In a first-of-its-kind enforcement action, the Federal Trade
Commission (FTC) on Thursday voted along party lines to settle
deception allegations against Nomi Technologies (Nomi), a company
whose technology allows retailers to track the movement of
customers within stores.
The Commission's Complaint stems from representations in
Nomi's privacy policy that customers could opt-out of the
company's tracking either online or in stores that deployed the
technology. The FTC alleged that the opt-out was not, in fact,
available in stores, and that Nomi's privacy policy created an
implied representation that consumers would be informed when a
location utilized Nomi's tracking services. The Order, which will last for 20 years, imposes
an injunction against Nomi's misrepresenting, expressly or by
implication, its opt-out options or the extent to which consumers
will be given notice of tracking.
The case thus makes clear that a majority of the sitting Federal
Trade Commissioners believe that if a consumer control option is
offered, it must be easy to find and exercise, in context. What is
also clear is that the collection and use of location data is an
issue the FTC is actively monitoring. As such, retailers and
companies that use mobile location analytics would be wise to
comply with industry guidance like the Mobile Location Analytics Code of Conduct
issued by the Future of Privacy Forum.
Nomi is a startup company that began implementing its in-store
tracking technology, known as its "Listen" service, in
January 2013. According to the FTC's Complaint, in order to
track consumers in stores, Nomi places sensors in its clients'
retail locations that detect the MAC address of a mobile device as
it searches for a wireless network, or collects MAC addresses
through the existing wireless access points of its
clients.1 MAC addresses are unique identifiers
associated with a particular device. The FTC's Complaint
alleges that Nomi collected the MAC addresses of nine million
unique mobile devices between January 2013 and September
2013.2 In addition to MAC addresses, the sensors or
wireless access points collect: mobile device signal strength; the
mobile device manufacturer (which can be derived from the MAC
address); the location of the sensor or wireless access point
observing the signal; and the date and time the mobile device is
observed.3 Nomi aggregates this information into
analytic reports for retail clients that, among other things,
provide the percentage of consumers passing by the store versus
entering the store, the average duration of consumer visits, types
of mobile devices used by consumers visiting the stores, the
percentage of repeat customers within a specified time period, and
the number of customers that had visited another location within
the client's chain.4
Where Nomi's Listen service ran afoul of the FTC Act is not in
its collection of the MAC address and location information, but
rather in its notice to consumers about their control over the
collection and use of the information. According to the FTC
complaint, Nomi's privacy policy from November 2010 to at least
October 2013 stated that "Nomi pledges to .... Always allow
consumers to opt out of Nomi's services on its website as well
as at any retailer using Nomi's technology."5
While Nomi provided and continues to provide an opt-out on its
website for consumers who do not want Nomi to store observations of
their mobile device, the FTC alleged that Nomi did not provide any
means to opt out at retail locations, and that consumers were in
fact unaware that the Listen service was even being
used.6 The FTC further alleged that Nomi has not
published or made available to consumers a list of the retailers
that used the Listen service, and that Nomi does not require its
client retailers to post disclosures or otherwise inform consumers
of their use of the Listen service.7 The FTC alleged
that the privacy policy statements were, therefore, false or
misleading in violation of Section 5(a) of the FTC Act.
In order to settle the matter, Nomi agreed that it would not
misrepresent in any manner, expressly or by implication "(A)
the options through which, or the extent to which, consumers can
exercise control over the collection, use, disclosure, or sharing
of information collected from or about them or their computers or
devices, or (B) the extent to which consumers will be provided
notice about how data from or about a particular consumer,
computer, or device is collected, used, disclosed, or
shared."8 Nomi must further maintain certain
documents and complaints related to the content of the consent
order for a period of five years from the date of creation or
receipt, and deliver a copy of the consent order to current and
future subsidiaries, officers, directors, and managers, and to all
current and future employees, agents, and representatives with
responsibilities related to the consent order for 10
years.9
The Commission vote to take action split along party lines. Voting
in favor of action, Chairwoman Ramirez and Commissioners Brill and
McSweeny stated that "Nomi's express representations
regarding how consumers may opt out of its location tracking
services go to the very heart of consumers' ability to make
decisions about whether to participate in these services. Thus,
[the Commission has] ample reason to believe that Nomi's
opt-out representations were material," and, as shown, were
ultimately false.10 Commissioner Wright disagreed,
claiming that the statement that a consumer could opt-out in stores
was not material to consumers given the easily accessible opt-out
available on Nomi's webpage.11 Commissioner
Ohlhausen, who also dissented, contended that Nomi, as a
third-party contractor collecting no personally identifying
information, had no obligation to offer consumers an opt-out, yet
it did offer consumers a global opt-out. That global opt-out was
fully functional on Nomi's website and thus Nomi's privacy
policy was only partially inaccurate; moreover, according to
Commissioner Ohlhausen, the partially inaccurate statement harmed
no consumers.12 The dissenting Commissioners viewed Nomi
as a prime case for prosecutorial discretion. Commissioner
Ohlhausen argued that the Commission should use its limited
resources to pursue cases involving consumer harm, and "should
not apply a de facto strict liability approach to a young
company that attempted to go above and beyond its legal obligation
to protect consumers but, in so doing, erred without benefitting
itself."13 And Commissioner Wright viewed such an
aggressive prosecution as likely to deter industry participants
from engaging in voluntary practices that promote consumer choice
and transparency.14
1 In the Matter of Nomi Technologies, Inc.,
FTC File No. 132-3251, Complaint at ¶ 4 (Apr. 23, 2015). While
Nomi cryptographically hashed MAC addresses before storing them,
thereby obfuscating the MAC address, the manner in which the
company did so resulted in a different unique identifier for each
mobile device it tracked. Id. at ¶ 6.
2 Id. at ¶ 6.
3 Id. at ¶ 5.
4 Id. at ¶ 7.
5 Id. at ¶ 12.
6 Id. at ¶ 13.
7 Id. at ¶¶ 9-11.
8 In the Matter of Nomi Technologies, Inc., FTC
File No. 132-3251, Proposed Consent Order, at 2-3 (Apr. 23,
2015).
9 Id. at 3
10 Statement of Chairwoman Ramirez, Commissioner Brill,
and Commissioner McSweeny, In the Matter of Nomi Technologies,
Inc., at 2 (Apr. 23, 2015).
11 Dissenting Statement of Commissioner Joshua D.
Wright, In the Matter of Nomi Technologies, Inc., at 2
(Apr. 23, 2015).
12 Dissenting Statement of Commissioner Maureen K.
Ohlhausen, In the Matter of Nomi Technologies, Inc., at 1
(Apr. 23, 2015).
13 Id.
14 Dissenting Statement of Commissioner Joshua D.
Wright, at 4.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.