
Cross-Device Tracking and VPPA: Multi-Platform Liability

Eddy Udegbe
Modern users move between devices: desktop, mobile, tablet. Cross-device tracking amplifies VPPA liability. Here's how it works and what consent you need.

How Cross-Device Tracking Works

Desktop:

  • User logs in with email john@example.com
  • Watches makeup tutorial
  • Meta Pixel transmits: email + page URL to Meta

Mobile:

  • Same user logs in with same email
  • Watches another tutorial
  • Meta Pixel transmits: email + page URL to Meta

Cross-Device Linking:

  • Meta recognizes john@example.com on both devices
  • Links data: John watched tutorial A (desktop) and B (mobile)
  • Builds complete video-watching profile across devices

VPPA Implication

Cross-device tracking creates a more complete picture of video watching.

This makes the PII disclosure more harmful (more comprehensive).

VPPA liability is amplified.

Technical Approaches

Login-Based Linking: When a user logs in on mobile with the same email, Meta recognizes them as the same person

Device ID Linking: Google's Cross-Device ID links devices via user ID

Probabilistic Matching: Ad networks use algorithms to recognize the same user without an explicit login

VPPA Consent for Cross-Device Tracking

Specific Disclosure Needed:

"We recognize you across devices using your login information. This allows us to show consistent experiences and ads across devices. Your video watching data is linked across all your devices."

IDFA and GAID (Mobile Device IDs)

Apple's IDFA: Built-in mobile ad identifier on iOS

Google's GAID: Built-in mobile ad identifier on Android

Both have VPPA implications similar to the _fbp or _ga cookies.

If your mobile app or website has video, disclose IDFA/GAID usage and get consent.

The infrastructure answer

The free PieEye compliance scan identifies whether your website has the VPPA vulnerabilities that plaintiffs' attorneys look for — tracking pixels firing on video pages without consent, data flowing to third parties before users have agreed, and policy-to-practice mismatches.

For the complete VPPA compliance framework, see our VPPA compliance guide. For what counts as PII under VPPA, see VPPA PII explained. For consent mechanisms, see VPPA consent mechanisms.

Run a free PieEye compliance scan — it takes minutes, requires no code changes to initiate, and tells you exactly what a plaintiffs' attorney's scanning tool would find if it looked at your website today.

Cross-Device Tracking in Your Checkout Flow

Your eCommerce checkout is a prime area where cross-device tracking creates real VPPA exposure. A customer browses products on mobile during lunch, then completes their purchase on desktop at night. Both interactions fire pixels — Meta Pixel, Google Analytics, TikTok Pixel — to the same user ID or email.

Here's the problem: if your privacy policy doesn't explicitly disclose that you're linking these events across devices and sharing that linked data with third parties, you've created a VPPA violation. The plaintiff's attorney sees: unauthenticated cross-device linking + video content somewhere on your site (even an embedded YouTube review or product demo) + third-party pixel firing = potential class action.

For Shopify stores, this often happens automatically. Your theme fires pixels on every page, including product pages with embedded videos. When a customer logs in or provides their email for a newsletter signup, those pixels now have PII attached. If they later watch a video on your site from a different device, Meta has already linked their cross-device behavior.

The fix: audit your pixel setup in Meta Events Manager, Google Analytics, and any other tracking tools. Document exactly how you're linking users across devices. Then disclose it clearly in your privacy policy. For example: "When you log into your account, we recognize your activity across your phone, tablet, and computer. We share this linked activity with advertising partners to show you relevant products." This transparency doesn't eliminate liability on its own, but it's the foundation of a consent-based approach.

VPPA Violations in Email and SMS Marketing Flows

Cross-device tracking extends into your marketing automation platform, which is where many eCommerce brands miss their VPPA exposure. You send an email campaign to customers who browsed video content on your site. That email is clicked on a mobile device. Klaviyo or your email service embeds a tracking pixel in that email (or sends the event to a conversion API endpoint), and it's already linked to the customer's email address, which was collected when they watched your product videos.

This creates a secondary VPPA problem: you're now confirming that a specific email address watched video content, and you're sharing that confirmation with your email platform and potentially its downstream partners. Even if you had consent to track video on your website, you may not have consent to re-confirm that behavior via email open tracking.

Shopify stores using Klaviyo often unknowingly compound this. A customer watches a video on your product page (pixel fires, email collected via popup). Later, Klaviyo sends a product recommendation email with a tracking pixel. Klaviyo's tracking infrastructure now has a linkage: this email address watched this video.

Review your email platform's privacy practices. Klaviyo, Omnisend, and other tools do share data with partners. Document what's shared and with whom. Update your privacy policy to disclose email tracking and its connection to on-site video tracking. Consider requiring explicit consent before sending marketing emails to users who have interacted with video content on your site.

Probabilistic Matching and VPPA Consent Gaps

Many ad platforms don't require login-based or device ID linking to match cross-device behavior. Meta, Google, and others use probabilistic matching — algorithms that recognize the same user based on timing, location, ISP, and behavior patterns, even without an explicit ID.

For VPPA purposes, probabilistic matching is arguably riskier than login-based linking because users have less visibility into when it happens. Your privacy policy might say "we link data when you log in," but probabilistic matching happens silently in the background.

If your site has video content and uses Meta Pixel or Google Analytics, probabilistic matching is likely occurring by default. Neither platform waits for you to explicitly enable it — it's built into their cross-device graphs. Your Shopify store's pixels are feeding these platforms data constantly.

The VPPA implication: if you're not explicitly disclosing that your tracking pixels enable probabilistic cross-device matching, and you're not obtaining affirmative consent before those pixels fire on video pages, you have a compliance gap. Plaintiffs' attorneys look for this gap specifically because it's common and often invisible to brand owners.

Add language to your privacy policy: "We use advertising platforms that recognize you across devices using statistical models based on your activity, location, and browser information." Then ensure your consent banner actually blocks pixels on video pages until consent is granted.
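
One way to check that the banner really blocks pixels on video pages is to record a browser session as a HAR file and audit it. The sketch below is an added example, not PieEye's scanner or any vendor's code: the tracker host list, the identifier pattern, the video page URL and the sample entries are all constructed assumptions to replace with your own inventory.

```javascript
// Added example: flag third-party requests that reveal a video page before consent.
// TRACKER_HOSTS is an illustrative list; replace it with your own pixel inventory.
const TRACKER_HOSTS = ['facebook.com', 'google-analytics.com', 'analytics.tiktok.com'];
const isTracker = (host) =>
  TRACKER_HOSTS.some((t) => host === t || host.endsWith('.' + t));

// A plain email, or a 64-hex digest (assumed here to be a hashed identifier).
const ID_PATTERN = /[^\s@&=]+@[^\s@&=]+\.[a-z]{2,}|\b[0-9a-f]{64}\b/i;

// entries: HAR-style records; videoPages: URLs you know embed video;
// consentAt: ISO time the tester accepted the banner, or null if never.
function auditCapture(entries, videoPages, consentAt) {
  const consentMs = consentAt === null ? Infinity : Date.parse(consentAt);
  const findings = [];
  for (const e of entries) {
    const url = new URL(e.request.url);
    if (!isTracker(url.hostname)) continue;
    const refHeader = e.request.headers.find((h) => h.name.toLowerCase() === 'referer');
    const referer = refHeader ? refHeader.value : '';
    const values = [...url.searchParams.values()];
    // Which video page, if any, does this request disclose to the third party?
    const page = videoPages.find(
      (p) => referer.startsWith(p) || values.some((v) => v.startsWith(p)));
    if (!page) continue;
    if (Date.parse(e.startedDateTime) >= consentMs) continue; // fired after opt-in
    findings.push({
      tracker: url.hostname,
      videoPage: page,
      carriesIdentifier: values.some((v) => ID_PATTERN.test(v)),
      at: e.startedDateTime,
    });
  }
  return findings;
}

// Constructed sample capture (simplified query strings, not real pixel traffic).
const VIDEO = 'https://shop.example/products/serum-demo';
const enc = encodeURIComponent;
const entry = (at, url, referer) => ({
  startedDateTime: at,
  request: { url, headers: [{ name: 'Referer', value: referer }] },
});
const SAMPLE = [
  entry('2024-01-01T12:00:01Z',
    `https://www.facebook.com/tr/?ev=PageView&dl=${enc(VIDEO)}&em=${enc('john@example.com')}`, VIDEO),
  entry('2024-01-01T12:00:02Z', 'https://cdn.shop.example/theme.js', VIDEO),
  entry('2024-01-01T12:00:09Z', `https://www.google-analytics.com/g/collect?dl=${enc(VIDEO)}`, VIDEO),
];

console.log(auditCapture(SAMPLE, [VIDEO], '2024-01-01T12:00:05Z'));
```

An empty result for a session where the tester never accepts the banner (consentAt set to null) is the outcome to aim for; any finding with carriesIdentifier set to true is the case the article describes, an identifier and a video page URL leaving together.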

For a walkthrough of how PieEye handles VPPA compliance, book a demo.
