To improve customer experience and understand customers’ movements and interactions on their premises, retailers, hotels and other brick-and-mortar businesses increasingly use signals from mobile devices to observe their customers’ movements.  Typically, this tracking depends on capturing media access control (MAC) addresses emitted from consumers’ mobile devices seeking Wi-Fi connectivity, though other flavors of the tracking also exist.  Rich analytics of consumers’ online browsing behavior are readily available to online merchants, and retailers consider access to comparable information from physical stores to be essential.

In 2013, the Future of Privacy Forum, a privacy think tank, promoted a Mobile Location Analytics Code of Conduct. It currently offers a centralized consumer opt-out for the 12 companies participating in the program.  

Last year, the Federal Trade Commission (FTC) hosted a seminar devoted to exploring the ways in which retailers track consumers’ movements through retail stores using signals from mobile devices, but it has not issued specific guidance or best practices.  The FTC recently broke its silence and focused new attention on retail location analytics.  First, the FTC announced an enforcement action against Nomi Technologies, Inc., a startup and self-described market leader in retail analytics.  A week later, FTC Chief Technologist Ashkan Soltani posted an in-depth blog entry, “Privacy trade-offs in retail tracking.”  Together, these developments serve as a reminder to analytics firms and to the retail, hotel and other clients they serve that the FTC is watching, and businesses must live up to the privacy promises made in connection with these forms of tracking technologies. 

Nomi: FTC Allegations and Settlement

According to the FTC complaint, Nomi uses sensors or Wi-Fi access points in its clients’ stores to detect MAC addresses of mobile devices and information about the devices and the dates and times the devices were observed.  Nomi does not store the MAC addresses but rather “hashes” them to create a different unique identifier to recognize a device over repeated visits.  Nomi provides its clients with aggregate analytics about consumer traffic patterns, such as the percentage of individuals passing by the store who do not enter, the length of consumer visits, the percentage of repeat customers, the number of consumers visiting other locations within a chain, and the type of mobile devices used by individuals visiting a location. 

Nomi’s online privacy policy states that consumers can opt out of such tracking on Nomi’s website or at the retailer’s location.  The FTC charged that this representation was deceptive in violation of Section 5 of the FTC Act because, while consumers could opt out at the Nomi website, no opt-out was provided at retail locations.  The FTC also alleged that Nomi’s privacy policy represented that consumers would also be given notice when a retailer was utilizing Nomi’s service.  In other words, in the FTC’s view, by telling consumers they could opt out at retail locations, Nomi also indicated that consumers would be told if they were at a store where the tracking technology was in use.

To settle the FTC’s claims, Nomi agreed to a 20-year consent order that prohibits the company from misrepresenting either (1) “the options through which . . . consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices” or (2) the extent to which consumers will be provided notice about the collection, use or sharing of consumer data.  Violations of the final consent order can be subject to fines of up to $16,000 per day or per violation. 

FTC Commissioners Maureen K. Ohlhausen and Joshua D. Wright each dissented from the FTC enforcement action, reasoning that it could discourage companies from offering opt-out tools and questioning whether there had been any consumer injury. 

FTC Chief Technologist Weighs In

Soltani’s blog post on the privacy trade-offs in retail tracking provides a thorough review of various forms of both “active” and “passive” retail tracking and the identifiers used for each.  Soltani notes the various approaches—and drawbacks—to existing notice and choice regimes.  The post also links retail tracking to the ever-growing “Internet of Things” and wearables, noting that most health and fitness trackers have no easy way to identify MAC addresses to enter into opt-out tools; some do not even have “off” buttons.  Ultimately, Soltani recommends technical privacy solutions, such as enabling retail analytics technology to automatically broadcast standardized, semi-continuous wireless signals that announce their presence, or the development of privacy-enhancing mobile apps that allow privacy-conscious consumers to automatically disable transmission of signals when approaching these networks in order to avoid data collection altogether.

Lessons for Retailers, Hotels, Analytics Providers and Startups

Given the FTC’s complaint and accompanying Commission majority statement and the Soltani blog post, it appears that the FTC will pay particularly close attention to new forms of tracking and whether these are accompanied by effective notice and easy-to-find opt-outs.

In addition, these recent FTC materials suggest additional issues of potential concern to the FTC:

• Persistent Identifiers Can Create Privacy Risk.  Anonymizing information, even information about a consumer device rather than a consumer, though encouraged by the FTC, may not eliminate the FTC’s privacy concerns if the hashing results in a unique identifier that is used over the life of a device.  At a minimum, the Nomi case suggests that in such situations the FTC would like to see the hashed identifiers accompanied by meaningful consumer choice.  To make the de-identification more effective, the FTC’s chief technologist suggests hashing the incoming identifiers at the time of capture with rotating “salts”—meaning the addition of random data to each hash —based on time or retail location.
• Consumer-Facing Notice.  The FTC faulted Nomi for not contractually requiring its retailer clients to post in-store notices, suggesting that the FTC would like to see prominent signage concerning tracking in stores and that it will look for opportunities to encourage clear notice to consumers.  At the same time, the predicate for the FTC’s deception claim was Nomi’s representation in its privacy policy that consumers would be notified in stores that Nomi’s tracking technology was in use.  
• Startups Not Exempt.  This case illustrates that in the privacy arena the FTC can and often does take action against technology startups.  Regardless of their size or youth, startups should ensure that their privacy policies are accurate.

How Can Businesses Protect Themselves?

The simplest way for businesses to protect themselves is also the surest: Live up to public representations about the collection, use and storage of consumer information, including commitments about whether and how consumers can opt out.  Consumer-facing businesses (e.g., stores, hotels, airports) and analytics firms alike should know what explicit or implied representations they are making about their own conduct and those of their business partners, and they should keep them accurate and up to date.  They should also look to, and ensure that they honor, any notice and choice obligations imposed on them by their tracking partners.

[view source.]