Advocacy group Electronic Privacy Information Center is calling on the Federal Trade Commission to require ad companies to obtain explicit consent from consumers before tracking them across more than one device.
The privacy watchdog also is urging the FTC to require ad companies using cross-device tracking to explain what information they collect and share, minimize the data collected, and allow consumers to access information about themselves.
EPIC makes the request in written comments following up on last month's workshop in cross-device tracking. "One clear message from the FTC’s Cross-Device Tracking Workshop is that consumers lack meaningful control over this intrusive business practice," the organization writes. "Compounding the secrecy of these practices, companies that engage in cross-device tracking collect vast amounts of personal, sensitive information."
The organization criticizes the ad industry's attempts to notify consumers about tracking via lengthy privacy policies, arguing that this approach is flawed for several reasons. One is that consumers who want to use a company's services have no choice other than to accept its policy. Another is that the lengthy online documents don't actually give people "substantive" privacy protections.
"Consumers are rational actors and understand that it is nonsensical to click through 100 privacy settings or read policy statements longer than the US Constitution when there is no practical benefit to them," EPIC writes.
Companies that track consumers across devices tend to rely on two basic methods -- device fingerprinting, and log-ins. Fingerprinting, involves tracking users based on the characteristics of their devices; log-ins relies on compiling data about users who have signed in to sites or services.
The advocacy group Center for Democracy & Technology said in October that device fingerprinting is especially problematic, because it's not obvious to users. But EPIC argues in its comments that both methods warrant regulation, noting that tracking people based on log-in data "directly relies on personally identifiable information, which necessarily implicates privacy interests."