United States: FTC Finalizes First Privacy Settlement Against A Retail Tracking Firm

In a first-of-its-kind enforcement action, the Federal Trade Commission (FTC) on Thursday voted along party lines to settle deception allegations against Nomi Technologies (Nomi), a company whose technology allows retailers to track the movement of customers within stores.
 
The Commission's Complaint stems from representations in Nomi's privacy policy that customers could opt-out of the company's tracking either online or in stores that deployed the technology. The FTC alleged that the opt-out was not, in fact, available in stores, and that Nomi's privacy policy created an implied representation that consumers would be informed when a location utilized Nomi's tracking services. The Order, which will last for 20 years, imposes an injunction against Nomi's misrepresenting, expressly or by implication, its opt-out options or the extent to which consumers will be given notice of tracking.
 
The case thus makes clear that a majority of the sitting Federal Trade Commissioners believe that if a consumer control option is offered, it must be easy to find and exercise, in context. What is also clear is that the collection and use of location data is an issue the FTC is actively monitoring. As such, retailers and companies that use mobile location analytics would be wise to comply with industry guidance like the Mobile Location Analytics Code of Conduct issued by the Future of Privacy Forum.
 
Nomi is a startup company that began implementing its in-store tracking technology, known as its "Listen" service, in January 2013. According to the FTC's Complaint, in order to track consumers in stores, Nomi places sensors in its clients' retail locations that detect the MAC address of a mobile device as it searches for a wireless network, or collects MAC addresses through the existing wireless access points of its clients.¹ MAC addresses are unique identifiers associated with a particular device. The FTC's Complaint alleges that Nomi collected the MAC addresses of nine million unique mobile devices between January 2013 and September 2013.² In addition to MAC addresses, the sensors or wireless access points collect: mobile device signal strength; the mobile device manufacturer (which can be derived from the MAC address); the location of the sensor or wireless access point observing the signal; and the date and time the mobile device is observed.³ Nomi aggregates this information into analytic reports for retail clients that, among other things, provide the percentage of consumers passing by the store versus entering the store, the average duration of consumer visits, types of mobile devices used by consumers visiting the stores, the percentage of repeat customers within a specified time period, and the number of customers that had visited another location within the client's chain.⁴ 
 
Where Nomi's Listen service ran afoul of the FTC Act is not in its collection of the MAC address and location information, but rather in its notice to consumers about their control over the collection and use of the information. According to the FTC complaint, Nomi's privacy policy from November 2010 to at least October 2013 stated that "Nomi pledges to .... Always allow consumers to opt out of Nomi's services on its website as well as at any retailer using Nomi's technology."⁵ While Nomi provided and continues to provide an opt-out on its website for consumers who do not want Nomi to store observations of their mobile device, the FTC alleged that Nomi did not provide any means to opt out at retail locations, and that consumers were in fact unaware that the Listen service was even being used.⁶ The FTC further alleged that Nomi has not published or made available to consumers a list of the retailers that used the Listen service, and that Nomi does not require its client retailers to post disclosures or otherwise inform consumers of their use of the Listen service.⁷ The FTC alleged that the privacy policy statements were, therefore, false or misleading in violation of Section 5(a) of the FTC Act.
 
In order to settle the matter, Nomi agreed that it would not misrepresent in any manner, expressly or by implication "(A) the options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or (B) the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared."⁸ Nomi must further maintain certain documents and complaints related to the content of the consent order for a period of five years from the date of creation or receipt, and deliver a copy of the consent order to current and future subsidiaries, officers, directors, and managers, and to all current and future employees, agents, and representatives with responsibilities related to the consent order for 10 years.⁹   
 
The Commission vote to take action split along party lines. Voting in favor of action, Chairwoman Ramirez and Commissioners Brill and McSweeny stated that "Nomi's express representations regarding how consumers may opt out of its location tracking services go to the very heart of consumers' ability to make decisions about whether to participate in these services. Thus, [the Commission has] ample reason to believe that Nomi's opt-out representations were material," and, as shown, were ultimately false.¹⁰ Commissioner Wright disagreed, claiming that the statement that a consumer could opt-out in stores was not material to consumers given the easily accessible opt-out available on Nomi's webpage.¹¹ Commissioner Ohlhausen, who also dissented, contended that Nomi, as a third-party contractor collecting no personally identifying information, had no obligation to offer consumers an opt-out, yet it did offer consumers a global opt-out. That global opt-out was fully functional on Nomi's website and thus Nomi's privacy policy was only partially inaccurate; moreover, according to Commissioner Ohlhausen, the partially inaccurate statement harmed no consumers.¹² The dissenting Commissioners viewed Nomi as a prime case for prosecutorial discretion. Commissioner Ohlhausen argued that the Commission should use its limited resources to pursue cases involving consumer harm, and "should not apply a de facto strict liability approach to a young company that attempted to go above and beyond its legal obligation to protect consumers but, in so doing, erred without benefitting itself."¹³ And Commissioner Wright viewed such an aggressive prosecution as likely to deter industry participants from engaging in voluntary practices that promote consumer choice and transparency.¹⁴

¹ In the Matter of Nomi Technologies, Inc., FTC File No. 132-3251, Complaint at ¶ 4 (Apr. 23, 2015). While Nomi cryptographically hashed MAC addresses before storing them, thereby obfuscating the MAC address, the manner in which the company did so resulted in a different unique identifier for each mobile device it tracked. Id. at ¶ 6.
 
² Id. at ¶ 6.
 
³ Id. at ¶ 5.
 
⁴ Id. at ¶ 7.
 
⁵ Id. at ¶ 12.
 
⁶ Id. at ¶ 13.
 
⁷ Id. at ¶¶ 9-11.
 
⁸ In the Matter of Nomi Technologies, Inc., FTC File No. 132-3251, Proposed Consent Order, at 2-3 (Apr. 23, 2015).
 
⁹ Id. at 3
 
¹⁰ Statement of Chairwoman Ramirez, Commissioner Brill, and Commissioner McSweeny, In the Matter of Nomi Technologies, Inc., at 2 (Apr. 23, 2015).
 
¹¹ Dissenting Statement of Commissioner Joshua D. Wright, In the Matter of Nomi Technologies, Inc., at 2 (Apr. 23, 2015).
 
¹² Dissenting Statement of Commissioner Maureen K. Ohlhausen, In the Matter of Nomi Technologies, Inc., at 1 (Apr. 23, 2015).
 
¹³ Id.
 
¹⁴ Dissenting Statement of Commissioner Joshua D. Wright, at 4.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.