Cross Device Tracking Getting Regulator AttentionBy: Richard Beaumont | Monday, May 18, 2015 | Tagged: Online Privacy, Tracking, Cross Device Tracking, Online Marketing | Leave Comment
One of the big issues faced by the online advertising industry at the moment is the fragmentation of audiences onto different access devices.
Their preferred solution to this problem is cross-device tracking, but this raises new privacy issues, which are drawing increased attention from regulators. In this article we look at the key concerns, and what it may mean for the future of marketing.
Cross Device Tracking Basics
Whilst consumers are spending more time online and therefore generating more behavioural profiling data than ever before, they are also doing it across a range of different devices. This has been a challenge to advertisers because traditionally such data is attributed to the individual device. Multiple devices therefore meant multiple profiles, with little chance of connecting them to a single individual. These multiple profiles in turn mean a more fragmented, less complete picture of the customer, which is a problem for an advertising industry where ever more accurate targeting is the mantra for both efficiency and effectiveness.
However, more sophisticated tracking techniques, more services that require user login, data aggregation and big data analytics have combined to give marketers the tools to close the gaps ever more effectively.
One way this helps marketers is in re-targeting. Visit a website on a desktop, and you might now find you get ads from the site on your mobile or tablet. It also enables marketers to measure the effectiveness of ads better. If you show an ad on a mobile, but people purchase on a tablet because of better usability, then cross device tracking is needed to be able to attribute the ad to the sale, and therefore calculate the ROI of the marketing spend.
The marketing industry has traditionally defended its profiling practices by pointing out that it doesn’t really know who the individuals being targeted are. They don’t have names or email addresses. What they have is a device profile from which the interests of the person or people using it are inferred. The argument goes that because of this, they are not actually dealing with personal data – they don’t hold or use information that would make the individual identifiable.
This argument, which separates ‘personal’ from ‘unique’, has long been seen by many privacy experts as weak, even if current law in many parts of the world tends to support the marketers position. However, trying to identify when different devices are associated with a single individual completely blows any argument of ‘non-identifiability’ away. It is a deliberate attempt to go beyond the device to target the individual behind it – there is no other reason for companies to try to do it.
The case for this to be considered personal data is even stronger when you consider that for the majority of user profiles, at least one of those devices will be smartphone or tablet. Not only are these inherently more personal to an individual than a desktop computer, personal identification is built into the eco system of mobile platforms.
The Regulator’s View
Regulators know this, and are doing something about it. In the USA, the FTC has announced it will hold a public discussion about the issues in November, and at a recent event by Adobe, Iain Bourne of the UK’s Information Commissioners Office supported the view that whatever the current legal interpretation might be, it was better for data collectors to play it safe, and assume that privacy and data protection laws will apply.
“It’s not really worth having a long debate about whether this is not personal information when it’s aimed at identifying people. People want to have very clear decisions placed in front of them, so it’s better to put the consent options right in front of their face.”
The courts are also weighing in. In a recent UK court of appeal decision involving Google, and where the ICO gave evidence to support the decision, the judge gave an opinion that tracking profiles based on the history of webpages visited by an identified device, should be viewed as personal data in UK law.
Big changes in EU wide law in this area are also coming in the next couple of years, which will place more emphasis on the privacy impact of this kind of data. The obligations for businesses, and the penalties for getting it wrong, will be significant.
The Future is Permission Based
The idea of Permission Based Marketing is not a new one - it was first talked about in the late nineties by Seth Godin, who is now a major opinion maker in marketing circles. However, the closest much online advertising comes to this model is the offer of opt-outs from seeing adverts. Permission is assumed unless it is withdrawn.
However, even when opt-outs are activated, this only applies very narrowly to the use of data for marketing, and not its initial collection. The direction of travel in law, regulation and to some extent consumer expectation is towards a model where persmission is applied to the data collection as well, in effect Permission Based Tracking.
The EU cookie laws are the first implementation of this model in legislation. In some countries this is an opt-in, permission-first model, in others it is an opt-out or 'permission withdrawl' one. The browser Do Not Track standard has been an attempt to enable Permission Based Tracking at a technological level.
There has been huge resistance to this from lots of sources, and these initiatives have been a lot less successful so far than many would have liked. However it is important to realise that these are really just the first waves of change.
The EU Data Protection Regulation is going to strengthen the need to gain permission to track in some form. It may or may not enforce an opt-in model - we can only wait and see about that for now. However, with its large potential fines for non-compliance, it will certainly make a case for much more clear cut opt-outs or permission withdrawls.
What Businesses Need To Do
It is clear that regulators and law makers are waking up to and addressing the privacy implications of the increase in the volume and granularity of online tracking of consumers. However, it would be a mistake to assume that only those big technology and advertising companies that do most of the tracking, will have to make changes to their business. As we move towards a model where permission based tracking becomes the norm, all parties in the ecosystem need to understand their role in it, and make sure they are taking steps to minimise their risks.
Most modern websites include code and page content that originates from third parties – like sharing buttons, discussion forums or embedded video, as well as tags to support their own advertising activity. The majority of these elements contribute to user tracking profiles, even if website owners don’t see any benefit from that themselves. Whilst it is widely recognised that site owners don’t have any control over what data is collected through such third party elements, they do of course make the decision to put those elements in their pages in the first place and therefore the responsibility for the contribution to profile building does rest in part with site owners.
The problem that many organisations face is that the decisions about which elements to include in a site are made primarily from a marketing perspective, with little if any consideration given over to the impact on end user privacy.
What is very clear from the direction of travel in the law and regulation is that this situation needs to change. Practically this means that businesses need to understand the tracking implications of all the technologies that go into their digital presence and their visitors’ attitudes to such data collection.
Only then can they make sure they are both complying with regulatory requirements and balancing the needs and values of their brand, with the preferences of their audiences. Organisations that get this wrong in the future, will find themselves at increased risk, not only of significant financial penalties for non-compliance, but also from loss of trust from customers.