Ad-tech companies that track consumers across their smartphones, laptops and other devices should inform consumers -- as well as publishers and app developers -- about the practice, the Federal Trade Commission recommends in a new report.
The agency adds that companies engaged in cross-device tracking should allow consumers to opt out of the practice, and should only track "sensitive" data, including some health and financial information, with consumers' opt-in consent.
Companies that fail to "provide truthful information about tracking practices" may be violating laws against deceptive and unfair conduct, the agency adds in its 23-page staff report, released Monday afternoon. The report notes that the FTC brought charges against several companies -- including Epic Marketplace, InMobi and Turn -- for allegedly misrepresenting their data collection practices.
"As consumer-facing companies, publishers and device manufacturers should also be transparent," the FTC adds, referencing its recent warnings to developers who allegedly embedded SilverPush in their apps. SilverPush tracking software can monitor people's television use by embedding "audio beacons" in TV ads; those beacons are inaudible to people, but can be detected by the software, which comes bundled with mobile apps.
The FTC's recommendations come several weeks after the agency reported that many Web sites share the kind of data about consumers that could allow them to be tracked across more than one device, but that few sites clearly spelled out their policies regarding that kind of tracking.
The new staff report also advised companies that they should not refer to information that can be linked to users -- or their devices -- as "anonymous."
"Often, raw email addresses and usernames are personally identifiable, in that they include full names," the report states. "Even hashed email addresses and usernames are persistent identifiers and can be vulnerable to reidentification in some cases."
The FTC added: "Therefore, consumer-facing companies that provide raw or hashed email addresses or usernames to cross-device tracking companies should refrain from referring to this data as anonymous or aggregate, and should be careful about making blanket statements to consumers stating that they do not share 'personal information' with third parties."