors, including the nearly ubiquitous collection of consumer data from a variety of sources, the plummeting cost of data storage, and powerful new capabilities of drawing connections and making inferences and predictions from collected data. The Report describes the life cycle of big data as involving four phases:

  • Collection: Little bits of data are collected about individual consumers from a variety of sources, such as online shopping, cross-device tracking, online cookies or the Internet of Things (i.e., connected products or services).
  • Compilation and Consolidation: The “little” data is compiled and consolidated into “big” data, often by data brokers who build profiles about individual consumers.
  • Data Mining and Analytics: The “big” data is analyzed to uncover patterns of past consumer behavior or predict future consumer behavior.
  • Use: Once analyzed, big data is used by companies to enhance the development of new products, individualize their marketing, and target potential consumers.

The Report focuses on the final phase of the life cycle: the use of big data. It explores how consumers may be both helped and harmed by companies’ use of big data.

Benefits and Risks of Big Data

The Report emphasizes that, from a policy perspective, big data can provide significant opportunities for social improvements: big data can help target educational, credit, health care, and employment opportunities to low-income and underserved communities.  For instance, the Report notes that big data is already being used to benefit underserved communities, such as by providing access to credit using nontraditional methods to establish creditworthiness, tailoring health care to individual patients’ characteristics, and increasing equal access to employment to hire more diverse workforces. Continue Reading Big Data, Big Challenges: FTC Report Warns of Potential Discriminatory Effects of Big Data

brand advertising word cloud

“Native advertising”—ads that may blur the distinction between advertising and editorial, video or other content—has been a hot topic in recent years for both marketers and regulators. It is popular with marketers because it is apparently an effective advertising model. The Federal Trade Commission (FTC), on the other hand, contends that it may be deceptive when the advertising content is not readily identifiable to consumers as such, and it has just issued guidance on how advertisers can stay on the right side of the law. On December 22, 2015, the FTC released an Enforcement Policy Statement on Deceptively Formatted Advertisements that focuses in particular on “native” advertising, along with guidance for businesses on native advertising that further fleshes out the FTC’s expectations.

The Enforcement Policy Statement defines “natively formatted advertising” as communications “that match the design, style, and behavior of the digital media in which it is disseminated.” For example, an advertisement may be integrated into a newspaper website, with a “headline” and then a few lines of text, so that it appears similar to substantive, publisher-generated news articles posted on the website. Native advertisements may also appear on social media platforms and may be delivered as videos or through other media.

Regardless of format, the rule is the same. As the Statement puts it:

Deception occurs when an advertisement misleads reasonable consumers as to its true nature or source, including that a party other than the sponsoring advertiser is the source of an advertising or promotional message, and such misleading representation is material.

In light of this principle, the FTC may deem an advertisement that looks like an ordinary news article to be deceptive if consumers are not provided with sufficient information to differentiate the advertisement from publisher-generated, non-advertising content. This information may be inherent in the nature of the advertisement, or it may require a separate disclosure indicating that the advertisement is a marketing communication. For example, in FTC v. Coulomb Media, Inc., as well as other cases, the FTC alleged that defendants deceptively used fake news websites to market açai berry products. Similarly, and more recently, in FTC v. NourishLife, LLC, the FTC alleged that the defendants misrepresented that a so-called research website was an independent source for information about the speech disorder apraxia, when in fact the website advertised the health benefits of the company’s products.

A disclosure may be important because, even if the substance of the natively formatted advertisement is not deceptive, the nature of the advertisement itself can be deceptive. In this regard, the FTC has recently brought enforcement actions and warned about advertising that appears to be user-generated commentary about a product or service but is in fact marketing content created by or on behalf of an advertiser. You can read more about these enforcement actions here and here.

To put it another way, the Enforcement Policy Statement holds that “an ad is deceptive if it promotes the benefits and attributes of goods and services, but is not readily identifiable to consumers as an ad.” But what, exactly, does that mean? The Policy Statement and the guide for businesses offer some considerations of what may make an advertisement “readily identifiable.” The guidance lists 17 mini case studies that provide examples of what does and does not require a disclosure. (The fact that 17 examples are necessary suggests the potential complexity in determining what does or does not constitute an advertisement that requires a disclosure.) The recurring theme of the examples is whether the consumer can reasonably ascertain that the advertisement is paid marketing material and not content organically generated by the publisher (or by a user in the case of social media or video-hosting websites).

For cases in which native advertising requires a disclosure, the new guidance recaps the FTC’s .com Disclosures guidance for businesses, which lays out basic requirements for making “clear and prominent” disclosures. The guidance also adds some new considerations, such as the need to disclose that the native content is advertising near the focal point of the ad, or in front of or above the “headline” of the native advertisement. (This disclosure needs to convey to the consumer that the material is advertising before the consumer clicks through the ad to the main advertising page.) In addition, the guidance suggests that, for multimedia ads (such as videos), the disclosure should be made in the video itself before the consumer receives the advertising message. That is, if the advertisement is only a small part of the overall video, the disclosure must be “delivered as close as possible to the advertising messag[e]” itself. Finally, the guidance affirms that the disclosures should include terms likely to be understood, such as “Ad,” “Advertisement,” or “Paid Advertisement,” and not terms such as “Promoted” or “Sponsored,” which are ambiguous in this context and could imply, for example, that a sponsoring advertiser funded the content but did not create or influence it.

As the FTC continues to scrutinize various mechanisms for delivering advertising online, companies should make sure that consumers are aware when they are being marketed to, even as the participants in the digital advertising ecosystem come up with new and innovative ways to deliver those marketing messages. All participants, including the companies whose products are being marketed, are potentially at risk of an FTC enforcement action if their advertisements are found to be deceptive, and thus every participant should pay heed to the FTC’s recent statements and guidance. In light of the FTC’s aggressive approach in this area, making sure that innovative forms of advertising meet the FTC’s timeless disclosure standards should be on every company’s radar.

