In the latest example of the conflict between technological innovation and privacy concerns, the Federal Trade Commission (FTC) reached a settlement agreement last month with Nomi Technologies, Inc.
Nomi is a startup whose technology allows retail merchants to analyze aggregate data about consumer traffic in the merchants’ stores. Although different companies track this data in different ways, it is generally done by monitoring signals emitted from a mobile phone to see where a device moves over time. Nomi’s technology can tell a retailer where a customer walks in a store, or whether she is a repeat customer; it is not able to identify her personally.
Notwithstanding heavy criticism from the public and privacy advocates for invading customers’ privacy by tracking their movement without their consent, the FTC’s action was not brought pursuant to any privacy law or privacy-based right. Instead, the FTC’s action amounted to a run-of-the-mill consumer deception claim. The FTC alleged that Nomi misled consumers by falsely promising to provide mechanisms for consumers to opt out of tracking and be notified when their information is being tracked. The proposed settlement prohibits the startup from misrepresenting people’s options for controlling whether information about them or their devices is collected, used, disclosed or shared. Notably, it did not impose notice and consent requirements for retail trackers or offer more specific guidance for retailers who track their customers.
The FTC’s decision, which was split 3-2, highlights the tension between allowing emerging retail technologies to grow and innovate, and the potential privacy risks that come with allowing companies to track consumers. The dissenters argued that the FTC should have refrained from bringing this action, given the immateriality of the representation, the lack of evidence of consumer harm and the potential chilling effect on other innovative startups.
Lack of Formal Guidance for Retailers
Even though thousands of retailers currently use some type of in-store tracking technology, the FTC has not yet issued formal standards for how retailers should use this technology without violating customers’ right to privacy.
Still, the FTC has made its interest in this area clear. Over the last several years, the FTC has published several guidance documents related to mobile phone tracking more generally, which touched on retailers’ tracking of their customers. Last spring, the FTC hosted a seminar dedicated to in-store tracking technology, including the different kinds of technology available and the privacy concerns with each. The Nomi action was just the latest reflection of the FTC’s increasing concern with this issue.
Days after the Nomi settlement, Ashkan Soltani, chief technologist at the FTC, blogged about the policy trade-offs in retail tracking. Soltani emphasized a point that was also clear in the FTC’s majority opinion in Nomi: “Retail tracking has many benefits for retailers and consumers alike. Stores are able to better understand the behaviors and preferences of their shoppers, and individuals in turn receive better service.” For example, by knowing where customers walk in a store, retailers are able to improve store layouts and reduce customer wait times.
Retailers looking to protect customer privacy should look to both Soltani’s blog and the FTC’s cell phone tracking reports for advice. Each reiterates that to best strike the balance between information and privacy, companies should disclose what information they are taking and how they plan on using it, and should ask for customers’ consent. Below are several considerations that apply specifically to the retail context:
1. Individual Identification
Currently, the predominant use for tracking information is to track customers in the aggregate. Although this is done by using unique identifiers to track each individual phone over time and across locations, each phone’s owner remains anonymous in this process.
However, the technology is available to track customers on a more individual basis. When a customer signs into a commercial hotspot, her MAC address can give a retailer access to her name and other WiFi networks she has used, and can “link” the customer’s online and in-store shopping behavior. Although it is unclear whether any companies collect or use this information, accessing this more personal information would clearly elevate privacy concerns related to in-store tracking. Notably, both dissenters in the Nomi case emphasized that Nomi’s technology did not provide the company with information about individual consumers, which suggests that they may have applied different analyses had Nomi been tracking individual customers.
Several efforts are currently being made to randomize phones’ wireless identifiers, so that retailers are not able to track individuals across multiple trips to multiple stores. For example, some smartphone manufacturers have attempted to build in features that limit retail tracking by randomizing the phone’s wireless identifier; according to Soltani, however, the effectiveness of these technologies is somewhat limited. The Internet Engineering Task Force (an Internet standards body) is currently working to achieve the same goal.
2. Consent
Although the FTC has not yet required that retailers obtain customers’ consent before tracking their locations, its recent publications in this area suggest that receiving consent is an effective way to minimize privacy risks.
Notably, it is much easier to receive customer consent for some kinds of tracking technology than others. Soltani distinguished between active monitoring, which “is typically performed by the service the device is communicating with, such as by the cellular provider or by the WiFi hotspot the device is connected to,” and passive monitoring, which intercepts signals from the device as it communicates or searches for other devices and networks. Typically, customers are required to agree to terms and conditions before the retailer can use active monitoring; for example, by signing a cellular service contract or by connecting to a WiFi hotspot.
By creating a loyalty program application or offering free in-store WiFi, stores can offer benefits to their customers while also receiving their consent to data tracking. Another option, which is currently used by Apple, Macy’s, Coca-Cola, and Procter & Gamble, is known as proximity marketing. This is an opt-in system that allows retailers to send promotions to customers who are in the proximity of their stores.
Several smartphone location technology companies also allow customers to opt out of data tracking through an opt-out website, http://www.smart-places.org/. This website is one aspect of The Mobile Location Analytics Code of Conduct, which was created by analytics companies in October 2013 to assuage customers’ privacy concerns. The Code also calls for companies to obtain consent before collecting customers’ personal information. Although the FTC praised the Code for “[recognizing] consumer concerns about invisible tracking in retail spaces and [taking] a positive step forward in developing a self-regulatory code of conduct,” this code is not legally enforceable. Following the Nomi decision, however, analytics companies could be liable for deceiving consumers by claiming to comply with the Code but then failing to actually do so.
3. Notice
Notice is closely intertwined with consent. By not imposing a notice requirement on Nomi, the FTC — at least for the meantime — seems to have signaled that retailers are not required to notify their customers that they are being tracked through their cell phones. However, both Soltani’s blog post and the FTC’s recent cell phone guidance publications treat notice as a best practice.
As with consent, customers normally receive notice before signing up for a cell phone contract, opening a retailer’s phone app or joining a wireless hotspot. Unlike with these forms of active monitoring, however, customers are generally not notified before being tracked through passive monitoring.
Notice may prove difficult for retailers who use passive monitoring. Although retailers can notify many of their customers by posting signs within their stores, this would not notify every person being tracked because the tracking technology also pulls cell phone signals from people passing by the storefront. To solve this problem, Soltani suggests that passive retail analytics technology devices begin to automatically notify users of the existence of mobile retail tracking and allow them to temporarily join in order to opt out.
4. Other Ideas from Nomi
Until the FTC issues more concrete guidance in this area, retailers should at least make sure to follow the FTC’s guidance in Nomi by fulfilling any promises they make regarding privacy. Although Nomi provides rather than uses tracking services, the same legal principles apply to retailers. Retailers should act in accordance with every part of their privacy policies by respecting customers’ opt-out options and heeding any statements about what kind of information they collect or how they use that information.
Given that the law in this area is rapidly evolving, retailers should consult with legal counsel before implementing data tracking technology in their stores.