The FTC is Going Full Speed Ahead in Retail Tracking Case

By Marie-Andrée Weiss

On April 23, 2015, the Federal Trade Commission (FTC) published its proposed consent order with Nomi Technologies, Inc. (Nomi), a retail tracking company, Nomi Technologies, Inc. – Consent Agreement; File No. 132 3251. The FTC draft complaint against Nomi alleged that it had violated Section 5 of the Federal Trade Commission Act by misleading consumers when failing to provide them an opt-out mechanism at its clients’ retail store locations, even though its privacy policy represented that such an option was available to them.

What is retail tracking?

This is the first FTC complaint against a retail tracking company. According to the complaint, Nomi “uses mobile device tracking technology to provide analytics services to brick and mortar retailers . . . [and] has been collecting information from consumer’s mobile devices . . . since January 2013.”

While online retailers may easily track their visitors’ digital trail, brick and mortar retailers used to have to resort to asking “are you looking for something in particular?” to find out about their client’s interests, only to be often rebuffed by “just looking…” They also could instruct their staff to report observations about clients’ expressed interests and peruse over sales reports to define and refine their marketing strategy. But tracking companies can now provide retailers precise data on consumer’s behavior.

The complaint explained how sensors placed by Nomi in its clients’ stores detect the media access control (MAC) addresses which mobile devices broadcast when searching for WiFi networks. Nomi also collects MACs from the stores’ WiFi access points. The information thus collected by Nomi is used to compile analytics reports about the percentage of customers passing by the store versus entering it, the average duration of their visit, the type of mobile devices they use, the percentage of repeat consumers within a particular period of time, and the number of customers that have also visited another of the retailer’s location. This information allows retailers to measure the impact of in-store promotions or displays and to adjust their layouts and offerings accordingly.

The FTC did not consider retail tracking per se to be a violation of the FTC Act. Rather, it alleged that Nomi had not kept its privacy promises. Nomi’s privacy policy stated, from at least November 2012 to October 22, 2013, that the company “pledges to… always allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology.” However, according to the complaint, the retail tracking company had not made available to consumers a list of the retailers using its service, nor did it require its clients to notify consumers about the tracking service and to provide an opt-out mechanism at their stores.

Nomi provided an opt-out option on its own site. However, consumers had to provide all of their mobile devices’ MAC addresses, a rather cumbersome process, especially since consumers did not know which retailers were using Nomi tracking services and could thus spend time opting out of a service which may never even track them.

According of the terms of the consent order, Nomi agreed not to misrepresent “the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or… the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.”

 

Do retail tracking systems identify consumers?

Each MAC is a 12-digit identifier, which the FTC considers to be a persistent unique identifier, even though Nomi cryptographically hashes it, because when a particular MAC is hashed, the resulted hashed MAC is always the same. When one hashes a document or information to encrypt it, an algorithm transforms a string of characters, the input, into another string of characters, the hash value. In our case, each unique 12-digit identifier input are encrypted into a unique hash value, which can be therefore used as identifier.

In his dissenting statement, Commissioner Wright argued that Nomi did not track individual consumers, but merely recorded whether they are unique or repeat visitors to a store, without knowing their “identity.” But Chairwoman Ramirez cited in her statement about the proposed consent order an article written last year by Jonathan Mayer, from Stanford University, which stated that “[h]ashing [MAC addresses] is… no defense against re-identification” and explained how he had built such a re-identification system in less than an hour. Ashkan Soltani, the FTC Chief Technologist, noted in a post that the use of a persistent identifier presents privacy issues since tracking pattern of movement in itself is often enough to uniquely identify an individual.”

Is having a privacy policy a smart business idea?

Commissioner Wright also argued in his dissenting statement that the FTC should not have issued a complaint against Nomi, as “aggressive prosecution of this sort will inevitably deter industry participants like Nomi from engaging in voluntary practices that promote consumer choices and transparency [ and…] sends a dangerous message to firms weighing the costs and benefits of voluntarily providing information and choice to consumers.” For Commissioner Wright, the market has already responded to consumers expressing their preference, and he alluded in a footnote to several instances where retailers pulled out their tracking programs after consumers voiced their concerns.

But these instances may also be interpreted as signs that consumers are very concerned about being tracked in stores, and thus must be provided with effective ways to opt out, after having been put on notice of such programs. Ashkan Soltani cited in his post a recent OpinionLab survey which found that 8 out of 10 shoppers do not want retailers to track them using their smart phones, adding that “[t]he privacy issues are further exacerbated by the fact that most consumers are not aware that their device information may be captured as they walk by a store or visit an airport.” As such, defining privacy policies may very well drive innovation by incentivizing the creation of products and services respecting consumers’ privacy.

The FTC offered the public the opportunity to file comments about the case, and provided an Analysis to Aid Public Comment. The Information Technology and Innovation Foundation (ITIF), a think tank, while stating it did not condone Nomi’s mistake, argued in its comment that “innovation, by its very nature, involves risks and mistakes . . . .Certainly, companies should not face punitive measures for actions that were taken in good faith and did not cause consumer harm. This would create perverse incentives for companies to slow down the pace of innovation” (ITIF comments, p. 3).

Whether or not the FTC was too quick to act, this case signals the need to provide start-ups and entrepreneurs with the privacy framework they need to create products and services respecting consumers’ privacy. Since most consumers wish to guard their privacy, privacy protection can be an effective marketing tool to attract consumers and generate sales.

Advertisements