Word Cloud with Influence related tags

In an age of explosive growth for social media and declining TV viewership numbers, companies are partnering with so-called “influencers” to help the companies grow their brands. Popular users of Instagram, Vine, YouTube and other social media sites have gained celebrity status, generating millions of views, impressions and “likes” with every upload.

Capitalizing on the shift from traditional media to online platforms, advertisers have begun to engage influencers in marketing campaigns. In a May 2015 study, 84% of marketers said they expect to launch at least one influencer marketing campaign in the next 12 months. Of those who had already done so, 81% said influencer engagement was effective. In a separate study, 22% of marketers rated influencer marketing as the fastest-growing online customer-acquisition method.

So what is an influencer, anyway? By its broadest definition, an influencer is any person who has influence over the ideas and behaviors of others. When it comes to social media, an influencer could be someone with millions of followers or a user with just a few loyal subscribers. One thing that all influencers seem to have in common is that their audiences trust them. As such, influencers can be powerful advocates, lending credibility, increasing engagement and ultimately driving consumer actions.

Influencer marketing can be an effective tool, but it’s important to do right. As recent Federal Trade Commission (FTC) and Food and Drug Administration (FDA) investigations demonstrate, online advertising is an area of relatively active enforcement, and influencer marketing presents a number of potential legal issues. The following tips can help companies lead successful influencer marketing campaigns while lessening the risk of liability.

Disclosure Is Key

In September, the FTC settled a case with Machinima, a company that paid popular video bloggers to promote Microsoft’s Xbox One system through YouTube. Despite the hefty sums paid out to the gamers (one of whom pocketed $30,000), Machinima did not require them to make any disclosures. The FTC alleged that the failure to disclose the relationship between Machinima and the gamers was deceptive, in violation of Section 5 of the FTC Act. In its Endorsement Guides, the FTC has taken the position that a failure to disclose unexpected material connections between companies and the individuals who endorse them is deceptive.

This case raises two important questions: (1) when is a disclosure required and (2) what constitutes adequate disclosure? Continue Reading Influencer Marketing: Tips for a Successful (and Legal) Advertising Campaign

Woman using multiple devices phone laptop and tablet lying in a wood bench in a park

Cross-device tracking is a hot new issue for regulators. Companies engaged in the practice should take note of two recent developments. On November 16, 2015, the Federal Trade Commission (FTC) hosted a workshop on the issue and, perhaps not coincidentally, on the same day the Digital Advertising Alliance (DAA) addressed the applicability of its interest-based advertising (IBA) self-regulatory regime to the practice.

Cross-device tracking enables companies to ascertain—either definitively or with a high degree of probability—that multiple devices are connected to the same person. There are two ways to do this.

The first way is through deterministic identifiers, such as login information. For instance, if a user logs into web-based email on two devices (a laptop and mobile phone, for example), the email service can determine that the two devices belong to the same user.

The second way is probabilistic identification, which uses information collected from separate devices (such as an IP address, location, and activities on those devices) to infer that the devices are used by the same person.

At the FTC workshop, panelists, FTC staff and FTC Chairwoman Edith Ramirez all expressed concern that cross-device tracking is inherently different from tracking users on a single device. In particular, they noted that, while the technology provides benefits to consumers (such as a seamless cross-device experience), it has the potential to be harmful from a privacy perspective because it crosses physical borders that consumers may intentionally establish between their devices. That is, consumers may not want anybody to know that their work devices, their personal laptops, and their tablets all reflect activities by the same person.

The FTC seemed to differentiate two aspects of information collection and use related to cross-device tracking: (1) information collected and used for the purposes of tying two or more devices to the same user and (2) information collected and used for IBA purposes, which may include information collected to tie devices together.

At its workshop, the FTC appeared to signal that it expects companies to provide a robust notice and choice regime not only with respect to the ways in which data is collected and used to facilitate cross-device tracking (i.e., to simply tie devices together), but also with respect to the use of data collected and collated across devices for IBA purposes. That is, first parties (such as website publishers and apps) should disclose that information may be collected from users for purposes of cross-device tracking, and users should be able to opt out of the collection of information from a device for purposes of linking it to other devices—and not just for purposes of IBA.

Furthermore, FTC staff also suggested that a failure to precisely describe the scope of an opt-out (such as by suggesting that opting out of cross-device tracking by a user from one device would propagate to all of the user’s devices) may be considered an unfair or deceptive practice in violation of Section 5 of the FTC Act.

The new DAA cross-device principles do not go as far as the FTC would appear to like, but they do apply the DAA notice and choice regime to cross-device tracking. (For more on this regime, see our June 19, 2015 Privacy Minute on the DAA’s mobile guidance.) As a result, the new guidance require entities that collect data for IBA purposes from one device for use on a different device to provide notice that, among other things, “data collected from a particular browser or device may be used with another computer or device that is linked to the browser or device on which such data was collected.” In other words, users need to be provided with notice if their browsing activity on one device may be used to deliver advertising to them on another device.

In addition, the principles affirm that users must be provided with choice regarding the collection and/or use of their information for IBA from a particular device or from sharing with another party. That is, instead of requiring a global opt-out, which is what the FTC seems be advocating, the DAA requires only a device specific opt-out from: (1) collecting data on the device to deliver IBA on another device and (2) delivering IBA on a device based on information collected on another linked device.

In light of the DAA’s foray into cross-device tracking, and the FTC’s heightened interest in this space, companies should tread cautiously if they track and/or target users across devices.