Nomi Technologies, a company whose technology allows retailers to track consumers’ movements through their stores, has agreed to settle Federal Trade Commission charges that it misled consumers with promises that it would provide an in-store mechanism for consumers to opt out of tracking and that consumers would be informed when locations were using Nomi’s tracking services.
The FTC’s complaint against Nomi states that beginning in late 2012, the company’s privacy policy promised that Nomi would provide an opt-out mechanism at stores using its services. This promise implied that consumers would be informed when stores were using Nomi’s tracking technology. The complaint alleges that these promises were not true because no in-store opt-out mechanism was available, and consumers were not informed when the tracking was taking place.
The complaint alleges that Nomi collected information on about nine million mobile devices within the first nine months of 2013. The complaint is the FTC’s first against a retail tracking company.
“It’s vital that companies keep their privacy promises to consumers when working with emerging technologies, just as it is in any other context,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “If you tell a consumer that they will have choices about their privacy, you should make sure all of those choices are actually available to them.”
Nomi, according to the complaint, places sensors in its clients’ stores that collect the MAC addresses of consumers’ mobile devices as the devices search for WiFi networks. MAC addresses are unique 12-digit identifiers that are assigned to individual mobile devices. Although Nomi “hashes” the MAC addresses prior to storing them, the hashing process still results in an identifier that is unique to a consumer’s mobile device and can be tracked over time.
The complaint alleges that Nomi tracked consumers both inside and outside their clients’ stores, tracking the MAC address, device type, date and time the device was observed, and signal strength of consumers’ devices. In reports to clients, Nomi provided aggregated information on how many consumers passed by the store instead of entering, how long consumers stayed in the store, the types of devices used by consumers, how many repeat customers enter a store in a given period and how many customers had visited another location in a particular chain of stores.
The company’s privacy policy said that it “pledged to… always allow consumers to opt out of Nomi’s service on its website, as well as at any retailer using Nomi’s technology.” While the company did provide an opt-out on its website, the complaint alleges that no such option was available at retailers using the service, and that consumers were not informed of the tracking taking place in the stores at all.
Under the terms of the settlement with the FTC, Nomi will be prohibited from misrepresenting consumers’ options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices, as well as the extent to which consumers will be notified about information practices.
The Commission held a privacy seminar on the issue of mobile device tracking in the retail environment as part of its spring privacy series last year.
The Commission vote to issue the complaint and accept the proposed consent order was 3-2, with Commissioners Maureen K. Ohlhausen and Joshua D. Wright dissenting. Chairwoman Edith Ramirez and Commissioners Julie Brill and Terrell McSweeny issued a separate statement in support of the action. Commissioners Ohlhausen and Wright issued separate dissenting statements.
The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 25, 2015, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically.
SOURCE: Federal Trade Commission