FTC Settles with Retail Tracking Company that Made Privacy Policy Promises It Couldn’t Keep

Alysa Hutnik, Dana Rosenfeld
Kelley Drye & Warren LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Last week, the Federal Trade Commission announced its first settlement with a retail tracking company, resolving allegations that Nomi Technologies, Inc., a micro-location platform that provides analytics services to retailers through its product “Listen,” failed to abide by several promises it made in its privacy policy. Under the terms of the agreement, Nomi is prohibited from misrepresenting the options it provides to consumers to control whether and how their information is collected, used, disclosed, or shared.

Listen, which serves approximately 45 retailer clients, uses a retailer’s in-store Wi-Fi to collect statistical information from customers’ mobile devices and provide aggregate customer traffic pattern reports to the retailer. According to the FTC’s complaint, Nomi’s privacy policy represented that the company would provide an opt-out mechanism for customers on the Nomi website and at any retail location, implying that customers would be notified when stores were using the technology. The FTC alleges, however, that, not only did Nomi and the retailers fail to notify customers when stores were using Listen, but no in-store opt-out mechanism was ever available. As a result, Nomi allegedly tracked customers both inside and outside of stores by their MAC address, device type, date and time, and signal strength, and provided aggregate information to its clients, such as the percentage of repeat customers and the average duration of customer visits. In particular, the complaint alleges that Nomi collected information on approximately nine million mobile devices within its first year of operation.

This consent order reminds companies that they have a responsibility to abide by the promises made in their privacy policies, even when dealing with new and emerging technology such as retail tracking. One way to avoid making this mistake is to evaluate and confirm how data are collected and likewise confirm that the privacy policy representations are consistent with practices. Additionally, mindful that business practices evolve, companies should periodically review and consider revising privacy policy statements to keep those statements accurate.

Associate Ilunga Kalala contributed to this post. Mr. Kalala is admitted only in Maryland. He is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kelley Drye & Warren LLP | Attorney Advertising

Written by:

Kelley Drye & Warren LLP
Kelley Drye & Warren LLP
Contact
more
less

Kelley Drye & Warren LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide