On Thursday, April 23, the FTC settled deception charges against start-up Nomi Technologies, Inc. related to Nomi’s in-store, sensor-based tracking technology.1 This is the first FTC enforcement action against emerging retail store–based tracking technologies.

Nomi’s Data Collection and Privacy Practices

Launched in 2013, Nomi’s Listen technology is an analytics platform retailers can deploy in their stores, or via their mobile applications, to assess their customers’ behavior. Listen uses store-based sensors to track retail customers’ in-store movements. These sensors detect mobile devices’ media access control (MAC) addresses — unique device identifiers — as customers move through a store. Nomi combines the collected MAC address data with other aggregated data elements into reports for retailers using the Listen platform. These reports give retailers insights into the percentage of customers passing by the store versus entering the store, the average length of customer visits, the types of mobile devices used by customers, the percentage of repeat customers, and whether a customer had visited a retailer’s other locations.

Nomi collected an impressive cache of data. According to the FTC’s complaint, Listen had collected nine million MAC addresses over 9 months in 2013. During that time, Nomi’s privacy policy told consumers they could always “opt out of Nomi’s services on its website as well as at any retailer using Nomi technology.”2 However, according to the FTC’s complaint, Nomi had no mechanism for in-store customer opt-outs; customers could only opt out by visiting Nomi’s website.

FTC’s Complaint Against Nomi

The FTC’s complaint alleged Nomi’s privacy disclosure misled consumers in violation of Section 5(a) of the FTC Act. Nomi’s privacy policy failed to accurately describe its privacy practices because Nomi did not, in fact, provide in-store opt-outs. To the FTC, the fact that Nomi provided consumers the ability to opt out on its website was insufficient to overcome its failure to provide in-store opt-outs because the retailers using Nomi were not contractually obligated to post notices that they were using Listen, and because Nomi did not provide a list of retailers using Listen on its website.

The Commission’s decision to take action against Nomi on these allegations was fractured along party lines. Chairwoman Ramirez and Commissioners Brill and McSweeny voted in favor of the action because privacy disclosures “go to the very heart of consumers’ ability to make decisions about whether to participate” in services like Listen.3 And by failing to accurately describe Nomi’s practices, Nomi’s disclosure was inherently misleading, the majority concluded. However, Commissioners Wright and Ohlhausen dissented, with Commissioner Ohlhausen finding that Nomi — a third-party contractor not collecting personally identifiable information and with no direct consumer engagement — was being unfairly held liable for its retail clients’ data collection efforts and its retail clients’ failure to give their customers the ability to opt out of the retailers’ data collection.4 Commissioner Ohlhausen also took issue with the decision to take action because it singled out a small, emerging company.5

In settling the action, Nomi entered a consent decree with the FTC in which it agreed not to misrepresent, in any manner, “the options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their consumers or devices, or … the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.”6 Additionally, Nomi must maintain documentation about consumer complaints about its services for 5 years.

Takeaway

The Commission’s decision to take action against Nomi highlights several areas of potential concern for companies collecting consumer data in general, and for small companies and start-ups in particular:

  • Accurate Privacy Policies. This settlement serves as a reminder to carefully vet privacy notices to ensure that the consumer choices they claim are actually available in practice. Nomi’s troubles began when it failed to accurately describe its data collection practices to consumers. This was in part due to its claim to allow in-store opt-outs, but the FTC also focused on Nomi’s failure to require retailers to notify consumers that Listen was collecting data and Nomi’s failure to provide a list of retailers using the Listen technology. As Chairwoman Ramirez suggested in her comments on this action, ensuring accurate privacy policies is at the very heart of the FTC enforcement efforts, and it is critical to ensure that such notices are accurate.
  • Customer-facing Tracking Notice. The FTC faulted Nomi for failing to contractually require its retailer clients to post notices that they were using Listen. This finding expands licensed platform developers’ liability, and — in an era of increasingly ubiquitous data collection — suggests that companies offering tracking and analytics services should include contractual provisions requiring retail and other customer-facing end users to post some form of notice that their customers may be tracked.
  • Make Opt-Outs Easy to Find. The FTC action against Nomi makes it clear that if a consumer opt-out feature is offered, it must be easy to find. Companies offering such features should include these features in each aspect of their service touching consumers, and should consider embracing industry standards like the Future of Privacy Forum’s Mobile Location Analytics Code of Conduct.7
  • Start-ups Can Get in Trouble, Too. The majority’s decision to take action against Nomi is a reminder that the FTC can and will take action against start-ups and other emerging technology companies. Regardless of their size, start-ups and small companies must ensure that their privacy policies and practices are robust, effective, and accurate. Adages like “we are too small or new to warrant government scrutiny” ring hollow when faced with an FTC civil investigatory demand.
  • Privacy by Design Is Key. The FTC’s action underscores the importance of designing business service applications with an eye toward privacy compliance, particularly where, as here, the application is licensed to third-party partners.