On Monday, November 16, the FTC held a Cross-Device Tracking Workshop at the Constitution Center in Washington, D.C. The workshop was held to talk about the challenges and concerns marketers and consumers face as technology continues to evolve, and the population continues to interact with a multitude of platforms. TUNE representatives from legal, engineering, and marketing made the trip to the District to attend this event and host a final Data & Privacy Dinner to continue the conversation with several of the attendees. Hear from Danan Margason, Dan Koch, and Cortney Bigelow as they share their takeaways from their areas of expertise below.
Danan Margason | General Counsel
The cross-device workshop was well-attended by many of privacy’s preeminent academics, practitioners, and technicians. The panelists were primarily FTC staff or academics/privacy advocates sympathetic to the FTC position. Industry participated through its associations—the Digital Advertisers Alliance and the Network Advertising Initiative.
The presentations were divided into three areas of focus:
- Cross-Device Tracking (CDT): What exactly is CDT and why does it matter?
- The Technological Perspective: The benefits of CDT to consumers and businesses and the privacy concerns associated with it—do we effectuate an opt-out and if so, should it be on a per device or per device graph basis?
- The Policy Perspective: What information is being collected, stored, and shared to track consumers? Does the FTC/government need to get involved to regulate, or is this something that trade groups and companies themselves can do effectively?
It was immediately apparent that there is still a lot of confusion about what CDT means and how it can benefit the end user. This led to a general feeling among industry attendees that their technologies remain misunderstood and unfairly villainized. At the same time, very real privacy concerns were brought to the forefront, and everybody left with a sense that we still have a long way to go to ensure that we are protecting consumers as we develop these newer technologies.
The message from FTC Chairwoman Edith Ramirez and other FTC staff was clear—companies engaging in cross-device tracking should provide notice of the activity, an end user opt-out, and also follow other principles: data minimization, data retention, security. No specific call was made by the FTC for additional legislation or regulatory moves to prevent this type of data collection, but considering the workshop was held to digest the topic, we can presume the government is paying attention. As FTC’s Ramirez stated during the workshop, “The FTC will continue to monitor the marketplace and take action as needed to protect consumers”.
At the close of the workshop, there were five takeaways:
- There are benefits to CDT. Maintaining its state and reducing the number of times consumers see ads makes the technology worthwhile.
- There is a need to provide better transparency choices and education to consumers. Though most of the general public is aware there is tracking going on, it is hard to understand the extent of it.
- The consumer’s experience should be at top of mind. Companies should be engaging in a way that will not jeopardize consumers and lose their trust.
- There is room for industry innovation. Through greater innovation and new ideas, choice and transparency can be improved.
Dan Koch | Director, Marketing Automation
From a technical perspective, the FTC workshop emphasized the ongoing uncertainty about the privacy mechanisms available for connected devices. The consensus was that the age of managing digital privacy through browser cookies is over. Users are now staying connected across a panoply of different devices divided across a number of different environments — desktop Web browsers, mobile Web browsers, iOS and Android apps, TV apps, etc. — each of which presents a different set of privacy management tools, authorities, and gaps.
On that basis, the FTC workshop’s technical panel primarily focused on the following two questions:
- When tracking is cross-device, how does a user actually opt out? How can a user be forgotten in a way that ensures that third parties will no longer have access to data that ties to them as an individual?
- Is it possible for personally identifiable information to be depersonalized? Is hashing sufficient, and if so, what are the best practices to make it effective?
The first question provoked strong debate at the ensuing privacy dinner about the mechanisms of opt out as they exist now — both for mobile apps (where the walled gardens of the iOS and Android platform enable device-level opt-out capabilities through their advertising identifiers and ‘limit ad tracking’ flags) and for the Web (where the effectiveness of clearing cookies has been compromised by increasingly effective probabilistic ways of following users and no enforced standard has filled the vacuum).
The situation revealed a catch-22 at the heart of cross-channel privacy. The ideal privacy mechanism would be where an end user could opt of of targeting on all devices at once. But this is only a technical possibility if advertisers and other data collectors maintain a graph that connects all devices back to the person who opted out, which is exactly the type of tracking that the end user was opting out of in the first place.
Simultaneously, there was extensive debate as to the effectiveness of hashing as a means of ‘depersonalizing’ personal data. As was discussed extensively at the workshop, data hashed with insufficient salting is susceptible to be decoded by dictionary attacks, and it was evident that hashing is only a solution if used with the correct level of rigor by the advertisers handling the data in question.
The overriding theme between these two discussions was technical accountability on the advertiser’s side — that any successful cross-channel privacy solution will ultimately require advertisers to honor the privacy mechanisms in place across each channel, and to handle all data with a proper and consistent level of technical rigor.
Cortney Bigelow | Corporate Marketing Specialist
During the evening after the CDT workshop, TUNE hosted its final Data & Privacy Dinner of the year at Poste Brasserie, located within the historic Hotel Monaco. Similar dinners have taken place in London, New York, Seattle, and San Francisco. Our previous success made us excited to host a group of privacy professionals residing in the D.C. area to not only have a conversation around privacy, but continue the discussion from the FTC’s workshop as well.
More than 30 attendees from several big brands (IBM, Verizon, Walmart), ad tech players (Appnexus, Annalect, Nielsen), and privacy think tanks (Center for Democracy and Tech) joined together in a private dining space. We heard industry leaders speak about their concerns that a few bad actors may be tainting the efforts of legitimate cross-device solutions. We also heard loud and clear that one of the most important goals in the near future should be education (for both consumers and government).
At TUNE, we respect privacy with high standards, and ensure that with our products the data always belongs to the consumer. The workshop brought a different perspective from the eyes of regulators and educators, both admittingly discussing that there is more to be researched and shared on the CDT technology. The biggest takeaway from a marketing perspective was that consumer education is key. We are planning to partner with our friends at the Future of Privacy Forum to assist with these efforts, and look forward to releasing new educational materials in 2016.
Like this article? Sign up for our blog digest emails.
Becky is the Senior Content Marketing Manager at TUNE. Before TUNE, she led a variety of marketing and communications projects at San Francisco startups. Becky received her bachelor's degree in English from Wake Forest University. After living nearly a decade in San Francisco and Seattle, she has returned to her home of Charleston, SC, where you can find her enjoying the sun and salt water with her family.